FreeIPA version 4.10.1 has an issue where specially crafted HTTP requests potentially lead to denial of service or data exposure.
ed1964cddf58cd1a3b007267cb1f6a3b11008a5d76ebdb87f9a639382cd73688Summary:
Specially crafted HTTP requests can read files in the DC server. And use keytab files for authorization for different kerberos principals.
Tested FreeIPA version:
ipa-server-4.10.1
Details
The "user" parameter in the HTTP URI "/sip/session/login_password" is inserted into the "run" function from the file "ipautil.py". Then it is passed as an argument to the "subprocess.Popen". As a result, the following list is passed: "args=['/usr/bin/kinit', '{user params}', '-c', /run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If instead of "{user params}" there is a string "-V", then it will be taken as an argument for "kinit". As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DOS, or use the keytab file from the system to log in under participants without a password.
PoC (attached screenshots):
Simple request with "user=-H&password=0000000"
With multiple parameters "user=-Vkt&password=0000000"
Impact
Possible DOS, use keytab from system and read files on DC.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed