the original cloud security

GSS-API Library Null Pointer Dereference

GSS-API Library Null Pointer Dereference
Posted May 19, 2010
Site web.mit.edu

MIT krb5 Security Advisory 2010-005 - Certain invalid GSS-API tokens can cause a GSS-API acceptor (server) to crash due to a null pointer dereference in the GSS-API library. This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol.

tags | advisory, protocol
advisories | CVE-2010-1321
MD5 | 42d9ccf5f12c483da2fcceaa94f67481

GSS-API Library Null Pointer Dereference

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2010-005

MIT krb5 Security Advisory 2010-005
Original release: 2010-05-18

Topic: GSS-API library null pointer dereference

CVE-2010-1321

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 6.8

Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

CVSSv2 Temporal Score: 5.3

Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

Certain invalid GSS-API tokens can cause a GSS-API acceptor (server)
to crash due to a null pointer dereference in the GSS-API library.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.

IMPACT
======

An authenticated remote attacker can cause a GSS-API application
server (including the Kerberos administration daemon kadmind) to crash
by sending a malformed GSS-API token that induces a null pointer
dereference.

AFFECTED SOFTWARE
=================

* kadmind and other GSS-API server applications in all known releases
of MIT krb5, up to and including krb5-1.8.1

* third-party GSS-API server applications that link link against the
GSS-API library in all known releases of MIT krb5, up to and
including krb5-1.8.1

* Independent implementations of the krb5 GSS-API mechanism may be
vulnerable, as the underlying bug is based on plausible (but
invalid) assumptions about the Kerberos protocol.

FIXES
=====

* The upcoming krb5-1.8.2 release and an upcoming krb5-1.7 series
release will contain a fix for this vulnerability.

* Apply the following patch. The patch was generated against
krb5-1.8.1, but should also apply to krb5-1.7 series releases.

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index ce3075f..6241055 100644
- --- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -607,6 +607,13 @@ kg_accept_krb5(minor_status, context_handle,
}
#endif

+ if (authdat->checksum == NULL) {
+ /* missing checksum counts as "inappropriate type" */
+ code = KRB5KRB_AP_ERR_INAPP_CKSUM;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
/* Samba does not send 0x8003 GSS-API checksums */
krb5_boolean valid;



This patch is also available at

http://web.mit.edu/kerberos/advisories/2010-005-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-005-patch.txt.asc


For the krb5-1.6 release:

http://web.mit.edu/kerberos/advisories/2010-005-patch_r16.txt

PGP-signed patch for krb5-1.6:

http://web.mit.edu/kerberos/advisories/2010-005-patch_r16.txt.asc

Earlier releases may require minor porting.


REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-1321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321

ACKNOWLEDGMENTS
===============

Thanks to Shawn Emery (Oracle) for reporting this vulnerability.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

The krb5 GSS-API mechanism specification requires that the checksum
field in the authenticator of the Kerberos AP-REQ (which is optional
in the base Kerberos protocol) be present and contain specific
contents. If the checksum field is missing, the decoded structure
contains a null pointer, which code called through
krb5_gss_accept_sec_context() dereferences without first checking for
a null pointer.

Independent implementations of the krb5 GSS-API mechanism may be
vulnerable because a developer might reasonably make the invalid
assumption that the authenticator checksum field is not empty (and
hence, that the C representation would not contain a null pointer).

REVISION HISTORY
================

2010-05-18 original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAkvy1ooACgkQSO8fWy4vZo4u8gCgz7jbjv/wCB4gvphXuK8x1g1f
+PMAoKOiUzAEan9RPXQ4MN4SJ2Cl1Zl8
=wuxV
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    6 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close