MIT krb5 Security Advisory 2003-005

2003-03-19

Topic: Buffer overrun and underrun in principal name handling

Severity: SERIOUS

SUMMARY
=======

Buffer overrun and underrun problems exist in Kerberos principal name
handling in unusual cases, such as names with zero components, names
with one empty component, or host-based service principal names with
no host name component.

IMPACT
======

 * Corruption of malloc pool, probably leading to program crash.

   + The KDC may be vulnerable.

   + Depending on the malloc implementation and platform, it may be
     possible to build more serious exploits on this.

 * Reference to data just past the end of an array in the KDC, for
   comparison against certain fixed data.  May result in crashing the
   KDC.

AFFECTED SOFTWARE
=================

MIT Kerberos 5, all released versions through 1.2.7, and 1.3-alpha1.

FIX
===

The following patches should fix the most urgent aspects of the
problems in the 1.2.7 release.  If these patches do not apply cleanly
to 1.2.6 and earlier versions, the corresponding changes should be
fairly straightforward.  The patch to krb5.hin should change any
missed overrun cases in this area into null pointer dereferences,
which will be more likely to crash the program instead of referencing
arbitrary data.

Index: include/krb5.hin
===================================================================
RCS file: /cvs/krbdev/krb5/src/include/krb5.hin,v
retrieving revision 1.94.2.5.2.17
diff -p -u -r1.94.2.5.2.17 krb5.hin
--- include/krb5.hin    2002/04/16 23:47:53     1.94.2.5.2.17
+++ include/krb5.hin    2003/03/19 00:38:54
@@ -326,7 +326,7 @@ typedef krb5_const krb5_principal_data F
 #define        krb5_princ_size(context, princ) (princ)->length
 #define        krb5_princ_type(context, princ) (princ)->type
 #define        krb5_princ_name(context, princ) (princ)->data
-#define        krb5_princ_component(context, princ,i) ((princ)->data + i)
+#define        krb5_princ_component(context, princ,i) (i < krb5_princ_size(context, 
princ) ? ((princ)->data + i) : NULL)
 
 /*
  * end "base-defs.h"
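Review bot: The macro argument `i` is used unparenthesized in the new comparison `i < krb5_princ_size(context, princ)`, so an argument such as `n - 1` or `a ? b : c` will not group as intended; write `((i) < krb5_princ_size(context, princ) ? ((princ)->data + (i)) : NULL)` and document that `i` is now evaluated twice. The check also admits negative indexes, which still yield a pointer before the array. Finally, the `+` line is wrapped onto two lines here (the `princ) ? ((princ)->data + i) : NULL)` continuation), so it must be rejoined before `patch` will apply it.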
Index: kdc/kdc_util.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kdc/kdc_util.c,v
retrieving revision 5.96.2.2.2.3
diff -p -u -r5.96.2.2.2.3 kdc_util.c
--- kdc/kdc_util.c      2002/10/31 00:38:34     5.96.2.2.2.3
+++ kdc/kdc_util.c      2003/03/19 00:39:00
@@ -157,7 +157,8 @@ realm_compare(princ1, princ2)
 krb5_boolean krb5_is_tgs_principal(principal)
        krb5_principal  principal;
 {
-       if ((krb5_princ_component(kdc_context, principal, 0)->length ==
+       if (krb5_princ_size(kdc_context, principal) > 0 &&
+           (krb5_princ_component(kdc_context, principal, 0)->length ==
             KRB5_TGS_NAME_SIZE) &&
            (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
                     KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE)))
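Review bot: The `krb5_princ_size(kdc_context, principal) > 0 &&` guard is the right fix, and `> 0` rather than `!= 0` is the safer comparison should the count ever be negative; add a comment saying why the component count is tested before component 0 is dereferenced, because the unguarded `krb5_princ_component(..., 0)->length` pattern is exactly what the advisory says still exists elsewhere, and anyone grepping for it should recognise this guarded form as the one to copy.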
Index: lib/krb5/krb/unparse.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/unparse.c,v
retrieving revision 5.27.4.1
diff -p -u -r5.27.4.1 unparse.c
--- lib/krb5/krb/unparse.c      2002/08/12 22:55:01     5.27.4.1
+++ lib/krb5/krb/unparse.c      2003/03/19 00:39:02
@@ -153,7 +153,8 @@ krb5_unparse_name_ext(context, principal
                *q++ = COMPONENT_SEP;
        }
 
-       q--;                    /* Back up last component separator */
+       if (i > 0)
+           q--;                /* Back up last component separator */
        *q++ = REALM_SEP;
        
        cp = krb5_princ_realm(context, principal)->data;
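Review bot: Guarding `q--` with `if (i > 0)` removes the one-byte underrun for a zero-component name, which now unparses as `@REALM`, but the output-length computation earlier in krb5_unparse_name_ext (not in this hunk) must make the same distinction: if it subtracts one byte for the separator that is backed over, a zero-component name now needs one byte more than was sized, which turns the underrun into an overrun. Note also that with the fix a name with one empty component (`i == 1`, zero-length data) writes a separator, backs over it, and likewise produces `@REALM`, so the two cases are indistinguishable in the unparsed form; that is acceptable for a crash fix but worth a comment.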


The problem exists in other parts of the code as well, but should only
result in crashing application servers when the realm has been
misconfigured to use broken service names, or crashing application
clients when they are supplied broken principal names.
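The two defects above (backing up over a separator that was never written, and reading component 0 of a name with no components) can be reproduced on a small model of the data structure without touching a real KDC. The following is an added example, not code from MIT krb5 or from this advisory: the `princ_t`/`comp_t` types, the `TGS_NAME` and `TGS_NAME_SIZE` constants and every function name are constructed for the demonstration, and the unparse routine omits the quoting and sizing logic of the real `krb5_unparse_name_ext`. The `fixed` flag switches each routine between the pre-patch and patched shape; the underrun is made observable by placing a guard byte just before the output buffer so the stray write stays inside the allocation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a principal for this example; it is not the real
 * krb5_principal_data layout, only enough to reproduce the two bugs. */
typedef struct { int length; const char *data; } comp_t;
typedef struct { comp_t realm; comp_t *data; int length; } princ_t;

#define COMPONENT_SEP '/'
#define REALM_SEP     '@'
#define TGS_NAME      "krbtgt"   /* assumed value for the demo */
#define TGS_NAME_SIZE 6

/* Pre-patch shape of krb5_is_tgs_principal: reads component 0 without
 * checking that the name has any components at all. */
static int is_tgs_principal_unchecked(const princ_t *p)
{
    return p->data[0].length == TGS_NAME_SIZE
        && memcmp(p->data[0].data, TGS_NAME, TGS_NAME_SIZE) == 0;
}

/* Patched shape: the component count is tested before component 0 is read. */
static int is_tgs_principal_fixed(const princ_t *p)
{
    return p->length > 0
        && p->data[0].length == TGS_NAME_SIZE
        && memcmp(p->data[0].data, TGS_NAME, TGS_NAME_SIZE) == 0;
}

/* Unparse "c1/c2@REALM" into out. fixed == 0 keeps the pre-patch
 * unconditional "q--", which for a zero-component name steps back to
 * out[-1] before writing REALM_SEP: a one-byte underrun. Returns the
 * number of bytes written, excluding the terminating NUL. */
static size_t unparse(const princ_t *p, char *out, int fixed)
{
    char *q = out;
    int i;

    for (i = 0; i < p->length; i++) {
        memcpy(q, p->data[i].data, (size_t)p->data[i].length);
        q += p->data[i].length;
        *q++ = COMPONENT_SEP;
    }
    if (!fixed || i > 0)
        q--;                    /* back up over the last component separator */
    *q++ = REALM_SEP;
    memcpy(q, p->realm.data, (size_t)p->realm.length);
    q += p->realm.length;
    *q = '\0';
    return (size_t)(q - out);
}

/* Zero-component name with a guard byte just before the output buffer.
 * Returns 1 if unparse() overwrote the guard (the underrun), else 0. */
static int guard_byte_clobbered(int fixed)
{
    princ_t p = { { 5, "REALM" }, NULL, 0 };
    char buf[32];
    memset(buf, 'G', sizeof buf);
    unparse(&p, buf + 1, fixed);    /* buf[0] is the guard; writes stay in buf */
    return buf[0] != 'G';
}

/* Zero-component name whose backing array still holds "krbtgt" in slot 0,
 * constructed to stand in for whatever happens to follow a real array. */
static int empty_name_looks_like_tgs(int fixed)
{
    comp_t stale[1] = { { TGS_NAME_SIZE, TGS_NAME } };
    princ_t p = { { 5, "REALM" }, stale, 0 };
    return fixed ? is_tgs_principal_fixed(&p) : is_tgs_principal_unchecked(&p);
}

/* Well-formed two-component name: both variants must produce the same text. */
static int unparse_sample_ok(int fixed)
{
    comp_t comps[2] = { { 6, "krbtgt" }, { 11, "EXAMPLE.COM" } };
    princ_t p = { { 11, "EXAMPLE.COM" }, comps, 2 };
    char buf[64];
    unparse(&p, buf, fixed);
    return strcmp(buf, "krbtgt/EXAMPLE.COM@EXAMPLE.COM") == 0;
}

/* Patched unparse of a zero-component name yields "@REALM" with no underrun. */
static int empty_name_unparses_to_at_realm(void)
{
    princ_t p = { { 5, "REALM" }, NULL, 0 };
    char buf[32];
    size_t n = unparse(&p, buf, 1);
    return n == 6 && strcmp(buf, "@REALM") == 0;
}

int main(void)
{
    printf("pre-patch unparse underruns on empty name: %d\n", guard_byte_clobbered(0));
    printf("patched unparse underruns on empty name:   %d\n", guard_byte_clobbered(1));
    printf("pre-patch TGS check on empty name:         %d\n", empty_name_looks_like_tgs(0));
    printf("patched TGS check on empty name:           %d\n", empty_name_looks_like_tgs(1));
    return 0;
}
```

The stale-slot test is the interesting one: the unchecked comparison reads memory the name does not own, and whether the KDC then misclassifies the name or crashes depends only on what happens to sit past the end of the array, which is why the advisory's krb5.hin change prefers a null dereference to that read.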

ACKNOWLEDGMENTS
===============

Thanks to Nalin Dahyabhai of Red Hat for bringing the problems to our
attention.

CONTACT
=======

For more information, contact Ken Raeburn <[EMAIL PROTECTED]>, Sam
Hartman <[EMAIL PROTECTED]>, or Marshall Vale <[EMAIL PROTECTED]>.

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/www/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/www/index.html
