About the vulnerability reporting instructions on the web site

2017-08-30 Thread Sergio Gelato
I am under the impression that Heimdal's process for reporting sensitive bugs
is broken. I am referring to the following sentence on https://www.h5l.org/ :

"Security sensitive bug reports should be sent to heimdal-b...@h5l.org using 
this PGP key (key id 3B81827E)."

Not only do I get the impression that bug reports sent in this manner are not
being acted on (it could be just a lack of feedback but that's also a problem),
but all subkeys of that PGP key have expired: the ones in the file on the web
site ten years ago, the newer ones available through the PGP keyservers more
recently.

The web site *is* being updated with release information so I don't understand
why it is not also being updated with contact information.




Re: Segfaults after receiving invalid AS-REQ

2017-08-30 Thread Sergio Gelato
* Sergio Gelato [2017-08-30 10:38:30 +0200]:
> * Andreas Haupt [2017-08-30 09:01:08 +0200]:
> > we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> > a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> > Looks like an evil bug to me. Anybody else seeing this?
> 
> Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
> the next day with the attached patch. No reaction. Not to my status query
> the other day either.

To elaborate: as far as I can tell this is "only" a DoS. Trivial to exploit:
just send an AS-REQ with no cname field (how to make such a packet is left
as an exercise). Can be over UDP.

I'm not sure the shodan user who did this to one of my KDCs that day knew
what (s)he was doing. Haven't had any further problems since I applied that
patch.


Re: Segfaults after receiving invalid AS-REQ

2017-08-30 Thread Sergio Gelato
* Andreas Haupt [2017-08-30 09:01:08 +0200]:
> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> Looks like an evil bug to me. Anybody else seeing this?

Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
the next day with the attached patch. No reaction. Not to my status query
the other day either.

commit 7a1cf14d57608401dde283ee76c2ec5c7f648e41
tree d77d9f1e9f2b2c9c4481a4f7f63b551e6cba62c8
parent ce3e80c72a58aeae5298aea9c4e5ee4719e95b76
author Sergio Gelato  1497530749 +0200
committer Sergio Gelato  1497530749 +0200

Guard against null r->client_princ when calling _kdc_fast_mk_error().

Some validation failures ("malformed server name", "No client in request")
result in r->client_princ == NULL at the point of calling _kdc_fast_mk_error().
Do not evaluate &r->client_princ->name or &r->client_princ->realm when this
is the case.

This bug is believed to have been the cause of a kdc crash with:

2017-06-14T18:05:19 No client in request
2017-06-14T18:05:19 AS-REQ malformed client name from IPv4:80.82.77.139
Jun 14 18:05:19 KDC kernel: [807788.585703] kdc[3162]: segfault at c ip b752a123 sp bff56c74 error 4 in libasn1.so.8.0.0[b74aa000+b5000]
(The instruction pointer pointed into der_length_general_string().)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 95a7492..df38ece 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2227,14 +2227,20 @@ out:
  * In case of a non proxy error, build an error message.
  */
 if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
+PrincipalName *error_client_name = NULL;
+	Realm *error_client_realm = NULL;
+	if (r->client_princ) {
+	error_client_name = &r->client_princ->name;
+	error_client_realm = &r->client_princ->realm;
+	}
 	ret = _kdc_fast_mk_error(context, r,
  &error_method,
  r->armor_crypto,
  &req->req_body,
  ret, r->e_text,
  r->server_princ,
- &r->client_princ->name,
- &r->client_princ->realm,
+ error_client_name,
+ error_client_realm,
  NULL, NULL,
  reply);
 	if (ret)
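Review bot: the guard only removes the crash if _kdc_fast_mk_error() actually tolerates NULL for its client-name and client-realm arguments and omits cname/crealm from the KRB-ERROR when they are NULL; the callee is not in this hunk, so that contract should be confirmed (or the parameters documented as optional in its prototype) rather than inferred from the crash no longer reproducing. A style point: the first added line `+PrincipalName *error_client_name = NULL;` is flush-left while the following added lines use the block's tab indentation; align it with the surrounding code.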


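To make the defensive pattern in the patch concrete, here is an added C example (not Heimdal's code; the types, the `mk_error()` callee and the error code are simplified, constructed stand-ins). It shows an error-reply path that only takes the address of the client principal's members when the pointer is set, and a callee that treats the client name and realm as optional fields and leaves them out of the error message when they are NULL, which is what keeps a malformed request from reaching the encoder with a bogus pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the KDC types; these are NOT Heimdal's definitions. */
typedef struct { const char *name; } PrincipalName;
typedef const char *Realm;
typedef struct { PrincipalName name; Realm realm; } Principal;

typedef struct {
    Principal *client_princ;   /* NULL when request validation found no usable client name */
    const char *e_text;        /* explanatory text for the error reply, may be NULL */
} kdc_request;

/* Constructed error code for the example; not a real protocol constant. */
#define ERR_CLIENT_MALFORMED 6

/* A KRB-ERROR-like reply; cname/crealm are optional and may be absent. */
typedef struct {
    int error_code;
    int has_cname;             /* 0 => cname and crealm omitted from the reply */
    char cname[64];
    char crealm[64];
    char e_text[128];
} krb_error;

/* Stand-in for the error builder: accepts NULL name/realm and omits the
 * optional fields instead of dereferencing them. */
static int mk_error(int code, const char *e_text,
                    const PrincipalName *cname, const Realm *crealm,
                    krb_error *out)
{
    memset(out, 0, sizeof *out);
    out->error_code = code;
    if (cname != NULL && crealm != NULL) {
        out->has_cname = 1;
        snprintf(out->cname, sizeof out->cname, "%s", cname->name);
        snprintf(out->crealm, sizeof out->crealm, "%s", *crealm);
    }
    if (e_text != NULL)
        snprintf(out->e_text, sizeof out->e_text, "%s", e_text);
    return 0;
}

/* Error path in the shape of the patched code: compute the member addresses
 * only when client_princ is non-NULL, otherwise pass NULL down. */
static int build_error_reply(const kdc_request *r, int ret, krb_error *out)
{
    const PrincipalName *error_client_name = NULL;
    const Realm *error_client_realm = NULL;
    if (r->client_princ) {
        error_client_name = &r->client_princ->name;
        error_client_realm = &r->client_princ->realm;
    }
    return mk_error(ret, r->e_text, error_client_name, error_client_realm, out);
}

/* Helper used below: does the reply for a request lacking a client carry a cname? */
static int reply_for_missing_client_has_cname(void)
{
    kdc_request r = { NULL, "No client in request" };   /* constructed request */
    krb_error e;
    build_error_reply(&r, ERR_CLIENT_MALFORMED, &e);
    return e.has_cname;
}

/* Helper used below: a well-formed client still gets its name echoed back. */
static int reply_for_known_client_echoes_name(const char *name)
{
    Principal p = { { name }, "EXAMPLE.ORG" };           /* constructed principal */
    kdc_request r = { &p, NULL };
    krb_error e;
    build_error_reply(&r, ERR_CLIENT_MALFORMED, &e);
    return e.has_cname && strcmp(e.cname, name) == 0 && strcmp(e.crealm, "EXAMPLE.ORG") == 0;
}

int main(void)
{
    printf("missing client -> has_cname=%d\n", reply_for_missing_client_has_cname());
    printf("known client   -> echoed=%d\n", reply_for_known_client_echoes_name("alice"));
    return 0;
}
```

The point of the split is that the caller never forms `&r->client_princ->name` from a NULL base pointer, and the callee never assumes the fields are present; both halves are needed, since a guard on one side alone leaves the other free to regress.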