Re: Segfaults after receiving invalid AS-REQ
On 2017-08-31 15:08:08, Lars-Johan Liman wrote:
> On 8/31/2017 5:54 AM, Lars-Johan Liman wrote:
>
>> Just curious: is this patch available in the Github repository or does
>> "waiting" mean somewhere else?
>
> jalt...@secure-endpoints.com:
>
>> It's not in the repository.
>
> Ack. Thanks.
>
> Cheers,
> /Liman

For anyone interested: I saw Debian Security Advisory DSA-4055-1 (relating to the newly published CVE-2017-17439), which is regarding the problem discussed in this thread. This made me look in the repo, and the upstream fix is now public:

https://github.com/heimdal/heimdal/commit/1a6a6e462dc2ac6111f9e02c6852ddec4849b887

Here is an issue with additional information:

https://github.com/heimdal/heimdal/issues/353

--
Patrik Lundin
Re: Segfaults after receiving invalid AS-REQ
On 2017-08-30 09:53:50, Jeffrey Altman wrote:
> On 8/30/2017 4:38 AM, Sergio Gelato wrote:
>> * Andreas Haupt [2017-08-30 09:01:08 +0200]:
>>> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
>>> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
>>> Looks like an evil bug to me. Anybody else seeing this?
>>
>> Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
>> the next day with the attached patch. No reaction. Not to my status query
>> the other day either.
>
> I diagnosed this problem as well and there is a patch waiting to be
> included in a subsequent release.

Looking at the patch published by Sergio, it appears to me that the offending variables were introduced 2015-02-13 (a873e21d7c06f22943a90a41dc733ae76799390d). I guess this means releases prior to this date are safe from this specific DoS, while it affects everything since.

Do you have any idea when a new release fixing this will be made available? I am just asking because it appears no official 7.x release is suitable for use as a public-facing KDC at this time.

Regards,
Patrik Lundin
Re: Segfaults after receiving invalid AS-REQ
On 8/30/2017 4:38 AM, Sergio Gelato wrote:
>>>> Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
>>>> the next day with the attached patch. No reaction. Not to my status query
>>>> the other day either.

jalt...@secure-endpoints.com:
>>> I diagnosed this problem as well and there is a patch waiting to be
>>> included in a subsequent release.

On 8/31/2017 5:54 AM, Lars-Johan Liman wrote:
>> Just curious: is this patch available in the Github repository or does
>> "waiting" mean somewhere else?

jalt...@secure-endpoints.com:
> It's not in the repository.

Ack. Thanks.

Cheers,
/Liman
Re: Segfaults after receiving invalid AS-REQ
On 8/31/2017 5:54 AM, Lars-Johan Liman wrote:
> On 8/30/2017 4:38 AM, Sergio Gelato wrote:
>>> Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
>>> the next day with the attached patch. No reaction. Not to my status query
>>> the other day either.
>
> jalt...@secure-endpoints.com:
>> I diagnosed this problem as well and there is a patch waiting to be
>> included in a subsequent release.
>
> Just curious: is this patch available in the Github repository or does
> "waiting" mean somewhere else?

It's not in the repository.
Re: Segfaults after receiving invalid AS-REQ
On 8/30/2017 4:38 AM, Sergio Gelato wrote:
>> Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
>> the next day with the attached patch. No reaction. Not to my status query
>> the other day either.

jalt...@secure-endpoints.com:
> I diagnosed this problem as well and there is a patch waiting to be
> included in a subsequent release.

Just curious: is this patch available in the Github repository or does "waiting" mean somewhere else?

Cheers,
/Liman

#--
# Lars-Johan Liman, M.Sc.              ! E-mail: li...@netnod.se
# Senior Systems Specialist            ! Tel:    +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm  ! http://www.netnod.se/
#--
Re: Segfaults after receiving invalid AS-REQ
On 8/30/2017 4:38 AM, Sergio Gelato wrote:
> * Andreas Haupt [2017-08-30 09:01:08 +0200]:
>> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
>> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
>> Looks like an evil bug to me. Anybody else seeing this?
>
> Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
> the next day with the attached patch. No reaction. Not to my status query
> the other day either.

I diagnosed this problem as well and there is a patch waiting to be included in a subsequent release.

We did not receive the e-mail you sent to heimdal-b...@h5l.org. If we had, we would have responded. I am now researching where that message is sitting.

Jeffrey Altman
Re: Segfaults after receiving invalid AS-REQ
Hi Sergio,

On Wed, 2017-08-30 at 10:38 +0200, Sergio Gelato wrote:
> * Andreas Haupt [2017-08-30 09:01:08 +0200]:
>>
>> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
>> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
>> Looks like an evil bug to me. Anybody else seeing this?
>
> Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
> the next day with the attached patch. No reaction. Not to my status query
> the other day either.

Thanks! I'll try your patch!

Cheers,
Andreas

--
| Andreas Haupt   | E-Mail: andreas.ha...@desy.de
| DESY Zeuthen    | WWW:    http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6 | Phone:  +49/33762/7-7359
| D-15738 Zeuthen | Fax:    +49/33762/7-7216
Re: Segfaults after receiving invalid AS-REQ
* Sergio Gelato [2017-08-30 10:38:30 +0200]:
> * Andreas Haupt [2017-08-30 09:01:08 +0200]:
>> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
>> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
>> Looks like an evil bug to me. Anybody else seeing this?
>
> Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
> the next day with the attached patch. No reaction. Not to my status query
> the other day either.

To elaborate: as far as I can tell this is "only" a DoS. Trivial to exploit: just send an AS-REQ with no cname field (how to make such a packet is left as an exercise). Can be over UDP. I'm not sure the shodan user who did this to one of my KDCs that day knew what (s)he was doing. Haven't had any further problems since I applied that patch.
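As an added illustration (not part of the thread and not Heimdal code): a small log correlator that pairs the "AS-REQ malformed client name" line in the KDC log with a kdc segfault in the kernel log inside a short time window, which is the crash signature quoted in Sergio's commit message further down the thread. The log lines, hostnames and addresses below are constructed; the KDC and syslog formats are assumed to match those quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (documentation-range addresses), modelled on the
# Heimdal KDC log and kernel log formats quoted in the thread.
KDC_LOG = """\
2017-06-14T18:05:18 AS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.7 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
2017-06-14T18:05:19 No client in request
2017-06-14T18:05:19 AS-REQ malformed client name from IPv4:198.51.100.23
"""
KERNEL_LOG = """\
Jun 14 18:05:19 kdc1 kernel: [807788.585703] kdc[3162]: segfault at c ip b752a123 sp bff56c74 error 4 in libasn1.so.8.0.0[b74aa000+b5000]
"""

# KDC line: ISO timestamp, then the malformed-client-name message with its source.
MALFORMED = re.compile(r"^(\S+) AS-REQ malformed client name from (\S+)$")
# Kernel line: syslog timestamp (no year), host, then "kdc[<pid>]: segfault at ...".
SEGFAULT = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*? kdc\[(\d+)\]: segfault at")


def correlate(kdc_log, kernel_log, window=timedelta(seconds=2)):
    """Return one finding per kdc segfault, listing the sources of malformed
    AS-REQs logged within `window` of the crash."""
    malformed = []
    for line in kdc_log.splitlines():
        m = MALFORMED.match(line)
        if m:
            malformed.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2)))

    findings = []
    for line in kernel_log.splitlines():
        m = SEGFAULT.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; borrow it from the KDC log (assumption).
        year = malformed[0][0].year if malformed else datetime.now().year
        crash_ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        sources = [src for ts, src in malformed if abs(crash_ts - ts) <= window]
        findings.append({
            "pid": int(m.group(2)),
            "crash": crash_ts.isoformat(),
            "malformed_sources": sources,
            # A crash with no nearby malformed AS-REQ does not fit this bug's signature.
            "matches_thread_pattern": bool(sources),
        })
    return findings
```

A crash flagged with `matches_thread_pattern` on an unpatched 7.x KDC is a strong indicator that the null `client_princ` dereference, not some unrelated fault, took the daemon down.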
Re: Segfaults after receiving invalid AS-REQ
* Andreas Haupt [2017-08-30 09:01:08 +0200]:
> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> Looks like an evil bug to me. Anybody else seeing this?

Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs the next day with the attached patch. No reaction. Not to my status query the other day either.

commit 7a1cf14d57608401dde283ee76c2ec5c7f648e41
tree d77d9f1e9f2b2c9c4481a4f7f63b551e6cba62c8
parent ce3e80c72a58aeae5298aea9c4e5ee4719e95b76
author Sergio Gelato 1497530749 +0200
committer Sergio Gelato 1497530749 +0200

Guard against null r->client_princ when calling _kdc_fast_mk_error().

Some validation failures ("malformed server name", "No client in request") result in r->client_princ == NULL at the point of calling _kdc_fast_mk_error(). Do not evaluate &r->client_princ->name or &r->client_princ->realm when this is the case.

This bug is believed to have been the cause of a kdc crash with:

2017-06-14T18:05:19 No client in request
2017-06-14T18:05:19 AS-REQ malformed client name from IPv4:80.82.77.139
Jun 14 18:05:19 KDC kernel: [807788.585703] kdc[3162]: segfault at c ip b752a123 sp bff56c74 error 4 in libasn1.so.8.0.0[b74aa000+b5000]

(The instruction pointer pointed into der_length_general_string().)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 95a7492..df38ece 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2227,14 +2227,20 @@ out: * In case of a non proxy error, build an error message. */ if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) { +PrincipalName *error_client_name = NULL; + Realm *error_client_realm = NULL; + if (r->client_princ) { + error_client_name = &r->client_princ->name; + error_client_realm = &r->client_princ->realm; + } ret = _kdc_fast_mk_error(context, r, &error_method, r->armor_crypto, &req->req_body, ret, r->e_text, r->server_princ, - &r->client_princ->name, - &r->client_princ->realm, + error_client_name, + error_client_realm, NULL, NULL, reply); if (ret) signature.asc Description: PGP signature
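Review bot: the new guard only covers r->client_princ, yet the same call still passes r->server_princ unconditionally, and the commit message lists "malformed server name" among the failures that reach this error path; please confirm that _kdc_fast_mk_error() tolerates a NULL server principal on that path, or extend the guard in the same way (e.g. a local `error_server_princ` set only `if (r->server_princ)`). A one-line comment above `if (r->client_princ) {` noting that client_princ is NULL when client-name parsing failed would also help the next reader, since the reason is only in the commit message.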