[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ldvsk6qnfbi.fsf@cathode-dark-space.mit.edu>
Date: Tue, 20 Apr 2010 14:34:25 -0400
From: Tom Yu <tlyu@....edu>
To: bugtraq@...urityfocus.com
Subject: MITKRB5-SA-2010-004 [CVE-2010-1320] double free in KDC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2010-004
MIT krb5 Security Advisory 2010-004
Original release: 2010-04-20
Topic: double free in KDC
CVE-2010-1320
CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 9
Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSSv2 Temporal Score: 7
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
=======
A double free vulnerability exists in the KDC in MIT krb5 releases
krb5-1.7 and later.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.
IMPACT
======
An authenticated remote attacker can crash the KDC by inducing the KDC
to perform a double free. Under some circumstances on some platforms,
this could also allow malicious code execution. Successfully inducing
code execution by exploiting a double free is believed to be
difficult, and no such exploits are known to exist for this
vulnerability.
AFFECTED SOFTWARE
=================
* KDC in krb5-1.7 and later
FIXES
=====
* The upcoming krb5-1.8.2 release, as well as an upcoming krb5-1.7
series release, will contain a fix.
* Apply the following patch:
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b2f0655..76ca94a 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -543,6 +543,7 @@ tgt_again:
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
+ enc_tkt_reply.authorization_data = NULL;
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
@@ -554,6 +555,7 @@ tgt_again:
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
+ enc_tkt_reply.authorization_data = NULL;
old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
This patch is also available at
http://web.mit.edu/kerberos/advisories/2010-004-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2010-004-patch.txt.asc
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2010-1320
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1320
Debian bug #577490
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490
ACKNOWLEDGMENTS
===============
Joel Johnson reported this bug to Debian. Brian Almeida provided a
report that this bug affects krb5-1.7 releases.
CONTACT
=======
The MIT Kerberos Team security contact address is
<krbcore-security@....edu>. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@....edu>
DETAILS
=======
When process_tgs_req() handles renewal or validation of existing
tickets, it copies header_ticket->enc_part2 (from the ticket that is
being validated or renewed) to enc_tkt_reply (the new ticket being
generated for the reply). This causes
enc_tkt_reply.authorization_data to be an alias for memory that
belongs to the request. As process_tgs_req() exits, it frees both
header_ticket and enc_tkt_reply, which causes the aliased memory to be
freed twice.
In the krb5-1.8 releases, unlike prior MIT krb5 releases, the TGS
request processing normally adds a "signedpath" authorization data
element, which causes merge_authdata() to run. Inside
merge_authdata() is a call to realloc() that can potentially cause the
authorization data from header_ticket to be freed (if realloc() needs
to relocate the memory) an additional time before the cleanup code at
the end of process_tgs_req(). The krb5-1.7 releases can still
encounter this condition under less common circumstances, such as when
a client provides authorization data that it wants the KDC include in
the new ticket.
REVISION HISTORY
================
2010-04-20 original release
Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
iEYEARECAAYFAkvN7+QACgkQSO8fWy4vZo5+dQCfV+qgkScspXVbQ9rgZ/L8m1Rp
9mcAn31H+mi9pTcmEyhMzRuXD47VVKv3
=W2dB
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists