lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 28 Nov 2018 08:21:19 +0100
From: Imre Rad <radimre83@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2017-9732: knc (kerberized netcat) memory exhaustion

Product:
"KNC is Kerberised NetCat. It works in basically the same way as either
netcat or stunnel except that it is uses GSS-API to secure the
communication. You can use it to construct client/server applications while
keeping the Kerberos libraries out of your programs address space quickly
and easily."

Official page:
http://oskt.secure-endpoints.com/knc.html

Source code repository:
https://github.com/elric1/knc/

Vulnerability:
knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service
(memory exhaustion) that can be exploited remotely without authentication,
possibly affecting another services running on the targeted host.

The knc implementation uses a temporary buffer in read_packet() function
that is not freed (memory leak). An unauthenticated attacker can abuse this
by sending a blob of valid kerberos handshake structure but with unexpected
type; instead of token type AP_REQ (0x0100) I sent 0x0000 at bytes 16 and
17 in my proof of concept. During the attack, gss_sec_accept_context
returns G_CONTINUE_NEEDED and the memory is exhausted in the long run.

The attack might not even be logged, depending on how the Open Source
Kerberos Tooling stack is configured.

Proof of Concept code:
https://github.com/irsl/knc-memory-exhaustion/

Bugfix:
https://github.com/elric1/knc/commit/f237f3e09ecbaf59c897f5046538a7b1a3fa40c1

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists