Bug 80574 - (CVE-2005-1175) VUL-0: CVE-2005-1175: krb5 KDC heap corruption by random free (CAN-2005-1174, MITKRB5-SA-2005-002)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: All
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
CVE-2005-1175: CVSS v2 Base Score: 7....
Reported: 2005-04-27 07:06 UTC by Ludwig Nussel
Modified: 2021-11-03 14:59 UTC (History)

Found By: Other


Attachments
krb5-1.4-VUL-0-krb5-overflow.dif (1.19 KB, patch)
2005-04-27 09:06 UTC, Michael Calmer

Description Ludwig Nussel 2005-04-27 07:06:57 UTC
This issue is not public yet, please keep any information about it inside SUSE.

Two months is ridiculous. I'd suggest to not submit packages yet.

Date: Wed, 27 Apr 2005 00:29:13 +0200 (MEST)
From: Roman Drahtmueller <draht@suse.de>
To: SecTeam <security-team@suse.de>
Cc: Ed Reed <ereed@novell.com>
Subject: [security-team] Whoops: MIT-KRB
Reply-To: security-team@suse.de

...starting with 9.3, we have the MIT implementation of Kerberos in the 
product(s). 

Disclosure date is 2005-07-05. I suggest to ask the MIT folks to contact 
vendor-sec for responsible disclosure procedure.
The bugzilla bug for this needs to be limited access to not have this 
leak out prematurely.

Regards,
R.


 From tlyu@MIT.EDU Wed Apr 27 00:24:06 2005
 From: Tom Yu <tlyu@MIT.EDU>
 To: secure@novell.com
 Date: Tue, 26 Apr 2005 17:00:22 -0400
 Subject: confidential - draft security advisory [MITKRB5-SA-2005-002]

--------------------------- pgpenvelope processed message


The MIT Kerberos Development Team is aware of the following
vulnerabilities in the MIT krb5 software.  Please do not publicly
disseminate this information prior to our public disclosure.

Our current target date for public disclosure is 05 July 2005.  Please
let me know if you have any concerns about the release date.  Also,
please send me any comments you have concerning the advisory text or
the patches.

DRAFT - DO NOT PUBLISH

                 MIT krb5 Security Advisory 2005-002

Original release: 2005-??-??

Topic: buffer overflow, heap corruption in KDC

Severity: CRITICAL

SUMMARY
=======

The MIT krb5 Key Distribution Center (KDC) implementation can corrupt
the heap by attempting to free memory at a random address when it
receives a certain unlikely (but valid) request via a TCP connection.
This attempt to free unallocated memory can result in a KDC crash and
consequent denial of service.  [CAN-2005-1174]

Additionally, the same request, when received by the KDC via either
TCP or UDP, can trigger a bug in the krb5 library which results in a
single-byte overflow of a heap buffer.  Additionally, application
servers are vulnerable to a highly improbable attack, provided that
the attacker controls a realm sharing a cross-realm key with the
target realm. [CAN-2005-1175]

An unauthenticated attacker may be able to use these vulnerabilities
to execute arbitrary code on the KDC host, potentially compromising an
entire Kerberos realm.  No exploit code is known to exist at this
time.  Exploitation of these vulnerabilities is believed to be
difficult.

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code on
the KDC host, potentially compromising an entire Kerberos realm.  An
unsuccessful attack against the heap corruption vulnerability may
result in a denial of service by crashing the KDC process.

AFFECTED SOFTWARE
=================

* [CAN-2005-1174] affects the KDC implementation in all MIT krb5
  releases supporting TCP client connections to the KDC.  This
  includes krb5-1.3 and later releases, up to and including
  krb5-1.4.1.

* [CAN-2005-1175] affects KDC implementations and application servers
  in all MIT krb5 releases, up to and including krb5-1.4.1.
  Third-party application servers which use MIT krb5 are also
  affected.

FIXES
=====

* WORKAROUNDS: Disabling TCP support in the KDC avoids one
  vulnerability [CAN-2005-1174].  The single-byte overflow
  [CAN-2005-1175] is still possible even without KDC TCP support
  enabled.  Running the KDC from init or from some similar automatic
  respawning facility may reduce the length of denials of service, but
  this approach may make it difficult to notice deliberate attacks
  having a goal of code execution.

* Apply the patch at:

  http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt.asc

  The patch was generated against the krb5-1.4.1 release.  It may
  apply, with some offset, to earlier releases.  On releases prior to
  krb5-1.3, only the patch to lib/krb5/krb/unparse.c should be
  necessary.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

CVE: CAN-2005-1175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175


ACKNOWLEDGMENTS
===============

Thanks to Daniel Wachdorf for reporting these vulnerabilities.

DETAILS
=======

Kerberos 5 principal names may have an arbitrary number of components.
The krb5_unparse_name() function in the MIT krb5 library converts an
internal representation of a Kerberos principal name into a
human-readable string.  The internal representation might have
originated from the decoding of a Kerberos protocol message.

The single-byte overflow occurs whenever the krb5_unparse_name()
function is called on a principal name having zero components.  The
function writes a null byte to an address one beyond the end of a
buffer allocated by malloc().  The corresponding krb5_parse_name()
function never generates an internal representation having zero
components; instead, it generates at least one zero-length component.
The current string representation form of Kerberos principal names has
some ambiguity between a zero-component principal name and a
one-component principal name having a zero-length single component.

Application servers which call krb5_unparse_name(), directly or
indirectly, are vulnerable to the single-byte overflow in
krb5_unparse_name(), provided that the attacker controls a realm which
shares a cross-realm key with the target realm.  This enables the
attacker to use a cross-realm ticket for a zero-component client
principal name, which the application server will then pass to
krb5_unparse_name(), triggering the single-byte overflow.

For this attack to succeed, the attacker needs access to a KDC in the
target realm which will create a ticket for a zero-component client
principal name.  Since the current MIT krb5 KDC implementation will
refuse to create such a ticket, the attack is unlikely to succeed
unless the implementation has been altered to allow the issuance of
tickets for zero-component client principal names.

When the KDC fails to find the principal with a zero-component name in
its database (such a principal is very unlikely to exist in most
databases, as there are extremely few uses for such a principal), it
attempts to encode an error packet containing the offending principal
name, using prepare_error_as() or prepare_error_tgs().  This encoding
attempt fails inside encode_krb5_error(), since the ASN.1 encoder
function asn1_encode_principal_name() interprets the internal
representation of a zero-component principal name as an error
condition.

encode_krb5_error() does not allocate an output buffer when it
encounters an error condition.  While the UDP request handling code in
kdc/network.c:process_packet() does not attempt to free the output
buffer containing the encoded message when it encounters an error, the
TCP request handling code in process does free the buffer inside
kill_tcp_connection(), which attempts to free unallocated memory
pointed to by an uninitialized pointer.

REVISION HISTORY
================

Copyright (C) 2005 Massachusetts Institute of Technology


Index: kdc/do_as_req.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kdc/do_as_req.c,v
retrieving revision 5.90
diff -c -r5.90 do_as_req.c
*** kdc/do_as_req.c	4 Nov 2002 02:20:51 -0000	5.90
--- kdc/do_as_req.c	25 Apr 2005 22:02:56 -0000
***************
*** 524,529 ****

      retval = krb5_mk_error(kdc_context, &errpkt, scratch);
      free(errpkt.text.data);
!     *response = scratch;
      return retval;
  }
--- 524,533 ----

      retval = krb5_mk_error(kdc_context, &errpkt, scratch);
      free(errpkt.text.data);
!     if (retval)
! 	free(scratch);
!     else
! 	*response = scratch;
!
      return retval;
  }
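Review bot: the new error branch frees scratch but leaves *response untouched, so every caller of prepare_error_as() now has to start its response pointer at NULL before it can safely test or free it after a failure; the network.c hunk in this patch does that for process_packet() (UDP), but the TCP path through kill_tcp_connection(), which the advisory names as the one that freed the uninitialized pointer, is not touched here and should be checked for the same initialization. The bare free(scratch) is only leak-free because, as the advisory states, encode_krb5_error() allocates no output buffer on failure; a one-line comment recording that dependency here would keep the next reader from "fixing" it into a leak or a double free.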
Index: kdc/do_tgs_req.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kdc/do_tgs_req.c,v
retrieving revision 5.89
diff -c -r5.89 do_tgs_req.c
*** kdc/do_tgs_req.c	22 May 2003 20:28:21 -0000	5.89
--- kdc/do_tgs_req.c	25 Apr 2005 22:02:56 -0000
***************
*** 722,728 ****

      retval = krb5_mk_error(kdc_context, &errpkt, scratch);
      free(errpkt.text.data);
!     *response = scratch;
      return retval;
  }

--- 722,732 ----

      retval = krb5_mk_error(kdc_context, &errpkt, scratch);
      free(errpkt.text.data);
!     if (retval)
! 	free(scratch);
!     else
! 	*response = scratch;
!
      return retval;
  }

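Review bot: this is the same four-line epilogue as the do_as_req.c hunk, duplicated verbatim in prepare_error_tgs(); the free-on-error-or-hand-off-scratch logic could live in one small helper shared by both error-packet builders so the two paths cannot drift apart again, which is how one of them ended up returning an unallocated buffer in the first place. The same caller obligation applies: *response is unassigned on error, so callers must initialize it to NULL.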
Index: kdc/network.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kdc/network.c,v
retrieving revision 5.62
diff -c -r5.62 network.c
*** kdc/network.c	24 Sep 2004 02:21:47 -0000	5.62
--- kdc/network.c	25 Apr 2005 22:02:56 -0000
***************
*** 722,727 ****
--- 722,728 ----
      char pktbuf[MAX_DGRAM_SIZE];
      int port_fd = conn->fd;

+     response = NULL;
      saddr_len = sizeof(saddr);
      cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0,
  		  (struct sockaddr *)&saddr, &saddr_len);
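Review bot: response = NULL is added as a separate statement after the declarations rather than at the declaration of response; moving it to the declaration would put the invariant (response stays NULL until dispatch succeeds) where the variable is introduced, and a short comment saying why it matters now (the AS/TGS error builders no longer set *response on failure) would help. More important, this hunk only covers process_packet(), the UDP path, while the advisory places the crash [CAN-2005-1174] in the TCP path via kill_tcp_connection(); nothing in this patch changes that code, so its correctness rests entirely on the do_as_req.c and do_tgs_req.c hunks no longer handing out a buffer with an uninitialized data pointer, and the TCP side's response handling deserves an explicit look.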
Index: lib/krb5/krb/unparse.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/unparse.c,v
retrieving revision 5.33.8.1
diff -c -r5.33.8.1 unparse.c
*** lib/krb5/krb/unparse.c	18 Jan 2005 17:57:32 -0000	5.33.8.1
--- lib/krb5/krb/unparse.c	25 Apr 2005 22:02:56 -0000
***************
*** 91,96 ****
--- 91,98 ----
  				totalsize++;
  		totalsize++;	/* This is for the separator */
  	}
+ 	if (nelem == 0)
+ 		totalsize++;

  	/*
  	 * Allocate space for the ascii string; if space has been
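Review bot: the added "if (nelem == 0) totalsize++;" needs a comment: for nelem > 0 the separator byte counted for the last component is the slot the terminating NUL lands in, and with no components that slot does not exist, so this byte is the NUL, not a separator. The alternative the advisory's own DETAILS section points to is also worth raising: krb5_parse_name() never produces a zero-component name and the ASN.1 encoder treats one as an error, so krb5_unparse_name() could reject such a name with an error instead of emitting a string that is indistinguishable from a one-component name with an empty component.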

--------------------------- pgpenvelope information
Version: GnuPG v1.2.5 (SunOS)

gpg: encrypted with ELG-E key, ID 24930971
gpg: encrypted with 2048-bit ELG-E key, ID F14018AF, created 2004-05-28
      "Novell Security Alerts, Novell, Inc. <secure@novell.com>"
gpg: Signature made Tue Apr 26 23:00:28 2005 MEST using DSA key ID 2E2F668E
gpg: Can't check signature: public key not found

pgpenvelope_decrypt: message processed at Wed Apr 27 00:24:29 2005

--------------------------- end pgpenvelope information
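The zero-component overflow in krb5_unparse_name() that the advisory's DETAILS section describes, as an added example modelled on that description; this is not code from the MIT krb5 tree, the patch, or the bug report. It ignores the escaping of special characters the real function performs, uses C strings in place of krb5_data, and the sample principals and the EXAMPLE.COM realm are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COMPONENTS 8

/* Model of a principal: realm plus nelem NUL-terminated components
 * (assumption: the real krb5_principal uses counted krb5_data). */
struct principal {
    const char *realm;
    int nelem;                              /* number of name components */
    const char *components[MAX_COMPONENTS];
};

/* Size accounting as the advisory describes it. The realm and every
 * component are each counted with one extra byte "for the separator".
 * For nelem >= 1 the separator slot counted for the last component is
 * where the terminating NUL ends up, so no byte is counted for the NUL
 * itself; with nelem == 0 that slot does not exist. fixed != 0 applies
 * the patch's "if (nelem == 0) totalsize++;". */
static size_t unparse_size(const struct principal *p, int fixed)
{
    size_t totalsize = strlen(p->realm) + 1;             /* realm + '@' */
    for (int i = 0; i < p->nelem; i++)
        totalsize += strlen(p->components[i]) + 1;       /* component + '/' */
    if (fixed && p->nelem == 0)
        totalsize++;                                      /* room for the NUL */
    return totalsize;
}

/* Writer: components joined by '/', then '@', the realm and a NUL.
 * Writes at most cap bytes into out and returns the number of bytes the
 * complete output needs, NUL included. With nelem == 0 the output is
 * "@REALM\0", one byte more than the unfixed accounting allows for. */
static size_t unparse_write(const struct principal *p, char *out, size_t cap)
{
    size_t n = 0;
#define PUT(c) do { if (n < cap) out[n] = (c); n++; } while (0)
    for (int i = 0; i < p->nelem; i++) {
        if (i > 0)
            PUT('/');
        for (const char *c = p->components[i]; *c; c++)
            PUT(*c);
    }
    PUT('@');
    for (const char *c = p->realm; *c; c++)
        PUT(*c);
    PUT('\0');
#undef PUT
    return n;
}

/* Allocate the buffer krb5 would have allocated plus one sentinel byte,
 * let the writer run at most one byte past the computed size, and report
 * whether the sentinel just beyond the buffer was overwritten (1) or not (0). */
static int overflows(const struct principal *p, int fixed)
{
    size_t size = unparse_size(p, fixed);
    char *buf = malloc(size + 1);
    if (buf == NULL)
        return -1;
    buf[size] = (char)0xAA;                 /* sentinel: first byte past the end */
    unparse_write(p, buf, size + 1);        /* cap allows exactly one byte of overrun */
    int clobbered = buf[size] != (char)0xAA;
    free(buf);
    return clobbered;
}

/* Unparse into a caller buffer; NULL if it does not fit. */
static const char *unparse_into(const struct principal *p, char *buf, size_t cap)
{
    return unparse_write(p, buf, cap) <= cap ? buf : NULL;
}

int main(void)
{
    /* Constructed sample principals (not taken from any real realm). */
    const struct principal zero  = { "EXAMPLE.COM", 0, { 0 } };          /* zero components */
    const struct principal empty = { "EXAMPLE.COM", 1, { "" } };         /* one empty component */
    const struct principal host  = { "EXAMPLE.COM", 2, { "host", "www" } };
    char a[32], b[32];

    printf("host/www@EXAMPLE.COM: size %zu, needs %zu, overflow %d\n",
           unparse_size(&host, 0), unparse_write(&host, NULL, 0), overflows(&host, 0));
    printf("zero components:      size %zu, needs %zu, overflow %d (fixed: %d)\n",
           unparse_size(&zero, 0), unparse_write(&zero, NULL, 0),
           overflows(&zero, 0), overflows(&zero, 1));
    printf("both unparse to \"%s\" / \"%s\"\n",
           unparse_into(&zero, a, sizeof a), unparse_into(&empty, b, sizeof b));
    return 0;
}
```

Compile with any C99 compiler and run: the unfixed accounting gives the zero-component name one byte less than the writer emits, so the sentinel just past the buffer is overwritten by the NUL, while the patched accounting and the ordinary two-component name stay in bounds. The zero-component name and the one-empty-component name that krb5_parse_name() would produce both unparse to the identical string, which is the ambiguity the advisory mentions.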
Comment 1 Michael Calmer 2005-04-27 09:06:54 UTC
Created attachment 35646 [details]
krb5-1.4-VUL-0-krb5-overflow.dif
Comment 2 Thomas Biege 2005-06-02 09:07:57 UTC
Changing the summary to better distinguish this bug from a new one I'll enter in a few
minutes.
Comment 3 Thomas Biege 2005-06-03 08:42:05 UTC
 SM-Tracker-1455
Comment 4 Thomas Biege 2005-06-28 06:39:26 UTC
Ok, I think you can start submitting the updated packages now. Coordinated
release will be in ~2 weeks.
Bug #86768 and bug# 91600 should be part of it.
The author of pam_krb5 doesn't respond to my mail.
The MIT folks (Tom Yu) don't care much about the NULL reference I think (low
response).

So, we should fix and release them all together to keep our work-load low.

Comment 5 Michael Calmer 2005-06-28 08:22:17 UTC
Well I think the pam_krb5 module on sourceforge is dead. I think we can simply 
release.  
 
Ok, I will submit packages for 9.3 today. Do we need new patchinfos with 
all the bugs inside? 
Comment 6 Thomas Biege 2005-06-28 10:11:14 UTC
Yes we do.. I'll take care of it later.
Comment 7 Michael Calmer 2005-06-28 10:16:08 UTC
The package is submitted and you take care of the patchinfo. 
 
I reassign these Bugs to you now 
 
 
Comment 8 Ludwig Nussel 2005-07-12 14:53:39 UTC
The date has passed but 
http://web.mit.edu/kerberos/advisories/ 
doesn't list the advisory so it looks like it's not public yet. 
Comment 9 Ludwig Nussel 2005-07-13 07:23:01 UTC
public now, gentoo released an advisory 
Comment 10 Ludwig Nussel 2005-07-13 07:33:15 UTC
updates released 
Comment 11 Thomas Biege 2009-10-13 21:19:20 UTC
CVE-2005-1175: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)