Attachment 17617 Details for Bug 15203 – MIT krb5 fix

MIT krb5 fix

patch.txt (text/plain), 3.44 KB, created by Greg Hudson on 2022-11-03 21:35:41 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Greg Hudson

Created: 2022-11-03 21:35:41 UTC

Size: 3.44 KB

patch

obsolete

>commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583
>Author: Greg Hudson <ghudson@mit.edu>
>Date:   Mon Oct 17 20:25:11 2022 -0400
>
>    Fix integer overflows in PAC parsing
>    
>    In krb5_parse_pac(), check for buffer counts large enough to threaten
>    integer overflow in the header length and memory length calculations.
>    Avoid potential integer overflows when checking the length of each
>    buffer.  Credit to OSS-Fuzz for discovering one of the issues.
>    
>    CVE-2022-42898:
>    
>    In MIT krb5 releases 1.8 and later, an authenticated attacker may be
>    able to cause a KDC or kadmind process to crash by reading beyond the
>    bounds of allocated memory, creating a denial of service.  A
>    privileged attacker may similarly be able to cause a Kerberos or GSS
>    application service to crash.  On 32-bit platforms, an attacker can
>    also cause insufficient memory to be allocated for the result,
>    potentially leading to remote code execution in a KDC, kadmind, or GSS
>    or Kerberos application server process.  An attacker with the
>    privileges of a cross-realm KDC may be able to extract secrets from a
>    KDC process's memory by having them copied into the PAC of a new
>    ticket.
>    
>    ticket: 9074 (new)
>    tags: pullup
>    target_version: 1.20-next
>    target_version: 1.19-next
>
>diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
>index 2f1df8d42b..f6c4373de0 100644
>--- a/src/lib/krb5/krb/pac.c
>+++ b/src/lib/krb5/krb/pac.c
>@@ -28,6 +28,8 @@
> #include "int-proto.h"
> #include "authdata.h"
> 
>+#define MAX_BUFFERS 4096
>+
> /* draft-brezak-win2k-krb-authz-00 */
> 
> /*
>@@ -317,6 +319,9 @@ krb5_pac_parse(krb5_context context,
>     if (version != 0)
>         return EINVAL;
> 
>+    if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
>+        return ERANGE;
>+
>     header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
>     if (len < header_len)
>         return ERANGE;
>@@ -349,8 +354,8 @@ krb5_pac_parse(krb5_context context,
>             krb5_pac_free(context, pac);
>             return EINVAL;
>         }
>-        if (buffer->Offset < header_len ||
>-            buffer->Offset + buffer->cbBufferSize > len) {
>+        if (buffer->Offset < header_len || buffer->Offset > len ||
>+            buffer->cbBufferSize > len - buffer->Offset) {
>             krb5_pac_free(context, pac);
>             return ERANGE;
>         }
>diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
>index 0b1b1f0564..173bde7bab 100644
>--- a/src/lib/krb5/krb/t_pac.c
>+++ b/src/lib/krb5/krb/t_pac.c
>@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
>     0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
> };
> 
>+static const unsigned char fuzz1[] = {
>+    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
>+    0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
>+};
>+
>+static const unsigned char fuzz2[] = {
>+    0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
>+    0x20, 0x20
>+};
>+
> static const char *s4u_principal = "w2k8u@ACME.COM";
> static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
> 
>@@ -828,6 +838,14 @@ main(int argc, char **argv)
>         krb5_free_principal(context, sep);
>     }
> 
>+    /* Check problematic PACs found by fuzzing. */
>+    ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
>+    if (!ret)
>+        err(context, ret, "krb5_pac_parse should have failed");
>+    ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
>+    if (!ret)
>+        err(context, ret, "krb5_pac_parse should have failed");
>+
>     /*
>      * Test empty free
>      */

Actions: View

Attachments on bug 15203: 17565 | 17567 | 17597 | 17600 | 17617 | 17618 | 17619 | 17620 | 17621 | 17622 | 17623 | 17624 | 17625 | 17627 | 17657 | 17658 | 17659