Kerberos KDC Double Free in process_tgs_req() Remote Arbitrary Code

2010.04.27
Credit: Tom Yu
Risk: High
Local: No
Remote: Yes
CWE: CWE-394259


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2010-004 MIT krb5 Security Advisory 2010-004 Original release: 2010-04-20 Topic: double free in KDC CVE-2010-1320 CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 9 Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete CVSSv2 Temporal Score: 7 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= A double free vulnerability exists in the KDC in MIT krb5 releases krb5-1.7 and later. This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol. IMPACT ====== An authenticated remote attacker can crash the KDC by inducing the KDC to perform a double free. Under some circumstances on some platforms, this could also allow malicious code execution. Successfully inducing code execution by exploiting a double free is believed to be difficult, and no such exploits are known to exist for this vulnerability. AFFECTED SOFTWARE ================= * KDC in krb5-1.7 and later FIXES ===== * The upcoming krb5-1.8.2 release, as well as an upcoming krb5-1.7 series release, will contain a fix. * Apply the following patch: diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index b2f0655..76ca94a 100644 - --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -543,6 +543,7 @@ tgt_again: to the caller */ ticket_reply = *(header_ticket); enc_tkt_reply = *(header_ticket->enc_part2); + enc_tkt_reply.authorization_data = NULL; clear(enc_tkt_reply.flags, TKT_FLG_INVALID); } @@ -554,6 +555,7 @@ tgt_again: to the caller */ ticket_reply = *(header_ticket); enc_tkt_reply = *(header_ticket->enc_part2); + enc_tkt_reply.authorization_data = NULL; old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime; This patch is also available at http://web.mit.edu/kerberos/advisories/2010-004-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2010-004-patch.txt.asc REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: CVE-2010-1320 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1320 Debian bug #577490 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490 ACKNOWLEDGMENTS =============== Joel Johnson reported this bug to Debian. Brian Almeida provided a report that this bug affects krb5-1.7 releases. CONTACT ======= The MIT Kerberos Team security contact address is <krbcore-security (at) mit (dot) edu [email concealed]>. When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01] uid MIT Kerberos Team Security Contact <krbcore-security (at) mit (dot) edu [email concealed]> DETAILS ======= When process_tgs_req() handles renewal or validation of existing tickets, it copies header_ticket->enc_part2 (from the ticket that is being validated or renewed) to enc_tkt_reply (the new ticket being generated for the reply). This causes enc_tkt_reply.authorization_data to be an alias for memory that belongs to the request. As process_tgs_req() exits, it frees both header_ticket and enc_tkt_reply, which causes the aliased memory to be freed twice. In the krb5-1.8 releases, unlike prior MIT krb5 releases, the TGS request processing normally adds a "signedpath" authorization data element, which causes merge_authdata() to run. Inside merge_authdata() is a call to realloc() that can potentially cause the authorization data from header_ticket to be freed (if realloc() needs to relocate the memory) an additional time before the cleanup code at the end of process_tgs_req(). The krb5-1.7 releases can still encounter this condition under less common circumstances, such as when a client provides authorization data that it wants the KDC include in the new ticket. REVISION HISTORY ================ 2010-04-20 original release Copyright (C) 2010 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) iEYEARECAAYFAkvN7+QACgkQSO8fWy4vZo5+dQCfV+qgkScspXVbQ9rgZ/L8m1Rp 9mcAn31H+mi9pTcmEyhMzRuXD47VVKv3 =W2dB -----END PGP SIGNATURE-----

References:

http://www.securityfocus.com/bid/39599
http://www.securityfocus.com/archive/1/archive/1/510843/100/0/threaded
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt
http://securitytracker.com/id?1023904
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top