GSS-API lib null pointer deref

Credit: Tom Yu
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 6.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2010-005 MIT krb5 Security Advisory 2010-005 Original release: 2010-05-18 Topic: GSS-API library null pointer dereference CVE-2010-1321 CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 6.8 Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 5.3 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= Certain invalid GSS-API tokens can cause a GSS-API acceptor (server) to crash due to a null pointer dereference in the GSS-API library. This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol. IMPACT ====== An authenticated remote attacker can cause a GSS-API application server (including the Kerberos administration daemon kadmind) to crash by sending a malformed GSS-API token that induces a null pointer dereference. AFFECTED SOFTWARE ================= * kadmind and other GSS-API server applications in all known releases of MIT krb5, up to and including krb5-1.8.1 * third-party GSS-API server applications that link link against the GSS-API library in all known releases of MIT krb5, up to and including krb5-1.8.1 * Independent implementations of the krb5 GSS-API mechanism may be vulnerable, as the underlying bug is based on plausible (but invalid) assumptions about the Kerberos protocol. FIXES ===== * The upcoming krb5-1.8.2 release and an upcoming krb5-1.7 series release will contain a fix for this vulnerability. * Apply the following patch. The patch was generated against krb5-1.8.1, but should also apply to krb5-1.7 series releases. diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index ce3075f..6241055 100644 - --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -607,6 +607,13 @@ kg_accept_krb5(minor_status, context_handle, } #endif + if (authdat->checksum == NULL) { + /* missing checksum counts as "inappropriate type" */ + code = KRB5KRB_AP_ERR_INAPP_CKSUM; + major_status = GSS_S_FAILURE; + goto fail; + } + if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) { /* Samba does not send 0x8003 GSS-API checksums */ krb5_boolean valid; This patch is also available at A PGP-signed patch is available at For the krb5-1.6 release: PGP-signed patch for krb5-1.6: Earlier releases may require minor porting. REFERENCES ========== This announcement is posted at: This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: The main MIT Kerberos web page is at: CVSSv2: CVE: CVE-2010-1321 ACKNOWLEDGMENTS =============== Thanks to Shawn Emery (Oracle) for reporting this vulnerability. CONTACT ======= The MIT Kerberos Team security contact address is <krbcore-security (at) mit (dot) edu [email concealed]>. When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01] uid MIT Kerberos Team Security Contact <krbcore-security (at) mit (dot) edu [email concealed]> DETAILS ======= The krb5 GSS-API mechanism specification requires that the checksum field in the authenticator of the Kerberos AP-REQ (which is optional in the base Kerberos protocol) be present and contain specific contents. If the checksum field is missing, the decoded structure contains a null pointer, which code called through krb5_gss_accept_sec_context() dereferences without first checking for a null pointer. Independent implementations of the krb5 GSS-API mechanism may be vulnerable because a developer might reasonably make the invalid assumption that the authenticator checksum field is not empty (and hence, that the C representation would not contain a null pointer). REVISION HISTORY ================ 2010-05-18 original release Copyright (C) 2010 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) iEYEARECAAYFAkvy1ooACgkQSO8fWy4vZo4u8gCgz7jbjv/wCB4gvphXuK8x1g1f +PMAoKOiUzAEan9RPXQ4MN4SJ2Cl1Zl8 =wuxV -----END PGP SIGNATURE-----


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top