You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
106 lines
3.5 KiB
106 lines
3.5 KiB
From 7d68cfc84cd7d0657c01afa52dfe69181b401a4a Mon Sep 17 00:00:00 2001 |
|
From: Greg Hudson <ghudson@mit.edu> |
|
Date: Mon, 17 Oct 2022 20:25:11 -0400 |
|
Subject: [PATCH] Fix integer overflows in PAC parsing |
|
|
|
In krb5_parse_pac(), check for buffer counts large enough to threaten |
|
integer overflow in the header length and memory length calculations. |
|
Avoid potential integer overflows when checking the length of each |
|
buffer. |
|
|
|
CVE-2022-42898: |
|
|
|
In MIT krb5 releases 1.8 and later, an authenticated attacker may be |
|
able to cause a KDC or kadmind process to crash by reading beyond the |
|
bounds of allocated memory, creating a denial of service. A |
|
privileged attacker may similarly be able to cause a Kerberos or GSS |
|
application service to crash. On 32-bit platforms, an attacker can |
|
also cause insufficient memory to be allocated for the result, |
|
potentially leading to remote code execution in a KDC, kadmind, or GSS |
|
or Kerberos application server process. An attacker with the |
|
privileges of a cross-realm KDC may be able to extract secrets from |
|
the KDC process's memory by having them copied into the PAC of a new |
|
ticket. |
|
|
|
ticket: 9074 (new) |
|
tags: pullup |
|
target_version: 1.20-next |
|
target_version: 1.19-next |
|
--- |
|
src/lib/krb5/krb/pac.c | 9 +++++++-- |
|
src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++ |
|
2 files changed, 25 insertions(+), 2 deletions(-) |
|
|
|
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c |
|
index 950beda657..1b9ef12276 100644 |
|
--- a/src/lib/krb5/krb/pac.c |
|
+++ b/src/lib/krb5/krb/pac.c |
|
@@ -27,6 +27,8 @@ |
|
#include "k5-int.h" |
|
#include "authdata.h" |
|
|
|
+#define MAX_BUFFERS 4096 |
|
+ |
|
/* draft-brezak-win2k-krb-authz-00 */ |
|
|
|
/* |
|
@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context, |
|
if (version != 0) |
|
return EINVAL; |
|
|
|
+ if (cbuffers < 1 || cbuffers > MAX_BUFFERS) |
|
+ return ERANGE; |
|
+ |
|
header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); |
|
if (len < header_len) |
|
return ERANGE; |
|
@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context, |
|
krb5_pac_free(context, pac); |
|
return EINVAL; |
|
} |
|
- if (buffer->Offset < header_len || |
|
- buffer->Offset + buffer->cbBufferSize > len) { |
|
+ if (buffer->Offset < header_len || buffer->Offset > len || |
|
+ buffer->cbBufferSize > len - buffer->Offset) { |
|
krb5_pac_free(context, pac); |
|
return ERANGE; |
|
} |
|
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c |
|
index ee47152ee4..ccd165380d 100644 |
|
--- a/src/lib/krb5/krb/t_pac.c |
|
+++ b/src/lib/krb5/krb/t_pac.c |
|
@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = { |
|
0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00 |
|
}; |
|
|
|
+static const unsigned char fuzz1[] = { |
|
+ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, |
|
+ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5 |
|
+}; |
|
+ |
|
+static const unsigned char fuzz2[] = { |
|
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, |
|
+ 0x20, 0x20 |
|
+}; |
|
+ |
|
static const char *s4u_principal = "w2k8u@ACME.COM"; |
|
static const char *s4u_enterprise = "w2k8u@abc@ACME.COM"; |
|
|
|
@@ -646,6 +656,14 @@ main(int argc, char **argv) |
|
krb5_free_principal(context, sep); |
|
} |
|
|
|
+ /* Check problematic PACs found by fuzzing. */ |
|
+ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac); |
|
+ if (!ret) |
|
+ err(context, ret, "krb5_pac_parse should have failed"); |
|
+ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac); |
|
+ if (!ret) |
|
+ err(context, ret, "krb5_pac_parse should have failed"); |
|
+ |
|
/* |
|
* Test empty free |
|
*/ |
|
-- |
|
2.37.3 |
|
|
|
|