Kerberos krb5-1.13 Insecure Functions
Posted on 07 April 2015
Source: packetstormsecurity.org
-=[Advanced Information Security Corp]=-
Nicholas Lemonias
Report Date: 3/4/2015
Email: lem.nikolas@gmail.com
Introduction
==============
During a source-code audit of the krb5-1.13 stable release (15 October 2014)
for Linux, conducted internally by the Advanced Information Security Group,
instances of insecure function use were observed which could lead to a
number of attacks.
Software Overview
==================
Kerberos is a computer network authentication protocol which works on
the basis of 'tickets' to allow nodes communicating over a non-secure
network to prove their identity to one another in a secure manner.
Its designers aimed it primarily at a client-server model and it
provides mutual authentication: both the user and the server verify
each other's identity. Kerberos protocol messages are protected against
eavesdropping and replay attacks. Kerberos builds on symmetric key
cryptography and requires a trusted third party, and optionally may use
public-key cryptography during certain phases of authentication.

Massachusetts Institute of Technology (MIT) developed Kerberos to
protect network services provided by Project Athena. The protocol is
based on the earlier Needham-Schroeder symmetric key protocol. Several
versions of the protocol exist; versions 1 through 3 occurred only
internally at MIT. Steve Miller and Clifford Neuman, the primary
designers of Kerberos version 4, published that version in the late
1980s, although they had targeted it primarily for Project Athena.
Version 5, designed by John Kohl and Clifford Neuman, appeared as RFC
1510 in 1993 (made obsolete by RFC 4120 in 2005), with the intention
of overcoming the limitations and security problems of version 4.
Authorities in the United States classified Kerberos as auxiliary
military technology and banned its export because it used the Data
Encryption Standard (DES) encryption algorithm (with 56-bit keys).
PoC 1 - Code Snippet [CWE 362]
==============================
(.../src/ccapi/server/win/ccs_win_pipe.c:67)
struct ccs_win_pipe_t* ccs_win_pipe_new (const char* uuid, const UINT64 h) {
    cc_int32                err      = ccNoError;
    struct ccs_win_pipe_t*  out_pipe = NULL;
    char*                   uuidCopy = NULL;

    if (!err) {
        if (!uuid) {err = cci_check_error(ccErrBadParam);}
    }

    if (!err) {
        uuidCopy = (char*)malloc(1+strlen(uuid));
        if (!uuidCopy) {err = cci_check_error(ccErrBadParam);}
        strcpy(uuidCopy, uuid);
    }

    if (!err) {
        out_pipe = (struct ccs_win_pipe_t*)malloc(sizeof(struct ccs_win_pipe_t));
        if (!out_pipe) {err = cci_check_error(ccErrBadParam);}
        out_pipe->uuid = uuidCopy;
        out_pipe->clientHandle = h;
    }

#if 0
    cci_debug_printf("0x%X = %s(%s, 0x%X)", out_pipe, __FUNCTION__, uuid, h);
#endif
    return out_pipe;
}
Description: Memory leak [1]
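In the snippet above, the block already allocated for uuidCopy is never released when the second malloc fails, and in both allocation blocks the pointer is used (strcpy, field stores) before the error set by the NULL check is acted on. The following C is an added example, not krb5 code: a hardened re-implementation of the constructor in which every allocation is checked before use, the copy is length-bounded instead of strcpy, and the error path releases what was already allocated. The UINT64/cc_int32 typedefs, the status values, the err_out parameter and the x_malloc/x_free wrappers (an instrumented allocator that lets the failure path be exercised and counts live blocks) are assumptions standing in for the CCAPI definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the CCAPI types and status codes (assumptions: the real
   definitions live in krb5's ccapi headers and are not reproduced here). */
typedef uint64_t UINT64;
typedef int32_t  cc_int32;
enum { ccNoError = 0, ccErrBadParam = 1, ccErrNoMem = 2 };

struct ccs_win_pipe_t {
    char   *uuid;
    UINT64  clientHandle;
};

/* Instrumented allocator so the scenarios below can force the second
   allocation to fail and count live blocks; production code would call
   malloc/free directly. */
static int g_fail_after  = -1;   /* -1: never fail; n: the (n+1)th call returns NULL */
static int g_live_blocks = 0;

static void *x_malloc(size_t n)
{
    if (g_fail_after == 0) return NULL;
    if (g_fail_after > 0) g_fail_after--;
    void *p = malloc(n);
    if (p) g_live_blocks++;
    return p;
}
static void x_free(void *p) { if (p) { g_live_blocks--; free(p); } }

/* Hardened constructor: every allocation is checked before it is touched,
   the copy is length-bounded, and a failure after the first allocation
   releases it, so no error path leaks uuidCopy or writes through NULL.
   err_out receives the status code (assumed API shape, not CCAPI's). */
struct ccs_win_pipe_t *ccs_win_pipe_new_checked(const char *uuid, UINT64 h,
                                                cc_int32 *err_out)
{
    cc_int32 err = ccNoError;
    struct ccs_win_pipe_t *out_pipe = NULL;
    char *uuidCopy = NULL;

    if (!uuid) err = ccErrBadParam;

    if (!err) {
        size_t len = strlen(uuid) + 1;
        uuidCopy = x_malloc(len);
        if (!uuidCopy) err = ccErrNoMem;
        else memcpy(uuidCopy, uuid, len);          /* bounded copy, not strcpy */
    }

    if (!err) {
        out_pipe = x_malloc(sizeof *out_pipe);
        if (!out_pipe) {
            err = ccErrNoMem;
            x_free(uuidCopy);                      /* the original leaks this block */
            uuidCopy = NULL;
        } else {
            out_pipe->uuid = uuidCopy;
            out_pipe->clientHandle = h;
        }
    }

    if (err_out) *err_out = err;
    return out_pipe;                  /* NULL on any error, with nothing left allocated */
}

void ccs_win_pipe_free(struct ccs_win_pipe_t *p)
{
    if (!p) return;
    x_free(p->uuid);
    x_free(p);
}

/* Scenario helpers: each returns 1 when the constructor behaved as intended. */
int scenario_roundtrip(void)
{
    cc_int32 err = -1;
    g_fail_after = -1;
    struct ccs_win_pipe_t *p = ccs_win_pipe_new_checked("0123-abcd", 42, &err);
    int ok = p && err == ccNoError && strcmp(p->uuid, "0123-abcd") == 0
             && p->clientHandle == 42;
    ccs_win_pipe_free(p);
    return ok && g_live_blocks == 0;
}

int scenario_null_uuid(void)
{
    cc_int32 err = ccNoError;
    return ccs_win_pipe_new_checked(NULL, 7, &err) == NULL && err == ccErrBadParam;
}

int scenario_second_alloc_fails(void)
{
    cc_int32 err = ccNoError;
    g_fail_after = 1;                 /* uuidCopy succeeds, out_pipe allocation fails */
    struct ccs_win_pipe_t *p = ccs_win_pipe_new_checked("0123-abcd", 42, &err);
    g_fail_after = -1;
    return p == NULL && err == ccErrNoMem && g_live_blocks == 0;
}
```

The third scenario is the one that distinguishes the two versions: with the original control flow, a NULL from the second malloc would leave uuidCopy allocated and then dereference out_pipe; here the constructor returns NULL with a distinct status and the live-block counter confirms nothing was left behind. The same counter makes a convenient assertion in a unit test or under a sanitizer build when auditing other constructors of this shape.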
PoC 2 - Code Snippet [CWE 457]
==============================
(.../src/lib/kadm5/chpass_util.c:110)
    int code, code2;
    unsigned int pwsize;
    static char buffer[255];
    char *new_password;
    kadm5_principal_ent_rec princ_ent;
    kadm5_policy_ent_rec policy_ent;

    _KADM5_CHECK_HANDLE(server_handle);

    if (ret_pw)
        *ret_pw = NULL;

    if (new_pw != NULL) {
        new_password = new_pw;
    } else { /* read the password */
        krb5_context context;

        if ((code = (int) kadm5_init_krb5_context(&context)) == 0) {
            pwsize = sizeof(buffer);
            code = krb5_read_password(context, KADM5_PW_FIRST_PROMPT,
                                      KADM5_PW_SECOND_PROMPT,
                                      buffer, &pwsize);
            krb5_free_context(context);
        }
        if (code == 0)
            new_password = buffer;
        else {
#ifdef ZEROPASSWD
            memset(buffer, 0, sizeof(buffer));
#endif
            if (code == KRB5_LIBOS_BADPWDMATCH) {
                strncpy(msg_ret, string_text(CHPASS_UTIL_NEW_PASSWORD_MISMATCH),
                        msg_len - 1);
                msg_ret[msg_len - 1] = '