Regression tests for CVE-2012-1014, CVE-2012-1015

author Tom Yu <tlyu@mit.edu>

Wed, 8 Aug 2012 03:14:03 +0000 (23:14 -0400)

committer Tom Yu <tlyu@mit.edu>

Wed, 8 Aug 2012 17:32:19 +0000 (13:32 -0400)
author Tom Yu <tlyu@mit.edu>
Wed, 8 Aug 2012 03:14:03 +0000 (23:14 -0400)
committer Tom Yu <tlyu@mit.edu>
Wed, 8 Aug 2012 17:32:19 +0000 (13:32 -0400)
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in

index 008e7d11a2eebe4ede82fa08130ea04dda29c0df..a8ca4641d9e57fe64d9edca6223d133ea39b032c 100644 (file)
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -75,6 +75,8 @@ check-pytests:: hist
         $(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
         $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
  #      $(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)
+       $(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS)
+       $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
  
  clean::
         $(RM) kdc.conf
diff --git a/src/tests/t_cve-2012-1014.py b/src/tests/t_cve-2012-1014.py

new file mode 100644 (file)

index 0000000..e02162d
--- /dev/null
+++ b/src/tests/t_cve-2012-1014.py
@@ -0,0 +1,31 @@
+#!/usr/bin/python
+
+import base64
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# CVE-2012-1014 KDC dereferences uninitialized pointer
+
+# Affects only krb5-1.10.x.
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+x1 = base64.b16decode('6A5E305BA103020105A2030201')
+x2 = base64.b16decode('A44F304DA007030500FEDCBA90A10E30' +
+                      '0CA003020101A10530031B0141A2031B' +
+                      '0141A30E300CA003020101A10530031B' +
+                      '0141A511180F31393934303631303036' +
+                      '303331375AA70302012AA80530030201' +
+                      '01')
+
+for x in range(11, 128):
+    s.sendto(''.join([x1, chr(x), x2]), a)
+
+# Make sure kinit still works.
+
+realm.kinit(realm.user_princ, password('user'))
+
+success('CVE-2012-1014 regression test')
diff --git a/src/tests/t_cve-2012-1015.py b/src/tests/t_cve-2012-1015.py

new file mode 100644 (file)

index 0000000..e00c4dc
--- /dev/null
+++ b/src/tests/t_cve-2012-1015.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+
+import base64
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# CVE-2012-1015 KDC frees uninitialized pointer
+
+# Force a failure in krb5_c_make_checksum(), which causes the cleanup
+# code in kdc_handle_protected_negotiation() to free an uninitialized
+# pointer in an unpatched KDC.
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+x1 = base64.b16decode('6A81A030819DA103020105A20302010A' +
+                      'A30E300C300AA10402020095A2020400' +
+                      'A48180307EA00703050000000000A120' +
+                      '301EA003020101A11730151B066B7262' +
+                      '7467741B0B4B5242544553542E434F4D' +
+                      'A20D1B0B4B5242544553542E434F4DA3' +
+                      '20301EA003020101A11730151B066B72' +
+                      '627467741B0B4B5242544553542E434F' +
+                      '4DA511180F3139393430363130303630' +
+                      '3331375AA7030201')
+
+x2 = base64.b16decode('A8083006020106020112')
+
+for x in range(0, 128):
+    s.sendto(''.join([x1, chr(x), x2]), a)
+
+# Make sure kinit still works.
+
+realm.kinit(realm.user_princ, password('user'))
+
+success('CVE-2012-1015 regression test')
author	Tom Yu <tlyu@mit.edu>
	Wed, 8 Aug 2012 03:14:03 +0000 (23:14 -0400)
committer	Tom Yu <tlyu@mit.edu>
	Wed, 8 Aug 2012 17:32:19 +0000 (13:32 -0400)
src/tests/Makefile.in		patch \| blob \| blame \| history
src/tests/t_cve-2012-1014.py	[new file with mode: 0644]	patch \| blob
src/tests/t_cve-2012-1015.py	[new file with mode: 0644]	patch \| blob