Fix KDC uninit ptrs [CVE-2012-1014 CVE-2012-1015]

Fix KDC heap corruption and crash vulnerabilities [MITKRB5-SA-2012-001
CVE-2012-1014 CVE-2012-1015].

CVE-2012-1015: The cleanup code in kdc_handle_protected_negotiation()
in kdc_util.c could free an uninitialized pointer in some error
conditions involving "similar" enctypes and a failure in
krb5_c_make_checksum().  Initialize the pointer correctly.

Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of
CVE-2012-1015 (possibly in unpatched KDCs).

CVE-2012-1014: process_as_req() could encounter an error condition
(typically a malformed AS-REQ message) that could cause its cleanup
code to dereference an uninitialized pointer, causing a crash.
Initialize the pointer correctly.

ticket: 7226 (new)
version_fixed: 1.10.3
status: resolved

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 23623fe1b4e4a94697e692d85ae8ec2ad981c2bb..8ada9d0170b892b4f36851dbeced6a570fb11c10 100644 (file)
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     krb5_enctype useenctype;
     struct as_req_state *state;
 
-    state = malloc(sizeof(*state));
+    state = calloc(sizeof(*state), 1);
     if (!state) {
         (*respond)(arg, ENOMEM, NULL);
         return;
@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     state->authtime = 0;
     state->c_flags = 0;
     state->req_pkt = req_pkt;
+    state->inner_body = NULL;
     state->rstate = NULL;
     state->sname = 0;
     state->cname = 0;

diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 9d8cb3453981755d21879de91514bea8588086fc..d4ece3f0d1015ffb061b904331f949d3478153da 100644 (file)
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
                 continue;
 
             }
-            if (request_contains_enctype(context, request, db_etype)) {
+            if (krb5_is_permitted_enctype(context, db_etype) &&
+                request_contains_enctype(context, request, db_etype)) {
                 retval = _make_etype_info_entry(context, client->princ,
                                                 client_key, db_etype,
                                                 &entry[i], etype_info2);

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a43b291e7e2292fcfcf23a03d443dfde781ee77c..94dad3a6560e11051f7b550a6252dcb4e7fbdb9f 100644 (file)
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
         return 0;
     pa.magic = KV5M_PA_DATA;
     pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+    memset(&checksum, 0, sizeof(checksum));
     retval = krb5_c_make_checksum(kdc_context,0, reply_key,
                                   KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
     if (retval != 0)

diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index c4bf92e509689326a00f59909f91826100398460..367c8941b3653594c94dae6dfd86c72904a8716d 100644 (file)
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
     krb5_boolean        saw_non_permitted = FALSE;
 
     ret = 0;
+    if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+        return KRB5_KDB_NO_PERMITTED_KEY;
+
     if (kvno == -1 && stype == -1 && ktype == -1)
         kvno = 0;