From: Tom Yu <tlyu@mit.edu>
Date: Fri, 29 Mar 2013 23:27:33 +0000 (-0400)
Subject: KDC TGS-REQ null deref [CVE-2013-1416]
X-Git-Tag: krb5-1.9.5-final~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fd9edbf12c4203cb2690c51c7ddea006e3215a5;p=thirdparty%2Fkrb5.git

KDC TGS-REQ null deref [CVE-2013-1416]

By sending an unusual but valid TGS-REQ, an authenticated remote
attacker can cause the KDC process to crash by dereferencing a null
pointer.

prep_reprocess_req() can cause a null pointer dereference when
processing a service principal name.  Code in this function can
inappropriately pass a null pointer to strlcpy().  Unmodified client
software can trivially trigger this vulnerability, but the attacker
must have already authenticated and received a valid Kerberos ticket.

The vulnerable code was introduced by the implementation of new
service principal realm referral functionality in krb5-1.7, but was
corrected as a side effect of the KDC refactoring in krb5-1.11.

CVSSv2 vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C

(cherry picked from commit 8ee70ec63931d1e38567905387ab9b1d45734d81)

ticket: 7622 (new)
version_fixed: 1.9.5
status: resolved
---

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index d5f34b63d1..3fdaad9bc3 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1137,7 +1137,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
             retval = ENOMEM;
             goto cleanup;
         }
-        strlcpy(comp1_str,comp1->data,comp1->length+1);
+        if (comp1->data != NULL)
+            memcpy(comp1_str, comp1->data, comp1->length);
 
         if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
              krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
@@ -1160,7 +1161,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
                 retval = ENOMEM;
                 goto cleanup;
             }
-            strlcpy(temp_buf, comp2->data,comp2->length+1);
+            if (comp2->data != NULL)
+                memcpy(temp_buf, comp2->data, comp2->length);
             retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
             free(temp_buf);
             if (retval) {