From: Nalin Dahyabhai Date: Thu, 13 Dec 2012 19:26:07 +0000 (-0500) Subject: PKINIT (draft9) null ptr deref [CVE-2012-1016] X-Git-Tag: krb5-1.12-alpha1~413 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd5ff932c9d1439c961b0cf9ccff979356686aff;p=thirdparty%2Fkrb5.git PKINIT (draft9) null ptr deref [CVE-2012-1016] Don't check for an agility KDF identifier in the non-draft9 reply structure when we're building a draft9 reply, because it'll be NULL. The KDC plugin for PKINIT can dereference a null pointer when handling a draft9 request, leading to a crash of the KDC process. An attacker would need to have a valid PKINIT certificate, or an unauthenticated attacker could execute the attack if anonymous PKINIT is enabled. CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C [tlyu@mit.edu: reformat comment and edit log message] ticket: 7506 (new) target_version: 1.11 tags: pullup --- diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index dcfda894bc..132eef6653 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -1026,8 +1026,9 @@ pkinit_server_return_padata(krb5_context context, rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { - /* If mutually supported KDFs were found, use the alg agility KDF */ - if (rep->u.dh_Info.kdfID) { + /* If we're not doing draft 9, and mutually supported KDFs were found, + * use the algorithm agility KDF. */ + if (rep != NULL && rep->u.dh_Info.kdfID) { secret.data = (char *)server_key; secret.length = server_key_len;