Greg Hudson [Thu, 26 Mar 2015 16:47:06 +0000 (12:47 -0400)]
Disable principal renames for LDAP
The current principal rename procedure does not work with the LDAP KDB
module, instead having the effect of deleting the principal. The fix
is not easy and requires amending the DAL (see issue #8065). For now,
detect LDAP and error out when a rename operation is attempted.
Greg Hudson [Fri, 13 Mar 2015 17:30:49 +0000 (13:30 -0400)]
Log invalid restrictions strings
In kadm5int_acl_parse_restrictions(), output a log message if we break
out of the parsing loop with an error. The current structure of the
loop makes it difficult to pinpoint the bad restrictions field, so
just output the whole string.
Greg Hudson [Fri, 13 Mar 2015 16:45:27 +0000 (12:45 -0400)]
Document correct flag names for kadm5.acl
kadm5.acl entries can include restrictions which can force flag values
on or off. These flag values are parsed with krb5_string_to_flags(),
which means the flag names are the ones for default_principal_flags,
not the ones for kadmin addprinc/modprinc.
Greg Hudson [Thu, 12 Mar 2015 20:36:33 +0000 (16:36 -0400)]
Fix scope of kadmind ACL wildcard back-references
In kadm5int_acl_find_entry(), clear the wildcard back-references list
for each acl entry. Otherwise the wildcards we process can affect
back-references for later entries.
Solly Ross [Thu, 5 Mar 2015 18:22:58 +0000 (13:22 -0500)]
Import names immediately with COMPOSITE_EXPORT
RFC 6680 specifies that GSS_Export_name_composite() "outputs a token that
"can be imported with GSS_Import_name(), using GSS_C_NT_COMPOSITE_EXPORT
as the name type...". Therefore, in the gss_import_name mechglue, we
should perform the import process imediately when either
GSS_C_NT_COMPOSITE_EXPORT or GSS_C_NT_EXPORT_NAME are used (not just
for the later, as is the current functionality).
The naming extension test was also updated to display the result
of importing with GSS_C_NT_COMPOSITE_EXPORT in addition to
GSS_C_NT_EXPORT_NAME.
Greg Hudson [Tue, 9 Dec 2014 17:37:44 +0000 (12:37 -0500)]
Fix krb5_read_message handling [CVE-2014-5355]
In recvauth_common, do not use strcmp against the data fields of
krb5_data objects populated by krb5_read_message(), as there is no
guarantee that they are C strings. Instead, create an expected
krb5_data value and use data_eq().
In the sample user-to-user server application, check that the received
client principal name is null-terminated before using it with printf
and krb5_parse_name.
CVE-2014-5355:
In MIT krb5, when a server process uses the krb5_recvauth function, an
unauthenticated remote attacker can cause a NULL dereference by
sending a zero-byte version string, or a read beyond the end of
allocated storage by sending a non-null-terminated version string.
The example user-to-user server application (uuserver) is similarly
vulnerable to a zero-length or non-null-terminated principal name
string.
The krb5_recvauth function reads two version strings from the client
using krb5_read_message(), which produces a krb5_data structure
containing a length and a pointer to an octet sequence. krb5_recvauth
assumes that the data pointer is a valid C string and passes it to
strcmp() to verify the versions. If the client sends an empty octet
sequence, the data pointer will be NULL and strcmp() will dereference
a NULL pointer, causing the process to crash. If the client sends a
non-null-terminated octet sequence, strcmp() will read beyond the end
of the allocated storage, possibly causing the process to crash.
uuserver similarly uses krb5_read_message() to read a client principal
name, and then passes it to printf() and krb5_parse_name() without
verifying that it is a valid C string.
The krb5_recvauth function is used by kpropd and the Kerberized
versions of the BSD rlogin and rsh daemons. These daemons are usually
run out of inetd or in a mode which forks before processing incoming
connections, so a process crash will generally not result in a
complete denial of service.
Tom Yu [Wed, 4 Feb 2015 22:01:14 +0000 (17:01 -0500)]
Avoid uninitialized data in t_prf.c
In t_prf.c, make sure that the partially initialized, faked-up
structures gss_union_ctx_id_desc and krb5_gss_ctx_id_rec are zeroed.
This avoids uninitialized reads in gss_pseudo_random(), which can
cause intermittent test failures on some platforms.
Greg Hudson [Wed, 4 Feb 2015 18:03:20 +0000 (13:03 -0500)]
Bump DAL major version for iterate change
Commit ab009b8568d9b64b7e992ecdb98114e895b4a7ff for issue #7977
changed the signature of krb5_db_iterate() and properly bumped
KRB5_KDB_API_VERSION from 7 to 8. It also changed the signature of
the DAL iterate() function, but did not bump
KRB5_KDB_DAL_MAJOR_VERSION. Bump that version from 4 to 5 now.
Greg Hudson [Mon, 29 Dec 2014 18:17:56 +0000 (13:17 -0500)]
Fix gssrpc data leakage [CVE-2014-9423]
[MITKRB5-SA-2015-001] In svcauth_gss_accept_sec_context(), do not copy
bytes from the union context into the handle field we send to the
client. We do not use this handle field, so just supply a fixed
string of "xxxx".
In gss_union_ctx_id_struct, remove the unused "interposer" field which
was causing part of the union context to remain uninitialized.
Greg Hudson [Mon, 29 Dec 2014 18:27:42 +0000 (13:27 -0500)]
Fix kadmind server validation [CVE-2014-9422]
[MITKRB5-SA-2015-001] In kadmind's check_rpcsec_auth(), use
data_eq_string() instead of strncmp() to check components of the
server principal, so that we don't erroneously match left substrings
of "kadmin", "history", or the realm.
Greg Hudson [Sat, 27 Dec 2014 19:16:13 +0000 (14:16 -0500)]
Fix kadm5/gssrpc XDR double free [CVE-2014-9421]
[MITKRB5-SA-2015-001] In auth_gssapi_unwrap_data(), do not free
partial deserialization results upon failure to deserialize. This
responsibility belongs to the callers, svctcp_getargs() and
svcudp_getargs(); doing it in the unwrap function results in freeing
the results twice.
In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers
we are freeing, as other XDR functions such as xdr_bytes() and
xdr_string().
Greg Hudson [Wed, 5 Nov 2014 16:58:04 +0000 (11:58 -0500)]
Fix gss_process_context_token() [CVE-2014-5352]
[MITKRB5-SA-2015-001] The krb5 gss_process_context_token() should not
actually delete the context; that leaves the caller with a dangling
pointer and no way to know that it is invalid. Instead, mark the
context as terminated, and check for terminated contexts in the GSS
functions which expect established contexts. Also add checks in
export_sec_context and pseudo_random, and adjust t_prf.c for the
pseudo_random check.
Simo Sorce [Tue, 20 Jan 2015 18:48:34 +0000 (13:48 -0500)]
Do not loop on principal unknown errors
If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]
Greg Hudson [Wed, 14 Jan 2015 18:10:39 +0000 (13:10 -0500)]
Check for null *iter_p in profile_iterator()
In profile_iterator(), return PROF_MAGIC_ITERATOR if *iter_p is NULL,
instead of dereferencing a null pointer, as we did prior to 1.10.
Correct calling code will not trigger this case, but incorrect code
has been reported in the field.
Ben Kaduk [Wed, 19 Nov 2014 17:04:46 +0000 (12:04 -0500)]
Support keyless principals in LDAP [CVE-2014-5354]
Operations like "kadmin -q 'addprinc -nokey foo'" or
"kadmin -q 'purgekeys -all foo'" result in principal entries with
no keys present, so krb5_encode_krbsecretkey() would just return
NULL, which then got unconditionally dereferenced in
krb5_add_ber_mem_ldap_mod().
Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
principals better, correct the test for an allocation failure, and
slightly restructure the cleanup handler to be shorter and more
appropriate for the usage. Once it no longer short-circuits when
n_key_data is zero, it will produce an array of length two with both
entries NULL, which is treated as an empty list by the LDAP library,
the correct behavior for a keyless principal.
However, attributes with empty values are only handled by the LDAP
library for Modify operations, not Add operations (which only get
a sequence of Attribute, with no operation field). Therefore, only
add an empty krbprincipalkey to the modlist when we will be performing a
Modify, and not when we will be performing an Add, which is conditional
on the (misspelled) create_standalone_prinicipal boolean.
CVE-2014-5354:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL
dereference by inserting into the database a principal entry which
contains no long-term keys.
In order for the LDAP KDC backend to translate a principal entry
from the database abstraction layer into the form expected by the
LDAP schema, the principal's keys are encoded into a
NULL-terminated array of length-value entries to be stored in the
LDAP database. However, the subroutine which produced this array
did not correctly handle the case where no keys were present,
returning NULL instead of an empty array, and the array was
unconditionally dereferenced while adding to the list of LDAP
operations to perform.
Versions of MIT krb5 prior to 1.12 did not expose a way for
principal entries to have no long-term key material, and
therefore are not vulnerable.
Greg Hudson [Fri, 5 Dec 2014 19:01:39 +0000 (14:01 -0500)]
Fix LDAP misused policy name crash [CVE-2014-5353]
In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
successfully with no results, return KRB5_KDB_NOENTRY instead of
returning success with a zeroed-out policy object. This fixes a null
dereference when an admin attempts to use an LDAP ticket policy name
as a password policy name.
CVE-2014-5353:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal. The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.
Queries to LDAP scoped to the krbPwdPolicy object class will correctly
not return entries of other classes, such as ticket policy objects, but
may return success with no returned elements if an object with the
requested DN exists in a different object class. In this case, the
routine to retrieve a password policy returned success with a password
policy object that consisted entirely of zeroed memory. In particular,
accesses to the policy name will dereference a NULL pointer. KDC
operation does not access the policy name field, but most kadmin
operations involving the principal with incorrect password policy
will trigger the crash.
Greg Hudson [Mon, 8 Dec 2014 20:30:25 +0000 (15:30 -0500)]
Fix LDAP tests when sasl.h not found
Do not try to run the SASL EXTERNAL auth test if we could not define a
useful interact function. With current libraries the interact
function is asked for an authorization name, and the bind fails if it
gets an unsuccessful result or if no interaction function is defined.
Ben Kaduk [Thu, 20 Nov 2014 20:44:04 +0000 (15:44 -0500)]
Avoid infinite loop on duplicate keysalts
When duplicate suppression was requested, we would enter an
infinite loop upon encountering a duplicate entry, a bug
introduced in commit 0918990bf1d8560d74473fc0e41d08d433da1a15
and thus present in release 1.13.
Rework the conditional to avoid the loop, at the expense of
additional indentation for some of the code.
Greg Hudson [Wed, 5 Nov 2014 19:12:35 +0000 (14:12 -0500)]
Fix input race condition in t_skew.py
In two of the kinit tests run by t_skew.py, we expect kinit to exit
before reading the password. If we supply a password input for those
commands, we can fail with a broken pipe exception if the master
process tries to write the password after the slave process exits.
Also correctly check the output of the last kinit invocation.
Greg Hudson [Wed, 29 Oct 2014 16:16:40 +0000 (12:16 -0400)]
Remove length limit on PKINIT PKCS#12 prompt
Long pathnames can trigger the 128-byte prompt length limit in
pkinit_get_certs_pkcs12. Use asprintf instead of snprintf. Also
check the result of the prompter invocation.
Greg Hudson [Mon, 20 Oct 2014 16:52:45 +0000 (12:52 -0400)]
Report output ccache errors getting initial creds
In init_creds_step_reply, if we get an error storing output
credentials, do set ctx->complete (since retrieving creds or times
will work at this point) but don't suppress the error code.
Tom Yu [Thu, 16 Oct 2014 19:40:33 +0000 (15:40 -0400)]
Parse "ktadd -norandkey" in remote kadmin client
The remote kadmin client would not parse the "-norandkey" option to
the ktadd subcommand, terminating option parsing and possibly causing
options to be interpreted as principal names.
Greg Hudson [Wed, 8 Oct 2014 00:22:52 +0000 (20:22 -0400)]
Use gssalloc_malloc for GSS error tokens
In kg_accept_krb5, use gssalloc_malloc when allocating space for the
error token, since it will be freed with gssalloc_free. Using malloc
can cause heap corruption on Windows. This bug was masked by #1445
before 1.12.
Greg Hudson [Thu, 21 Aug 2014 17:52:07 +0000 (13:52 -0400)]
Return only new keys in randkey [CVE-2014-5351]
In kadmind's randkey operation, if a client specifies the keepold
flag, do not include the preserved old keys in the response.
CVE-2014-5351:
An authenticated remote attacker can retrieve the current keys for a
service principal when generating a new set of keys for that
principal. The attacker needs to be authenticated as a user who has
the elevated privilege for randomizing the keys of other principals.
Normally, when a Kerberos administrator randomizes the keys of a
service principal, kadmind returns only the new keys. This prevents
an administrator who lacks legitimate privileged access to a service
from forging tickets to authenticate to that service. If the
"keepold" flag to the kadmin randkey RPC operation is true, kadmind
retains the old keys in the KDC database as intended, but also
unexpectedly returns the old keys to the client, which exposes the
service to ticket forgery attacks from the administrator.
A mitigating factor is that legitimate clients of the affected service
will start failing to authenticate to the service once they begin to
receive service tickets encrypted in the new keys. The affected
service will be unable to decrypt the newly issued tickets, possibly
alerting the legitimate administrator of the affected service.
If gss_acquire_cred_impersonate_name is called using an
impersonator_cred_handle acquired with GSS_C_ACCEPT, we could
dereference null fields of the cred handle and crash. Fix this by
checking the impersonator_cred_handle usage and returning
GSS_S_NO_CRED if it isn't what we expect, just as we do in
init_sec_context.
Based on a patch from Solly Ross <sross@redhat.com>.
If two processes try to initialize the same replay cache at the same
time, krb5_rc_io_creat can race between unlink and open, leading to a
KRB5_RC_IO_PERM error. When this happens, make the losing process
retry so that it can continue.
This does not solve the replay cache creation race, nor is that the
only replay cache race issue. It simply prevents the race from
causing a spurious failure.
Restore providing password TGTs for the ksu target
The use of "stored" was originally for marking whether or not creds
had been found in the source cache and copied to the target. If it was
false, the obtain-a-TGT-using-a-password path would be triggered and
it would populate the target ccache directly.
When the intermediate cache was introduced (in commit dccc80a), the
variable started marking whether or not creds had been copied to the
intermediate cache, and this was then used to decide whether or not to
copy creds to the target cache.
The obtain-a-TGT-using-a-password path began storing its creds in the
temporary cache as well, but neglected to set the flag so that the
creds would be copied to the target cache later, so the target ccache
would never be created and populated with the newly-obtained TGT.
In order to allow ksu to use any locally-present service key for
verifying creds, the previous change to ksu switched from using a
retrieved or obtained TGT to fetch creds for the local "host" service,
and then passing those creds to krb5_verify_init_creds(), to passing the
retrieved TGT directly to krb5_verify_init_creds().
It did not take care to retrieve the TGT from the temporary ccache if it
had obtained them, and in those cases it would attempt to verify NULL
creds.
Modify the krb5_get_tkt_via_passwd() function to call
krb5_get_init_creds_password(), to pass back the freshly-obtained creds,
to take a "krb5_get_init_creds_opt" pointer instead of a locally-defined
options structure, and rename it to ksu_get_tgt_via_passwd().
Ben Kaduk [Thu, 21 Aug 2014 22:56:24 +0000 (18:56 -0400)]
Let libgssapi see TGTs in the MSLSA cache
When the current user is a local administrator of a windows machine
where User Account Control (UAC) is enabled, the Windows LSA will
return a block of zeros as the session key for any TGT entry in the
MSLSA: cache. The lcc_retrieve() implementation checks for such
"null" session keys and prevents them from escaping to callers (as
attempts to use them would encounger strange errors). However,
when the TGT is the only entry in the cache, this filtering prevents
scan_ccache() from detecting that the cache contains non-expired
credentials (and that there is a TGT present).
Since scan_ccache() is only looking at metadata in the cache entries,
and does not need to actually use any tickets or session keys, set
the KRB5_TC_NOTICKET flag on the ccache before scanning it. This
will allow the MSLSA implementation to return a cred for the TGT
entry and cause the GSSAPI credential selection algorithm to function
properly.
Ben Kaduk [Thu, 21 Aug 2014 21:33:11 +0000 (17:33 -0400)]
Add some KDC entries to the registry via WiX
Though our library happily uses DNS, I can't get Windows to
successfully contact KDCs found through the SRV records.
So, we do need to stay in the business of shipping around
KDC entries, after all.
In ksu, handle typeless default_ccache_name values
When a configured or compiled-in default ccache name doesn't contain a
cache type and ':' as a prefix, add one to the writeable value that we
construct when we go to look it up. This lets the rest of the
application always assume that it'll be there.
Greg Hudson [Mon, 25 Aug 2014 16:48:14 +0000 (12:48 -0400)]
Re-encrypt preserved key data in new master key
When we are preserving old key data in kdb_cpw.c, ensure that it is
encrypted with the same master key as the new key data. This ensures
that the KRB5_TL_MKVNO tl-data on the principal entry applies to all
of the key data, not just some of it.
Benjamin Kaduk [Wed, 3 Sep 2014 02:16:51 +0000 (22:16 -0400)]
Update NOTICE with new changes for 1.13
The KCM RPC definitions are copyright KTH/Apple, since it is present
for interoperability with OS X.
Add MS-KKDCP client copyright; alas, it does not match the existing
Red Hat copyrights, since the new code is a 2-clause BSD license, and
there was only a 3-clause Red Hat copyright block present already.
The actual Sphinx output for NOTICE would adjust the wrapping and
indentation of some existing content, but those changes were removed
by hand, so this commit only reflects new added content.
Tom Yu [Tue, 26 Aug 2014 22:18:02 +0000 (18:18 -0400)]
Allow logger.c to work with redirected stderr
In lib/kadm5/logger.c:krb5_klog_init(), if the configuration requests
STDERR logging, call fdopen() using mode "w" instead of "a+", to avoid
errors when stderr happens to be opened for write only.
Ben Kaduk [Thu, 28 Aug 2014 21:54:39 +0000 (17:54 -0400)]
Map .hin files to the C language for doxygen
In Debian unstable, the current version of doxygen is unhappy with
our generated Doxyfile, and does not handle krb5.hin in the expected
fashion (as a C header). Work around this issue by explicitly
specifying that files with the .hin extension are to be treated
as C language files.
Ben Kaduk [Fri, 29 Aug 2014 02:58:49 +0000 (22:58 -0400)]
Export gssrpc_bindresvport_sa
It was added in commit 0d04b60d159ab83b943e43802b1449a3b074bc83, but
was not added to the library export symbol list, and thus was unusable
on systems that enforced library export lists.
Greg Hudson [Mon, 18 Aug 2014 19:09:41 +0000 (15:09 -0400)]
Make randkey update principal mkvno
In kadm5_randkey_principal_3, after updating the principal's keys,
update its mkvno tl-data to indicate the master key version we
encrypted the new keys with.
Tomas Kuthan [Wed, 28 May 2014 13:24:20 +0000 (15:24 +0200)]
kadm5_randkey_principal interop with Solaris KDC
When kadm5_randkey_principal is called on Solaris kadmind (as opposed
to kadm5_randkey_principal_3), the KDC assumes the peer is a Solaris 9
system, and only creates DES keys.
For better interoperability, always call kadm5_randkey_principal_3
first. If this procedure is not present on the remote server, fall
back to calling kadm5_randkey_principal if possible.
Nalin Dahyabhai [Tue, 19 Aug 2014 18:07:26 +0000 (14:07 -0400)]
Simplify and improve ksu cred verification
When verifying the user's initial credentials, don't compute a server
name and preemptively obtain creds for it. This change allows
krb5_verify_init_creds to use any host key in the keytab, and not just
the one for the canonicalized local hostname.
Michael Osipov [Fri, 15 Aug 2014 12:20:10 +0000 (14:20 +0200)]
Fix test syntax in configure.in
Commits 1e4bdcfe and 8df1965d used the wrong test equality operator.
Some versions of test allow == for equality, but others (such as the
HP-UX version) do not. Use a single = for correctness.
Michael Osipov [Thu, 14 Aug 2014 13:48:11 +0000 (15:48 +0200)]
Fix HP-UX build support
Rename hpux10.exports to hpux.exports. In the HP-UX section of
shlib.conf, remove '+s' because it just specifies a default, add a
MAKE_SHLIB_COMMAND, and set SHLIBEXT based on the host CPU.
Greg Hudson [Fri, 8 Aug 2014 17:32:51 +0000 (13:32 -0400)]
Allow SPNEGO fallback to NTLM without mechlistMIC
For interoperability with Windows Server 2003 and earlier, loosen the
initiator's enforcement of RFC 4178's mechlistMIC requirement when
falling back to NTLMSSP.
[ghudson@mit.edu: rewrote commit message, added comment to NTLMSSP
OID]
Greg Hudson [Fri, 8 Aug 2014 20:50:38 +0000 (16:50 -0400)]
Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result
The krb5 gss_accept_sec_context could erroneously return
GSS_C_DELEG_FLAG in ret_flags if either:
* The token included the GSS_C_DELEG_FLAG but did not include at least
28 bytes in the authenticator checksum.
* The initial token included the GSS_C_DELEG_FLAG but a DCE-style
exchange was performed.
When generating a suffix to append to a ccache name that will hold the
credentials for a ksu-invoked process, instead of using integers
counting up from 1, use the result of base64-encoding six randomly-
generated octets. Tweak the output alphabet just a bit to avoid using
'+' or '/' in the generated names, the latter of which could really
confuse things.
Nalin Dahyabhai [Thu, 31 Oct 2013 01:47:14 +0000 (21:47 -0400)]
Make ksu respect the default_ccache_name setting
Move the logic for resolving and initializing a cache that we're
copying creds into out of krb5_ccache_copy(), and let the caller deal
with it. Add a helper functions to select/resolve an output ccache in
the default location for the target user after we've switched to the
target user's privileges. If the destination is a collection, take
care not to change which subsidiary is its primary, and reuse a
subsidiary cache if we can. If the destination is not a collection,
append a unique value to its name to make a new ccache.
[ghudson@mit.edu: some changes to variable names and comments; move
responsibility for getting target ccache name from
resolve_target_ccache to main]
Nalin Dahyabhai [Thu, 31 Oct 2013 01:45:35 +0000 (21:45 -0400)]
Use an intermediate memory cache in ksu
Instead of copying source or obtained creds into the target cache and
changing ownership if everything succeeds, copy them into a MEMORY:
cache and then, if everything succeeds, create the target cache as the
target user.
We no longer need to clean up the temporary ccache when exiting in
most error cases.
Use a fake principal name ("_ksu/_ksu@_ksu") as the primary holder of
the temporary cache so that we won't accidentally select it when we
make a subsequent call to krb5_cc_cache_match() (to be added in a
later patch) to find the target location where the creds should be
stored for use while running as the target user.
Nalin Dahyabhai [Fri, 1 Nov 2013 13:48:13 +0000 (09:48 -0400)]
In ksu, don't stat() not-on-disk ccache residuals
Don't assume that ccache residual names are filenames which we can
stat() usefully. Instead, use helper functions to call the library
routines to try to read the default principal name from caches, and
use whether or not that succeeds as an indication of whether or not
there's a ccache in a given location.
In ksu, merge krb5_ccache_copy() and _restricted()
Other than whether or not they limit the creds it stores to the new
ccache based on the principal name of the client for whom the creds were
issued, there's no meaningful difference between what these two
functions do. Merge them.
Tomas Kuthan [Fri, 1 Aug 2014 13:25:50 +0000 (15:25 +0200)]
Fix LDAP key data segmentation [CVE-2014-4345]
For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno. As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values. Fix the loop to use
the correct kvno value.
CVE-2014-4345:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations. An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present. After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array. The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.
Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated. Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.
Tom Yu [Wed, 6 Aug 2014 22:45:20 +0000 (18:45 -0400)]
Disallow unlocked iteration of hash databases
It's not clear whether unlocked iteration over a hash DB2 database
will omit unaffected entries if database additions or deletions occur
concurrently with the iteration. Avoid this situation by disabling
unlocked iteration in the unlikely event that someone is still using a
hash database for their KDB.
Greg Hudson [Tue, 5 Aug 2014 03:34:32 +0000 (23:34 -0400)]
Fix glob memory leak in GSS initialization
In loadConfigFiles, call globfree even if glob fails, since glob can
allocate memory and report partial results on failure. Also
initialize globbuf before calling glob; this is not strictly required,
but hedges against hypothetical libc implementation bugs which could
leave globbuf.gl_pathc or globbuf.gl_pathv uninitialized on error.
Tom Yu [Wed, 6 Aug 2014 19:03:03 +0000 (15:03 -0400)]
Fix KDC race in t_unlockiter.py
The second KDC startup in t_unlockiter.py could race with the
garbage-collected shutdown of the first, causing the second one to
fail to bind the listening port. Avoid the situation by setting
start_kdc=False, because there doesn't need to be a KDC running for
these tests anyway. Also use create_user=False and create_host=False,
because those principals aren't necessary either.
Ben Kaduk [Wed, 6 Aug 2014 16:49:52 +0000 (12:49 -0400)]
Fix OS X build
Commit 58312ae8beb0499ac3a06196164eb833e9f8975e, "Fix the build on
windows", had a typo that broke the build of KCM support on OS X.
Attempt to increment the cardinality of the set of buildable platforms,
instead of just adjusting its contents, by fixing the typo.
Ben Kaduk [Tue, 5 Aug 2014 15:11:45 +0000 (11:11 -0400)]
Fix the build on windows
Windows does not provide the glob() functionality used to implement
the /etc/gss/mechs.d/ feature, so we must avoid compiling the
relevant code for windows. (It would never have been called, anyway.)
Adjust the ccache/Makefile.in rules to not use '-' or '@' in
make variable names that are processed by nmake.
Also in ccache/Makefile.in, remove some latent leading whitespace that
had been previously hidden by the previous rule; this exposed some
flawed dependencies that are now removed.
Windows does not provide sys/socket.h or sys/un.h, so don't try
to include them in cc_kcm.c.
The commit which moved the KKDCP TLS support to a plugin left some
dangling references to checkhost.c byproducts in os/Makefile.in,
which can be safely removed.
Use k5-platform.h in support/json.c instead of a set of system includes;
this lets windows build the static inline helper functions therein.
When ksu was explicitly told to spawn a shell, a line in .k5users which
listed "*" as the allowed command would cause the principal named on the
line to be considered as a candidate for authentication.
When ksu was not passed a command to run, which implicitly meant that
the invoking user wanted to run the target user's login shell, knowledge
that the principal was a valid candidate was ignored, which could cause
a less optimal choice of the default target principal.
This doesn't impact the authorization checks which we perform later.
Tom Yu [Mon, 4 Aug 2014 16:34:24 +0000 (12:34 -0400)]
Correct includes for unlockiter.c
Some platforms (e.g., Solaris) need a declaration of memset() for the
FD_ZERO() macro to work, contrary to POSIX standards. Add an
inclusion of <string.h> to accommodate them. Also add <sys/time.h>,
possibly needed by some older platforms, and remove a spurious
inclusion of <sys/socket.h>.
Tom Yu [Sat, 2 Aug 2014 18:20:35 +0000 (14:20 -0400)]
Ignore iprop deletion of deleted princ
Now that an iprop full dump might not hold a lock around the entire
dump, it's possible that iprop will queue an incremental update while
the dump is in progress. If a principal is deleted while the dump is
in progress, the dump could omit that principal, yet the deletion
event would still be queued in the ulog. Ignore that deletion without
generating an error.
This is the same basic change as for ticket #7753.
Tom Yu [Sat, 2 Aug 2014 18:20:33 +0000 (14:20 -0400)]
Support unlocked iteration in DB2
Add support to the DB2 KDB back end to optionally release the lock
when calling the iterator callback. This prevents the blocking of
other processes when dumps of large databases are taking place.
projects / thirdparty / krb5.git / log
