Skip to content

Commit

Permalink
Fix IAKERB context aliasing bugs [CVE-2015-2696]
Browse files Browse the repository at this point in the history 
The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type.  Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.

CVE-2015-2696:

In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  Java server applications using the
native JGSS provider are vulnerable to this bug.  A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

ticket: 8244
target_version: 1.14
tags: pullup
  • Loading branch information
@nicowilliams @greghudson
nicowilliams authored and greghudson committed Oct 26, 2015
1 parent b51b33f commit e04f028
Show file tree
Hide file tree
Showing 3 changed files with 529 additions and 41 deletions.
114 changes: 114 additions & 0 deletions src/lib/gssapi/krb5/gssapiP_krb5.h
View file
Expand Up @@ -621,6 +621,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
);
#endif /* LEAN_CLIENT */

OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
(OM_uint32*, /* minor_status */
const gss_ctx_id_t,
/* context_handle */
const gss_OID, /* desired_object */
gss_buffer_set_t* /* data_set */
);

OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
(OM_uint32*, /* minor_status */
gss_ctx_id_t*, /* context_handle */
const gss_OID, /* desired_object */
const gss_buffer_t/* value */
);

OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
(OM_uint32*, /* minor_status */
gss_ctx_id_t, /* context_handle */
Expand Down Expand Up @@ -1302,6 +1317,105 @@ OM_uint32 KRB5_CALLCONV
krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
gss_cred_id_t *cred_handle);

OM_uint32 KRB5_CALLCONV
iakerb_gss_process_context_token(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t token_buffer);

OM_uint32 KRB5_CALLCONV
iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
OM_uint32 *time_rec);

OM_uint32 KRB5_CALLCONV
iakerb_gss_inquire_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle, gss_name_t *src_name,
gss_name_t *targ_name, OM_uint32 *lifetime_rec,
gss_OID *mech_type, OM_uint32 *ctx_flags,
int *locally_initiated, int *opened);

OM_uint32 KRB5_CALLCONV
iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
gss_qop_t qop_req, gss_buffer_t message_buffer,
gss_buffer_t message_token);

OM_uint32 KRB5_CALLCONV
iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
gss_qop_t qop_req, gss_iov_buffer_desc *iov,
int iov_count);

OM_uint32 KRB5_CALLCONV
iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
gss_ctx_id_t context_handle, gss_qop_t qop_req,
gss_iov_buffer_desc *iov, int iov_count);

OM_uint32 KRB5_CALLCONV
iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
gss_qop_t *qop_state);

OM_uint32 KRB5_CALLCONV
iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
int iov_count);

OM_uint32 KRB5_CALLCONV
iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
int conf_req_flag, gss_qop_t qop_req,
gss_buffer_t input_message_buffer, int *conf_state,
gss_buffer_t output_message_buffer);

OM_uint32 KRB5_CALLCONV
iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
int conf_req_flag, gss_qop_t qop_req, int *conf_state,
gss_iov_buffer_desc *iov, int iov_count);

OM_uint32 KRB5_CALLCONV
iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
gss_ctx_id_t context_handle, int conf_req_flag,
gss_qop_t qop_req, int *conf_state,
gss_iov_buffer_desc *iov, int iov_count);

OM_uint32 KRB5_CALLCONV
iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer, int *conf_state,
gss_qop_t *qop_state);

OM_uint32 KRB5_CALLCONV
iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
int *conf_state, gss_qop_t *qop_state,
gss_iov_buffer_desc *iov, int iov_count);

OM_uint32 KRB5_CALLCONV
iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
gss_ctx_id_t context_handle, int conf_req_flag,
gss_qop_t qop_req, OM_uint32 req_output_size,
OM_uint32 *max_input_size);

#ifndef LEAN_CLIENT
OM_uint32 KRB5_CALLCONV
iakerb_gss_export_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token);
#endif /* LEAN_CLIENT */

OM_uint32 KRB5_CALLCONV
iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set);

OM_uint32 KRB5_CALLCONV
iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
const gss_buffer_t value);

OM_uint32 KRB5_CALLCONV
iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
int prf_key, const gss_buffer_t prf_in,
ssize_t desired_output_len, gss_buffer_t prf_out);

/* Magic string to identify exported krb5 GSS credentials. Increment this if
* the format changes. */
#define CRED_EXPORT_MAGIC "K5C1"
Expand Down
105 changes: 94 additions & 11 deletions src/lib/gssapi/krb5/gssapi_krb5.c
View file
Expand Up @@ -351,7 +351,7 @@ static struct {
}
};

static OM_uint32 KRB5_CALLCONV
OM_uint32 KRB5_CALLCONV
krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
Expand Down Expand Up @@ -465,7 +465,7 @@ static struct {
};
#endif

static OM_uint32 KRB5_CALLCONV
OM_uint32 KRB5_CALLCONV
krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
Expand Down Expand Up @@ -929,20 +929,103 @@ static struct gss_config krb5_mechanism = {
krb5_gss_get_mic_iov_length,
};

/* Functions which use security contexts or acquire creds are IAKERB-specific;
* other functions can borrow from the krb5 mech. */
static struct gss_config iakerb_mechanism = {
{ GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
NULL,
iakerb_gss_acquire_cred,
krb5_gss_release_cred,
iakerb_gss_init_sec_context,
#ifdef LEAN_CLIENT
NULL,
#else
iakerb_gss_accept_sec_context,
#endif
iakerb_gss_process_context_token,
iakerb_gss_delete_sec_context,
iakerb_gss_context_time,
iakerb_gss_get_mic,
iakerb_gss_verify_mic,
#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE)
NULL,
#else
iakerb_gss_wrap,
#endif
#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE)
NULL,
#else
iakerb_gss_unwrap,
#endif
krb5_gss_display_status,
krb5_gss_indicate_mechs,
krb5_gss_compare_name,
krb5_gss_display_name,
krb5_gss_import_name,
krb5_gss_release_name,
krb5_gss_inquire_cred,
NULL, /* add_cred */
#ifdef LEAN_CLIENT
NULL,
NULL,
#else
iakerb_gss_export_sec_context,
NULL,
#endif
krb5_gss_inquire_cred_by_mech,
krb5_gss_inquire_names_for_mech,
iakerb_gss_inquire_context,
krb5_gss_internal_release_oid,
iakerb_gss_wrap_size_limit,
krb5_gss_localname,
krb5_gss_authorize_localname,
krb5_gss_export_name,
krb5_gss_duplicate_name,
krb5_gss_store_cred,
iakerb_gss_inquire_sec_context_by_oid,
krb5_gss_inquire_cred_by_oid,
iakerb_gss_set_sec_context_option,
krb5_gssspi_set_cred_option,
krb5_gssspi_mech_invoke,
NULL, /* wrap_aead */
NULL, /* unwrap_aead */
iakerb_gss_wrap_iov,
iakerb_gss_unwrap_iov,
iakerb_gss_wrap_iov_length,
NULL, /* complete_auth_token */
NULL, /* acquire_cred_impersonate_name */
NULL, /* add_cred_impersonate_name */
NULL, /* display_name_ext */
krb5_gss_inquire_name,
krb5_gss_get_name_attribute,
krb5_gss_set_name_attribute,
krb5_gss_delete_name_attribute,
krb5_gss_export_name_composite,
krb5_gss_map_name_to_any,
krb5_gss_release_any_name_mapping,
iakerb_gss_pseudo_random,
NULL, /* set_neg_mechs */
krb5_gss_inquire_saslname_for_mech,
krb5_gss_inquire_mech_for_saslname,
krb5_gss_inquire_attrs_for_mech,
krb5_gss_acquire_cred_from,
krb5_gss_store_cred_into,
iakerb_gss_acquire_cred_with_password,
krb5_gss_export_cred,
krb5_gss_import_cred,
NULL, /* import_sec_context_by_mech */
NULL, /* import_name_by_mech */
NULL, /* import_cred_by_mech */
iakerb_gss_get_mic_iov,
iakerb_gss_verify_mic_iov,
iakerb_gss_get_mic_iov_length,
};

#ifdef _GSS_STATIC_LINK
#include "mglueP.h"
static int gss_iakerbmechglue_init(void)
{
struct gss_mech_config mech_iakerb;
struct gss_config iakerb_mechanism = krb5_mechanism;

/* IAKERB mechanism mirrors krb5, but with different context SPIs */
iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context;
iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred;
iakerb_mechanism.gssspi_acquire_cred_with_password
= iakerb_gss_acquire_cred_with_password;

memset(&mech_iakerb, 0, sizeof(mech_iakerb));
mech_iakerb.mech = &iakerb_mechanism;
Expand Down

0 comments on commit e04f028

Please sign in to comment.