Skip to content

Commit

Permalink
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
Browse files Browse the repository at this point in the history
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
  • Loading branch information
jaltman committed Jul 10, 2017
1 parent 0fc03c5 commit 6dd3eb8
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/krb5/ticket.c
Original file line number Diff line number Diff line change
Expand Up @@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
rep->enc_part.sname,
rep->enc_part.srealm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
Expand Down

0 comments on commit 6dd3eb8

Please sign in to comment.