kdc: CVE-2019-14870 Validate client attributes in protocol-transition

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
heimdal · Nov 4, 2022 · fd43016 · fd43016
1 parent bdd1d02
commit fd43016
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
@@ -2125,6 +2125,17 @@ tgs_build_reply(krb5_context context,
 		goto out;
 	    }
 
+	    /* Ignore require_pwchange and pw_end attributes (as Windows does),
+	     * since S4U2Self is not password authentication. */
+	    s4u2self_impersonated_client->entry.flags.require_pwchange = FALSE;
+	    free(s4u2self_impersonated_client->entry.pw_end);
+	    s4u2self_impersonated_client->entry.pw_end = NULL;
+
+	    ret = kdc_check_flags(context, config, s4u2self_impersonated_client, tpn,
+				  NULL, NULL, FALSE);
+	    if (ret)
+		goto out;
+
 	    /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
 	    if(rspac.data) {
 		krb5_pac p = NULL;

diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
@@ -811,6 +811,14 @@ echo "test impersonate unknown client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
 	{ ec=1 ; eval "${testfailed}"; }
 
+echo "test impersonate account-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "test impersonate pw-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+
 echo "test delegate sensitive client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
 	{ ec=1 ; eval "${testfailed}"; }