Browse files

Multi-realm KDC null deref [CVE-2013-1418]

If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC.

CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.

ticket: 7755 (new)
target_version: 1.12
tags: pullup
  • Loading branch information...
1 parent bcc91c8 commit 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf @tlyu tlyu committed Nov 4, 2013
Showing with 3 additions and 0 deletions.
  1. +3 −0 src/kdc/main.c
View
3 src/kdc/main.c
@@ -124,6 +124,9 @@ setup_server_realm(struct server_handle *handle, krb5_principal sprinc)
kdc_realm_t **kdc_realmlist = handle->kdc_realmlist;
int kdc_numrealms = handle->kdc_numrealms;
+ if (sprinc == NULL)
+ return NULL;
+
if (kdc_numrealms > 1) {
if (!(newrealm = find_realm_data(handle, sprinc->realm.data,
(krb5_ui_4) sprinc->realm.length)))

0 comments on commit 5d2d9a1

Please sign in to comment.