Skip to content
Permalink
Browse files

Fix S4U2Self KDC crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.

  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

ticket: 8458 (new)
target_version: 1.14-next
target_version: 1.13-next
  • Loading branch information...
greghudson committed Jul 19, 2016
1 parent 560e11d commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
Showing with 6 additions and 1 deletion.
  1. +1 −1 src/kdc/kdc_util.c
  2. +5 −0 src/tests/t_pkinit.py
@@ -739,7 +739,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
return(KDC_ERR_MUST_USE_USER2USER);
}

if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
*status = "ANONYMOUS NOT ALLOWED";
return(KDC_ERR_POLICY);
}
@@ -93,6 +93,11 @@
if 'KDC policy rejects request' not in out:
fail('Wrong error for restricted anonymous PKINIT')

# Regression test for #8458: S4U2Self requests crash the KDC if
# anonymous is restricted.
realm.kinit(realm.host_princ, flags=['-k'])
realm.run([kvno, '-U', 'user', realm.host_princ])

# Go back to a normal KDC and disable anonymous PKINIT.
realm.stop_kdc()
realm.start_kdc()

0 comments on commit 93b4a63

Please sign in to comment.
You can’t perform that action at this time.