Skip to content

Commit 93b4a63

Browse files
committed
Fix S4U2Self KDC crash when anon is restricted
In validate_as_request(), when enforcing restrict_anonymous_to_tgt, use client.princ instead of request->client; the latter is NULL when validating S4U2Self requests. CVE-2016-3120: In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc to dereference a null pointer if the restrict_anonymous_to_tgt option is set to true, by making an S4U2Self request. CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C ticket: 8458 (new) target_version: 1.14-next target_version: 1.13-next
1 parent 560e11d commit 93b4a63

File tree

2 files changed

+6
-1
lines changed

2 files changed

+6
-1
lines changed

Diff for: src/kdc/kdc_util.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -739,7 +739,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
739739
return(KDC_ERR_MUST_USE_USER2USER);
740740
}
741741

742-
if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
742+
if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
743743
*status = "ANONYMOUS NOT ALLOWED";
744744
return(KDC_ERR_POLICY);
745745
}

Diff for: src/tests/t_pkinit.py

+5
Original file line numberDiff line numberDiff line change
@@ -93,6 +93,11 @@
9393
if 'KDC policy rejects request' not in out:
9494
fail('Wrong error for restricted anonymous PKINIT')
9595

96+
# Regression test for #8458: S4U2Self requests crash the KDC if
97+
# anonymous is restricted.
98+
realm.kinit(realm.host_princ, flags=['-k'])
99+
realm.run([kvno, '-U', 'user', realm.host_princ])
100+
96101
# Go back to a normal KDC and disable anonymous PKINIT.
97102
realm.stop_kdc()
98103
realm.start_kdc()

0 commit comments

Comments
 (0)