Skip to content
This repository
Browse code

Fix kpasswd UDP ping-pong [CVE-2002-2443]

The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.

Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.

Thanks to Vincent Danen for alerting us to this issue.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

ticket: 7637 (new)
target_version: 1.11.3
tags: pullup
commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c 1 parent 0a97afb
Tom Yu authored

Showing 1 changed file with 4 additions and 4 deletions. Show diff stats Hide diff stats

  1. 8  src/kadmin/server/schpw.c
8  src/kadmin/server/schpw.c
@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
52 52
         ret = KRB5KRB_AP_ERR_MODIFIED;
53 53
         numresult = KRB5_KPASSWD_MALFORMED;
54 54
         strlcpy(strresult, "Request was truncated", sizeof(strresult));
55  
-        goto chpwfail;
  55
+        goto bailout;
56 56
     }
57 57
 
58 58
     ptr = req->data;
@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
67 67
         numresult = KRB5_KPASSWD_MALFORMED;
68 68
         strlcpy(strresult, "Request length was inconsistent",
69 69
                 sizeof(strresult));
70  
-        goto chpwfail;
  70
+        goto bailout;
71 71
     }
72 72
 
73 73
     /* verify version number */
@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
80 80
         numresult = KRB5_KPASSWD_BAD_VERSION;
81 81
         snprintf(strresult, sizeof(strresult),
82 82
                  "Request contained unknown protocol version number %d", vno);
83  
-        goto chpwfail;
  83
+        goto bailout;
84 84
     }
85 85
 
86 86
     /* read, check ap-req length */
@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
93 93
         numresult = KRB5_KPASSWD_MALFORMED;
94 94
         strlcpy(strresult, "Request was truncated in AP-REQ",
95 95
                 sizeof(strresult));
96  
-        goto chpwfail;
  96
+        goto bailout;
97 97
     }
98 98
 
99 99
     /* verify ap_req */

0 notes on commit cf1a0c4

Please sign in to comment.
Something went wrong with that request. Please try again.