Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix kpasswd UDP ping-pong [CVE-2002-2443]
The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.

Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.

Thanks to Vincent Danen for alerting us to this issue.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

ticket: 7637 (new)
target_version: 1.11.3
tags: pullup
  • Loading branch information
tlyu committed May 13, 2013
1 parent 0a97afb commit cf1a0c4
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions src/kadmin/server/schpw.c
Expand Up @@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request was truncated", sizeof(strresult));
goto chpwfail;
goto bailout;
}

ptr = req->data;
Expand All @@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request length was inconsistent",
sizeof(strresult));
goto chpwfail;
goto bailout;
}

/* verify version number */
Expand All @@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
numresult = KRB5_KPASSWD_BAD_VERSION;
snprintf(strresult, sizeof(strresult),
"Request contained unknown protocol version number %d", vno);
goto chpwfail;
goto bailout;
}

/* read, check ap-req length */
Expand All @@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request was truncated in AP-REQ",
sizeof(strresult));
goto chpwfail;
goto bailout;
}

/* verify ap_req */
Expand Down

0 comments on commit cf1a0c4

Please sign in to comment.