Skip to content

Commit e3b5a5e

Browse files
committed
Prevent requires_preauth bypass [CVE-2015-2694]
In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until the request is successfully verified. In the PKINIT kdcpreauth module, don't respond with code 0 on empty input or an unconfigured realm. Together these bugs could cause the KDC preauth framework to erroneously treat a request as pre-authenticated. CVE-2015-2694: In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C ticket: 8160 (new) target_version: 1.13.2 tags: pullup subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]
1 parent 527edfa commit e3b5a5e

File tree

2 files changed

+9
-5
lines changed

2 files changed

+9
-5
lines changed

Diff for: src/plugins/preauth/otp/main.c

+7-3
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,7 @@ static krb5_preauthtype otp_pa_type_list[] =
4242
struct request_state {
4343
krb5_kdcpreauth_verify_respond_fn respond;
4444
void *arg;
45+
krb5_enc_tkt_part *enc_tkt_reply;
4546
};
4647

4748
static krb5_error_code
@@ -159,6 +160,9 @@ on_response(void *data, krb5_error_code retval, otp_response response)
159160
if (retval == 0 && response != otp_response_success)
160161
retval = KRB5_PREAUTH_FAILED;
161162

163+
if (retval == 0)
164+
rs.enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
165+
162166
rs.respond(rs.arg, retval, NULL, NULL, NULL);
163167
}
164168

@@ -263,8 +267,6 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
263267
krb5_data d, plaintext;
264268
char *config;
265269

266-
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
267-
268270
/* Get the FAST armor key. */
269271
armor_key = cb->fast_armor(context, rock);
270272
if (armor_key == NULL) {
@@ -298,12 +300,14 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
298300
goto error;
299301
}
300302

301-
/* Create the request state. */
303+
/* Create the request state. Save the response callback, and the
304+
* enc_tkt_reply pointer so we can set the TKT_FLG_PRE_AUTH flag later. */
302305
rs = k5alloc(sizeof(struct request_state), &retval);
303306
if (rs == NULL)
304307
goto error;
305308
rs->arg = arg;
306309
rs->respond = respond;
310+
rs->enc_tkt_reply = enc_tkt_reply;
307311

308312
/* Get the principal's OTP configuration string. */
309313
retval = cb->get_string(context, rock, "otp", &config);

Diff for: src/plugins/preauth/pkinit/pkinit_srv.c

+2-2
Original file line numberDiff line numberDiff line change
@@ -301,7 +301,7 @@ pkinit_server_verify_padata(krb5_context context,
301301

302302
pkiDebug("pkinit_verify_padata: entered!\n");
303303
if (data == NULL || data->length <= 0 || data->contents == NULL) {
304-
(*respond)(arg, 0, NULL, NULL, NULL);
304+
(*respond)(arg, EINVAL, NULL, NULL, NULL);
305305
return;
306306
}
307307

@@ -313,7 +313,7 @@ pkinit_server_verify_padata(krb5_context context,
313313

314314
plgctx = pkinit_find_realm_context(context, moddata, request->server);
315315
if (plgctx == NULL) {
316-
(*respond)(arg, 0, NULL, NULL, NULL);
316+
(*respond)(arg, EINVAL, NULL, NULL, NULL);
317317
return;
318318
}
319319

0 commit comments

Comments
 (0)