Skip to content

Commit fc98f52

Browse files
jsutton24greghudson
authored andcommitted
Fix KDC null deref on bad encrypted challenge
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check to avoid further processing if the armor key is NULL. However, this check is bypassed by a call to k5memdup0() which overwrites retval with 0 if the allocation succeeds. If the armor key is NULL, a call to krb5_c_fx_cf2_simple() will then dereference it, resulting in a crash. Add a check before the k5memdup0() call to avoid overwriting retval. CVE-2021-36222: In MIT krb5 releases 1.16 and later, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST. [ghudson@mit.edu: trimmed patch; added test case; edited commit message] ticket: 9007 (new) tags: pullup target_version: 1.19-next target_version: 1.18-next
1 parent f573f7f commit fc98f52

File tree

3 files changed

+49
-1
lines changed

3 files changed

+49
-1
lines changed

Diff for: src/kdc/kdc_preauth_ec.c

+2-1
Original file line numberDiff line numberDiff line change
@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
8787
}
8888

8989
/* Check for a configured FAST ec auth indicator. */
90-
realmstr = k5memdup0(realm.data, realm.length, &retval);
90+
if (retval == 0)
91+
realmstr = k5memdup0(realm.data, realm.length, &retval);
9192
if (realmstr != NULL)
9293
retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
9394
realmstr,

Diff for: src/tests/Makefile.in

+1
Original file line numberDiff line numberDiff line change
@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self
166166
$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
167167
$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
168168
$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
169+
$(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
169170
$(RM) au.log
170171
$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
171172
$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \

Diff for: src/tests/t_cve-2021-36222.py

+46
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
import socket
2+
from k5test import *
3+
4+
realm = K5Realm()
5+
6+
# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
7+
# without FAST
8+
9+
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
10+
a = (hostname, realm.portbase)
11+
12+
m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
13+
'A103' '0201' '05' # [1] pvno = 5
14+
'A203' '0201' '0A' # [2] msg-type = 10
15+
'A30E' '300C' # [3] padata = SEQUENCE OF
16+
'300A' # SEQUENCE
17+
'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
18+
'A202' '0400' # [2] padata-value = ""
19+
'A48180' '307E' # [4] req-body = SEQUENCE
20+
'A007' '0305' '0000000000' # [0] kdc-options = 0
21+
'A120' '301E' # [1] cname = SEQUENCE
22+
'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
23+
'A117' '3015' # [1] name-string = SEQUENCE-OF
24+
'1B06' '6B7262746774' # krbtgt
25+
'1B0B' '4B5242544553542E434F4D'
26+
# KRBTEST.COM
27+
'A20D' '1B0B' '4B5242544553542E434F4D'
28+
# [2] realm = KRBTEST.COM
29+
'A320' '301E' # [3] sname = SEQUENCE
30+
'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
31+
'A117' '3015' # [1] name-string = SEQUENCE-OF
32+
'1B06' '6B7262746774' # krbtgt
33+
'1B0B' '4B5242544553542E434F4D'
34+
# KRBTEST.COM
35+
'A511' '180F' '31393934303631303036303331375A'
36+
# [5] till = 19940610060317Z
37+
'A703' '0201' '00' # [7] nonce = 0
38+
'A808' '3006' # [8] etype = SEQUENCE OF
39+
'020112' '020111') # aes256-cts aes128-cts
40+
41+
s.sendto(bytes.fromhex(m), a)
42+
43+
# Make sure kinit still works.
44+
realm.kinit(realm.user_princ, password('user'))
45+
46+
success('CVE-2021-36222 regression test')

0 commit comments

Comments
 (0)