| 1 | +import socket |
| 2 | +from k5test import * |
| 3 | + |
| 4 | +realm = K5Realm() |
| 5 | + |
| 6 | +# CVE-2021-36222 KDC null dereference on encrypted challenge preauth |
| 7 | +# without FAST |
| 8 | + |
| 9 | +s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) |
| 10 | +a = (hostname, realm.portbase) |
| 11 | + |
| 12 | +m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE |
| 13 | + 'A103' '0201' '05' # [1] pvno = 5 |
| 14 | + 'A203' '0201' '0A' # [2] msg-type = 10 |
| 15 | + 'A30E' '300C' # [3] padata = SEQUENCE OF |
| 16 | + '300A' # SEQUENCE |
| 17 | + 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE |
| 18 | + 'A202' '0400' # [2] padata-value = "" |
| 19 | + 'A48180' '307E' # [4] req-body = SEQUENCE |
| 20 | + 'A007' '0305' '0000000000' # [0] kdc-options = 0 |
| 21 | + 'A120' '301E' # [1] cname = SEQUENCE |
| 22 | + 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL |
| 23 | + 'A117' '3015' # [1] name-string = SEQUENCE-OF |
| 24 | + '1B06' '6B7262746774' # krbtgt |
| 25 | + '1B0B' '4B5242544553542E434F4D' |
| 26 | + # KRBTEST.COM |
| 27 | + 'A20D' '1B0B' '4B5242544553542E434F4D' |
| 28 | + # [2] realm = KRBTEST.COM |
| 29 | + 'A320' '301E' # [3] sname = SEQUENCE |
| 30 | + 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL |
| 31 | + 'A117' '3015' # [1] name-string = SEQUENCE-OF |
| 32 | + '1B06' '6B7262746774' # krbtgt |
| 33 | + '1B0B' '4B5242544553542E434F4D' |
| 34 | + # KRBTEST.COM |
| 35 | + 'A511' '180F' '31393934303631303036303331375A' |
| 36 | + # [5] till = 19940610060317Z |
| 37 | + 'A703' '0201' '00' # [7] nonce = 0 |
| 38 | + 'A808' '3006' # [8] etype = SEQUENCE OF |
| 39 | + '020112' '020111') # aes256-cts aes128-cts |
| 40 | + |
| 41 | +s.sendto(bytes.fromhex(m), a) |
| 42 | + |
| 43 | +# Make sure kinit still works. |
| 44 | +realm.kinit(realm.user_princ, password('user')) |
| 45 | + |
| 46 | +success('CVE-2021-36222 regression test') |
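Review bot: The UDP socket opened at `s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)` is never closed after `s.sendto(bytes.fromhex(m), a)`; scoping it with a context manager, `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:` followed by the indented `s.sendto(bytes.fromhex(m), a)`, releases it as soon as the probe is sent. The test also never reads the KDC's reply, so the regression signal is only indirect: a crash on the malformed AS-REQ would show up as the following `realm.kinit(realm.user_princ, password('user'))` failing, which deserves a comment next to the kinit call, e.g. `# If the KDC crashed on the request above, this kinit fails.`. The hand-built request hard-codes the KRBTEST.COM realm and the krbtgt names, which presumably match K5Realm's defaults; a one-line comment above `m = (...)` noting that coupling would warn anyone who changes the test realm.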