AOH :: HP Unsorted A :: VA3093.HTM

ASN.1 decoder frees uninitialized pointer



MITKRB5-SA-2009-002: ASN.1 decoder frees uninitialized pointer
MITKRB5-SA-2009-002: ASN.1 decoder frees uninitialized pointer



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2009-002

MIT krb5 Security Advisory 2009-002
Original release: 2009-04-07
Last update: 2009-04-07

Topic: ASN.1 decoder frees uninitialized pointer

[CVE-2009-0846]
ASN.1 GeneralizedTime decoder can free uninitialized pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
======
[CVE-2009-0846]

An ASN.1 decoder can free an uninitialized pointer when decoding an
invalid encoding.  This can cause a Kerberos application to crash, or,
under theoretically possible but unlikely circumstances, execute
arbitrary malicious code.  No exploit is known to exist that would
cause arbitrary code execution.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.

IMPACT
=====
[CVE-2009-0846] An unauthenticated, remote attacker could cause a
Kerberos application, including the Kerberos administration daemon
(kadmind) or the KDC to crash, and possibly to execute arbitrary code.

Compromise of the KDC or kadmind can compromise the Kerberos key
database and host security on the KDC host.  (The KDC and kadmind
typically run as root.)  We believe this scenario is highly unlikely,
given the details of the vulnerability.

Third-party applications using MIT krb5 may also be vulnerable.

MITIGATING FACTORS
=================
While it is theoretically possible for an attacker to execute
arbitrary code by exploiting this vulnerability, it is believed to be
more difficult than exploiting other sorts of memory management flaws
such as double-free or heap buffer overflow events.  Also, in order to
exploit this vulnerability to remotely execute code, an attacker must
ensure that the uninitialized pointer points to valid address space,
otherwise a null-dereference crash will typically occur.

Some operating systems have hardened malloc implementations that are
not susceptible to this problem.  These operating systems are still
vulnerable to a denial of service if the uninitialized pointer points
to invalid address space.

AFFECTED SOFTWARE
================
* All MIT krb5 releases

* Third-party software using the krb5 library from MIT krb5 releases

FIXES
====
* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for
  this vulnerability.

* Apply the patch

diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
index aa4be32..5f7461d 100644
- --- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
 
   if(length != 15) return ASN1_BAD_LENGTH;
   retval = asn1buf_remove_charstring(buf,15,&s);
+  if (retval) return retval;
   /* Time encoding: YYYYMMDDhhmmssZ */
   if(s[14] != 'Z') {
       free(s);
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 0ff9343..1c427d1 100644
- --- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -485,6 +485,22 @@ int main(argc, argv)
     ktest_destroy_keyblock(&(ref.subkey));
     ref.seq_number = 0;
     decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+    retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+    if (retval) {
+	com_err("krb5_decode_test", retval, "while parsing");
+	exit(1);
+    }
+    retval = decode_krb5_ap_rep_enc_part(&code, &var);
+    if (retval != ASN1_OVERRUN) {
+	printf("ERROR: ");
+    } else {
+	printf("OK: ");
+    }
+    printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+    krb5_free_data_contents(test_context, &code);
+    krb5_free_ap_rep_enc_part(test_context, var);
+
     ktest_empty_ap_rep_enc_part(&ref);
   }
   
  This patch is also available at

http://web.mit.edu/kerberos/advisories/2009-002-patch.txt 

  A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2009-002-patch.txt.asc 

REFERENCES
=========
This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-002.txt 

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html 

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html 

CVSSv2:

http://www.first.org/cvss/cvss-guide.html 
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 

CVE: CVE-2009-0846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846 

CERT: VU#662091
http://www.kb.cert.org/vuls/id/662091 

CONTACT
======
The MIT Kerberos Team security contact address is
. When sending sensitive information, 
please PGP-encrypt it using the following key:

pub   2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid MIT Kerberos Team Security Contact  

DETAILS
======
The asn1_decode_generaltime() function, which decodes DER encodings of
the ASN.1 type "GeneralizedTime", can free an uninitialized pointer.
This can cause a Kerberos application to crash, or, under
theoretically possible but unlikely circumstances, execute arbitrary
malicious code.  No exploit is known to exist that would cause
arbitrary code execution.

REVISION HISTORY
===============
2009-04-07      original release

Copyright (C) 2009 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iQCVAgUBSduVcabDgE/zdoE9AQI+OgQApBBzBcQYG2GfuPIvZhwhJlvaWzSAQpb4
lYgScNNihKVs+xQF8vE5omSXSC/uaRkb5pGd0sa+LAmNCCjwNGT13f5TB6fAKTwS
MRxmJ6whZGTz+3myihBa/pac14hE0q4XTRw/BgCv4lL1B94/K9FyAFSsAWkkV/Mr
H1P8smh5svk=z9B1
-----END PGP SIGNATURE-----

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.