From 81c332e29f10887c6b9deb065f81ba259f4c7e03 Mon Sep 17 00:00:00 2001
From: Tomas Kuthan <tkuthan@gmail.com>
Date: Fri, 1 Aug 2014 15:25:50 +0200
Subject: [PATCH] Fix LDAP key data segmentation [CVE-2014-4345]

For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno. As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values. Fix the loop to use
the correct kvno value.

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations. An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present. After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array. The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only

Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated. Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.

CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: clarified commit message]
[kaduk@mit.edu: CVE summary, CVSSv2 vector]

target_version: 1.12.2

src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

Index: krb5-1.12+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- krb5-1.12+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2014-08-08 14:58:43.701796377 -0400
+++ krb5-1.12+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2014-08-08 14:58:43.693796376 -0400
- currkvno = key_data[i].key_data_kvno;
+ if (i < n_key_data - 1)
+ currkvno = key_data[i + 1].key_data_kvno;
ret[num_versions] = NULL;
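Review bot: the new guard `if (i < n_key_data - 1)` correctly keeps the lookahead `key_data[i + 1].key_data_kvno` inside the key list, but it also means currkvno is left holding the last group's kvno on the final iteration instead of being advanced; that is harmless only if nothing after the loop reads currkvno, and the hunk as shown (no @@ header, little surrounding context) does not let a reviewer confirm that, so a one-line comment stating that currkvno is the kvno of the next group to be written would make the invariant explicit. Since `ret[num_versions] = NULL;` is written unconditionally after the loop, it is also worth confirming that num_versions can no longer exceed the number of distinct kvnos the array was sized for. A regression test that applies several cpw -keepold changes to one principal and asserts exactly one krbPrincipalKey value per kvno would pin the fix against the bug described in the commit message.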