Date: Sun, 02 Oct 2022 09:55:02 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 266750] telnet crash if server sends unexpected kerberos authentication message
Message-ID: <bug-266750-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266750

            Bug ID: 266750
           Summary: telnet crash if server sends unexpected kerberos
                    authentication message
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
        Attachment #236990 mime type: text/plain

Created attachment 236990
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=236990&action=edit
fake telnet server that crashes telnet via unexpected kerberos5 authentication message

If the telnet server sends an IAC SB OPT_AUTHENTICATE QUAL_REPLY KRB_ACCEPT
without a prior QUAL_SEND, the auth_context variable in
libtelnet/kerberos5.c is NULL, but kerberos5_reply() passes it to
krb5_auth_con_getlocalsubkey() anyway, resulting in a crash.

I've attached a demo:

# cc telnet7a.c
# ./a.out &
# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
[ Kerberos V5 accepts you as ``xxx'' ]
Segmentation fault (core dumped)

(gdb) where
#0  0x0000000801449004 in krb5_auth_con_getlocalsubkey () from /usr/lib/libkrb5.so.11
#1  0x0000000001042c3c in kerberos5_reply (ap=0x10481c8 <authenticators+56>, data=<optimized out>, cnt=<optimized out>) at /usr/src/contrib/telnet/libtelnet/kerberos5.c:611
#2  0x000000000103f746 in auth_reply (data=<optimized out>, cnt=<optimized out>) at /usr/src/contrib/telnet/libtelnet/auth.c:491
#3  0x0000000001039a21 in suboption () at /usr/src/contrib/telnet/telnet/telnet.c:944
#4  0x0000000001038fdd in telrcv () at /usr/src/contrib/telnet/telnet/telnet.c:1885
#5  0x0000000001039ed3 in Scheduler (block=block@entry=1) at /usr/src/contrib/telnet/telnet/telnet.c:2098
#6  0x0000000001039d7a in telnet (user=user@entry=0x7fffffffec17 "rtm") at /usr/src/contrib/telnet/telnet/telnet.c:2163
#7  0x0000000001033013 in tn (argc=<optimized out>, argc@entry=2, argv=<optimized out>, argv@entry=0x7fffffffe780) at /usr/src/contrib/telnet/telnet/commands.c:2492
#8  0x0000000001036032 in main (argc=1, argv=<optimized out>) at /usr/src/contrib/telnet/telnet/main.c:370

FreeBSD stock14 14.0-CURRENT FreeBSD 14.0-CURRENT #3 main-n258027-c9baa974717a: Thu Sep 15 20:02:51 AST 2022     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.
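The class of bug in the report is a protocol handler acting on a message that the negotiation state does not yet permit, so that per-session state (here auth_context) is still NULL when it is dereferenced. The following is an added example, not code from FreeBSD's libtelnet and not the attached telnet7a.c: a minimal client-side parser for the telnet AUTHENTICATION suboption that unescapes the IAC SB ... IAC SE frame and refuses a REPLY that arrives before any SEND, instead of acting on it. The option and command numbers are from RFC 854, RFC 2941 and RFC 2942; the REPLY body layout used here (type/modifier pair, then the Kerberos sub-command, then the accepted name, with modifier 0) and the byte sequences are constructed for this example and inferred from the reported output, not taken from the attachment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Telnet framing and AUTHENTICATION option constants (RFC 854, RFC 2941, RFC 2942). */
#define IAC 255
#define SB  250
#define SE  240
#define TELOPT_AUTHENTICATION 37
#define TELQUAL_SEND  1
#define TELQUAL_REPLY 2
#define AUTHTYPE_KERBEROS_V5 2
#define KRB_REJECT 1
#define KRB_ACCEPT 2

enum { AUTH_OK = 0, AUTH_ERR_FRAME = -1, AUTH_ERR_FORMAT = -2,
       AUTH_ERR_TYPE = -3, AUTH_ERR_ORDER = -4 };

/* Client-side state.  `session` stands in for the auth_context pointer in
 * kerberos5.c: it is only set once the client has answered a SEND. */
struct auth_client {
    int session;          /* 0 means "not created yet" (NULL in the real client) */
    char principal[64];   /* name the server accepted us as, if any */
};

/* Unescape one suboption from a raw stream: IAC SB <body> IAC SE, where IAC IAC
 * inside the body stands for a literal 0xff.  Returns 0 and sets *outlen on a
 * complete, well-formed frame; -1 otherwise (truncated or bad escape). */
static int extract_suboption(const uint8_t *in, size_t inlen,
                             uint8_t *out, size_t outcap, size_t *outlen)
{
    size_t i, n = 0;
    if (inlen < 2 || in[0] != IAC || in[1] != SB) return -1;
    for (i = 2; i < inlen; i++) {
        if (in[i] == IAC) {
            if (i + 1 >= inlen) return -1;
            if (in[i + 1] == SE) { *outlen = n; return 0; }
            if (in[i + 1] != IAC) return -1;
            i++;                              /* IAC IAC -> one 0xff data byte */
        }
        if (n >= outcap) return -1;
        out[n++] = in[i];
    }
    return -1;                                /* ran out of input before IAC SE */
}

/* Handle one AUTHENTICATION suboption body (the bytes between IAC SB and IAC SE).
 * Only SEND and a Kerberos V5 REPLY are modelled. */
int auth_handle_suboption(struct auth_client *c, const uint8_t *sb, size_t len)
{
    size_t i, n;
    if (len < 2 || sb[0] != TELOPT_AUTHENTICATION) return AUTH_ERR_FORMAT;
    switch (sb[1]) {
    case TELQUAL_SEND:
        /* Body is a list of <type, modifier> pairs; take it if KERBEROS_V5 is offered. */
        if (len < 4 || (len - 2) % 2 != 0) return AUTH_ERR_FORMAT;
        for (i = 2; i < len; i += 2)
            if (sb[i] == AUTHTYPE_KERBEROS_V5) { c->session = 1; return AUTH_OK; }
        return AUTH_ERR_TYPE;
    case TELQUAL_REPLY:
        /* Body: <type, modifier> pair, Kerberos sub-command, then its data. */
        if (len < 5) return AUTH_ERR_FORMAT;
        if (sb[2] != AUTHTYPE_KERBEROS_V5) return AUTH_ERR_TYPE;
        /* The check the report shows to be missing: a REPLY that arrives before
         * any SEND has no session behind it and must be refused, not acted on. */
        if (!c->session) return AUTH_ERR_ORDER;
        if (sb[4] == KRB_REJECT) { c->session = 0; return AUTH_OK; }
        if (sb[4] != KRB_ACCEPT) return AUTH_ERR_FORMAT;
        n = len - 5;
        if (n >= sizeof c->principal) n = sizeof c->principal - 1;
        memcpy(c->principal, sb + 5, n);
        c->principal[n] = '\0';
        return AUTH_OK;
    default:
        return AUTH_ERR_FORMAT;
    }
}

/* Feed one raw IAC SB ... IAC SE frame from the server to the client. */
int auth_feed_frame(struct auth_client *c, const uint8_t *raw, size_t rawlen)
{
    uint8_t body[256];
    size_t n;
    if (extract_suboption(raw, rawlen, body, sizeof body, &n) < 0) return AUTH_ERR_FRAME;
    return auth_handle_suboption(c, body, n);
}

/* Constructed frames (assumed layout).  accept_frame is the message from the report:
 * a Kerberos V5 REPLY/ACCEPT (modifier 0 = CLIENT_TO_SERVER|ONE_WAY) naming us "xxx". */
static const uint8_t send_frame[] = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_SEND,
                                      AUTHTYPE_KERBEROS_V5, 0, IAC, SE };
static const uint8_t accept_frame[] = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_REPLY,
                                        AUTHTYPE_KERBEROS_V5, 0, KRB_ACCEPT,
                                        'x', 'x', 'x', IAC, SE };

/* The report's sequence: ACCEPT with no prior SEND.  Returns AUTH_ERR_ORDER. */
int demo_unexpected_accept(void)
{
    struct auth_client c = { 0, "" };
    return auth_feed_frame(&c, accept_frame, sizeof accept_frame);
}

/* The well-formed exchange: SEND, then ACCEPT.  Returns the accepted principal
 * ("xxx"), or NULL if either frame is refused. */
const char *demo_in_order(void)
{
    static struct auth_client c;
    memset(&c, 0, sizeof c);
    if (auth_feed_frame(&c, send_frame, sizeof send_frame) != AUTH_OK) return NULL;
    if (auth_feed_frame(&c, accept_frame, sizeof accept_frame) != AUTH_OK) return NULL;
    return c.principal;
}
```

The design point is that the order check lives in the message handler, keyed on whether per-session state exists, so the ACCEPT path can never reach a library call with uninitialised state; the same check also makes an ACCEPT that follows a REJECT fail, since REJECT clears the session.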