Date:      Sat, 26 Nov 2022 11:27:56 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 268002] kadmind kadm_chpass_with_key crash if client sends bogus KRB5_NT_ENTERPRISE_PRINCIPAL
Message-ID:  <bug-268002-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268002

            Bug ID: 268002
           Summary: kadmind kadm_chpass_with_key crash if client sends
                    bogus KRB5_NT_ENTERPRISE_PRINCIPAL
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #238353 mime type: text/plain

Created attachment 238353
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238353&action=edit
crash kadmind with a malformed principal

_hdb_fetch_kvno() returns error KRB5_PARSE_MALFORMED if the client
sends kadmind a kadm_chpass_with_key request with a principal type of
KRB5_NT_ENTERPRISE_PRINCIPAL but otherwise malformed:

    if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
        if (principal->name.name_string.len != 1) {
            ret = KRB5_PARSE_MALFORMED;

kadm5_s_chpass_principal_with_key() ignores that error, leaving a NULL
ent.entry.principal:

    ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 0,
                                      HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent);
    if(ret == HDB_ERR_NOENTRY)
        goto out;

Later, _hdb_store() &c try to use that NULL principal and crash.

I've attached a demo. It requires the user to have run kinit, and to
have "all" permissions in /var/heimdal/kadmind.acl.

# cc kadmind17b.c -lkrb5
# ./a.out

#0  copy_NAME_TYPE (from=0x0, to=0x7be685f78) at asn1_krb5_asn1.c:98
#1  0x00000007c593a638 in copy_PrincipalName (from=0x0, to=0x7be685f78)
    at asn1_krb5_asn1.c:1007
#2  0x00000007c593aa42 in copy_Principal (from=0x0, to=0x7be685f78)
    at asn1_krb5_asn1.c:1152
#3  0x00000007c1f82a86 in hdb_principal2key (context=0x7cd4bee10, p=0x0,
    key=0x7be685fd0) at /usr/rtm/symbsd/src/crypto/heimdal/lib/hdb/common.c:43
#4  0x00000007c1f82f28 in _hdb_store (context=0x7cd4bee10, db=0x7cd504ab0,
    flags=2, entry=0x7be686028)
    at /usr/rtm/symbsd/src/crypto/heimdal/lib/hdb/common.c:310
#5  0x00000007c03b6208 in kadm5_s_chpass_principal_with_key (
    server_handle=0x7cd5044c0, princ=<optimized out>, n_key_data=0,
    key_data=0x7cd515ef0)
    at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/chpass_s.c:188
#6  0x00000007c03b627e in kadm5_chpass_principal_with_key (server_handle=0x0,
    princ=0x7be685f78, n_key_data=0, key_data=0xfe7c1e8a54748e96)
    at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/common_glue.c:54
#7  0x000000073db669b0 in kadmind_dispatch (kadm_handlep=0x7cd5044c0,
    initial=<optimized out>, in=<optimized out>, out=0x7be6862f8)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:324
#8  0x000000073db65f9e in v5_loop (contextp=<optimized out>,

-- 
You are receiving this mail because:
You are the assignee for the bug.
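The error-handling defect described in the report, as an added illustration that is not the reporter's demo and not Heimdal's code: the struct, constant and function names are constructed stand-ins for the Heimdal ones the report mentions, and the numeric error values are placeholders. The lookup rejects an enterprise principal that does not have exactly one name component, and the caller only treats HDB_ERR_NOENTRY as fatal, so the MALFORMED result falls through to the store step with a NULL principal; the strict variant treats every non-zero lookup result as fatal.

```c
#include <stddef.h>

/* Constructed stand-ins for the Heimdal constants and structs in the report;
 * the numeric values are placeholders, not Heimdal's real error codes. */
#define KRB5_NT_PRINCIPAL            1
#define KRB5_NT_ENTERPRISE_PRINCIPAL 10
#define KRB5_PARSE_MALFORMED         (-1)
#define HDB_ERR_NOENTRY              (-2)

typedef struct { int name_type; size_t ncomponents; } PrincipalName;
typedef struct { PrincipalName name; } Principal;
typedef struct { const Principal *principal; } hdb_entry_ex;

enum { RESULT_STORED = 0, RESULT_REJECTED = 1, RESULT_NULL_DEREF = 2 };

/* Models _hdb_fetch_kvno(): an enterprise principal must carry exactly one
 * name component. On every error the entry is left with principal == NULL. */
static int fetch_kvno(const Principal *p, hdb_entry_ex *ent)
{
    ent->principal = NULL;
    if (p->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL &&
        p->name.ncomponents != 1)
        return KRB5_PARSE_MALFORMED;
    if (p->name.ncomponents == 0)
        return HDB_ERR_NOENTRY;      /* no such entry in the database */
    ent->principal = p;              /* stand-in for the fetched row */
    return 0;
}

/* Handles one chpass_with_key request the way kadm5_s_chpass_principal_with_key()
 * does. With strict_errors == 0 only HDB_ERR_NOENTRY aborts, as in the report,
 * so a MALFORMED result reaches the store step with ent.principal == NULL
 * (flagged as RESULT_NULL_DEREF instead of dereferenced). With strict_errors
 * != 0 every non-zero fetch result aborts before the store, which is the fix. */
static int chpass(int name_type, size_t ncomponents, int strict_errors)
{
    Principal p = { { name_type, ncomponents } };
    hdb_entry_ex ent;
    int ret = fetch_kvno(&p, &ent);
    if (ret == HDB_ERR_NOENTRY || (strict_errors && ret != 0))
        return RESULT_REJECTED;
    if (ent.principal == NULL)       /* _hdb_store() would crash here */
        return RESULT_NULL_DEREF;
    return RESULT_STORED;
}
```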
