MIT krb5 Security Advisory 2009-002 - An ASN.1 decoder can free an uninitialized pointer when decoding an invalid encoding. This can cause a Kerberos application to crash, or, under theoretically possible but unlikely circumstances, execute arbitrary malicious code.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2009-002
MIT krb5 Security Advisory 2009-002
Original release: 2009-04-07
Last update: 2009-04-07
Topic: ASN.1 decoder frees uninitialized pointer
[CVE-2009-0846]
ASN.1 GeneralizedTime decoder can free uninitialized pointer
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 10
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSSv2 Temporal Score: 7.8
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
=======
[CVE-2009-0846]
An ASN.1 decoder can free an uninitialized pointer when decoding an
invalid encoding. This can cause a Kerberos application to crash, or,
under theoretically possible but unlikely circumstances, execute
arbitrary malicious code. No exploit is known to exist that would
cause arbitrary code execution.
This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.
IMPACT
======
[CVE-2009-0846] An unauthenticated, remote attacker could cause a
Kerberos application, including the Kerberos administration daemon
(kadmind) or the KDC, to crash, and possibly to execute arbitrary code.
Compromise of the KDC or kadmind can compromise the Kerberos key
database and host security on the KDC host. (The KDC and kadmind
typically run as root.) We believe this scenario is highly unlikely,
given the details of the vulnerability.
Third-party applications using MIT krb5 may also be vulnerable.
MITIGATING FACTORS
==================
While it is theoretically possible for an attacker to execute
arbitrary code by exploiting this vulnerability, it is believed to be
more difficult than exploiting other sorts of memory management flaws
such as double-free or heap buffer overflow events. Also, in order to
exploit this vulnerability to remotely execute code, an attacker must
ensure that the uninitialized pointer points to valid address space,
otherwise a null-dereference crash will typically occur.
Some operating systems have hardened malloc implementations that are
not susceptible to this problem. These operating systems are still
vulnerable to a denial of service if the uninitialized pointer points
to invalid address space.
AFFECTED SOFTWARE
=================
* All MIT krb5 releases
* Third-party software using the krb5 library from MIT krb5 releases
FIXES
=====
* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for
this vulnerability.
* Apply the patch
diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
index aa4be32..5f7461d 100644
- --- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
if(length != 15) return ASN1_BAD_LENGTH;
retval = asn1buf_remove_charstring(buf,15,&s);
+ if (retval) return retval;
/* Time encoding: YYYYMMDDhhmmssZ */
if(s[14] != 'Z') {
free(s);
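Review bot: the added `if (retval) return retval;` is the right fix, since a failing `asn1buf_remove_charstring(buf,15,&s)` leaves `s` unassigned and the following `s[14]` read and `free(s)` would otherwise operate on an uninitialized pointer; as defense in depth, also initialize `s` to NULL at its declaration so any future path that reaches `free(s)` without a successful allocation degrades to a harmless `free(NULL)` instead of undefined behaviour. Minor style point: the new line is written `if (retval)` while the surrounding code writes `if(length != 15)`.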
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 0ff9343..1c427d1 100644
- --- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -485,6 +485,22 @@ int main(argc, argv)
ktest_destroy_keyblock(&(ref.subkey));
ref.seq_number = 0;
decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+ if (retval) {
+ com_err("krb5_decode_test", retval, "while parsing");
+ exit(1);
+ }
+ retval = decode_krb5_ap_rep_enc_part(&code, &var);
+ if (retval != ASN1_OVERRUN) {
+ printf("ERROR: ");
+ } else {
+ printf("OK: ");
+ }
+ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+ krb5_free_data_contents(test_context, &code);
+ krb5_free_ap_rep_enc_part(test_context, var);
+
ktest_empty_ap_rep_enc_part(&ref);
}
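Review bot: on the expected failure path `decode_krb5_ap_rep_enc_part(&code, &var)` returns ASN1_OVERRUN, yet the hunk then calls `krb5_free_ap_rep_enc_part(test_context, var);` unconditionally; nothing visible here sets `var` to NULL before the call or shows the decoder clearing `*var` on error, so if `var` still holds a pointer from an earlier decode this regression test would free it a second time. Suggest `var = NULL;` before the decode, or guarding the free. Also, the mismatch branch only prints `ERROR: ` and continues, so a regression would not change the program's exit status; counting failures or exiting non-zero would let a test runner catch it.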
This patch is also available at
http://web.mit.edu/kerberos/advisories/2009-002-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2009-002-patch.txt.asc
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-002.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2009-0846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846
CERT: VU#662091
http://www.kb.cert.org/vuls/id/662091
CONTACT
=======
The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>
DETAILS
=======
The asn1_decode_generaltime() function, which decodes DER encodings of
the ASN.1 type "GeneralizedTime", can free an uninitialized pointer.
This can cause a Kerberos application to crash, or, under
theoretically possible but unlikely circumstances, execute arbitrary
malicious code. No exploit is known to exist that would cause
arbitrary code execution.
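The decoder path the advisory describes, as an added example that is not MIT's code: a simplified model of krb5's length-bounded asn1buf and of asn1_decode_generaltime() with the patch's return-value check in place. The asn1buf struct, asn1buf_remove_charstring(), the numeric error-code values, decode_time_from() and SAMPLE_TIME are assumptions of this example; the 15-byte timestamp is the one in the advisory's test vector. The truncated-buffer call reproduces the inconsistent-length case the regression test constructs, and returns ASN1_OVERRUN instead of touching an unassigned pointer.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Result codes: names follow the advisory's patch, values are assumed here. */
enum { ASN1_OK = 0, ASN1_BAD_LENGTH, ASN1_OVERRUN, ASN1_BAD_FORMAT };

/* Bounded input buffer standing in for krb5's asn1buf (simplified model). */
typedef struct {
    const char *next;   /* next unread byte */
    const char *bound;  /* one past the last byte the enclosing encoding allows */
} asn1buf;

/* Copy len bytes into a new NUL-terminated string. On ASN1_OVERRUN *s is left
 * untouched, which is why the caller must check the return value before using s. */
static int asn1buf_remove_charstring(asn1buf *buf, size_t len, char **s)
{
    if ((size_t)(buf->bound - buf->next) < len)
        return ASN1_OVERRUN;
    char *out = malloc(len + 1);
    if (out == NULL)
        return ENOMEM;
    memcpy(out, buf->next, len);
    out[len] = '\0';
    buf->next += len;
    *s = out;
    return ASN1_OK;
}

/* Parse n ASCII digits at p; the caller has already validated them. */
static int digits(const char *p, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++)
        v = v * 10 + (p[i] - '0');
    return v;
}

/* Days since 1970-01-01 for a Gregorian date (Hinnant's days_from_civil),
 * used instead of timegm() so the example needs no platform extension. */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153u * (unsigned)(m + (m > 2 ? -3 : 9)) + 2) / 5 + (unsigned)d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long)doe - 719468;
}

/* Decode a DER GeneralizedTime body YYYYMMDDhhmmssZ (the only form Kerberos
 * uses) into a time_t. `length` is the length octet already read from the header. */
int decode_generaltime(asn1buf *buf, size_t length, time_t *val)
{
    char *s = NULL;  /* defence in depth; the original code left s uninitialized */
    int retval;

    if (length != 15)
        return ASN1_BAD_LENGTH;
    retval = asn1buf_remove_charstring(buf, 15, &s);
    if (retval)      /* the check the advisory's patch adds: s is not valid here */
        return retval;

    /* Time encoding: YYYYMMDDhhmmssZ */
    if (s[14] != 'Z') {
        free(s);
        return ASN1_BAD_FORMAT;
    }
    for (int i = 0; i < 14; i++) {
        if (s[i] < '0' || s[i] > '9') {
            free(s);
            return ASN1_BAD_FORMAT;
        }
    }
    int year = digits(s, 4), mon = digits(s + 4, 2), day = digits(s + 6, 2);
    int hour = digits(s + 8, 2), min = digits(s + 10, 2), sec = digits(s + 12, 2);
    free(s);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hour > 23 || min > 59 || sec > 59)
        return ASN1_BAD_FORMAT;
    *val = (time_t)days_from_civil(year, mon, day) * 86400 + hour * 3600 + min * 60 + sec;
    return ASN1_OK;
}

/* `avail` is how many bytes the enclosing encoding really provides, `length`
 * what the GeneralizedTime header claims; length > avail is the case the
 * advisory's regression test builds by shrinking the outer length octets. */
int decode_time_from(const char *bytes, size_t avail, size_t length, time_t *val)
{
    asn1buf buf = { bytes, bytes + avail };
    return decode_generaltime(&buf, length, val);
}

/* Constructed sample: the timestamp bytes from the advisory's test vector. */
const char SAMPLE_TIME[] = "19940610060317Z";

int main(void)
{
    time_t t = 0;
    int rc = decode_time_from(SAMPLE_TIME, 15, 15, &t);
    printf("full buffer: rc=%d time=%ld\n", rc, (long)t);
    rc = decode_time_from(SAMPLE_TIME, 4, 15, &t);
    printf("truncated buffer: rc=%d (ASN1_OVERRUN=%d)\n", rc, ASN1_OVERRUN);
    return 0;
}
```

The full-buffer call yields 771228197, which is 1994-06-10 06:03:17 UTC; with only 4 bytes available the same 15-byte claim stops at ASN1_OVERRUN before any pointer is read or freed.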
REVISION HISTORY
================
2009-04-07 original release
Copyright (C) 2009 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
iQCVAgUBSduVcabDgE/zdoE9AQI+OgQApBBzBcQYG2GfuPIvZhwhJlvaWzSAQpb4
lYgScNNihKVs+xQF8vE5omSXSC/uaRkb5pGd0sa+LAmNCCjwNGT13f5TB6fAKTwS
MRxmJ6whZGTz+3myihBa/pac14hE0q4XTRw/BgCv4lL1B94/K9FyAFSsAWkkV/Mr
H1P8smh5svk=
=z9B1
-----END PGP SIGNATURE-----