
[UNIX] MIT Kerberos ASN.1 Decoder DoS

Subject: [UNIX] MIT Kerberos ASN.1 Decoder DoS
Date: 2 Sep 2004 14:20:31 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  MIT Kerberos ASN.1 Decoder DoS
------------------------------------------------------------------------


SUMMARY

The ASN.1 decoder library in the MIT Kerberos 5 distribution is vulnerable 
to a denial-of-service attack causing an infinite loop in the decoder. The 
KDC is vulnerable to this attack.

DETAILS

Affected Software:
 * KDC software and applications from MIT Kerberos 5 releases krb5-1.2.2 
through krb5-1.3.4.

 * Applications using the MIT krb5 libraries from the above releases.

Details:
The ASN.1 decoder in the MIT krb5 library handles indefinite-length BER 
encodings for the purpose of backwards compatibility with some 
non-conformant implementations. The ASN.1 decoders call asn1buf_sync() to 
skip any trailing unrecognized fields in the encoding of a SEQUENCE type. 
asn1buf_sync() calls asn1buf_skiptail() if the ASN.1 SEQUENCE type being 
decoded was encoded with an indefinite length. asn1buf_sync() is provided 
with a prefetched BER tag; the prefetching code supplies a placeholder tag 
in the case where there are no more octets in a sub-encoding.

The loop in asn1buf_skiptail() which attempts to skip trailing 
sub-encodings of an indefinite-length SEQUENCE type does not properly 
check for end-of-subbuffer conditions or for the placeholder tag, leading 
to an infinite loop. Valid BER encodings cannot cause this condition; 
however, it is trivial to construct a corrupt encoding which will trigger 
the infinite loop.
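To make the failure mode concrete, here is an added C model of the skip-trailing-fields loop the advisory describes. It is not krb5's asn1buf.c: the buffer layout (an inclusive `bound` pointer, the `buf->bound - buf->next + 1` remaining-octet expression) follows the advisory's patch, but the tag reader, the return codes and the `ASN1_LOOPCAP` iteration cap are constructed for this example so that the unguarded variant returns instead of hanging. The byte strings are constructed sample encodings.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not krb5's asn1buf.c) of asn1buf_skiptail().
 * Return codes are local to this example. */
#define ASN1_OK       0
#define ASN1_OVERRUN  1
#define ASN1_LOOPCAP  2   /* example-only: iteration cap hit, stands in for "hangs forever" */

struct asn1buf {
    const unsigned char *next;   /* next octet to read */
    const unsigned char *bound;  /* last valid octet, inclusive (as in the krb5 patch) */
};

struct tag {
    int indef;      /* length octet was 0x80: indefinite-length constructed value */
    int eoc;        /* 0x00 0x00 end-of-contents marker */
    size_t len;     /* definite content length (short form only in this model) */
};

/* Read one identifier+length pair.  When no octets remain this mirrors the
 * advisory's prefetching code: a placeholder tag is produced, nothing is
 * consumed, and no error is raised. */
static int get_tag(struct asn1buf *buf, struct tag *t)
{
    t->indef = 0; t->eoc = 0; t->len = 0;
    if (buf->bound - buf->next + 1 <= 0)
        return ASN1_OK;                     /* placeholder tag */
    unsigned char id = *buf->next++;
    if (buf->bound - buf->next + 1 <= 0)
        return ASN1_OVERRUN;                /* identifier without a length octet */
    unsigned char l = *buf->next++;
    if (id == 0x00 && l == 0x00) { t->eoc = 1; return ASN1_OK; }
    if (l == 0x80) { t->indef = 1; return ASN1_OK; }
    if (l & 0x80) return ASN1_OVERRUN;      /* long-form lengths not modelled here */
    t->len = l;
    return ASN1_OK;
}

/* Skip the remaining sub-encodings of an indefinite-length SEQUENCE.
 * guard == 0 reproduces the unpatched loop (no end-of-subbuffer check);
 * guard != 0 applies the check the advisory's patch adds at the loop head. */
static int skiptail(struct asn1buf *buf, int guard)
{
    int nestlevel = 1;
    int iterations = 0;
    struct tag t;
    while (nestlevel > 0) {
        if (guard && buf->bound - buf->next + 1 <= 0)
            return ASN1_OVERRUN;            /* the patched behaviour */
        if (++iterations > 1000)
            return ASN1_LOOPCAP;            /* example-only cap so the demo returns */
        int rv = get_tag(buf, &t);
        if (rv) return rv;
        if (t.eoc)   { nestlevel--; continue; }
        if (t.indef) { nestlevel++; continue; }
        /* definite-length element: skip its contents if they fit */
        if ((size_t)(buf->bound - buf->next + 1) < t.len) return ASN1_OVERRUN;
        buf->next += t.len;                 /* a placeholder tag advances by 0 */
    }
    return ASN1_OK;
}

static int skip_bytes(const unsigned char *data, size_t len, int guard)
{
    struct asn1buf b = { data, data + len - 1 };   /* len must be > 0 */
    return skiptail(&b, guard);
}

/* Constructed sample: one OCTET STRING then end-of-contents. */
static int demo_valid(void)
{
    static const unsigned char enc[] = { 0x04, 0x01, 0xAA, 0x00, 0x00 };
    return skip_bytes(enc, sizeof enc, 1);
}

/* Constructed sample: nested indefinite SEQUENCE, both levels terminated. */
static int demo_nested_valid(void)
{
    static const unsigned char enc[] = { 0x30, 0x80, 0x04, 0x01, 0xAA,
                                         0x00, 0x00, 0x00, 0x00 };
    return skip_bytes(enc, sizeof enc, 1);
}

/* Constructed corrupt sample: the end-of-contents octets are missing, so the
 * placeholder tag is produced on every iteration and nothing advances. */
static int demo_truncated(int guard)
{
    static const unsigned char enc[] = { 0x04, 0x01, 0xAA };
    return skip_bytes(enc, sizeof enc, guard);
}

int main(void)
{
    printf("valid            -> %d\n", demo_valid());
    printf("nested valid     -> %d\n", demo_nested_valid());
    printf("truncated, unpatched -> %d (loop cap hit)\n", demo_truncated(0));
    printf("truncated, patched   -> %d (ASN1_OVERRUN)\n", demo_truncated(1));
    return 0;
}
```

The truncated input never matches a valid encoding, which is the advisory's point: a well-formed BER stream always reaches an end-of-contents marker, while a corrupt one leaves the loop reading a zero-width placeholder tag forever unless the remaining-octet check is evaluated before each tag read.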

Impact:
 * An unauthenticated remote attacker can cause a KDC or application 
server to hang inside an infinite loop. [CAN-2004-0644]

 * An attacker impersonating a legitimate KDC or application server may 
cause a client program to hang inside an infinite loop. [CAN-2004-0644]

Fixes:
* The upcoming krb5-1.3.5 release will contain fixes for these problems.

* Apply the appropriate patch referenced below, and rebuild the software.

Patches available:
* Patch against krb5-1.3.4 (should apply to earlier krb5-1.3.x releases)

* Patch against krb5-1.2.8 (should apply to releases krb5-1.2.2 through 
krb5-1.2.7 as well)

Patch Against krb5-1.3.4:
* This patch was generated against krb5-1.3.4; it may apply, with some 
offset, to earlier krb5-1.3.x releases.

This patch may also be found at:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt

The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt.asc

Index: src/lib/krb5/asn.1/asn1buf.c
 ===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.24
*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24
--- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:43:47 -0000
***************
*** 122,127 ****
--- 122,129 ----
        return ASN1_OVERRUN;
    }
    while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
      retval = asn1_get_tag_2(buf, &t);
      if (retval) return retval;
      if (!t.indef) {
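Review bot: the added guard at the head of the `while (nestlevel > 0)` loop only covers the end-of-subbuffer case; the placeholder tag that the advisory says the prefetching code supplies when a sub-encoding is exhausted is not checked anywhere in this hunk, so it should be confirmed that `asn1_get_tag_2()` cannot return that placeholder with zero octets consumed once `buf->bound - buf->next + 1` is positive, otherwise a second guard on the tag itself is needed. A short comment on the `+ 1` (that `bound` is inclusive) would also keep the expression from being "simplified" to `buf->bound - buf->next <= 0` later.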

Patch Against krb5-1.2.8:
* This patch was generated against krb5-1.2.8; it may apply, with some 
offset, to releases krb5-1.2.2 through krb5-1.2.7. You are strongly 
encouraged to update to a release from the krb5-1.3.x series.

This patch may also be found at:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt

The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt.asc

Index: src/lib/krb5/asn.1/asn1buf.c
 ===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.19.2.1
diff -c -r5.19.2.1 asn1buf.c
*** src/lib/krb5/asn.1/asn1buf.c 31 Jan 2001 18:00:12 -0000 5.19.2.1
--- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:54:50 -0000
***************
*** 140,145 ****
--- 140,147 ----
        return ASN1_OVERRUN;
    }
    while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
      retval = asn1_get_tag_indef(buf, &class, &construction, &tagnum,
                                &taglen, &tagindef);
      if (retval) return retval;
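Review bot: this is the same two-line guard as the 1.3.4 patch, but here the tag is read by `asn1_get_tag_indef()` with separate `taglen` and `tagindef` outputs rather than a single tag struct, so the review question is the same and the answer may differ: with zero octets remaining the guard returns `ASN1_OVERRUN`, but nothing in the hunk shows what `asn1_get_tag_indef()` does when exactly one octet remains (an identifier with no length octet). Since the 1.2.x line is only being patched rather than updated, it is worth stating in the advisory that the check is intentionally placed before the tag read so the loop body can never be entered on an empty sub-buffer.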


ADDITIONAL INFORMATION

The information has been provided by Will Fiveash and Nico Williams.
The original article can be found at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



