[Bug 268002] kadmind kadm_chpass_with_key crash if client sends bogus KRB5_NT_ENTERPRISE_PRINCIPAL

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 268002] kadmind kadm_chpass_with_key crash if client sends bogus KRB5_NT_ENTERPRISE_PRINCIPAL"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 26 Nov 2022 11:27:56 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268002

            Bug ID: 268002
           Summary: kadmind kadm_chpass_with_key crash if client sends
                    bogus KRB5_NT_ENTERPRISE_PRINCIPAL
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #238353 text/plain
         mime type:

Created attachment 238353
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238353&action=edit
crash kadmind with a malformed principal

_hdb_fetch_kvno() returns error KRB5_PARSE_MALFORMED if the client
sends kadmind a kadm_chpass_with_key request with a principal type of
KRB5_NT_ENTERPRISE_PRINCIPAL but otherwise malformed:

    if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
        if (principal->name.name_string.len != 1) {
            ret = KRB5_PARSE_MALFORMED;

kadm5_s_chpass_principal_with_key() ignores that error, leaving a NULL
ent.entry.principal:

    ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 0,
                                      HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent);
    if(ret == HDB_ERR_NOENTRY)
        goto out;

Later, _hdb_store() &c try to use that NULL principal and crash.

I've attached a demo. It requires the user to have run kinit, and to
have "all" permissions in /var/heimdal/kadmind.acl.

# cc kadmind17b.c -lkrb5
# ./a.out

#0  copy_NAME_TYPE (from=0x0, to=0x7be685f78) at asn1_krb5_asn1.c:98
#1  0x00000007c593a638 in copy_PrincipalName (from=0x0, to=0x7be685f78)
    at asn1_krb5_asn1.c:1007
#2  0x00000007c593aa42 in copy_Principal (from=0x0, to=0x7be685f78)
    at asn1_krb5_asn1.c:1152
#3  0x00000007c1f82a86 in hdb_principal2key (context=0x7cd4bee10, p=0x0, 
    key=0x7be685fd0) at /usr/rtm/symbsd/src/crypto/heimdal/lib/hdb/common.c:43
#4  0x00000007c1f82f28 in _hdb_store (context=0x7cd4bee10, db=0x7cd504ab0, 
    flags=2, entry=0x7be686028)
    at /usr/rtm/symbsd/src/crypto/heimdal/lib/hdb/common.c:310
#5  0x00000007c03b6208 in kadm5_s_chpass_principal_with_key (
    server_handle=0x7cd5044c0, princ=<optimized out>, n_key_data=0, 
    key_data=0x7cd515ef0)
    at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/chpass_s.c:188
#6  0x00000007c03b627e in kadm5_chpass_principal_with_key (server_handle=0x0, 
    princ=0x7be685f78, n_key_data=0, key_data=0xfe7c1e8a54748e96)
    at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/common_glue.c:54
#7  0x000000073db669b0 in kadmind_dispatch (kadm_handlep=0x7cd5044c0, 
    initial=<optimized out>, in=<optimized out>, out=0x7be6862f8)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:324
#8  0x000000073db65f9e in v5_loop (contextp=<optimized out>,

-- 
You are receiving this mail because:
You are the assignee for the bug.