[Bug 267097] NULL dereference in telnet kerberos5_reply()

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 15 Oct 2022 18:20:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267097

            Bug ID: 267097
           Summary: NULL dereference in telnet kerberos5_reply()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #237350 mime type: text/plain

Created attachment 237350
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237350&action=edit
Fake telnet server that causes telnet to dereference NULL in kerberos5_reply()

In this code in kerberos5_reply() in contrib/telnet/libtelnet/kerberos5.c:

        ret = krb5_auth_con_getlocalsubkey (context,
                                            auth_context,
                                            &keyblock);
        if(ret) {
           ...;
           return;
        }
        ...;
        skey.data = keyblock->keyvalue.data;

krb5_auth_con_getlocalsubkey() returns 0 (success) if
auth_context->local_subkey is NULL, but also sets keyblock to NULL. So
the subsequent keyblock->keyvalue crashes. This can happen if the
server sends IAC SB AUTHENTICATION messages in an unexpected order.

Here's a toy server that demonstrates the problem:

% cc telnet17b.c
% sudo ./a.out &
% telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
[ Trying KERBEROS5 (host/localhost@EXAMPLE.ORG)... ]
Kerberos V5: mk_req failed (open(/tmp/krb5cc_5272): No such file or directory)
[ Kerberos V5 accepts you ]
Segmentation fault

(gdb) where
#0  0x0000000001042d35 in kerberos5_reply (ap=0x1048258 <authenticators+56>, 
    data=<optimized out>, cnt=<optimized out>)
    at /usr/src/contrib/telnet/libtelnet/kerberos5.c:634
#1  0x000000000103f776 in auth_reply (data=<optimized out>, 
    cnt=<optimized out>) at /usr/src/contrib/telnet/libtelnet/auth.c:491
#2  0x0000000001039a51 in suboption ()
    at /usr/src/contrib/telnet/telnet/telnet.c:944
#3  0x000000000103900d in telrcv ()
    at /usr/src/contrib/telnet/telnet/telnet.c:1885
#4  0x0000000001039f03 in Scheduler (block=block@entry=1)
    at /usr/src/contrib/telnet/telnet/telnet.c:2098
#5  0x0000000001039daa in telnet (user=user@entry=0x7fffffffec10 "rtm")
    at /usr/src/contrib/telnet/telnet/telnet.c:2163
#6  0x0000000001033043 in tn (argc=<optimized out>, argc@entry=2, 
    argv=<optimized out>, argv@entry=0x7fffffffe760)
    at /usr/src/contrib/telnet/telnet/commands.c:2492
#7  0x0000000001036062 in main (argc=1, argv=<optimized out>)
    at /usr/src/contrib/telnet/telnet/main.c:370

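A hardened version of the subkey step, written here as an added example rather than taken from the report or the FreeBSD tree; the model_* types and model_getlocalsubkey() are constructed stand-ins for the Heimdal API that reproduce the behaviour described above (success with a NULL keyblock when no subkey was negotiated), so the check can be exercised without a KDC or a telnet server.

```c
/* Added example, not code from the bug report or the FreeBSD tree: a hardened
 * version of the subkey step in kerberos5_reply(). The model_* types and
 * model_getlocalsubkey() are constructed stand-ins for the Heimdal API that
 * reproduce the reported behaviour: return 0 with *out == NULL if no subkey. */
#include <stdlib.h>

typedef struct { size_t length; void *data; } model_data;
typedef struct { model_data keyvalue; } model_keyblock;
typedef struct { model_keyblock *local_subkey; } model_auth_context;

/* Stand-in for krb5_auth_con_getlocalsubkey(): copies the subkey, or reports
 * success while handing back NULL when local_subkey was never set. */
static int model_getlocalsubkey(model_auth_context *ac, model_keyblock **out)
{
    if (ac->local_subkey == NULL) {
        *out = NULL;
        return 0;
    }
    if ((*out = malloc(sizeof **out)) == NULL)
        return -1;
    **out = *ac->local_subkey;        /* shallow copy is enough here */
    return 0;
}

/* The report's code checks only ret before reading keyblock->keyvalue. The
 * hardened form also rejects a NULL keyblock, so a server sending the
 * AUTHENTICATION suboptions out of order fails authentication, no crash. */
static int session_key_from_subkey(model_auth_context *ac, model_data *skey)
{
    model_keyblock *keyblock = NULL;
    int ret = model_getlocalsubkey(ac, &keyblock);
    if (ret != 0 || keyblock == NULL)
        return -1;                    /* no negotiated subkey: reject */
    *skey = keyblock->keyvalue;
    free(keyblock);
    return 0;
}

/* Scenario helper: with_key == 0 models the crash case (no subkey negotiated).
 * Returns -1 when rejected, otherwise the length of the copied key. */
static int demo(int with_key)
{
    static unsigned char kv[4] = { 1, 2, 3, 4 };
    model_keyblock kb = { { sizeof kv, kv } };
    model_auth_context ac = { with_key ? &kb : NULL };
    model_data skey = { 0, NULL };
    if (session_key_from_subkey(&ac, &skey) != 0)
        return -1;
    return (int)skey.length;          /* demo(0) -> -1, demo(1) -> 4 */
}
```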