Bug 1117963
| Field | Value |
|---|---|
| Summary | CVE-2014-4343: use-after-free crash in SPNEGO |
| Product | Fedora |
| Component | krb5 |
| Version | 20 |
| Status | CLOSED ERRATA |
| Reporter | David Woodhouse <dwmw2> |
| Assignee | Nalin Dahyabhai <nalin> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | nalin, nathaniel, ssorce |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Fixed In Version | krb5-1.11.5-10.fc20 |
| Bug Blocks | 1121789 |
| Last Closed | 2014-08-07 15:26:57 UTC |
Description
David Woodhouse
2014-07-09 17:32:06 UTC
Is there a way to easily use Wireshark's dissectors (or something else) to interpret SPNEGO packets? Other than faking a real Ethernet packet capture of an HTTP exchange by using 'nc' and 'nc -l'...

The first request is:

```
[truncated]
Authorization: Negotiate YIIP1wYGKwYBBQUCoIIPyzCCD8egF...

GSS-API Generic Security Service Application Program Interface
    OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
    Simple Protected Negotiation
        negTokenInit
            mechTypes: 2 items
                MechType: 1.3.6.1.5.2.5 (iso.3.6.1.5.2.5)
                MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
            mechToken: 60820fa306062b060105020505013016a11404124745522e...
```

The response from the server (after which we give up) is:

```
WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=\r\n

GSS-API Generic Security Service Application Program Interface
    Simple Protected Negotiation
        negTokenTarg
            negResult: Unknown (3)
            supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
```

It's *telling* us to try NTLMSSP. Why didn't we?

That 'unknown' negResult is, if I'm reading RFC4178 correctly, 'request-mic'. Is that the problem? I see recent changes in gssntlmssp and krb5 to handle MIC generation...

(Simo, note that I'm testing this with the unhacked package in Fedora and $NTLM_USER_FILE set; not my patches to make it use winbind, which don't support MIC generation).

Fixed (slightly unexpectedly) by http://david.woodhou.se/krb5-fix-spnego-double-free.patch

In trying to reproduce, I could only get a crash in gss_delete_sec_context(). And once that was fixed, so was this.
```
==31436== Invalid free() / delete / delete[] / realloc()
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900D6A7: generic_gss_release_oid_set (gssapi_alloc.h:93)
==31436==    by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
==31436==    by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
==31436==    by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
==31436==  Address 0x4fb55a0 is 0 bytes inside a block of size 9 free'd
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900C881: generic_gss_release_oid (oid_ops.c:102)
==31436==    by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
==31436==    by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)
```

http://mailman.mit.edu/pipermail/krbdev/2014-July/012079.html

krb5-1.11.5-9.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/FEDORA-2014-8189/krb5-1.11.5-9.fc20

krb5-1.11.3-23.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19

Package krb5-1.11.3-23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.3-23.fc19'
```

as soon as you are able to, then reboot. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19
then log in and leave karma (feedback).

krb5-1.11.3-24.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

krb5-1.11.5-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
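An added decoder, not part of this bug or of krb5, for the negTokenTarg token the server returned in the description above: it walks the DER structure per RFC 4178 section 4.2.2, maps negState 3 to request-mic (which Wireshark printed as "Unknown (3)") and resolves the supportedMech OID to NTLMSSP. The mechanism-name table and the function names are assumptions of the example.

```python
import base64

# RFC 4178 NegState values; Wireshark labelled 3 as "Unknown (3)", it is request-mic.
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
# Mechanism OIDs named for readability (assumed lookup table, not from the bug).
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.3.6.1.5.2.5": "IAKERB",
               "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# The server token quoted in the bug description (WWW-Authenticate: Negotiate ...).
SERVER_TOKEN = "oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo="

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end

def decode_oid(raw):
    """Decode DER OID contents (base-128 sub-identifiers) to dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this sub-identifier
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_neg_token_resp(b64):
    """Decode a base64 SPNEGO negTokenResp (Wireshark: negTokenTarg), RFC 4178 4.2.2."""
    buf = base64.b64decode(b64)
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0xA1:                        # NegotiationToken CHOICE [1] negTokenResp
        raise ValueError("not a negTokenResp")
    _, seq, _ = read_tlv(body, 0)          # the SEQUENCE holding the optional fields
    fields, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        inner_tag, inner, _ = read_tlv(val, 0)   # explicit tags wrap a primitive
        if tag == 0xA0 and inner_tag == 0x0A:    # negState [0] ENUMERATED
            fields["negState"] = NEG_STATE.get(inner[0], "unknown(%d)" % inner[0])
        elif tag == 0xA1 and inner_tag == 0x06:  # supportedMech [1] OID
            fields["supportedMech"] = decode_oid(inner)
            fields["supportedMechName"] = KNOWN_MECHS.get(fields["supportedMech"], "unknown")
        elif tag in (0xA2, 0xA3):                # responseToken / mechListMIC OCTET STRING
            fields["responseToken" if tag == 0xA2 else "mechListMIC"] = inner
    return fields
```

Calling `parse_neg_token_resp(SERVER_TOKEN)` yields negState request-mic and supportedMech 1.3.6.1.4.1.311.2.2.10 (NTLMSSP), i.e. the server is asking the client to continue with NTLMSSP and supply a mechListMIC.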