Bug 1121789

Summary: CVE-2014-4343: use-after-free crash in SPNEGO
Product: Red Hat Enterprise Linux 7
Reporter: Nalin Dahyabhai <nalin>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: dpal, dwmw2, extras-qa, nalin, nathaniel, pkis, rmainz, ssorce
Target Milestone: rc
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: krb5-1.12.2-7.el7
Doc Type: Release Note
Clone Of: 1117963
Last Closed: 2015-03-05 10:01:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1117963
Bug Blocks: 1121876

Description Nalin Dahyabhai 2014-07-21 21:23:29 UTC
+++ This bug was initially created as a clone of Bug #1117963 +++

I'm trying to use firefox to authenticate to an internal web site. Like *many* internal web sites, this one doesn't have correct reverse DNS so Kerberos doesn't get the right SPN and fails to get a ticket for it.

That doesn't stop it from trying *something*, and screwing up my NTLM auth that would have succeeded....

First it sends a request with no Authorization: header, gets back a 401 with
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM


Then it sends this:

Authorization: Negotiate [...]

...and gets a 401 back with this:

WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=


If I 'kdestroy' and try again, authentication works just fine with NTLM (via gss-ntlmssp):

Authorization: Negotiate YFEGBisGAQUFAqBHMEWgDjAMBgorBgEEAYI3AgIKojMEMU5UTE1TU1AAAQAAABWyCKADAAMAIAAAAA4ADgAjAAAAR0VSRFdPT0RIT1UtTElOVVg=
WWW-Authenticate: Negotiate oYIBHDCCARigAwoBAaEMBgorBgEEAYI3AgIKooIBAQSB/k5UTE1TU1AAAgAAAAYABgA4AAAAFYKJor3g82gBoEOnAAAAAAAAAADAAMAAPgAAAAYAchcAAAAPQQBNAFIAAgAGAEEATQBSAAEAGABGAE0AUwBQAFMATQBTAE8AVABQADAAMwAEACQAYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0AAwA+AEYATQBTAFAAUwBNAFMATwBUAFAAMAAzAC4AYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0ABQAcAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAHAAgAy44uzpmbzwEAAAAA
Authorization: Negotiate [...]


Quite why firefox doesn't try actual NTLM auth (as opposed to NTLM-in-SPNEGO) after GSSAPI auth fails, I don't know. That should have worked too.

--- Additional comment from David Woodhouse on 2014-07-10 03:24:59 EDT ---

Is there a way to easily use wireshark's dissectors (or something else) to interpret SPNEGO packets? Other than faking a real Ethernet packet capture of an HTTP exchange by using 'nc' and 'nc -l'...

The first request is:
    [truncated] Authorization: Negotiate YIIP1wYGKwYBBQUCoIIPyzCCD8egF...
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            Simple Protected Negotiation
                negTokenInit
                    mechTypes: 2 items
                        MechType: 1.3.6.1.5.2.5 (iso.3.6.1.5.2.5)
                        MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken: 60820fa306062b060105020505013016a11404124745522e...


The response from the server (after which we give up) is:

    WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=\r\n
        GSS-API Generic Security Service Application Program Interface
            Simple Protected Negotiation
                negTokenTarg
                    negResult: Unknown (3)
                    supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)

It's *telling* us to try NTLMSSP. Why didn't we?

That 'unknown' negResult is, if I'm reading RFC4178 correctly, 'request-mic'. Is that the problem? I see recent changes in gssntlmssp and krb5 to handle MIC generation...

(Simo, note that I'm testing this with the unhacked package in Fedora and $NTLM_USER_FILE set; not my patches to make it use winbind which don't support MIC generation).
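
The two complete tokens quoted in this thread (the server's `oRUw...` negTokenResp and the client's `YFEG...` negTokenInit from the working NTLM run) can be read without a fake packet capture. The following is an added example, not code from the bug report, from krb5 or from Wireshark: a minimal DER walker for RFC 4178 NegotiationToken that names negResult 3 as request-mic, the value Wireshark printed as "Unknown (3)". The token strings are copied from the comments above; `initiator_next_step` is my own reading of RFC 4178 section 4.2.2, not krb5's negotiation logic, and the optimistic mech OID 1.3.6.1.5.2.5 passed to it is the first mechType of the truncated first request.

```python
import base64

# negResult values from RFC 4178 section 4.2.2; Wireshark showed value 3 as "Unknown".
NEG_RESULT = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
SPNEGO_OID = "1.3.6.1.5.5.2"

# Tokens copied verbatim from the HTTP exchange quoted in this thread.
SERVER_REQUEST_MIC = "oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo="
CLIENT_NTLM_INIT = ("YFEGBisGAQUFAqBHMEWgDjAMBgorBgEEAYI3AgIKojMEMU5UTE1TU1AAAQAAABWy"
                    "CKADAAMAIAAAAA4ADgAjAAAAR0VSRFdPT0RIT1UtTElOVVg=")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated token")
    return tag, buf[pos:end], end


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_spnego(b64):
    """Decode a base64 SPNEGO token (RFC 4178) into a dict of its named fields."""
    data = base64.b64decode(b64)
    tag, body, _ = _read_tlv(data, 0)
    if tag == 0x60:                         # RFC 2743 InitialContextToken wraps the first token
        oid_tag, oid_raw, pos = _read_tlv(body, 0)
        if oid_tag != 0x06 or _decode_oid(oid_raw) != SPNEGO_OID:
            raise ValueError("not a SPNEGO initial token")
        tag, body, _ = _read_tlv(body, pos)
    if tag == 0xA0:
        return _parse_neg_token_init(body)
    if tag == 0xA1:
        return _parse_neg_token_resp(body)
    raise ValueError("unexpected NegotiationToken tag 0x%02x" % tag)


def _parse_neg_token_init(body):
    _, seq, _ = _read_tlv(body, 0)          # NegTokenInit ::= SEQUENCE
    out = {"type": "negTokenInit", "mechTypes": [], "mechToken": None}
    for tag, val in _iter_tlvs(seq):
        if tag == 0xA0:                     # [0] mechTypes: SEQUENCE OF OID, optimistic mech first
            _, mechs, _ = _read_tlv(val, 0)
            out["mechTypes"] = [_decode_oid(v) for t, v in _iter_tlvs(mechs) if t == 0x06]
        elif tag == 0xA2:                   # [2] mechToken: OCTET STRING (here an NTLMSSP Type 1)
            _, out["mechToken"], _ = _read_tlv(val, 0)
    return out


def _parse_neg_token_resp(body):
    _, seq, _ = _read_tlv(body, 0)          # NegTokenResp ::= SEQUENCE
    out = {"type": "negTokenResp", "negResult": None, "supportedMech": None, "responseToken": None}
    for tag, val in _iter_tlvs(seq):
        if tag == 0xA0:                     # [0] negResult ENUMERATED
            _, enum, _ = _read_tlv(val, 0)
            code = int.from_bytes(enum, "big")
            out["negResult"] = NEG_RESULT.get(code, "unknown(%d)" % code)
        elif tag == 0xA1:                   # [1] supportedMech OID
            _, oid_raw, _ = _read_tlv(val, 0)
            out["supportedMech"] = _decode_oid(oid_raw)
        elif tag == 0xA2:                   # [2] responseToken OCTET STRING
            _, out["responseToken"], _ = _read_tlv(val, 0)
    return out


def initiator_next_step(optimistic_mech, resp):
    """What an initiator should do with a negTokenResp (my reading of RFC 4178 section 4.2.2)."""
    if resp["type"] != "negTokenResp":
        raise ValueError("expected a negTokenResp")
    result, mech = resp["negResult"], resp["supportedMech"] or optimistic_mech
    if result == "reject":
        return {"action": "abort", "mech": None, "mic": False}
    if result == "accept-completed":
        return {"action": "done", "mech": mech, "mic": False}
    # accept-incomplete / request-mic: continue with the mech the acceptor chose. A mech
    # other than the optimistic one starts over from its first message; request-mic also
    # asks the initiator to include a mechListMIC in its next token.
    return {"action": "restart-mech" if mech != optimistic_mech else "continue",
            "mech": mech, "mic": result == "request-mic"}


if __name__ == "__main__":
    print(parse_spnego(SERVER_REQUEST_MIC), parse_spnego(CLIENT_NTLM_INIT), sep="\n")
```

Run stand-alone it prints the two decoded tokens; the server response decodes to negResult request-mic with supportedMech 1.3.6.1.4.1.311.2.2.10 and no responseToken, which is exactly the "try NTLMSSP, and send a MIC" instruction the comment above describes. The same function decodes the longer `oYIB...` challenge response from the working run, since `_read_tlv` handles the two-byte lengths that token uses.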

--- Additional comment from David Woodhouse on 2014-07-10 13:18:38 EDT ---

Fixed (slightly unexpectedly) by http://david.woodhou.se/krb5-fix-spnego-double-free.patch

In trying to reproduce, I could only get a crash in gss_delete_sec_context(). And once that was fixed, so was this.

--- Additional comment from David Woodhouse on 2014-07-14 11:31:46 EDT ---

==31436== Invalid free() / delete / delete[] / realloc()
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900D6A7: generic_gss_release_oid_set (gssapi_alloc.h:93)
==31436==    by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
==31436==    by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
==31436==    by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
==31436==  Address 0x4fb55a0 is 0 bytes inside a block of size 9 free'd
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900C881: generic_gss_release_oid (oid_ops.c:102)
==31436==    by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
==31436==    by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)

http://mailman.mit.edu/pipermail/krbdev/2014-July/012079.html

--- Additional comment from Fedora Update System on 2014-07-17 11:37:05 EDT ---

krb5-1.11.5-9.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/FEDORA-2014-8189/krb5-1.11.5-9.fc20

--- Additional comment from Fedora Update System on 2014-07-17 11:40:02 EDT ---

krb5-1.11.3-23.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19

--- Additional comment from Fedora Update System on 2014-07-19 01:54:52 EDT ---

Package krb5-1.11.3-23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.3-23.fc19'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19
then log in and leave karma (feedback).

Comment 4 errata-xmlrpc 2015-03-05 10:01:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0439.html