Bug 1117963 - CVE-2014-4343: use-after-free crash in SPNEGO
Summary: CVE-2014-4343: use-after-free crash in SPNEGO
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 20
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1121789
Reported: 2014-07-09 17:32 UTC by David Woodhouse
Modified: 2014-08-07 15:32 UTC (History)

Fixed In Version: krb5-1.11.5-10.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1121789
Environment:
Last Closed: 2014-08-07 15:26:57 UTC


Description David Woodhouse 2014-07-09 17:32:06 UTC
I'm trying to use firefox to authenticate to an internal web site. Like *many* internal web sites, this one doesn't have correct reverse DNS so Kerberos doesn't get the right SPN and fails to get a ticket for it.

That doesn't stop it from trying *something*, and screwing up my NTLM auth that would have succeeded....

First it sends a request with no Authorization: header, gets back a 401 with
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM


Then it sends this:

Authorization: Negotiate ...

...and gets a 401 back with this:

WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=


If I 'kdestroy' and try again, authentication works just fine with NTLM (via gss-ntlmssp):

Authorization: Negotiate YFEGBisGAQUFAqBHMEWgDjAMBgorBgEEAYI3AgIKojMEMU5UTE1TU1AAAQAAABWyCKADAAMAIAAAAA4ADgAjAAAAR0VSRFdPT0RIT1UtTElOVVg=
WWW-Authenticate: Negotiate oYIBHDCCARigAwoBAaEMBgorBgEEAYI3AgIKooIBAQSB/k5UTE1TU1AAAgAAAAYABgA4AAAAFYKJor3g82gBoEOnAAAAAAAAAADAAMAAPgAAAAYAchcAAAAPQQBNAFIAAgAGAEEATQBSAAEAGABGAE0AUwBQAFMATQBTAE8AVABQADAAMwAEACQAYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0AAwA+AEYATQBTAFAAUwBNAFMATwBUAFAAMAAzAC4AYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0ABQAcAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAHAAgAy44uzpmbzwEAAAAA
Authorization: Negotiate oYIBhzCCAYOgAwoBAaKCAXoEggF2TlRMTVNTUAADAAAAGAAYAEAAAADsAOwAWAAAAAYABgBEAQAAEAAQAEoBAAAcABwAWgEAAAAAAAB2AQAAFbKJoqmg54V6175b3F8hAp4O98G18JGf7OmnH1KOzKkxo6efI32UX5QveQQBAQAAAAAAAICNRc6Zm88BMnur5cIRXIAAAAAAAgAGAEEATQBSAAEAGABGAE0AUwBQAFMATQBTAE8AVABQADAAMwAEACQAYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0AAwA+AEYATQBTAFAAUwBNAFMATwBUAFAAMAAzAC4AYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0ABQAcAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAHAAgAy44uzpmbzwEAAAAARwBFAFIAZAB3AG8AbwBkAGgAbwB1AEQAVwBPAE8ARABIAE8AVQAtAEwASQBOAFUAWAA=


Quite why firefox doesn't try actual NTLM auth (as opposed to NTLM-in-SPNEGO) after GSSAPI auth fails, I don't know. That should have worked too.

Comment 1 David Woodhouse 2014-07-10 07:24:59 UTC
Is there a way to easily use wireshark's dissectors (or something else) to interpret SPNEGO packets? Other than faking a real Ethernet packet capture of an HTTP exchange by using 'nc' and 'nc -l'...

The first request is:
    [truncated] Authorization: Negotiate YIIP1wYGKwYBBQUCoIIPyzCCD8egF...
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            Simple Protected Negotiation
                negTokenInit
                    mechTypes: 2 items
                        MechType: 1.3.6.1.5.2.5 (iso.3.6.1.5.2.5)
                        MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken: 60820fa306062b060105020505013016a11404124745522e...


The response from the server (after which we give up) is:

    WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=\r\n
        GSS-API Generic Security Service Application Program Interface
            Simple Protected Negotiation
                negTokenTarg
                    negResult: Unknown (3)
                    supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)

It's *telling* us to try NTLMSSP. Why didn't we?

That 'unknown' negResult is, if I'm reading RFC4178 correctly, 'request-mic'. Is that the problem? I see recent changes in gssntlmssp and krb5 to handle MIC generation...

(Simo, note that I'm testing this with the unhacked package in Fedora and $NTLM_USER_FILE set; not my patches to make it use winbind which don't support MIC generation).
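As an added example (not part of this bug report or of the krb5 code), here is a minimal DER walker that decodes the two tokens quoted on this page: the server's negTokenTarg reply above, and the NTLM-only negTokenInit the client sent after kdestroy in the description. It shows the negResult ENUMERATED value 3 mapping to request-mic per RFC 4178 and extracts the supportedMech and mechTypes OIDs, which is what one would check when a client stalls after such a reply; all function names are my own.

```python
import base64
NEG_RESULT = {0: "accept-completed", 1: "accept-incomplete",   # RFC 4178 negResult
              2: "reject", 3: "request-mic"}

def tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = byte count
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def children(seq):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = tlv(seq, pos)
        yield tag, val

def decode_oid(raw):
    """Decode DER OID contents: first byte packs two arcs, then base-128 arcs."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_spnego(token_b64):
    """Decode a base64 'Negotiate' token into its interesting fields."""
    tag, body, _ = tlv(base64.b64decode(token_b64))
    if tag == 0x60:                            # InitialContextToken: OID, then [0] negTokenInit
        _, oid, pos = tlv(body)
        assert decode_oid(oid) == "1.3.6.1.5.5.2", "not a SPNEGO token"
        tag, body, _ = tlv(body, pos)
    kind = {0xA0: "negTokenInit", 0xA1: "negTokenTarg"}[tag]
    out = {"type": kind}
    _, seq, _ = tlv(body)                      # the SEQUENCE inside the [0]/[1] tag
    for ctag, cval in children(seq):
        _, inner, _ = tlv(cval)                # strip the context-specific wrapper
        if kind == "negTokenInit" and ctag == 0xA0:       # mechTypes: SEQUENCE OF OID
            out["mechTypes"] = [decode_oid(v) for _, v in children(inner)]
        elif kind == "negTokenInit" and ctag == 0xA2:     # mechToken: OCTET STRING
            out["mechToken_prefix"] = inner[:8]
        elif kind == "negTokenTarg" and ctag == 0xA0:     # negResult: ENUMERATED
            out["negResult"] = NEG_RESULT.get(inner[0], "unknown(%d)" % inner[0])
        elif kind == "negTokenTarg" and ctag == 0xA1:     # supportedMech: OID
            out["supportedMech"] = decode_oid(inner)
    return out
```

Running parse_spnego on the reply token yields negResult "request-mic" and supportedMech 1.3.6.1.4.1.311.2.2.10; on the post-kdestroy request it yields a single NTLMSSP mechType and a mechToken starting with "NTLMSSP\0".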

Comment 2 David Woodhouse 2014-07-10 17:18:38 UTC
Fixed (slightly unexpectedly) by http://david.woodhou.se/krb5-fix-spnego-double-free.patch

In trying to reproduce, I could only get a crash in gss_delete_sec_context(). And once that was fixed, so was this.

Comment 3 David Woodhouse 2014-07-14 15:31:46 UTC
==31436== Invalid free() / delete / delete[] / realloc()
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900D6A7: generic_gss_release_oid_set (gssapi_alloc.h:93)
==31436==    by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
==31436==    by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
==31436==    by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
==31436==  Address 0x4fb55a0 is 0 bytes inside a block of size 9 free'd
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900C881: generic_gss_release_oid (oid_ops.c:102)
==31436==    by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
==31436==    by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)

http://mailman.mit.edu/pipermail/krbdev/2014-July/012079.html

Comment 4 Fedora Update System 2014-07-17 15:37:05 UTC
krb5-1.11.5-9.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/FEDORA-2014-8189/krb5-1.11.5-9.fc20

Comment 5 Fedora Update System 2014-07-17 15:40:02 UTC
krb5-1.11.3-23.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19

Comment 6 Fedora Update System 2014-07-19 05:54:52 UTC
Package krb5-1.11.3-23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.3-23.fc19'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-08-07 15:26:57 UTC
krb5-1.11.3-24.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-08-07 15:32:40 UTC
krb5-1.11.5-10.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
