From: ghud...@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing
Date: Tue, 15 Nov 2022 11:08:37 -0500
Message-ID: <mailman.126.1668528721.8148.kerberos@mit.edu>


MITKRB5-SA-2022-001

MIT krb5 Security Advisory 2022-001
Original release: 2022-11-15
Last update: 2022-11-15

Topic: Vulnerabilities in PAC parsing

CVE-2022-42898: integer overflow vulnerabilities in PAC parsing

SUMMARY
=======

Three integer overflow vulnerabilities have been discovered in the MIT
krb5 library function krb5_pac_parse().

IMPACT
======

An authenticated attacker may be able to cause a KDC or kadmind
process to crash by reading beyond the bounds of allocated memory,
creating a denial of service. A privileged attacker may similarly be
able to cause a Kerberos or GSS application service to crash.

On a 32-bit platform, an authenticated attacker may be able to cause
heap corruption in a KDC or kadmind process, possibly leading to
remote code execution. A privileged attacker may similarly be able to
cause heap corruption in a Kerberos or GSS application service running
on a 32-bit platform.

An attacker with the privileges of a cross-realm KDC may be able to
extract secrets from a KDC process's memory by having them copied into
the PAC of a new ticket.

AFFECTED SOFTWARE
=================

Kerberos and GSS application services using krb5-1.8 or later are
affected. kadmind in krb5-1.8 or later is affected. The krb5-1.20
KDC is affected. The krb5-1.8 through krb5-1.19 KDC is affected when
using the Samba or FreeIPA KDB modules.

FIXES
=====

* Upcoming releases in the krb5-1.19 and krb5-1.20 series will contain
fixes for these vulnerabilities.

* The patch for krb5-1.20.x is available at

https://web.mit.edu/kerberos/advisories/2022-001-patch-r120.txt

A PGP-signed patch is available at

https://web.mit.edu/kerberos/advisories/2022-001-patch-r120.txt.asc

* The patch for krb5-1.19.x is available at

https://web.mit.edu/kerberos/advisories/2022-001-patch-r119.txt

A PGP-signed patch is available at

https://web.mit.edu/kerberos/advisories/2022-001-patch-r119.txt.asc

REFERENCES
==========

This announcement is posted at:

https://web.mit.edu/kerberos/advisories/MITKRB5-SA-2022-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

https://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

https://web.mit.edu/kerberos/index.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898

ACKNOWLEDGMENTS
===============

One of the integer overflow vulnerabilities was discovered by
oss-fuzz.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.

DETAILS
=======

A PAC (Privilege Attribute Certificate) is a Kerberos authorization
data type specified by Microsoft. PACs are parsed by application
services and KDCs after the PAC is extracted from a decrypted ticket.
Attacking an application service requires a high level of privilege,
as the attacker must possess the long-term key of the service to
insert a crafted invalid PAC into a ticket that the service can
decrypt. To attack a KDC or kadmind, the attacker must possess the
long-term key of a principal in the KDC realm, but does not require a
high level of privilege.

There are three potential overflow vulnerabilities in
krb5_pac_parse():

1. krb5_pac_parse() reads a buffer count from the serialized PAC,
which can be any unsigned 32-bit value. It then computes a header
length from the buffer count, and returns an error if the header
length is larger than the serialized PAC length. If the buffer count
is 2^28 or higher, the header length computation will overflow, and the
result may be less than or equal to the PAC length.

If the header length check is defeated in this manner,
krb5_pac_parse() will attempt to parse metadata for at least 2^28
buffers, exceeding the bounds of the serialized PAC. In most cases,
parsing beyond the end of the PAC will encounter invalid metadata and
the parse operation will fail, with no harmful consequences. In some
cases the process may be terminated with a segmentation violation.

2. krb5_pac_parse() computes a reallocation size based on the buffer
count. If the buffer count is 2^28 or higher, the size computation
will overflow on 32-bit platforms, and the function will allocate
insufficient space to store buffer metadata. On 64-bit platforms the
size computation cannot overflow.

An insufficient storage allocation will result in heap corruption when
buffer metadata is read. The attacker has a significant degree of
control over what data is written beyond the end of the allocated heap
region.

3. For each buffer, krb5_pac_parse() reads a 64-bit offset and a
32-bit length. The function returns an error if the sum of the offset
and length exceeds the length of the serialized PAC. If the sum
exceeds 2^64, the offset and length may be erroneously allowed. A
later read of the buffer may cause the process to crash. If it does
not, the buffer contents may contain secrets located in process
memory. A KDC may copy the invalid buffer into the PAC for a new
ticket, possibly revealing secret information to the attacker.
However, a high level of privilege would be required to conduct such
an attack, as the PAC must be signed by a KDC within the local realm
or a KDC from a realm that the local realm is directly connected to.
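As an added illustration (not code from MIT krb5 or from this advisory), the parser below applies the three checks the cases above call for, using the MS-PAC header layout (an 8-byte PACTYPE header followed by 16-byte PAC_INFO_BUFFER entries: type, length, 64-bit offset). The function names, the 56-byte sample PAC and the malformed variants of it are constructed for this example; wrapping_header_len() reproduces only the 32-bit arithmetic the advisory describes, not the project's actual code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PACTYPE_LENGTH 8          /* cBuffers (4) + Version (4) */
#define PAC_INFO_BUFFER_LENGTH 16 /* ulType (4) + cbBufferSize (4) + Offset (8) */
struct pac_buf { uint32_t type; uint32_t len; uint64_t off; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Case 1 as 32-bit arithmetic: for cBuffers >= 2^28 the product wraps and the result looks tiny. */
uint32_t wrapping_header_len(uint32_t cbuffers) { return PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH; }

/* Overflow-safe parse of the PACTYPE header and buffer table.  Returns the
 * buffer count and sets *out (caller frees), or -1 on a malformed encoding. */
int pac_parse_safe(const uint8_t *pac, size_t pac_len, struct pac_buf **out)
{
    uint32_t cbuffers, i; size_t header_len; struct pac_buf *bufs;
    *out = NULL;
    if (pac_len < PACTYPE_LENGTH) return -1;
    cbuffers = rd32(pac);
    /* Case 1: bound the count by what the PAC can hold *before* multiplying, so header_len
       cannot wrap.  Case 2: the same bound keeps cbuffers * sizeof(*bufs) within size_t on 32-bit. */
    if (cbuffers > (pac_len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH) return -1;
    header_len = PACTYPE_LENGTH + (size_t)cbuffers * PAC_INFO_BUFFER_LENGTH;
    bufs = calloc(cbuffers ? cbuffers : 1, sizeof(*bufs));
    if (bufs == NULL) return -1;
    for (i = 0; i < cbuffers; i++) {
        const uint8_t *p = pac + PACTYPE_LENGTH + (size_t)i * PAC_INFO_BUFFER_LENGTH;
        bufs[i].type = rd32(p); bufs[i].len = rd32(p + 4); bufs[i].off = rd64(p + 8);
        /* Case 3: never form off + len; the 64-bit sum can wrap past 2^64 and pass a
           naive "<= pac_len" test.  Compare the length against the remaining bytes. */
        if (bufs[i].off < header_len || bufs[i].off > pac_len ||
            bufs[i].len > pac_len - bufs[i].off) { free(bufs); return -1; }
    }
    *out = bufs;
    return (int)cbuffers;
}

/* Constructed 56-byte sample (not a real PAC payload): two 4-byte buffers at offsets 40 and 48,
 * with cBuffers and buffer 0's offset/length parameterised so malformed variants can be fed in. */
int check_sample(uint32_t cbuffers, uint64_t off0, uint32_t len0)
{
    uint8_t buf[56] = {0}; struct pac_buf *bufs; int n;
    wr32(buf, cbuffers);                                            /* cBuffers, Version = 0 */
    wr32(buf + 8, 1);  wr32(buf + 12, len0); wr64(buf + 16, off0);  /* buffer 0 */
    wr32(buf + 24, 6); wr32(buf + 28, 4);    wr64(buf + 32, 48);    /* buffer 1 */
    n = pac_parse_safe(buf, sizeof(buf), &bufs);
    free(bufs); return n;
}
```

With the count bounded by the PAC length first, a count of 2^28 is rejected before any arithmetic or allocation, and an offset near 2^64 is rejected by the separate offset and remainder comparisons.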

GSS and Kerberos application services using krb5-1.8 or later will
parse a PAC when an AP-REQ or Kerberos GSS initiator token is received
from a client, if a PAC is contained within the decrypted Kerberos
ticket. To exploit the aforementioned vulnerabilities, an attacker
must be able to construct a ticket that the application service can
decrypt, containing a crafted invalid PAC encoding. Constructing such
a ticket requires possession of a key contained within the service's
keytab file, implying that the attacker already has the privileges of
the application service or the KDC of the service realm.

kadmind is a GSS application service with the special property that it
can decrypt a ticket encrypted in any service key in the database.
After authentication, it checks that the target service has an
appropriate name, but by that time any PAC in the received ticket has
already been parsed. Therefore, it could be attacked by any attacker
who possesses the long-term key of any principal that does not have
the DISALLOW_SVR or DISALLOW_ALL_TIX flags set.

The krb5-1.20 KDC will parse a PAC if one is contained within a TGS
request header ticket or second ticket. As with kadmind, such a
ticket could be crafted using the long-term key of any principal that
does not have the DISALLOW_SVR or DISALLOW_ALL_TIX flags set.

The KDC prior to krb5-1.20 does not parse PACs unless it is used with
a KDB module that implements PACs, such as the Samba or FreeIPA KDB
modules.

REVISION HISTORY
================

2022-11-15 original release

Copyright (C) 2022 Massachusetts Institute of Technology