Vigil@nce - MIT krb5 : use after free via SPNEGO init_ctx_reselect
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a freed memory area in SPNEGO
init_ctx_reselect() of MIT krb5, in order to trigger a denial of
service, and possibly to execute code.
Impacted products : BIG-IP Appliance, Fedora, AIX, MIT krb5,
openSUSE, Ubuntu
Severity : 2/4
Creation date : 28/08/2014
DESCRIPTION OF THE VULNERABILITY
During a Kerberos authentication, in the protocol step named SPNEGO,
the client sends a packet carrying its identity, typically a
username.
However, a man-in-the-middle attacker can trigger a double free in the
init_ctx_reselect() function of the lib/gssapi/spnego/spnego_mech.c
file.
An attacker can therefore use a freed memory area in SPNEGO
init_ctx_reselect() of MIT krb5, in order to trigger a denial of
service, and possibly to execute code.
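The pattern the bulletin describes, as an added example that is not the krb5 source and not part of the original bulletin: a client-side SPNEGO model in which the inner mechanism context is released when the peer's reply reselects a different mechanism, but the handle is left dangling, so the common cleanup releases it a second time. The structure and function names, and the mechanism names "krb5" and "other", are constructed assumptions; the release function marks and counts instead of calling free() twice, because a real double free is undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the SPNEGO initiator's inner mechanism context.
 * Illustrative code only, not the krb5 source; names are assumptions. */
typedef struct {
    char mech_oid[16]; /* mechanism this context was built for */
    int freed;         /* tracking flag: makes a second release observable */
} mech_ctx;

typedef struct {
    mech_ctx *ctx_handle; /* inner context of the mechanism first proposed */
    int double_frees;     /* releases of an already-freed context */
} spnego_ctx;

/* Release a context. A real free() called twice is undefined behaviour, so the
 * model marks the context and counts repeat releases instead. */
static void mech_ctx_release(spnego_ctx *sc, mech_ctx *c) {
    if (c == NULL) return;
    if (c->freed) { sc->double_frees++; return; }
    c->freed = 1;
}

/* Reselect when the server's reply names a different mechanism. The flawed
 * form releases the old context but leaves sc->ctx_handle dangling; the fixed
 * form resets it so the common cleanup below cannot release it again. */
static void reselect(spnego_ctx *sc, const char *server_mech, int fixed) {
    if (strcmp(sc->ctx_handle->mech_oid, server_mech) == 0) return;
    mech_ctx_release(sc, sc->ctx_handle);
    if (fixed) sc->ctx_handle = NULL;
}

/* Common cleanup run when the exchange ends or fails. */
static void spnego_cleanup(spnego_ctx *sc) {
    mech_ctx_release(sc, sc->ctx_handle);
    sc->ctx_handle = NULL;
}
/* Run one exchange; returns how many double releases occurred (0 is correct). */
int run_exchange(const char *server_mech, int fixed) {
    spnego_ctx sc = { NULL, 0 };
    mech_ctx *first = calloc(1, sizeof *first);
    if (first == NULL) return -1;
    strncpy(first->mech_oid, "krb5", sizeof first->mech_oid - 1);
    sc.ctx_handle = first;
    reselect(&sc, server_mech, fixed);
    spnego_cleanup(&sc);
    free(first); /* the model only marked it; release real memory once here */
    return sc.double_frees;
}
```

With the flawed reselect a reply naming a different mechanism yields one repeat release; the fixed form, or a reply that keeps the proposed mechanism, yields none.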
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MIT-krb5-use-after-free-via-SPNEGO-init-ctx-reselect-15241