Vigil@nce - MIT krb5: double free in KDC
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a double memory free in MIT krb5 KDC,
which leads to a denial of service, and possibly to code execution.
Severity: 2/4
Creation date: 21/04/2010
DESCRIPTION OF THE VULNERABILITY
The KDC daemon of MIT krb5 authenticates users and generates
Kerberos tickets.
When a ticket is validated or renewed, the process_tgs_req()
function in the kdc/do_tgs_req.c file copies the received ticket
in order to build the reply. The authorization_data field of the ticket
points to authentication information. Because the same pointer ends up
in both tickets, it is freed twice when the tickets are deleted.
An attacker can therefore generate a double memory free in MIT
krb5 KDC, which leads to a denial of service, and possibly to code
execution.
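As an added illustration of this bug class (not MIT krb5 code), the minimal ticket structure below has a heap-allocated authorization_data field; a shallow struct copy leaves that pointer held by two tickets, while a deep copy gives each ticket its own buffer. All type and function names are hypothetical.

```c
/* Added example, not MIT krb5 code: a minimal ticket structure whose
 * authorization_data field is heap-allocated, standing in for the
 * ticket copied in process_tgs_req(). All names are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *authorization_data;   /* heap buffer owned by this ticket */
    size_t authz_len;
} ticket_t;

/* Allocate authorization_data from a constructed sample buffer. */
static int ticket_init(ticket_t *t, const char *data, size_t len) {
    t->authz_len = len;
    t->authorization_data = malloc(len);
    if (t->authorization_data == NULL)
        return -1;
    memcpy(t->authorization_data, data, len);
    return 0;
}

/* Shallow copy: the same pointer is now held by two tickets, so
 * freeing both frees one block twice (the bulletin's bug class). */
static void ticket_copy_shallow(ticket_t *dst, const ticket_t *src) {
    *dst = *src;
}

/* Deep copy: the reply ticket gets its own buffer, so each ticket
 * owns exactly one allocation and both can be freed independently. */
static int ticket_copy_deep(ticket_t *dst, const ticket_t *src) {
    if (src->authorization_data == NULL) {
        dst->authorization_data = NULL;
        dst->authz_len = 0;
        return 0;
    }
    return ticket_init(dst, src->authorization_data, src->authz_len);
}

/* Free and clear, so a repeated call on the same ticket is a no-op. */
static void ticket_free(ticket_t *t) {
    free(t->authorization_data);
    t->authorization_data = NULL;
    t->authz_len = 0;
}

/* 1 when both tickets point at the same buffer: the condition a
 * debug assertion should catch before either ticket is freed. */
static int tickets_alias(const ticket_t *a, const ticket_t *b) {
    return a->authorization_data != NULL &&
           a->authorization_data == b->authorization_data;
}
```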
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MIT-krb5-double-free-in-KDC-9600