ASA-2018-00060 – Samba: AD DC S4U2Self crash in experimental MIT Kerberos configuration


Allele Security Alert

ASA-2018-00060

Identifier(s)

ASA-2018-00060, CVE-2018-16853

Title

AD DC S4U2Self crash in experimental MIT Kerberos configuration

Vendor(s)

Samba

Product(s)

Samba

Affected version(s)

Samba 4.7.0 and later

Fixed version(s)

Samba 4.7.12, 4.8.7 and 4.9.3

Proof of concept

Unknown

Description

A user in a Samba AD domain can crash the KDC when Samba is built in the non-default (experimental) MIT Kerberos configuration.

Technical details

When an S4U2Self request is attempted against a newly provisioned Samba AD DC built with MIT krb5, the KDC dereferences an invalid memory region: the backtrace below shows the policy check being reached with a NULL client principal (princ=0x0).

To reproduce, you need a domain member; from it, run:

net ads kerberos pac dump impersonate=administrator@REALM -P -d3
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76
76 return krb5_princ_size(context, princ) >= 1 &&
(gdb) bt
#0 0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76
#1 0x00007ffff5c00179 in kdb_samba_db_check_policy_as (context=0x647620, kdcreq=0x137d020, client=0x7fffffffdc30, server=0x7fffffffdc88,
kdc_time=1534188443, status=0x7fffffffde88, e_data_out=0x7fffffffdd10) at ../source4/kdc/mit-kdb/kdb_samba_policies.c:93
#2 0x000000000040d005 in validate_as_request (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=request@entry=0x137d020, client=..., server=...,
kdc_time=kdc_time@entry=1534188443, status=status@entry=0x7fffffffde88, e_data=e_data@entry=0x7fffffffdd10) at kdc_util.c:747
#3 0x000000000040e674 in kdc_process_s4u2self_req (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=0x137d020, client_princ=0xe07a80,
server=<optimized out>, tgs_subkey=<optimized out>, tgs_session=<optimized out>, kdc_time=1534188443, s4u_x509_user=0x7fffffffdeb0,
princ_ptr=0x7fffffffde90, status=0x7fffffffde88) at kdc_util.c:1567
#4 0x0000000000409c08 in process_tgs_req (request=<optimized out>, pkt=pkt@entry=0x16ace90, from=from@entry=0xdfef40, kdc_active_realm=0x646d70,
response=response@entry=0x7fffffffe148) at do_tgs_req.c:269
#5 0x0000000000407396 in dispatch (cb=0x620a30 <shandle>, local_addr=local_addr@entry=0x16ace78, remote_addr=remote_addr@entry=0xdfef40,
pkt=pkt@entry=0x16ace90, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x69e4f0, respond=0x417440 <process_tcp_response>, arg=0x16acde0) at dispatch.c:196
#6 0x0000000000419151 in process_tcp_connection_read (ctx=0x69e4f0, ev=0xcdec90) at net-server.c:1349
#7 0x00007ffff6409a68 in verto_fire () from /lib64/libverto.so.1
#8 0x00007fffdc14e293 in ev_invoke_pending () from /lib64/libev.so.4
#9 0x00007fffdc151859 in ev_run () from /lib64/libev.so.4
#10 0x000000000040634b in main (argc=2, argv=0x7fffffffe498) at main.c:1050
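The crash class shown in the trace, as an added example (this is not Samba's or MIT krb5's code): a policy helper written for the AS-REQ path assumes the client principal is always set, but the S4U2Self path reaches the same check with client == NULL. The function names mirror the backtrace; the principal struct, princ_size() and the "first component is kadmin" rule are simplified assumptions for illustration, and the sample principals are constructed.

```c
/* Constructed model of the crash class in the backtrace above; this is NOT
 * Samba's or MIT krb5's code. A policy helper written for the AS-REQ path
 * (where the client principal is always set) is reached from the S4U2Self
 * path with client == NULL and dereferences it. The structs, princ_size()
 * and the "first component is kadmin" rule are simplified assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int length;           /* number of name components, e.g. 2 for kadmin/admin */
    const char *data[4];  /* the components; fixed size is an example simplification */
} krb5_principal_data;

typedef krb5_principal_data *krb5_principal;

/* Stand-in for krb5_princ_size(): like the real macro it assumes princ != NULL. */
static int princ_size(krb5_principal princ)
{
    return princ->length;
}

/* Vulnerable form: reads through princ unconditionally. Called with NULL this
 * is the SIGSEGV at kdb_samba_common.c:76 in the trace. Never call it with NULL. */
static bool ks_is_kadmin_unguarded(krb5_principal princ)
{
    return princ_size(princ) >= 1 && strcmp(princ->data[0], "kadmin") == 0;
}

/* Hardened form: a missing principal is simply "not kadmin"; the caller
 * decides separately what a missing client means for the request. */
static bool ks_is_kadmin_guarded(krb5_principal princ)
{
    if (princ == NULL) {
        return false;
    }
    return princ_size(princ) >= 1 && strcmp(princ->data[0], "kadmin") == 0;
}

typedef enum {
    CLIENT_MISSING = 0,  /* S4U2Self via TGS: no client principal available */
    CLIENT_KADMIN  = 1,
    CLIENT_REGULAR = 2
} client_kind;

/* Simplified model of the check_policy_as() entry point: make the NULL case
 * an explicit, non-crashing outcome instead of an implicit precondition. */
static client_kind classify_client(krb5_principal client)
{
    if (client == NULL) {
        return CLIENT_MISSING;
    }
    return ks_is_kadmin_guarded(client) ? CLIENT_KADMIN : CLIENT_REGULAR;
}

/* Constructed sample principals for the demonstration below. */
static krb5_principal_data sample_kadmin = { 2, { "kadmin", "admin", NULL, NULL } };
static krb5_principal_data sample_user   = { 1, { "alice", NULL, NULL, NULL } };

int main(void)
{
    static const char *names[] = { "missing", "kadmin", "regular" };
    printf("AS-REQ   kadmin/admin : %s\n", names[classify_client(&sample_kadmin)]);
    printf("AS-REQ   alice        : %s\n", names[classify_client(&sample_user)]);
    printf("S4U2Self (no client)  : %s\n", names[classify_client(NULL)]);
    return 0;
}
```

The `princ=0x0` argument in frame #0 of the trace is exactly the path `ks_is_kadmin_unguarded` cannot survive; the guarded variant and the explicit `CLIENT_MISSING` outcome are the shape of fix a reviewer would look for when an AS-REQ helper is reused from a TGS-REQ (S4U2Self) caller.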

Credits

Isaac Boukris

Reference(s)

Summary: [SECURITY] CVE-2018-16853 S4U2Self crash with MIT KDC build
https://bugzilla.samba.org/show_bug.cgi?id=13571

Samba AD DC S4U2Self Crash in experimental MIT Kerberos configuration (unsupported)
https://www.samba.org/samba/security/CVE-2018-16853.html

[Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
https://lists.samba.org/archive/samba-announce/2018/000462.html

CVE-2018-16853 build: The Samba AD DC, when build with MIT Kerberos is experimental
https://github.com/samba-team/samba/commit/07c49d25cdca605bd84294603713d51f913a7ed2

CVE-2018-16853 WHATSNEW: The Samba AD DC, when build with MIT Kerberos is experimental
https://github.com/samba-team/samba/commit/c5370a4349d381ba3b64b063dc28a2c54cfacdfc

CVE-2018-16853: Fix kinit test on system lacking ldbsearch
https://github.com/samba-team/samba/commit/bf0e9041becde3ad15e03d820cd2919c708dd9f5

CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
https://github.com/samba-team/samba/commit/6c453aeb0c771d14fe501e9a37d9f51b9403872b

CVE-2018-16853: Add a test to verify s4u2self doesn’t crash
https://github.com/samba-team/samba/commit/c556ac5c66bf31e9065e723541ff6173e16ca70b

CVE-2018-16853: Do not segfault if client is not set
https://github.com/samba-team/samba/commit/7cddbcf039a7a67df2bae1779254e2a136f673f0

CVE-2018-16853: fix crash in expired password case
https://github.com/samba-team/samba/commit/6ab51b2af90f5dca11b8587b2a16215ab4497069

[SECURITY] Mark MIT support for the AD DC experimental (related to CVE-2018-16853)
https://bugzilla.samba.org/show_bug.cgi?id=13678

S4U2Self with MIT KDC build
https://lists.samba.org/archive/samba-technical/2018-August/129670.html

CVE-2018-16853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16853

CVE-2018-16853
https://nvd.nist.gov/vuln/detail/CVE-2018-16853

If you found an error in this alert or would like a comprehensive analysis, contact us.

Last modified: 7 December 2018

We are not responsible for any data loss, device corruption or any other kind of problem resulting from the use of any information mentioned in our security alerts.