ASA-2018-00060 – Samba: AD DC S4U2Self Crash in experimental MIT Kerberos configuration



Allele Security Alert

ASA-2018-00060

Identifier(s)

ASA-2018-00060, CVE-2018-16853

Title

AD DC S4U2Self Crash in experimental MIT Kerberos configuration

Vendor(s)

Samba

Product(s)

Samba

Affected version(s)

Samba 4.7.0 and later versions

Fixed version(s)

Samba 4.7.12, 4.8.7 e 4.9.3

Proof of concept

Unknown

Description

A user in a Samba AD domain can crash the KDC when Samba is built in the non-default MIT Kerberos configuration.

Technical details

When an S4U2Self request is attempted against a new Samba AD built with MIT krb5, the KDC accesses an invalid memory region.

To reproduce, you need a domain member and run:

net ads kerberos pac dump impersonate=administrator@REALM -P -d3
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76
76 return krb5_princ_size(context, princ) >= 1 &&
(gdb) bt
#0 0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76
#1 0x00007ffff5c00179 in kdb_samba_db_check_policy_as (context=0x647620, kdcreq=0x137d020, client=0x7fffffffdc30, server=0x7fffffffdc88,
kdc_time=1534188443, status=0x7fffffffde88, e_data_out=0x7fffffffdd10) at ../source4/kdc/mit-kdb/kdb_samba_policies.c:93
#2 0x000000000040d005 in validate_as_request (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=request@entry=0x137d020, client=..., server=...,
kdc_time=kdc_time@entry=1534188443, status=status@entry=0x7fffffffde88, e_data=e_data@entry=0x7fffffffdd10) at kdc_util.c:747
#3 0x000000000040e674 in kdc_process_s4u2self_req (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=0x137d020, client_princ=0xe07a80,
server=<optimized out>, tgs_subkey=<optimized out>, tgs_session=<optimized out>, kdc_time=1534188443, s4u_x509_user=0x7fffffffdeb0,
princ_ptr=0x7fffffffde90, status=0x7fffffffde88) at kdc_util.c:1567
#4 0x0000000000409c08 in process_tgs_req (request=<optimized out>, pkt=pkt@entry=0x16ace90, from=from@entry=0xdfef40, kdc_active_realm=0x646d70,
response=response@entry=0x7fffffffe148) at do_tgs_req.c:269
#5 0x0000000000407396 in dispatch (cb=0x620a30 <shandle>, local_addr=local_addr@entry=0x16ace78, remote_addr=remote_addr@entry=0xdfef40,
pkt=pkt@entry=0x16ace90, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x69e4f0, respond=0x417440 <process_tcp_response>, arg=0x16acde0) at dispatch.c:196
#6 0x0000000000419151 in process_tcp_connection_read (ctx=0x69e4f0, ev=0xcdec90) at net-server.c:1349
#7 0x00007ffff6409a68 in verto_fire () from /lib64/libverto.so.1
#8 0x00007fffdc14e293 in ev_invoke_pending () from /lib64/libev.so.4
#9 0x00007fffdc151859 in ev_run () from /lib64/libev.so.4
#10 0x000000000040634b in main (argc=2, argv=0x7fffffffe498) at main.c:1050
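The backtrace above shows the KDB policy hook for AS requests being reached from the S4U2Self (TGS) path with a NULL principal (princ=0x0) and dereferencing it. As an added illustration, not Samba's or MIT krb5's code, the following C model shows that crash class beside the guarded form: a principal-name helper that treats NULL as "not kadmin" and a policy check that does not dereference an unset client. The struct, the "kadmin" first-component test and the policy return codes are assumptions of the model.

```c
/* Model of the CVE-2018-16853 crash class (added illustration, not Samba code). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for a Kerberos principal: a list of name components. */
struct principal {
    int ncomp;
    const char *comp[4];
};

/* Mirrors the contract of krb5_princ_size(): caller must pass a non-NULL principal. */
int princ_size(const struct principal *p) { return p->ncomp; }

/* Unsafe form: dereferences princ unconditionally. Called with princ == NULL
 * (as in the backtrace: ks_is_kadmin(..., princ=0x0)) this is a segfault. */
bool is_kadmin_unsafe(const struct principal *princ) {
    return princ_size(princ) >= 1 && strcmp(princ->comp[0], "kadmin") == 0;
}

/* Guarded form: a NULL principal is simply "not kadmin" (assumed name test). */
bool is_kadmin(const struct principal *princ) {
    if (princ == NULL) return false;
    return princ_size(princ) >= 1 && strcmp(princ->comp[0], "kadmin") == 0;
}

enum policy { POLICY_OK = 0, POLICY_DENIED = 1, POLICY_NO_CLIENT = 2 };

/* AS policy check as the KDB layer sees it. On the S4U2Self path the request
 * is really a TGS-style request and the client principal may not be set yet,
 * so `client` can legitimately be NULL and must not be dereferenced. */
enum policy check_policy_as(const struct principal *client,
                            const struct principal *server) {
    if (client == NULL) return POLICY_NO_CLIENT;  /* caller decides; no crash */
    if (is_kadmin(client) || is_kadmin(server)) return POLICY_DENIED;
    return POLICY_OK;
}
```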

Credits

Isaac Boukris

Reference(s)

Summary: [SECURITY] CVE-2018-16853 S4U2Self crash with MIT KDC build
https://bugzilla.samba.org/show_bug.cgi?id=13571

Samba AD DC S4U2Self Crash in experimental MIT Kerberos configuration (unsupported)
https://www.samba.org/samba/security/CVE-2018-16853.html

[Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
https://lists.samba.org/archive/samba-announce/2018/000462.html

CVE-2018-16853 build: The Samba AD DC, when built with MIT Kerberos, is experimental
https://github.com/samba-team/samba/commit/07c49d25cdca605bd84294603713d51f913a7ed2

CVE-2018-16853 WHATSNEW: The Samba AD DC, when built with MIT Kerberos, is experimental
https://github.com/samba-team/samba/commit/c5370a4349d381ba3b64b063dc28a2c54cfacdfc

CVE-2018-16853: Fix kinit test on system lacking ldbsearch
https://github.com/samba-team/samba/commit/bf0e9041becde3ad15e03d820cd2919c708dd9f5

CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
https://github.com/samba-team/samba/commit/6c453aeb0c771d14fe501e9a37d9f51b9403872b

CVE-2018-16853: Add a test to verify s4u2self doesn’t crash
https://github.com/samba-team/samba/commit/c556ac5c66bf31e9065e723541ff6173e16ca70b

CVE-2018-16853: Do not segfault if client is not set
https://github.com/samba-team/samba/commit/7cddbcf039a7a67df2bae1779254e2a136f673f0

CVE-2018-16853: fix crash in expired password case
https://github.com/samba-team/samba/commit/6ab51b2af90f5dca11b8587b2a16215ab4497069

[SECURITY] Mark MIT support for the AD DC experimental (related to CVE-2018-16853)
https://bugzilla.samba.org/show_bug.cgi?id=13678

S4U2Self with MIT KDC build
https://lists.samba.org/archive/samba-technical/2018-August/129670.html

CVE-2018-16853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16853

CVE-2018-16853
https://nvd.nist.gov/vuln/detail/CVE-2018-16853

If you found any error in this alert or would like a comprehensive analysis, get in touch.

Last modified: December 7, 2018