For the English version of this alert, click here.
Allele Security Alert
ASA-2018-00060
Identificador(es)
ASA-2018-00060, CVE-2018-16853
Título
AD DC S4U2Self Crash na configuração experimental do MIT Kerberos
Fabricante(s)
Samba
Produto(s)
Samba
Versão(ões) afetada(s)
Samba 4.7.0 e versões posteriores
Versão(ões) corrigida(s)
Samba 4.7.12, 4.8.7 e 4.9.3
Prova de conceito
Desconhecido
Descrição
Um usuário no domínio do Samba AD pode travar o KDC quando o Samba é construído na configuração não padrão do MIT Kerberos.
Detalhes técnicos
Ao tentar uma requisição s4u2self em um novo samba AD construído com MIT krb5, o kdc irá acessar uma região inválida da memória.
Para reproduzir, você precisará de um membro do domínio e executar:
net ads kerberos pac dump impersonate=administrator@REALM -P -d3
Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76 76 return krb5_princ_size(context, princ) >= 1 && (gdb) bt #0 0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76 #1 0x00007ffff5c00179 in kdb_samba_db_check_policy_as (context=0x647620, kdcreq=0x137d020, client=0x7fffffffdc30, server=0x7fffffffdc88, kdc_time=1534188443, status=0x7fffffffde88, e_data_out=0x7fffffffdd10) at ../source4/kdc/mit-kdb/kdb_samba_policies.c:93 #2 0x000000000040d005 in validate_as_request (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=request@entry=0x137d020, client=..., server=..., kdc_time=kdc_time@entry=1534188443, status=status@entry=0x7fffffffde88, e_data=e_data@entry=0x7fffffffdd10) at kdc_util.c:747 #3 0x000000000040e674 in kdc_process_s4u2self_req (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=0x137d020, client_princ=0xe07a80, server=<optimized out>, tgs_subkey=<optimized out>, tgs_session=<optimized out>, kdc_time=1534188443, s4u_x509_user=0x7fffffffdeb0, princ_ptr=0x7fffffffde90, status=0x7fffffffde88) at kdc_util.c:1567 #4 0x0000000000409c08 in process_tgs_req (request=<optimized out>, pkt=pkt@entry=0x16ace90, from=from@entry=0xdfef40, kdc_active_realm=0x646d70, response=response@entry=0x7fffffffe148) at do_tgs_req.c:269 #5 0x0000000000407396 in dispatch (cb=0x620a30 <shandle>, local_addr=local_addr@entry=0x16ace78, remote_addr=remote_addr@entry=0xdfef40, pkt=pkt@entry=0x16ace90, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x69e4f0, respond=0x417440 <process_tcp_response>, arg=0x16acde0) at dispatch.c:196 #6 0x0000000000419151 in process_tcp_connection_read (ctx=0x69e4f0, ev=0xcdec90) at net-server.c:1349 #7 0x00007ffff6409a68 in verto_fire () from /lib64/libverto.so.1 #8 0x00007fffdc14e293 in ev_invoke_pending () from /lib64/libev.so.4 #9 0x00007fffdc151859 in ev_run () from /lib64/libev.so.4 #10 0x000000000040634b in main (argc=2, argv=0x7fffffffe498) at main.c:1050
Créditos
Isaac Boukris
Referência(s)
Summary: [SECURITY] CVE-2018-16853 S4U2Self crash with MIT KDC build
https://bugzilla.samba.org/show_bug.cgi?id=13571
Samba AD DC S4U2Self Crash in experimental MIT Kerberos configuration (unsupported)
https://www.samba.org/samba/security/CVE-2018-16853.html
[Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
https://lists.samba.org/archive/samba-announce/2018/000462.html
CVE-2018-16853 build: The Samba AD DC, when build with MIT Kerberos is experimental
https://github.com/samba-team/samba/commit/07c49d25cdca605bd84294603713d51f913a7ed2
CVE-2018-16853 WHATSNEW: The Samba AD DC, when build with MIT Kerberos is experimental
https://github.com/samba-team/samba/commit/c5370a4349d381ba3b64b063dc28a2c54cfacdfc
CVE-2018-16853: Fix kinit test on system lacking ldbsearch
https://github.com/samba-team/samba/commit/bf0e9041becde3ad15e03d820cd2919c708dd9f5
CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
https://github.com/samba-team/samba/commit/6c453aeb0c771d14fe501e9a37d9f51b9403872b
CVE-2018-16853: Add a test to verify s4u2self doesn’t crash
https://github.com/samba-team/samba/commit/c556ac5c66bf31e9065e723541ff6173e16ca70b
CVE-2018-16853: Do not segfault if client is not set
https://github.com/samba-team/samba/commit/7cddbcf039a7a67df2bae1779254e2a136f673f0
CVE-2018-16853: fix crash in expired passowrd case
https://github.com/samba-team/samba/commit/6ab51b2af90f5dca11b8587b2a16215ab4497069
[SECURITY] Mark MIT support for the AD DC experimental (related to CVE-2018-16853)
https://bugzilla.samba.org/show_bug.cgi?id=13678
[SECURITY] CVE-2018-16853 S4U2Self crash with MIT KDC build
https://bugzilla.samba.org/show_bug.cgi?id=13571
S4U2Self with MIT KDC build
https://lists.samba.org/archive/samba-technical/2018-August/129670.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16853
CVE-2018-16853
https://nvd.nist.gov/vuln/detail/CVE-2018-16853
Se encontrou algum erro neste alerta ou deseja uma análise compreensiva, entre em contato.
Última modificação: 7 de dezembro de 2018