Tue Jul 11 17:45:32 2017 UTC ()
https://orpheus-lyre.info/design/index.html
https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea

In _krb5_extract_ticket() the KDC-REP service name must be obtained from
the encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

XXX: pullup 6, 7, 8.


(christos)
diff -r1.2 -r1.3 src/crypto/external/bsd/heimdal/dist/lib/krb5/ticket.c


--- src/crypto/external/bsd/heimdal/dist/lib/krb5/ticket.c 2017/01/28 21:31:49 1.2
+++ src/crypto/external/bsd/heimdal/dist/lib/krb5/ticket.c 2017/07/11 17:45:31 1.3
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: ticket.c,v 1.2 2017/01/28 21:31:49 christos Exp $ */ 1/* $NetBSD: ticket.c,v 1.3 2017/07/11 17:45:31 christos Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan 4 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden). 5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved. 6 * All rights reserved.
7 * 7 *
8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
9 * 9 *
10 * Redistribution and use in source and binary forms, with or without 10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions 11 * modification, are permitted provided that the following conditions
12 * are met: 12 * are met:
13 * 13 *
14 * 1. Redistributions of source code must retain the above copyright 14 * 1. Redistributions of source code must retain the above copyright
@@ -697,28 +697,28 @@ _krb5_extract_ticket(krb5_context contex @@ -697,28 +697,28 @@ _krb5_extract_ticket(krb5_context contex
697 tmp_principal, 697 tmp_principal,
698 &creds->session); 698 &creds->session);
699 if (ret) { 699 if (ret) {
700 krb5_free_principal (context, tmp_principal); 700 krb5_free_principal (context, tmp_principal);
701 goto out; 701 goto out;
702 } 702 }
703 } 703 }
704 krb5_free_principal (context, creds->client); 704 krb5_free_principal (context, creds->client);
705 creds->client = tmp_principal; 705 creds->client = tmp_principal;
706 706
707 /* check server referral and save principal */ 707 /* check server referral and save principal */
708 ret = _krb5_principalname2krb5_principal (context, 708 ret = _krb5_principalname2krb5_principal (context,
709 &tmp_principal, 709 &tmp_principal,
710 rep->kdc_rep.ticket.sname, 710 rep->enc_part.sname,
711 rep->kdc_rep.ticket.realm); 711 rep->enc_part.realm);
712 if (ret) 712 if (ret)
713 goto out; 713 goto out;
714 if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ 714 if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
715 ret = check_server_referral(context, 715 ret = check_server_referral(context,
716 rep, 716 rep,
717 flags, 717 flags,
718 creds->server, 718 creds->server,
719 tmp_principal, 719 tmp_principal,
720 &creds->session); 720 &creds->session);
721 if (ret) { 721 if (ret) {
722 krb5_free_principal (context, tmp_principal); 722 krb5_free_principal (context, tmp_principal);
723 goto out; 723 goto out;
724 } 724 }
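Review bot: The new reads of `rep->enc_part.sname` and `rep->enc_part.realm` at lines 710–711 carry no explanation in the code, and the comment above them still reads only `/* check server referral and save principal */`; a later maintainer comparing this against the `ticket` member may "simplify" it back. I would extend that comment to `/* check server referral and save principal; sname/realm must be taken from the encrypted part, since the copy in the unencrypted ticket is not integrity-protected for the client */`, so the reason lives next to the code rather than only in the commit message. The enclosing function _krb5_extract_ticket starts before this hunk and the `out:` cleanup it jumps to is outside it, so I cannot confirm from here whether tmp_principal is released on every path after the referral check.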