65 lines
2.3 KiB
Diff
65 lines
2.3 KiB
Diff
|
commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
|
||
|
Author: Tom Yu <tlyu@mit.edu>
|
||
|
Date: Fri May 3 16:26:46 2013 -0400
|
||
|
|
||
|
Fix kpasswd UDP ping-pong [CVE-2002-2443]
|
||
|
|
||
|
The kpasswd service provided by kadmind was vulnerable to a UDP
|
||
|
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
|
||
|
they pass some basic validation, and don't respond to our own error
|
||
|
packets.
|
||
|
|
||
|
Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
|
||
|
attack or UDP ping-pong attacks in general, but there is discussion
|
||
|
leading toward narrowing the definition of CVE-1999-0103 to the echo,
|
||
|
chargen, or other similar built-in inetd services.
|
||
|
|
||
|
Thanks to Vincent Danen for alerting us to this issue.
|
||
|
|
||
|
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
|
||
|
|
||
|
ticket: 7637 (new)
|
||
|
target_version: 1.11.3
|
||
|
tags: pullup
|
||
|
|
||
|
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
|
||
|
index 15b0ab5..7f455d8 100644
|
||
|
--- a/src/kadmin/server/schpw.c
|
||
|
+++ b/src/kadmin/server/schpw.c
|
||
|
@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
|
||
|
ret = KRB5KRB_AP_ERR_MODIFIED;
|
||
|
numresult = KRB5_KPASSWD_MALFORMED;
|
||
|
strlcpy(strresult, "Request was truncated", sizeof(strresult));
|
||
|
- goto chpwfail;
|
||
|
+ goto bailout;
|
||
|
}
|
||
|
|
||
|
ptr = req->data;
|
||
|
@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
|
||
|
numresult = KRB5_KPASSWD_MALFORMED;
|
||
|
strlcpy(strresult, "Request length was inconsistent",
|
||
|
sizeof(strresult));
|
||
|
- goto chpwfail;
|
||
|
+ goto bailout;
|
||
|
}
|
||
|
|
||
|
/* verify version number */
|
||
|
@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
|
||
|
numresult = KRB5_KPASSWD_BAD_VERSION;
|
||
|
snprintf(strresult, sizeof(strresult),
|
||
|
"Request contained unknown protocol version number %d", vno);
|
||
|
- goto chpwfail;
|
||
|
+ goto bailout;
|
||
|
}
|
||
|
|
||
|
/* read, check ap-req length */
|
||
|
@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
|
||
|
numresult = KRB5_KPASSWD_MALFORMED;
|
||
|
strlcpy(strresult, "Request was truncated in AP-REQ",
|
||
|
sizeof(strresult));
|
||
|
- goto chpwfail;
|
||
|
+ goto bailout;
|
||
|
}
|
||
|
|
||
|
/* verify ap_req */
|