[1801] in Kerberos_V5_Development
krb5-libs/33: Returned mail: Host unknown (Name server: mit.edu#: host not found)
daemon@ATHENA.MIT.EDU (Mail Delivery Subsystem)
Thu Sep 26 19:46:10 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@dragons-lair.mit.edu,
Mail Delivery Subsystem <MAILER-DAEMON@rt-11.MIT.EDU>
Date: Thu, 26 Sep 1996 19:45:06 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON@rt-11.MIT.EDU>
To: gnats@rt-11.MIT.EDU
>Number: 33
>Category: krb5-libs
>Synopsis: security flaw in get_in_tkt: address verification
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Sep 26 19:46:00 EDT 1996
>Last-Modified:
>Originator: Tom Yu
>Organization:
mit
>Release: unknown-1.0
>Environment:
System: SunOS tesla-coil 5.4 Generic_101945-37 sun4m sparc
>Description:
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: krbdev@MIT.EDU
Subject: security flaw in get_in_tkt: address verification
verify_as_reply in get_in_tkt.c does not currently verify that the
address list in the reply is the same as was requested:
/* XXX || (!krb5_addresses_compare(context, addrs,
as_reply->enc_part2->caddrs)) */
This means that an attacker can intercept an AS_REQ, insert his own
address into the list, steal the resulting krbtgt from the client, and
use the stolen ticket from his own IP address.
Of course, this is not really a significant issue because it still
requires the attacker to steal the tickets or know the client's
password and, of course, having accomplished that an attacker could
easily forge the correct IP address anyway even if this vulnerability
did not exist. Frankly, I've been arguing since at latest 1990 that
Kerberos should not bother to include or check IP addresses in tickets
because it increases code complexity and does not increase security in
any significant way; the fact that this bug exists supports my point
further.
Barry
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: epeisach@MIT.EDU
Cc: krbdev@MIT.EDU
Date: Thu, 30 May 1996 13:22:45 EDT
From: Ezra Peisach <epeisach@MIT.EDU>
Question: Your code fragment implied that the code was commented out... I
Do you think that was to handle the multiple homed hosts out there now?
Yes, the code is commented out, and I have no idea why. Perhaps
someone commented it out because the addrs variable is not available,
but in fact the addresses are in the request structure, which is
available.
Barry
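The check that the commented-out line in verify_as_reply would perform, written out as an added standalone example (not krb5's own code, and with a constructed host_addr type, constructed function names and return codes standing in for krb5_address, krb5_addresses_compare and krb5's error codes): the address list the client put in its AS_REQ and the caddrs in the decrypted reply are compared as sets, so a reply that adds, drops or replaces an address is rejected before the ticket is accepted.

```c
#include <stdbool.h>
#include <string.h>

/* Stand-in for a Kerberos HostAddress: addr-type plus raw address bytes.
   Type 2 is IPv4 in the Kerberos address-type registry (RFC 4120, 7.5.1). */
typedef struct { int type; size_t len; const unsigned char *data; } host_addr;

static bool addr_equal(const host_addr *a, const host_addr *b)
{
    return a->type == b->type && a->len == b->len &&
           memcmp(a->data, b->data, a->len) == 0;
}

/* Lists are NULL-terminated arrays of pointers; NULL or empty means
   "no addresses" (an addressless ticket). */
static bool addr_in_list(const host_addr *needle, const host_addr *const *list)
{
    for (; list && *list; list++)
        if (addr_equal(needle, *list)) return true;
    return false;
}

/* Order-insensitive set equality: the reply may not add, drop or replace any
   address relative to what the client sent; empty only matches empty. */
bool addresses_match(const host_addr *const *req, const host_addr *const *rep)
{
    const host_addr *const *p;
    for (p = req; p && *p; p++)
        if (!addr_in_list(*p, rep)) return false;
    for (p = rep; p && *p; p++)
        if (!addr_in_list(*p, req)) return false;
    return true;
}

/* The comparison verify_as_reply leaves out: accept the AS-REP only when
   its caddrs equal the address list sent in the AS-REQ.  Returns 0 on
   match, -1 on mismatch (constructed codes, not krb5's). */
int verify_reply_addresses(const host_addr *const *req, const host_addr *const *caddrs)
{
    return addresses_match(req, caddrs) ? 0 : -1;
}

/* Constructed scenario: the client asked for one address; a reply carrying
   an extra address must be rejected, an exact match accepted. */
bool demo(void)
{
    static const unsigned char a[4] = {10, 0, 0, 5}, b[4] = {10, 0, 0, 99};
    host_addr h1 = {2, 4, a}, h2 = {2, 4, b};
    const host_addr *req[] = {&h1, NULL}, *ok[] = {&h1, NULL}, *bad[] = {&h1, &h2, NULL};
    return verify_reply_addresses(req, ok) == 0 && verify_reply_addresses(req, bad) != 0;
}
```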
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
This is a MIME-encapsulated message
--TAA03750.843781506/rt-11.MIT.EDU
The original message was received at Thu, 26 Sep 1996 19:45:02 -0400
from gnats@localhost
----- The following addresses have delivery notifications -----
krb5-bugs-redist@mit.edu (unrecoverable error)
(expanded from: krb5-prs)
krbcore@mit.edu# (unrecoverable error)
(expanded from: krb5-prs)
----- Transcript of session follows -----
... while talking to pacific-carrier-annex.mit.edu.:
>>> RCPT To:<krb5-bugs-redist@mit.edu>
<<< 550 <krb5-bugs-redist@mit.edu>... User unknown
550 krb5-bugs-redist@mit.edu... User unknown
550 krbcore@mit.edu#... Host unknown (Name server: mit.edu#: host not found)
--TAA03750.843781506/rt-11.MIT.EDU
Content-Type: message/delivery-status
Reporting-MTA: dns; rt-11.MIT.EDU
Arrival-Date: Thu, 26 Sep 1996 19:45:02 -0400
Final-Recipient: RFC822; krb5-unassigned@rt-11.MIT.EDU
Action: expanded (to multi-recipient alias)
Status: 2.0.0
Last-Attempt-Date: Thu, 26 Sep 1996 19:45:06 -0400
Final-Recipient: RFC822; krb5-prs@rt-11.MIT.EDU
Action: expanded (to multi-recipient alias)
Status: 2.0.0
Last-Attempt-Date: Thu, 26 Sep 1996 19:45:06 -0400
Final-Recipient: RFC822; krb5-prs@rt-11.MIT.EDU
X-Actual-Recipient: RFC822; krb5-bugs-redist@mit.edu
Action: failed
Status: 5.2.0
Remote-MTA: DNS; pacific-carrier-annex.mit.edu
Diagnostic-Code: SMTP; 550 <krb5-bugs-redist@mit.edu>... User unknown
Last-Attempt-Date: Thu, 26 Sep 1996 19:45:05 -0400
Final-Recipient: RFC822; krb5-prs@rt-11.MIT.EDU
X-Actual-Recipient: RFC822; krbcore@mit.edu#
Action: failed
Status: 5.1.2
Remote-MTA: DNS; mit.edu#
Last-Attempt-Date: Thu, 26 Sep 1996 19:45:06 -0400
--TAA03750.843781506/rt-11.MIT.EDU
Content-Type: message/rfc822
Return-Path: gnats
Received: (from gnats@localhost) by rt-11.MIT.EDU (8.7.5/8.7.3) id TAA03748; Thu, 26 Sep 1996 19:45:02 -0400
Resent-Date: Thu, 26 Sep 1996 19:45:02 -0400
Resent-Message-Id: <199609262345.TAA03748@rt-11.MIT.EDU>
Resent-From: gnats (GNATS Management)
Resent-To: krb5-unassigned
Resent-Cc: gnats-admin, krb5-prs
Resent-Reply-To: krb5-bugs@dragons-lair.mit.edu,
Mail Delivery Subsystem <MAILER-DAEMON>
Received: from localhost (localhost) by rt-11.MIT.EDU (8.7.5/8.7.3) with internal id TAA03730; Thu, 26 Sep 1996 19:44:04 -0400
Message-Id: <199609262344.TAA03730@rt-11.MIT.EDU>
Date: Thu, 26 Sep 1996 19:44:04 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON>
To: gnats
Subject: krb5-libs/32: Returned mail: Host unknown (Name server: mit.edu#: host not found)
--TAA03730.843781444/rt-11.MIT.EDU
Content-Type: message/rfc822
Return-Path: gnats
Received: (from gnats@localhost) by rt-11.MIT.EDU (8.7.5/8.7.3) id TAA03728; Thu, 26 Sep 1996 19:44:02 -0400
Resent-Date: Thu, 26 Sep 1996 19:44:02 -0400
Resent-Message-Id: <199609262344.TAA03728@rt-11.MIT.EDU>
Resent-From: gnats (GNATS Management)
Resent-To: krb5-unassigned
Resent-Cc: gnats-admin, krb5-prs
Resent-Reply-To: krb5-bugs@dragons-lair.mit.edu, tlyu@mit.edu
Received: from dragons-lair.MIT.EDU (DRAGONS-LAIR.MIT.EDU [18.177.1.200]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA03713 for <bugs@RT-11.MIT.EDU>; Thu, 26 Sep 1996 19:43:51 -0400
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by dragons-lair.MIT.EDU (8.6.13/8.6.9) with SMTP id TAA20321 for <krb5-bugs@dragons-lair.mit.edu>; Thu, 26 Sep 1996 19:43:50 -0400
Received: from TESLA-COIL.MIT.EDU by MIT.EDU with SMTP
id AA18743; Thu, 26 Sep 96 19:43:49 EDT
Received: by tesla-coil.MIT.EDU (5.x/4.7) id AA15611; Thu, 26 Sep 1996 19:43:46 -0400
Message-Id: <9609262343.AA15611@tesla-coil.MIT.EDU>
Date: Thu, 26 Sep 1996 19:43:46 -0400
From: tlyu@mit.edu
Reply-To: tlyu@mit.edu
To: krb5-bugs@mit.edu
X-Send-Pr-Version: 3.99
Subject: krb5-libs/31: security flaw in get_in_tkt: address verification
--TAA03730.843781444/rt-11.MIT.EDU--
--TAA03750.843781506/rt-11.MIT.EDU--