Vigil@nce - MIT krb5: two vulnerabilities via krb5_read_message
March 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force two errors due to the krb5_read_message()
function of MIT krb5, in order to trigger a denial of service.
Impacted products: MIT krb5
Severity: 2/4
Creation date: 23/02/2015
DESCRIPTION OF THE VULNERABILITY
The krb5_read_message() function reads network messages and stores
them in a string.
The krb5_read_message() function does not guarantee that the
string containing the version ends with a '\0'. The
recvauth_common() function then tries to read a memory area which
is not accessible, which triggers a fatal error. [severity:2/4]
An attacker can use a version with a zero length to force a NULL
pointer dereference in recvauth_common(), in order to trigger a
denial of service. [severity:2/4]
An attacker can therefore force two errors due to the
krb5_read_message() function of MIT krb5, in order to trigger a
denial of service.
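As an added illustration of the pattern this bulletin describes (example code written for this page, not code from MIT krb5 or from Vigil@nce): a constructed message type standing in for what krb5_read_message() returns, the unsafe comparison that exposes both failure modes, and the checks a caller must make before treating the bytes as a C string. The type, field and function names are assumptions, and the version string is a sample value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what krb5_read_message() hands back: a byte
 * buffer plus a length, with no guarantee of a trailing NUL and, for a
 * zero-length message, possibly a NULL data pointer. This is not krb5's
 * own type; the field names are assumptions for the example. */
typedef struct {
    const char *data;
    size_t length;
} message_t;

/* Vulnerable pattern (constructed, mirrors the bulletin): the received
 * bytes are treated as a C string. A zero-length message gives strcmp a
 * NULL pointer; a message without a trailing NUL makes it read past the
 * end of the buffer. Returns 1 on a match. */
int version_matches_unsafe(const message_t *msg, const char *expected) {
    return strcmp(msg->data, expected) == 0;
}

/* Hardened pattern: validate the message before any string function
 * touches it. Returns 1 on a match, 0 for a mismatch or malformed input. */
int version_matches_safe(const message_t *msg, const char *expected) {
    if (msg == NULL || msg->data == NULL || msg->length == 0)
        return 0;                       /* zero-length / NULL pointer case */
    if (msg->data[msg->length - 1] != '\0')
        return 0;                       /* missing terminator: over-read case */
    /* A NUL is now known to sit inside the buffer, so strcmp stays in bounds. */
    return strcmp(msg->data, expected) == 0;
}

int main(void) {
    const char *expected = "KRB5_SENDAUTH_V1_0";             /* sample version string */
    message_t good         = { expected, strlen(expected) + 1 }; /* includes the NUL */
    message_t unterminated = { expected, strlen(expected) };     /* NUL left out */
    message_t empty        = { NULL, 0 };                        /* zero-length message */

    printf("good: %d\n", version_matches_safe(&good, expected));
    printf("unterminated: %d\n", version_matches_safe(&unterminated, expected));
    printf("empty: %d\n", version_matches_safe(&empty, expected));
    return 0;
}
```

The unsafe variant is kept only to show the shape of the bug; only the hardened variant is ever called with the malformed samples.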
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MIT-krb5-two-vulnerabilities-via-krb5-read-message-16247