Use after free in authenticate_user_krb5pwd()

Brought to you by: kouril

#61 Use after free in authenticate_user_krb5pwd()

Milestone: Version 5.*

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2020-08-12

Created: 2018-12-13

Creator: Johan Ymerson

Private: No

In verify_krb5_user() krb5_kt_close() is called under certain conditions, but krb5_kt_close() is also called from the top level function authenticate_user_krb5pwd() after calling verify_krb5_user().
This leads to a use after free, since kbr5_kt_close() free up memory pointed to in the keytab struct and
the next call to krb5_kt_close() will dereference pointers in that (now freed) memory.
This leads to a segmentation fault with recent versions of MIT Kerberos.

Patch to fix this attached.

1 Attachments

mod_auth_kerb-krb5_kt_close.patch

Discussion

Paul Wise - 2019-10-21

FYI I've just added this patch to the Debian package of mod_auth_kerb in response to Debian bug #934043.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Joakim Tjernlund - 2020-08-12

This makes mod_auth_kerb load when built against mit-krb5-1.18.2
Not run tested yet

krb5-1.18.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Use after free in authenticate_user_krb5pwd()

Group

Searches

Help

#61 Use after free in authenticate_user_krb5pwd()

Discussion