ASA-2018-00060 – Samba: AD DC S4U2Self Crash in experimental MIT Kerberos configuration


Allele Security Alert

ASA-2018-00060

Identifier(s)

ASA-2018-00060, CVE-2018-16853

Title

AD DC S4U2Self Crash in experimental MIT Kerberos configuration

Vendor(s)

Samba

Product(s)

Samba

Affected version(s)

Samba 4.7.0 and later versions

Fixed version(s)

Samba 4.7.12, 4.8.7 and 4.9.3

Proof of concept

Unknown

Description

A user in a Samba AD domain can crash the KDC when Samba is built in the non-default MIT Kerberos configuration.

Technical details

When an S4U2Self request is sent to a fresh Samba AD DC built with MIT krb5, the KDC segfaults.

To reproduce, you need a domain member and then run the following command; the crash and gdb backtrace are shown below it:

net ads kerberos pac dump impersonate=administrator@REALM -P -d3
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76
76 return krb5_princ_size(context, princ) >= 1 &&
(gdb) bt
#0 0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76
#1 0x00007ffff5c00179 in kdb_samba_db_check_policy_as (context=0x647620, kdcreq=0x137d020, client=0x7fffffffdc30, server=0x7fffffffdc88,
kdc_time=1534188443, status=0x7fffffffde88, e_data_out=0x7fffffffdd10) at ../source4/kdc/mit-kdb/kdb_samba_policies.c:93
#2 0x000000000040d005 in validate_as_request (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=request@entry=0x137d020, client=..., server=...,
kdc_time=kdc_time@entry=1534188443, status=status@entry=0x7fffffffde88, e_data=e_data@entry=0x7fffffffdd10) at kdc_util.c:747
#3 0x000000000040e674 in kdc_process_s4u2self_req (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=0x137d020, client_princ=0xe07a80,
server=<optimized out>, tgs_subkey=<optimized out>, tgs_session=<optimized out>, kdc_time=1534188443, s4u_x509_user=0x7fffffffdeb0,
princ_ptr=0x7fffffffde90, status=0x7fffffffde88) at kdc_util.c:1567
#4 0x0000000000409c08 in process_tgs_req (request=<optimized out>, pkt=pkt@entry=0x16ace90, from=from@entry=0xdfef40, kdc_active_realm=0x646d70,
response=response@entry=0x7fffffffe148) at do_tgs_req.c:269
#5 0x0000000000407396 in dispatch (cb=0x620a30 <shandle>, local_addr=local_addr@entry=0x16ace78, remote_addr=remote_addr@entry=0xdfef40,
pkt=pkt@entry=0x16ace90, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x69e4f0, respond=0x417440 <process_tcp_response>, arg=0x16acde0) at dispatch.c:196
#6 0x0000000000419151 in process_tcp_connection_read (ctx=0x69e4f0, ev=0xcdec90) at net-server.c:1349
#7 0x00007ffff6409a68 in verto_fire () from /lib64/libverto.so.1
#8 0x00007fffdc14e293 in ev_invoke_pending () from /lib64/libev.so.4
#9 0x00007fffdc151859 in ev_run () from /lib64/libev.so.4
#10 0x000000000040634b in main (argc=2, argv=0x7fffffffe498) at main.c:1050
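The backtrace ends in a ks_is_kadmin-style check receiving princ=0x0 from the AS policy hook while handling a TGS (S4U2Self) request. The following is an added C illustration, not Samba's code: it mocks the MIT KDB structures involved to show why a NULL principal is fatal in such a check and how a NULL guard turns the crash into a policy rejection. The mock_* names, the sample principals and the policy return values are assumptions made for this example.

```c
/* Added illustration (not Samba's code): minimal mocks of the structures
 * seen in the CVE-2018-16853 backtrace. All names and policy semantics
 * here are constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Mock of krb5_data / krb5_principal_data: a principal is a list of name
 * components. In MIT krb5, krb5_princ_size() is a macro that dereferences
 * the principal, so handing it a NULL pointer crashes the KDC. */
typedef struct { size_t length; const char *data; } mock_krb5_data;
typedef struct { int length; mock_krb5_data *data; } mock_princ_data, *mock_princ;
#define mock_princ_size(ctx, p) ((p)->length)   /* dereferences p, like krb5_princ_size */

/* Mock of a KDB entry as handed to check_policy_as(); princ may be unset
 * when the request was really a TGS (S4U2Self) rather than an AS request. */
typedef struct { mock_princ princ; } mock_db_entry;

static bool data_eq_string(mock_krb5_data d, const char *s)
{
    return d.length == strlen(s) && memcmp(d.data, s, d.length) == 0;
}

/* Vulnerable shape: assumes princ is non-NULL; with princ=0x0 this faults. */
bool is_kadmin_unchecked(void *ctx, mock_princ princ)
{
    return mock_princ_size(ctx, princ) >= 1 && data_eq_string(princ->data[0], "kadmin");
}

/* Hardened shape: a NULL (unset) principal is simply "not kadmin". */
bool is_kadmin_checked(void *ctx, mock_princ princ)
{
    if (princ == NULL) return false;
    return mock_princ_size(ctx, princ) >= 1 && data_eq_string(princ->data[0], "kadmin");
}

/* Mock AS policy hook (constructed semantics: 0 = allow, -1 = reject).
 * An entry without a populated principal is rejected instead of crashing;
 * kadmin pseudo-principals are rejected as a constructed policy. */
int check_policy_as_mock(void *ctx, const mock_db_entry *client)
{
    if (client == NULL || client->princ == NULL) return -1;
    if (is_kadmin_checked(ctx, client->princ)) return -1;
    return 0;
}

/* Constructed sample principals: kadmin/admin and a plain user. */
static mock_krb5_data kadmin_comps[2] = { {6, "kadmin"}, {5, "admin"} };
static mock_krb5_data user_comps[1]   = { {13, "administrator"} };
mock_princ_data kadmin_princ = { 2, kadmin_comps };
mock_princ_data user_princ   = { 1, user_comps };

/* Wrapper: run the policy mock on an entry that holds princ (may be NULL). */
int policy_for_princ(mock_princ princ)
{
    mock_db_entry e = { princ };
    return check_policy_as_mock(NULL, &e);
}
```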

Credits

Isaac Boukris

Reference(s)

[SECURITY] CVE-2018-16853 S4U2Self crash with MIT KDC build
https://bugzilla.samba.org/show_bug.cgi?id=13571

Samba AD DC S4U2Self Crash in experimental MIT Kerberos configuration (unsupported)
https://www.samba.org/samba/security/CVE-2018-16853.html

[Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
https://lists.samba.org/archive/samba-announce/2018/000462.html

CVE-2018-16853 build: The Samba AD DC, when built with MIT Kerberos, is experimental
https://github.com/samba-team/samba/commit/07c49d25cdca605bd84294603713d51f913a7ed2

CVE-2018-16853 WHATSNEW: The Samba AD DC, when built with MIT Kerberos, is experimental
https://github.com/samba-team/samba/commit/c5370a4349d381ba3b64b063dc28a2c54cfacdfc

CVE-2018-16853: Fix kinit test on system lacking ldbsearch
https://github.com/samba-team/samba/commit/bf0e9041becde3ad15e03d820cd2919c708dd9f5

CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
https://github.com/samba-team/samba/commit/6c453aeb0c771d14fe501e9a37d9f51b9403872b

CVE-2018-16853: Add a test to verify s4u2self doesn’t crash
https://github.com/samba-team/samba/commit/c556ac5c66bf31e9065e723541ff6173e16ca70b

CVE-2018-16853: Do not segfault if client is not set
https://github.com/samba-team/samba/commit/7cddbcf039a7a67df2bae1779254e2a136f673f0

CVE-2018-16853: fix crash in expired password case
https://github.com/samba-team/samba/commit/6ab51b2af90f5dca11b8587b2a16215ab4497069

[SECURITY] Mark MIT support for the AD DC experimental (related to CVE-2018-16853)
https://bugzilla.samba.org/show_bug.cgi?id=13678

S4U2Self with MIT KDC build
https://lists.samba.org/archive/samba-technical/2018-August/129670.html

CVE-2018-16853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16853

CVE-2018-16853
https://nvd.nist.gov/vuln/detail/CVE-2018-16853

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 4, 2018

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.