ASA-2018-00060 – Samba: AD DC S4U2Self Crash in experimental MIT Kerberos configuration

Allele Security Alert

ASA-2018-00060, CVE-2018-16853

AD DC S4U2Self Crash in experimental MIT Kerberos configuration

Affected version(s)

Samba 4.7.0 and later versions

Fixed version(s)

Samba 4.7.12, 4.8.7 and 4.9.3

Proof of concept

A user in a Samba AD domain can crash the KDC when Samba is built in the non-default MIT Kerberos configuration.

Technical details

When trying an S4U2Self request against a fresh Samba AD built with MIT krb5, the KDC segfaults.

To reproduce, you’d need a domain member and to run:

net ads kerberos pac dump impersonate=administrator@REALM -P -d3
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76
76 return krb5_princ_size(context, princ) >= 1 &&
(gdb) bt
#0 0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at ../source4/kdc/mit-kdb/kdb_samba_common.c:76
#1 0x00007ffff5c00179 in kdb_samba_db_check_policy_as (context=0x647620, kdcreq=0x137d020, client=0x7fffffffdc30, server=0x7fffffffdc88,
kdc_time=1534188443, status=0x7fffffffde88, e_data_out=0x7fffffffdd10) at ../source4/kdc/mit-kdb/kdb_samba_policies.c:93
#2 0x000000000040d005 in validate_as_request (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=request@entry=0x137d020, client=..., server=...,
kdc_time=kdc_time@entry=1534188443, status=status@entry=0x7fffffffde88, e_data=e_data@entry=0x7fffffffdd10) at kdc_util.c:747
#3 0x000000000040e674 in kdc_process_s4u2self_req (kdc_active_realm=kdc_active_realm@entry=0x646d70, request=0x137d020, client_princ=0xe07a80,
server=<optimized out>, tgs_subkey=<optimized out>, tgs_session=<optimized out>, kdc_time=1534188443, s4u_x509_user=0x7fffffffdeb0,
princ_ptr=0x7fffffffde90, status=0x7fffffffde88) at kdc_util.c:1567
#4 0x0000000000409c08 in process_tgs_req (request=<optimized out>, pkt=pkt@entry=0x16ace90, from=from@entry=0xdfef40, kdc_active_realm=0x646d70,
response=response@entry=0x7fffffffe148) at do_tgs_req.c:269
#5 0x0000000000407396 in dispatch (cb=0x620a30 <shandle>, local_addr=local_addr@entry=0x16ace78, remote_addr=remote_addr@entry=0xdfef40,
pkt=pkt@entry=0x16ace90, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x69e4f0, respond=0x417440 <process_tcp_response>, arg=0x16acde0) at dispatch.c:196
#6 0x0000000000419151 in process_tcp_connection_read (ctx=0x69e4f0, ev=0xcdec90) at net-server.c:1349
#7 0x00007ffff6409a68 in verto_fire () from /lib64/
#8 0x00007fffdc14e293 in ev_invoke_pending () from /lib64/
#9 0x00007fffdc151859 in ev_run () from /lib64/
#10 0x000000000040634b in main (argc=2, argv=0x7fffffffe498) at main.c:1050
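As an added illustration (not Samba's or MIT krb5's own code), the failure in frame #0 above, where ks_is_kadmin is entered with princ=0x0, modelled in C: an unchecked principal lookup beside a guarded one, and a policy check that tolerates an unset client entry on the S4U2Self path. All type and function names below are constructed stand-ins, not the real KDB or Samba types.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a Kerberos principal: its name components. */
typedef struct {
    int length;             /* number of components */
    const char *data[4];    /* component strings */
} model_principal;

/* Stand-in for the KDB entry the policy hook receives. On the S4U2Self
 * path the client entry's principal can be unset (princ=0x0 in the trace). */
typedef struct {
    model_principal *princ;
} model_db_entry;

/* Vulnerable shape: dereferences princ unconditionally, so a NULL principal
 * faults at the first field access, as frame #0 of the backtrace does. */
bool is_kadmin_unchecked(const model_principal *princ)
{
    return princ->length >= 1 && strcmp(princ->data[0], "kadmin") == 0;
}

/* Hardened shape: a missing principal is simply "not kadmin". */
bool is_kadmin_checked(const model_principal *princ)
{
    if (princ == NULL) {
        return false;
    }
    return princ->length >= 1 && strcmp(princ->data[0], "kadmin") == 0;
}

/* Model policy check for an AS-REQ, or a TGS-REQ arriving via S4U2Self.
 * Returns 0 to allow the request, 1 to refuse it. Both the entry pointer
 * and the principal inside it are guarded before any name comparison. */
int check_policy_as_model(const model_db_entry *client,
                          const model_db_entry *server)
{
    const model_principal *cp = client ? client->princ : NULL;
    const model_principal *sp = server ? server->princ : NULL;

    /* Model policy: refuse requests that name the kadmin service. */
    if (is_kadmin_checked(cp) || is_kadmin_checked(sp)) {
        return 1;
    }
    return 0;
}
```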


Isaac Boukris


Summary: [SECURITY] CVE-2018-16853 S4U2Self crash with MIT KDC build

Samba AD DC S4U2Self Crash in experimental MIT Kerberos configuration (unsupported)

[Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available

CVE-2018-16853 build: The Samba AD DC, when built with MIT Kerberos, is experimental

CVE-2018-16853 WHATSNEW: The Samba AD DC, when built with MIT Kerberos, is experimental

CVE-2018-16853: Fix kinit test on system lacking ldbsearch

CVE-2018-16853: The ticket in check_policy_as can actually be a TGS

CVE-2018-16853: Add a test to verify s4u2self doesn’t crash

CVE-2018-16853: Do not segfault if client is not set

CVE-2018-16853: fix crash in expired password case

[SECURITY] Mark MIT support for the AD DC experimental (related to CVE-2018-16853)

[SECURITY] CVE-2018-16853 S4U2Self crash with MIT KDC build

S4U2Self with MIT KDC build



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 4, 2018

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.