From cf1a0c411b2668c57c41e9c4efd15ba17b6b322c Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Fri, 3 May 2013 16:26:46 -0400 Subject: [PATCH] Fix kpasswd UDP ping-pong [CVE-2002-2443] The kpasswd service provided by kadmind was vulnerable to a UDP "ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless they pass some basic validation, and don't respond to our own error packets. Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong attack or UDP ping-pong attacks in general, but there is discussion leading toward narrowing the definition of CVE-1999-0103 to the echo, chargen, or other similar built-in inetd services. Thanks to Vincent Danen for alerting us to this issue. CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C ticket: 7637 (new) target_version: 1.11.3 tags: pullup --- src/kadmin/server/schpw.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c index 15b0ab5..7f455d8 100644 --- a/src/kadmin/server/schpw.c +++ b/src/kadmin/server/schpw.c @@ -52,7 +52,7 @@ ret = KRB5KRB_AP_ERR_MODIFIED; numresult = KRB5_KPASSWD_MALFORMED; strlcpy(strresult, "Request was truncated", sizeof(strresult)); - goto chpwfail; + goto bailout; } ptr = req->data; @@ -67,7 +67,7 @@ numresult = KRB5_KPASSWD_MALFORMED; strlcpy(strresult, "Request length was inconsistent", sizeof(strresult)); - goto chpwfail; + goto bailout; } /* verify version number */ @@ -80,7 +80,7 @@ numresult = KRB5_KPASSWD_BAD_VERSION; snprintf(strresult, sizeof(strresult), "Request contained unknown protocol version number %d", vno); - goto chpwfail; + goto bailout; } /* read, check ap-req length */ @@ -93,7 +93,7 @@ numresult = KRB5_KPASSWD_MALFORMED; strlcpy(strresult, "Request was truncated in AP-REQ", sizeof(strresult)); - goto chpwfail; + goto bailout; } /* verify ap_req */ -- 1.8.1.6