CVE CyberSecurity Database News

CVE-2023-36054 - Uninitialized Pointer Free in MIT Kerberos 5’s lib/kadm5/kadm_rpc_xdr.c

Poster -

CVE-2023-36054 is a serious vulnerability that was discovered in MIT Kerberos 5 before versions 1.20.2 and 1.21.1. This bug resides in the way Kerberos handles certain key data structures through its kadmind service. Specifically, an uninitialized pointer can be freed in lib/kadm5/kadm_rpc_xdr.c, leading to a crash of the kadmind process. In this post, we’ll break down the vulnerability, highlight how it can be triggered, and provide code snippets and resources for further reading.

What is MIT Kerberos 5 and kadmind?

MIT Kerberos 5 is a well-known implementation of the Kerberos authentication protocol used for network security. The component at the heart of this vulnerability is kadmind, a daemon that lets authenticated users interact with the Kerberos database — for example, to change passwords or manage principals (users/services).

What is the issue?

When Kerberos kadmind receives and decodes remote procedure calls (RPCs) about principal records, it doesn’t properly validate the count of keys (n_key_data) against the actual size of the key_data array. Because of this, kadmind might free a pointer that was never initialized, leading to a server crash.

This can be exploited remotely by an authenticated user, effectively creating a denial-of-service (DoS) for the admin service. While not giving full control to the attacker, it can cause headaches for organizations relying on Kerberos for authentication services.

Vulnerable Code Walkthrough

Let’s examine the buggy area. The vulnerable function is called _xdr_kadm5_principal_ent_rec inside lib/kadm5/kadm_rpc_xdr.c. This function handles the encoding/decoding (serialization/deserialization) of kadm5_principal_ent_rec structures.

Here is a simplified (and anonymized) snippet to demonstrate the logic

if (!xdr_u_int(xdrs, &objp->n_key_data))
    return FALSE;
if (objp->n_key_data > KADM5_MAX_KEY_DATA ||
    (objp->n_key_data >  && objp->key_data == NULL))
    return FALSE;
for (i = ; i < objp->n_key_data; i++) {
    if (!xdr_kadm5_key_data(xdrs, &objp->key_data[i]))
        return FALSE;
}

Problem: If the incoming RPC claims there are lots of keys (huge n_key_data), but there’s no corresponding memory allocation for key_data, or an array of the wrong size, freeing or accessing out-of-bounds indexes will touch uninitialized memory.

The crash occurs during cleanup, when the code attempts to free or dereference fields of these objects.

Requirements

- Authenticated access to kadmind (that is, the attacker needs legitimate credentials, or somehow compromise them).
- Ability to send a specially-crafted RPC that specifies a mismatched n_key_data and supplies a bogus or partially filled key_data array.

Actions

1. Send a malicious request with a large or manipulated n_key_data, and provide a deliberately short or NULL key_data pointer.
2. Trigger cleanup logic: When kadmind processes the message, it tries to free or read key_data entries that were never actually allocated. This immediately crashes the daemon.

Impact

- Denial of Service (DoS): The Kerberos admin daemon (kadmind) goes down, halting user and admin operations until the service is restarted.

Proof of Concept (Simplified)

Suppose you have Kerberos client code and can call modify_principal or similar kadm5 RPCs. If you craft a message (for example with Python or custom C) that incorrectly claims a huge key array size, you can knock over the server.

*This is high-level pseudocode:*

# pseudo-code of malicious RPC call
kadmin_conn.modify_principal(
    principal="target/host",
    key_data=[],       # Supply empty or malformed key_data
    n_key_data=999999  # Ridiculous count, no real keys
)

Upon processing this, kadmind’s codebase crashes as it tries to free or process nonexistent key data.

Patch and Fixes

The patch comes down to verifying the relationship between n_key_data and the pointers in key_data. The development team added proper checks to ensure n_key_data matches the real size, and that key_data is always allocated for each declared key.

> Fixed in:  
> - MIT Kerberos 5 1.20.2  
> - MIT Kerberos 5 1.21.1

Upgrade right away if you run affected versions. This is especially urgent in environments where multiple users have administrative access.

References

- MIT Kerberos 5 Security Advisory 2023-001
- CVE-2023-36054 NIST Detail
- Upstream Git commit fixing the bug
- Kerberos Admin Protocol

Conclusion

CVE-2023-36054 is a potent denial-of-service bug in MIT Kerberos's admin utilities, showing once again how critical proper array handling is in C. While exploitation requires authentication, the impact is disruptive in active environments.

Timeline

Published on: 08/07/2023 19:15:00 UTC
Last modified on: 08/15/2023 17:57:00 UTC