CVE-2019-14870: Always lookup impersonate client in DB

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
This commit is contained in:
Isaac Boukris
2019-11-05 02:35:35 +01:00
committed by Jeffrey Altman
parent 733140553a
commit 51415eaaae
2 changed files with 26 additions and 20 deletions


@@ -2120,30 +2120,32 @@ server_lookup:
if (ret)
goto out;
ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
NULL, &s4u2self_impersonated_clientdb,
&s4u2self_impersonated_client);
if (ret) {
const char *msg;
/*
* If the client belongs to the same realm as our krbtgt, it
* should exist in the local database.
*
*/
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 2,
"S4U2Self principal to impersonate %s not found in database: %s",
tpn, msg);
krb5_free_error_message(context, msg);
goto out;
}
/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
if(rspac.data) {
krb5_pac p = NULL;
krb5_data_free(&rspac);
ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
if (ret) {
const char *msg;
/*
* If the client belongs to the same realm as our krbtgt, it
* should exist in the local database.
*
*/
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 4,
"S4U2Self principal to impersonate %s not found in database: %s",
tpn, msg);
krb5_free_error_message(context, msg);
goto out;
}
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
if (ret) {
kdc_log(context, config, 4, "PAC generation failed for -- %s",
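Review bot: The comment above the error branch following the moved `_kdc_db_fetch` call (the "If the client belongs to the same realm as our krbtgt" block) does not say why the lookup now precedes `if(rspac.data)`, which is the whole point of the fix and the thing a future refactor is most likely to undo; a one-line why-comment before the fetch, such as `/* Always look up the impersonated client, even when no PAC will be issued, so S4U2Self for a principal unknown to this KDC is rejected (CVE-2019-14870). */`, would pin that down, and the stray empty ` *` line inside the existing comment can be dropped. The two copies of the error branch on the page also differ in log level (`kdc_log(context, config, 2, ...)` versus `4`); if the retained copy is the level-2 one, the lower level is a sensible choice for a check that is security-relevant for detection, but it is worth confirming the change is intentional rather than a copy artefact. The enclosing function starts before and continues past this hunk, so whether `s4u2self_impersonated_client` is released on every exit path after the success case cannot be checked from here.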


@@ -805,6 +805,10 @@ echo " negative check"
${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }
echo "test impersonate unknown client"; > messages.log
${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
{ ec=1 ; eval "${testfailed}"; }
echo "test constrained delegation"; > messages.log
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
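Review bot: The new negative test for `--impersonate=unknown@${R}` only asserts that kgetcred fails; it does not check that it failed for the intended reason, so a regression that rejects the request earlier (for example an unrelated ticket or policy error) would still pass. Since the test truncates `messages.log` just before the call, a follow-up grep of the KDC log for the "not found in database" message emitted by the fixed code path, e.g. `grep -q "S4U2Self principal to impersonate .* not found in database" messages.log || { ec=1 ; eval "${testfailed}"; }`, would tie the test to the fix. The neighbouring negative check above redirects stderr with `2>/dev/null`; the new line does not, which is a minor inconsistency in the test's output.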