[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] CVE-2017-9732: knc (kerberized netcat) memory exhaustion
From: Imre Rad <radimre83 () gmail ! com>
Date: 2018-11-28 7:21:19
Message-ID: CAPWzz4wBbAw7P0scb6Nj+LUTbRpuxM534=LZF_azH7Ep0uAwmQ () mail ! gmail ! com
[Download RAW message or body]
Product:
"KNC is Kerberised NetCat. It works in basically the same way as either
netcat or stunnel except that it is uses GSS-API to secure the
communication. You can use it to construct client/server applications while
keeping the Kerberos libraries out of your programs address space quickly
and easily."
Official page:
http://oskt.secure-endpoints.com/knc.html
Source code repository:
https://github.com/elric1/knc/
Vulnerability:
knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service
(memory exhaustion) that can be exploited remotely without authentication,
possibly affecting another services running on the targeted host.
The knc implementation uses a temporary buffer in read_packet() function
that is not freed (memory leak). An unauthenticated attacker can abuse this
by sending a blob of valid kerberos handshake structure but with unexpected
type; instead of token type AP_REQ (0x0100) I sent 0x0000 at bytes 16 and
17 in my proof of concept. During the attack, gss_sec_accept_context
returns G_CONTINUE_NEEDED and the memory is exhausted in the long run.
The attack might not even be logged, depending on how the Open Source
Kerberos Tooling stack is configured.
Proof of Concept code:
https://github.com/irsl/knc-memory-exhaustion/
Bugfix:
https://github.com/elric1/knc/commit/f237f3e09ecbaf59c897f5046538a7b1a3fa40c1
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic