[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] general Krb5 DNS vulnerabilities (e.g. krb5 web auth)? [was: Re: [oss-security] CVE r
From: Daniel Kahn Gillmor <dkg () fifthhorseman ! net>
Date: 2013-06-28 20:39:11
Message-ID: 87fvw2dl74.fsf () alice ! fifthhorseman ! net
[Download RAW message or body]
On Thu 2013-04-04 13:01:13 -0400, Kurt Seifried wrote:
> On 04/03/2013 04:43 PM, Vincent Danen wrote:
>> This has been discussed on the linux-nfs mailing list, so fully
>> public. Just cutting and pasting from our bugzilla:
>>
>> It was reported [1],[2] that rpc.gssd in nfs-utils is vulnerable to
>> DNS spoofing due to it depending on PTR resolution for GSSAPI
>> authentication. Because of this, if a user where able to poison
>> DNS to a victim's computer, they would be able to trick rpc.gssd
>> into talking to another server (perhaps with less security) than
>> the intended server (with stricter security). If the victim has
>> write access to the second (less secure) server, and the attacker
>> has read access (when they normally might not on the secure
>> server), the victim could write files to that server, which the
>> attacker could obtain (when normally they would not be able to).
>> To the victim this is transparent because the victim's computer
>> asks the KDC for a ticket to the second server due to reverse DNS
>> resolution; in this case Krb5 authentication does not fail because
>> the victim is talking to the "correct" server.
>>
>> A patch that prevents this issue has been posted [3].
>>
>> To workaround this issue, set the IP/host pair in /etc/hosts so
>> that it cannot be spoofed.
>>
>> A good explanation is also available here [4].
>>
>> [1] http://marc.info/?l=linux-nfs&m=136491998607561&w=2 [2]
>> http://marc.info/?l=linux-nfs&m=136500502805121&w=2 [3]
>> http://marc.info/?l=linux-nfs&m=136493115612397&w=2 [4]
>> http://ssimo.org/blog/id_015.html
>>
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=948072
>>
>>
>> Since this is fairly new, I don't think a CVE would have been
>> requested already. Could one be assigned to this?
>
> Please use CVE-2013-1923 for this issue.
I'm wondering if this isn't actually a larger issue, outside of NFS.
For example, when i use SPNEGO/Negotiate authentication in a
firefox/iceweasel browser to foo.example.com, firefox appears to
normalize the request via a DNS reverse lookup before requesting a krb5
ticket.
-------------------------
0 dkg@alice:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dkg@EXAMPLE.COM
Valid starting Expires Service principal
28/06/2013 10:32 29/06/2013 01:32 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 29/06/2013 10:32
0 dkg@alice:~$
[ then i point my browser (debian iceweasel 22.0-1, maintainer Cc'ed
here) at http://foo.example.com/login, which does WWW Negotiate
authentication, but the PTR record refers to bar.example.com ]
0 dkg@alice:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dkg@EXAMPLE.COM
Valid starting Expires Service principal
28/06/2013 10:32 29/06/2013 01:32 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 29/06/2013 10:32
28/06/2013 15:02 29/06/2013 01:32 HTTP/bar.example.com@
renew until 29/06/2013 10:32
28/06/2013 15:02 29/06/2013 01:32 HTTP/bar.example.com@EXAMPLE.COM
renew until 29/06/2013 10:32
0 dkg@alice:~$
-------------------------
On the server side, using debian's libapache2-mod-kerb 5.4-2 (maintainer
cc'ed as well), apache does a reverse lookup on its own virtualhost name
(confirmed by observing traffic with tcpdump).
So it seems like the same argument used above for NFS applies to the
web/negotiate/spnego/gssapi/krb5 use case: an attacker capable of
poisoning the DNS and intercepting traffic could make an authenticated
victim do something on server A while thinking that they were
manipulating server B, based on their kerberos credentials.
Is it possible that this is a bigger problem that needs to be addressed
at the krb5 level? iirc, reverse DNS has traditionally been a known
point of concern for krb5 deployments, but maybe the specific attacks
just haven't been explicitly articulated or identified as a problem?
I might also be confused; feel free to point me to corrective material.
--dkg
[Attachment #3 (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic