#9541 specially crafted HTTP requests potentially lead to DoS or data exposure
Closed: fixed 11 months ago by frenaud. Opened 11 months ago by rcritten.

Issue

The "user" parameter in the HTTP URI "/sip/session/login_password" is inserted into the "run" function from the file "ipautil.py". Then it is passed as an argument to "subprocess.Popen". As a result, the following list is passed: "args=['/usr/bin/kinit', '{user params}', '-c', '/run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If instead of "{user params}" there is a string "-V", then it will be taken as an argument for "kinit". As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DoS, or use the keytab file from the system to log in under participants without a password.

Simple request with "user=-H&password=0000000"
With multiple parameters "user=-Vkt&password=0000000"

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2262169
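The commits referenced in this ticket fix the problem by validating the Kerberos principal name before kinit is invoked, and the follow-up commit drops the check that the realm is known. The block below is an added illustration of that defensive pattern, written for this page; it is not FreeIPA's own code from ipautil.py or rpcserver.py. The ccache paths are constructed stand-ins for the per-request names quoted in the report, and the principal grammar is an assumption chosen to be conservative (name components separated by "/", optional "@REALM", never a leading "-"), not the project's actual validation rule.

```python
import re

# Constructed stand-ins for the per-request cache paths quoted in the report.
CCACHE = "/run/ipa/ccaches/kinit_13704"
ARMOR = "/run/ipa/ccaches/armor_13704"

# Assumed grammar for this example (not FreeIPA's own rule): a component starts
# with an alphanumeric, '_' or '.', so a value beginning with '-' can never
# match and therefore can never be parsed by kinit as an option.
_COMPONENT = r"[A-Za-z0-9_.][A-Za-z0-9_.$-]*"
_PRINCIPAL_RE = re.compile(rf"^{_COMPONENT}(?:/{_COMPONENT})*(?:@[A-Za-z0-9.-]+)?$")


class InvalidPrincipal(ValueError):
    """Raised when a submitted principal name is not safe to hand to kinit."""


def validate_principal(principal: str) -> str:
    """Return the principal unchanged if it is well formed, else raise.

    The realm is only checked for shape, not against a list of known realms,
    matching the direction of the follow-up commit on this ticket.
    """
    if not principal or principal.startswith("-"):
        raise InvalidPrincipal(f"rejected principal name: {principal!r}")
    if not _PRINCIPAL_RE.fullmatch(principal):
        raise InvalidPrincipal(f"rejected principal name: {principal!r}")
    return principal


def is_valid_principal(principal: str) -> bool:
    """Boolean convenience wrapper around validate_principal()."""
    try:
        validate_principal(principal)
    except InvalidPrincipal:
        return False
    return True


def kinit_argv_unsafe(user: str) -> list:
    """Argument list in the shape the report describes: the raw form field
    lands in argv[1], where kinit's option parser will see it."""
    return ["/usr/bin/kinit", user, "-c", CCACHE, "-T", ARMOR, "-C", "-E"]


def kinit_argv_safe(user: str) -> list:
    """Same argument list, but the principal is validated first, so an
    option-shaped value is rejected before any process is started."""
    return ["/usr/bin/kinit", validate_principal(user), "-c", CCACHE,
            "-T", ARMOR, "-C", "-E"]


def principal_slot_is_option_shaped(argv: list) -> bool:
    """Audit helper: does the positional principal slot hold something that a
    getopt-style parser would treat as an option? Useful when reviewing
    logged argv lines from the unsafe builder."""
    return len(argv) > 1 and argv[1].startswith("-")


if __name__ == "__main__":
    for user in ("alice@EXAMPLE.COM", "-V", "-Vkt", "-H"):
        argv = kinit_argv_unsafe(user)
        print(user, "-> option-shaped:", principal_slot_is_option_shaped(argv),
              "valid:", is_valid_principal(user))
```

The point of the two builders is that the argv list is identical except for the validation step; subprocess.Popen already prevents shell interpretation, so the only remaining sink is kinit's own option parser, and the fix is to refuse any value that parser could misread.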


Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2265129

11 months ago

master:

  • 404fe10 rpcserver: validate Kerberos principal name before running kinit

master:

  • 33af154 validate_principal: Don't try to verify that the realm is known

ipa-4-11:

  • 8b59881 rpcserver: validate Kerberos principal name before running kinit
  • 5781369 validate_principal: Don't try to verify that the realm is known

ipa-4-10:

  • 921661f rpcserver: validate Kerberos principal name before running kinit
  • 204011d validate_principal: Don't try to verify that the realm is known

ipa-4-9:

  • b039f30 rpcserver: validate Kerberos principal name before running kinit
  • 96a478b validate_principal: Don't try to verify that the realm is known

ipa-4-6:

  • 09c3b32 rpcserver: validate Kerberos principal name before running kinit
  • e4628c4 validate_principal: Don't try to verify that the realm is known

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

11 months ago

ipa-4-6:

  • a84db9a validate_principal: Fix python2 issues
