oss-sec mailing list archives

general Krb5 DNS vulnerabilities (e.g. krb5 web auth)? [was: Re: [oss-security] CVE request: rpc-gssd is vulnerable to DNS spoofing]

From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Fri, 28 Jun 2013 16:39:11 -0400

On Thu 2013-04-04 13:01:13 -0400, Kurt Seifried wrote:

On 04/03/2013 04:43 PM, Vincent Danen wrote:

This has been discussed on the linux-nfs mailing list, so fully
public. Just cutting and pasting from our bugzilla:

It was reported [1],[2] that rpc.gssd in nfs-utils is vulnerable to
DNS spoofing due to it depending on PTR resolution for GSSAPI 
authentication.  Because of this, if a user where able to poison
DNS to a victim's computer, they would be able to trick rpc.gssd
into talking to another server (perhaps with less security) than
the intended server (with stricter security).  If the victim has
write access to the second (less secure) server, and the attacker
has read access (when they normally might not on the secure
server), the victim could write files to that server, which the
attacker could obtain (when normally they would not be able to).
To the victim this is transparent because the victim's computer
asks the KDC for a ticket to the second server due to reverse DNS
resolution; in this case Krb5 authentication does not fail because
the victim is talking to the "correct" server.

A patch that prevents this issue has been posted [3].

To workaround this issue, set the IP/host pair in /etc/hosts so
that it cannot be spoofed.

A good explanation is also available here [4].

[1] http://marc.info/?l=linux-nfs&m=136491998607561&w=2 [2]
http://marc.info/?l=linux-nfs&m=136500502805121&w=2 [3]
http://marc.info/?l=linux-nfs&m=136493115612397&w=2 [4]
http://ssimo.org/blog/id_015.html


https://bugzilla.redhat.com/show_bug.cgi?id=948072


Since this is fairly new, I don't think a CVE would have been
requested already.  Could one be assigned to this?


Please use CVE-2013-1923 for this issue.


I'm wondering if this isn't actually a larger issue, outside of NFS.
For example, when i use SPNEGO/Negotiate authentication in a
firefox/iceweasel browser to foo.example.com, firefox appears to
normalize the request via a DNS reverse lookup before requesting a krb5
ticket.

-------------------------
0 dkg@alice:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dkg () EXAMPLE COM

Valid starting    Expires           Service principal
28/06/2013 10:32  29/06/2013 01:32  krbtgt/EXAMPLE.COM () EXAMPLE COM
        renew until 29/06/2013 10:32
0 dkg@alice:~$ 

 [ then i point my browser (debian iceweasel 22.0-1, maintainer Cc'ed
   here) at http://foo.example.com/login, which does WWW Negotiate
   authentication, but the PTR record refers to bar.example.com ]

0 dkg@alice:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dkg () EXAMPLE COM

Valid starting    Expires           Service principal
28/06/2013 10:32  29/06/2013 01:32  krbtgt/EXAMPLE.COM () EXAMPLE COM
        renew until 29/06/2013 10:32
28/06/2013 15:02  29/06/2013 01:32  HTTP/bar.example.com@
        renew until 29/06/2013 10:32
28/06/2013 15:02  29/06/2013 01:32  HTTP/bar.example.com () EXAMPLE COM
        renew until 29/06/2013 10:32
0 dkg@alice:~$ 
-------------------------


On the server side, using debian's libapache2-mod-kerb 5.4-2 (maintainer
cc'ed as well), apache does a reverse lookup on its own virtualhost name
(confirmed by observing traffic with tcpdump).

So it seems like the same argument used above for NFS applies to the
web/negotiate/spnego/gssapi/krb5 use case: an attacker capable of
poisoning the DNS and intercepting traffic could make an authenticated
victim do something on server A while thinking that they were
manipulating server B, based on their kerberos credentials.

Is it possible that this is a bigger problem that needs to be addressed
at the krb5 level?  iirc, reverse DNS has traditionally been a known
point of concern for krb5 deployments, but maybe the specific attacks
just haven't been explicitly articulated or identified as a problem?

I might also be confused; feel free to point me to corrective material.

  --dkg

Attachment: _bin
Description:

Current thread:

CVE request: rpc-gssd is vulnerable to DNS spoofing Vincent Danen (Apr 03)
- Re: CVE request: rpc-gssd is vulnerable to DNS spoofing Kurt Seifried (Apr 04)
  - general Krb5 DNS vulnerabilities (e.g. krb5 web auth)? [was: Re: [oss-security] CVE request: rpc-gssd is vulnerable to DNS spoofing] Daniel Kahn Gillmor (Jun 28)