[pcre-dev] [Bug 1498] AUTH GSSAPI does not work with cross-r…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
Madmin at <-
Madmin at ->
Delete this message
Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1498] AUTH GSSAPI does not work with cross-realm
https://bugs.exim.org/show_bug.cgi?id=1498

rapepav820 <rapepav820@???> changed: 

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED


--- Comment #4 from rapepav820 <rapepav820@???> ---
(In reply to Phil Pennock from comment #3)
> Okay, the KRB5_KTNAME problem is a deficiency in the APIs; neither the SASL
> nor the GSSAPI specifications provide a way to specify the location of the
> server keytab.
>
> We documented this environment variable for Exim in the preamble for the
> cyrus_sasl authenticator chapter of the docs. It used to work reliably. I
> wrote the heimdal_gssapi authenticator after Heimdal stopped honouring that
> environment variable in setuid programs, even when the original caller was
> root, and that is the one potentially non-portable call used in the library
> which makes it Heimdal specific -- the environment variable hack to bypass
> the deficient APIs is convenient but, like all hacks, not guaranteed. I
> feel your pain though -- I'm the one who found the environment variable
> path, which led to it being documented.
>
> When using cyrus-sasl, Exim's code is not handling anything to do with
> talking to the KDC -- that's all part of the service provided by the
> authentication library.
>
> I can not find any documentation on anything specific which needs to be
> done, per-app, to support multiple realms; the debug traces you provide show
> that Exim is passing the auth data to cyrus-sasl, which is just erroring out
> immediately, as a permanent error; according to the header file
> <sasl/sasl.h> the numeric error -13 is "SASL_BADAUTH" -- so the library is
> telling Exim outright that authentication has failed. If this were
> something wrong with cross-realm trust setup, I'd optimistically expect
> SASL_NOAUTHZ telling us that the user can't be authorized, not that
> authentication itself failed.
>
> The first other avenue I know of to investigate is that we initialise Cyrus
> SASL with an application name of "exim", so a file named "exim.conf" in the
> sasl2 library directory should be picked up by Cyrus and parsed; my
> recollection is that setting "keytab" in that did not work for me, using
> Cyrus SASL with Heimdal, so I've not explored that much.
>
> The other option is that the SASL library is expecting to be able to call
> the "sasl_authorize_t" callback to handle cross-realm trust issues (very
> unclear if this is so), and because Exim does not register a callback for
> that, authorization fails and Cyrus is doing something horrendously funky to
> turn that into an authentication failure.
>
> Investigation and patches very welcome.

The latest version of PCRE (pcre2-10.34-RC1, pcre2-10.33) is prone to a stack
http://www.sprite-ideas.com/
overflow vulnerability in internal_dfa_match() (pcre2_dfa_match.c) which can be
triggered using a crafted regular expression. Upon execution of the crafted
regular expression, the function internal_dfa_match() calls itself recursively,
resulting into uncontrolled recursion. It exceeds the stack size limit (8 MB),
finally resulting into stack exhaustion. An attacker can potentially exploit
this issue to perform remote code execution or denial of service attack.

=====================
Output of ASAN compiled library (-fsanitize=address)

Run as: ./pcre2test sbovf-input (attached herewith)
http://www.componentanalysis.org/

--------------------
ASAN:DEADLYSIGNAL 

==17245==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7feff8 (pc
0x5555555afcc7 bp 0x7fffff7ff4b0 sp 0x7fffff7fefe0 T0)
    #0 0x5555555afcc6 in internal_dfa_match src/pcre2_dfa_match.c:2859
    #1 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #2 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
http://www.environmentaleducationnews.com/
    #3 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #4 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #5 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #6 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #7 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
http://toscanoandsonsblog.com/
    #8 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #9 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #10 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    ...
    <skipped>
    ...
    #240 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #241 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
http://www.mic-sound.net/
    #242 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #243 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #244 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
http://www.craftpatternwarehouse.com/
    #245 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #246 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #247 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #248 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #249 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #250 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871






SUMMARY: AddressSanitizer: stack-overflow src/pcre2_dfa_match.c:2859 in
internal_dfa_match http://www.slipstone.co.uk/
==17245==ABORTING

====================
With gdb
--------------------
$ gdb ./pcre2test http://www.bigeasydesarucoast.com/ 

(gdb) r sbovf-input
Program received signal SIGSEGV, Segmentation fault.
0x00005555555aaab4 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eb1 '\200' <repeats 200
times>..., http://matslideborg.com/
start_offset=start_offset@entry=6522, offsets=offsets@entry=0x7fffec780030,
offsetcount=offsetcount@entry=1000, https://www.hr-itconsulting.tech/




http://www.izidil.com/ workspace=0x7fffec781f70, wscount=1000,
rlevel=6522, RWS=0x7fffeb8c5800) at src/pcre2_dfa_match.c:533
http://padreislandtv.com/




The latest version of PCRE (pcre2-10.34-RC1, pcre2-10.33) is prone to a stack
overflow vulnerability http://www.dontfuckwiththeearth.com/ in
internal_dfa_match()
(pcre2_dfa_match.c) which can be triggered using a crafted regular expression.
Upon execution of the crafted regular expression, the function
internal_dfa_match() http://openbsdvps.net/ calls itself recursively,
resulting into uncontrolled recursion. http://www.artofcharlesgriffith.com/It
exceeds the stack size limit (8 MB),
finally resulting into stack exhaustion. An attacker can potentially exploit
this issue to perform http://www.griintravel.com/ remote code execution or
denial
of service attack.

SOURCE
http://www.lanavebruja.com/
http://www.nzhorses.co.nz/
http://www.heurisko.co.nz/
http://www.totalregistrations.co/
https://www.waterspumpingservices.co.nz
http://fb.tiranna.org/
http://fb.tiranna.org/essences.html
https://www.laikadesign.net/
http://www.osubg.org/
http://www.english-for-winners.com/

--
You are receiving this mail because:
You are on the CC list for the bug.
This message was posted to the following mailing lists:
Pcre-dev
Mailing List Info | Nearby Messages		<-[pcre-dev] [Bug 123] Send failed error messages to somebody[pcre-dev] [Bug 393] Analogue of errors_copy for warning messages->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)