Full Disclosure mailing list archives
CVE-2017-9732: knc (kerberized netcat) memory exhaustion
From: Imre Rad <radimre83 () gmail com>
Date: Wed, 28 Nov 2018 08:21:19 +0100
Product: "KNC is Kerberised NetCat. It works in basically the same way as either netcat or stunnel except that it is uses GSS-API to secure the communication. You can use it to construct client/server applications while keeping the Kerberos libraries out of your programs address space quickly and easily." Official page: http://oskt.secure-endpoints.com/knc.html Source code repository: https://github.com/elric1/knc/ Vulnerability: knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another services running on the targeted host. The knc implementation uses a temporary buffer in read_packet() function that is not freed (memory leak). An unauthenticated attacker can abuse this by sending a blob of valid kerberos handshake structure but with unexpected type; instead of token type AP_REQ (0x0100) I sent 0x0000 at bytes 16 and 17 in my proof of concept. During the attack, gss_sec_accept_context returns G_CONTINUE_NEEDED and the memory is exhausted in the long run. The attack might not even be logged, depending on how the Open Source Kerberos Tooling stack is configured. Proof of Concept code: https://github.com/irsl/knc-memory-exhaustion/ Bugfix: https://github.com/elric1/knc/commit/f237f3e09ecbaf59c897f5046538a7b1a3fa40c1 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CVE-2017-9732: knc (kerberized netcat) memory exhaustion Imre Rad (Nov 30)