CVE-2014-6324 issued against Microsoft's handling of KDC PAC's.

Andrew Bartlett abartlet at samba.org
Wed Nov 26 01:28:41 MST 2014 

On Thu, 2014-11-20 at 08:50 -0800, Jeremy Allison wrote:
> On Thu, Nov 20, 2014 at 06:29:15PM +1100, Dewayne Geraghty wrote:
> > Does Samba4 handle PAC validation in the same way that Windows 2008/2003
> > servers, and if so, is samba4/Lorikeet also vulnerable to elevation of
> > privileges due to the handling of PAC validation of service tickets?
> > 
> > Using this as my starting point,
> > https://git.samba.org/?p=abartlet/lorikeet-heimdal.git/.git;a=commitdiff;h=685293c35caa3d4fbcfdc4e4df2191bf9680bf87;hp=d7f44d72d7dd8ecbcb334ea011d90d30a0d822af 
> > 
> > I started to look at the code, but if I saw an elephant in the room, I
> > wouldn't recognise it.

This is very close to the issue - indeed, the mirror image of it.  Here
we know that we are often SENT a HMAC-MD5 checksum when the cryptosystem
would indicate the use of CRC32.  We didn't think to check what happens
in windows if they RECEIVE CRC32 however, but someone else clearly did. 

> > Refs:
> > https://technet.microsoft.com/library/security/MS14-068
> > http://www.kb.cert.org/vuls/id/213119
> 
> Microsoft hasn't notified us of a problem (which I
> would expect them to do as a courtesy if our code had
> the same problem (we do this for them), so my guess
> is we're not vulnerable.

I wish it were that simple, and that this always worked.  

Garming and I did a couple of days ago confirm that Samba and Heimdal
have never allowed an unkeyed checksum here, at least since 2007. 

I've also checked MIT Krb5, and they discovered this in 2010 with
CVE-2010-1324.  

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt

Sadly (apparently) nobody at Microsoft caught on that this could be an
issue in Microsoft AD, but I'm sure the black-hats were watching. :-(

> Until we know the exact details of the exploit however,
> we're still stumbling around in the dark until we know
> exactly what to look for.

That has now happened:
http://blog.beyondtrust.com/a-quick-look-at-ms14-068

We should probably put something up saying we are not vulnerable, and
anyone running a Windows AD server really, really should upgrade.  This
is one of the nastiest issues in a long time, and is being exploited in
the wild. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list