CVE-2014-6324 issued against Microsoft's handling of KDC PACs.

Dewayne Geraghty dewayne.geraghty at heuristicsystems.com.au
Wed Nov 26 16:18:40 MST 2014


On 26/11/2014 7:28 PM, Andrew Bartlett wrote:
> On Thu, 2014-11-20 at 08:50 -0800, Jeremy Allison wrote:
>> On Thu, Nov 20, 2014 at 06:29:15PM +1100, Dewayne Geraghty wrote:
>>> Does Samba4 handle PAC validation in the same way that Windows 2008/2003
>>> servers, and if so, is samba4/Lorikeet also vulnerable to elevation of
>>> privileges due to the handling of PAC validation of service tickets?
>>>
>>> Using this as my starting point,
>>> https://git.samba.org/?p=abartlet/lorikeet-heimdal.git/.git;a=commitdiff;h=685293c35caa3d4fbcfdc4e4df2191bf9680bf87;hp=d7f44d72d7dd8ecbcb334ea011d90d30a0d822af 
>>>
>>> I started to look at the code, but if I saw an elephant in the room, I
>>> wouldn't recognise it.
> This is very close to the issue - indeed, the mirror image of it.  Here
> we know that we are often SENT a HMAC-MD5 checksum when the cryptosystem
> would indicate the use of CRC32.  We didn't think to check what happens
> in windows if they RECEIVE CRC32 however, but someone else clearly did. 
>
>>> Refs:
>>> https://technet.microsoft.com/library/security/MS14-068
>>> http://www.kb.cert.org/vuls/id/213119
>> Microsoft hasn't notified us of a problem (which I
>> would expect them to do as a courtesy if our code had
>> the same problem (we do this for them), so my guess
>> is we're not vulnerable.
> I wish it were that simple, and that this always worked.  
>
> Garming and I did a couple of days ago confirm that Samba and Heimdal
> have never allowed an unkeyed checksum here, at least since 2007. 
>
> I've also checked MIT Krb5, and they discovered this in 2010 with
> CVE-2010-1324.  
>
> http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
>
> Sadly (apparently) nobody at Microsoft caught on that this could be an
> issue in Microsoft AD, but I'm sure the black-hats were watching. :-(
>
>> Until we know the exact details of the exploit however,
>> we're still stumbling around in the dark until we know
>> exactly what to look for.
> That has now happened:
> http://blog.beyondtrust.com/a-quick-look-at-ms14-068
>
> We should probably put something up saying we are not vulnerable, and
> anyone running a Windows AD server really, really should upgrade.  This
> is one of the nastiest issues in a long time, and is being exploited in
> the wild. 
>
> Andrew Bartlett
>

Thank you for taking the time to look into this matter.  I think it's a
credit to the wider *NIX community that this situation was addressed
some time ago, and yes, it's worthwhile "gently" sharing the fact that this
subtle though significant vulnerability was addressed at least 4 years
ago, and that Samba as an AD isn't vulnerable.

Though I believe that this nasty is in third place: the schannel
vulnerability is in second place, because it doesn't require
authentication, and first place goes to "badusb" (where the USB controller
contains nasties, not just the USB memory), but the latter is beyond
Samba's aegis ;)

Kind regards, Dewayne.
PS I'm really pleased that Samba isn't vulnerable to the PAC misuse,
great work whether by luck, diligence or good coding practice!

Ref: Badusb at blackhat USA 2014 -
https://www.youtube.com/watch?v=nuruzFqMgIw

-- 
For the talkers: “The superior man acts before he speaks, and afterwards speaks according to his action.”
For everyone else: “Life is really simple, but we insist on making it complicated.”
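The check Andrew describes above (a KDC must refuse an unkeyed checksum type on the PAC server signature), as an added example that is not Samba's, Heimdal's or MIT's code: the keyed form is the RFC 4757 HMAC-MD5 checksum with key usage 17, the service key and PAC bytes are constructed, and only the HMAC-MD5 and RSA-MD5 types are implemented, which is a simplification for the example.

```python
import hashlib
import hmac
import struct

# Kerberos checksum type numbers (RFC 3961, RFC 4757, RFC 3962).
CKSUMTYPE_CRC32 = 1                 # unkeyed
CKSUMTYPE_RSA_MD5 = 7               # unkeyed
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16  # keyed
CKSUMTYPE_HMAC_MD5 = -138           # keyed (rc4-hmac)
KEYED_CKSUMTYPES = {CKSUMTYPE_HMAC_MD5, CKSUMTYPE_HMAC_SHA1_96_AES256}
KU_PAC_SERVER_CHECKSUM = 17         # key usage for the PAC server signature

def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """RFC 4757 section 4 keyed checksum, the form a PAC signature must use."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()

def compute_checksum(cksumtype: int, key: bytes, data: bytes) -> bytes:
    """Only HMAC-MD5 and RSA-MD5 are implemented (a simplification for the example)."""
    if cksumtype == CKSUMTYPE_HMAC_MD5:
        return hmac_md5_checksum(key, KU_PAC_SERVER_CHECKSUM, data)
    if cksumtype == CKSUMTYPE_RSA_MD5:
        return hashlib.md5(data).digest()   # no key involved at all
    raise NotImplementedError(f"checksum type {cksumtype} not handled")

def verify_pac_server_checksum(cksumtype: int, cksum: bytes, pac_data: bytes,
                               service_key: bytes, strict: bool = True) -> bool:
    """strict=False honours whatever type the PAC claims, even an unkeyed one,
    which is the MS14-068 flaw; strict=True is the MIT/Heimdal/Samba behaviour:
    refuse any checksum type that does not involve the service key."""
    if strict and cksumtype not in KEYED_CKSUMTYPES:
        return False
    expected = compute_checksum(cksumtype, service_key, pac_data)
    return hmac.compare_digest(expected, cksum)

# Constructed sample values: a service key and a PAC body only the KDC should sign.
SERVICE_KEY = bytes(range(16))
GENUINE_PAC = b"constructed PAC body: user=alice"
EDITED_PAC = b"constructed PAC body: user=alice, extra group"

def demo() -> dict:
    keyed = hmac_md5_checksum(SERVICE_KEY, KU_PAC_SERVER_CHECKSUM, GENUINE_PAC)
    unkeyed = hashlib.md5(EDITED_PAC).digest()  # computable without the key
    return {
        "genuine_keyed": verify_pac_server_checksum(CKSUMTYPE_HMAC_MD5, keyed, GENUINE_PAC, SERVICE_KEY),
        "edited_unkeyed_lenient": verify_pac_server_checksum(CKSUMTYPE_RSA_MD5, unkeyed, EDITED_PAC, SERVICE_KEY, strict=False),
        "edited_unkeyed_strict": verify_pac_server_checksum(CKSUMTYPE_RSA_MD5, unkeyed, EDITED_PAC, SERVICE_KEY),
    }
```

The lenient path accepts the edited PAC because an unkeyed checksum proves nothing about who produced it; the strict path never gets as far as comparing bytes.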