From 9b0972c8e429fee8e15f23ab508a9f0729a4e0b6 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Wed, 12 Apr 2017 15:40:42 -0400 Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894 (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea) Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Reviewed-by: Stefan Metzmacher --- source4/heimdal/lib/krb5/ticket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index 064bbfb..5a317c7 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c @@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context, /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + rep->enc_part.sname, + rep->enc_part.srealm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ -- 1.9.1