Out-of-Bounds Read in the MIT Kerberos V5 (krb5) library

We discussed this vulnerability during Episode 198 on 21 March 2023

Three out-of-bounds read vulnerabilities in MIT Kerberos V5, each hard to exploit for anything beyond denial of service, but each with a somewhat interesting root cause.

The first issue was in get_mech_set, which parses a DER-encoded sequence and returns a list of OIDs. It iterates over the sequence using i as the loop counter. When an OID was parsed successfully, the code went on to access returned_mechSet->elements[i].length; when parsing failed, it skipped that access and continued. The problem is that on a failed parse no entry is added to elements, yet i, being the for-loop counter, is incremented all the same. On the next successful parse the number of entries in elements is therefore smaller than the index the loop accesses. Supply several failed elements in a row and the index ends up well beyond the actual bounds of the array.

The second and third issues have very similar root causes, at least at the logical level, and both are in g_verify_neg_token_init. As with the first issue, it is parsing DER-encoded data. In both cases, the code reads a value from the buffer and advances the buffer pointer, but does not adjust the variable that tracks how much of the buffer remains. For the second issue this happens when the length of an item is zero, which is valid for DER-encoded entities. For the third issue, it reads the type/tag byte and does not decrement the remaining-space counter. Either way the remaining count drifts above the true number of bytes left, so later reads that trust it run past the end of the token.
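To make the three bookkeeping mistakes concrete, here is an added example (not krb5's code) that mimics all three of them in a miniature DER TLV walker: the index/count mismatch from get_mech_set and the two "consumed but never charged to remaining" slips from g_verify_neg_token_init. Each parser runs once in its buggy form and once in a fixed form. Every read goes through a shadow bounds check against the real end of the buffer, standing in for what ASan would report, so the would-be out-of-bounds reads are counted rather than performed. The function names, the `struct oid_set` layout, the `use_fix` switch and both sample buffers are assumptions constructed for the demonstration and are not taken from the krb5 source.

```c
#include <stdint.h>
#include <stdio.h>

#define DER_OID 0x06
#define MAX_OIDS 8

struct oid { const uint8_t *p; size_t len; };
struct oid_set { struct oid elements[MAX_OIDS]; size_t count; };

/* Shadow bounds check: true if `need` bytes at p lie inside buf[0..total).
 * This is the assertion ASan would make for us; the buggy paths never rely on it. */
static int in_bounds(const uint8_t *buf, size_t total, const uint8_t *p, size_t need) {
    return (size_t)(p - buf) <= total && need <= total - (size_t)(p - buf);
}

/* Constructed mechTypes list: five short-form TLVs. The 2nd and 3rd carry a
 * non-OID tag, so the OID parser rejects them while the loop counter still advances. */
const uint8_t SAMPLE_MECH_LIST[] = {
    0x06, 0x02, 0x2a, 0x03,        /* OID, accepted          (i = 0) */
    0x04, 0x01, 0xff,              /* OCTET STRING, rejected (i = 1) */
    0x05, 0x00,                    /* NULL, rejected         (i = 2) */
    0x06, 0x02, 0x2a, 0x04,        /* OID, accepted          (i = 3) */
    0x06, 0x01, 0x2b,              /* OID, accepted          (i = 4) */
};
const size_t SAMPLE_MECH_LIST_LEN = sizeof SAMPLE_MECH_LIST;

/* Issue 1 (hypothetical reconstruction). `i` counts TLVs seen, set->count counts
 * OIDs kept. The buggy variant reads elements[i] after a successful parse; the
 * fixed variant reads the element it just appended. Returns the number of OIDs
 * kept; *oob counts index accesses that would have gone past the populated entries. */
size_t get_mech_set(const uint8_t *buf, size_t total, int use_fix,
                    struct oid_set *set, size_t *oob) {
    const uint8_t *p = buf;
    size_t i;
    set->count = 0; *oob = 0;
    for (i = 0; in_bounds(buf, total, p, 2); i++) {
        uint8_t tag = p[0];
        size_t len = p[1];                                   /* short-form length only */
        if (!in_bounds(buf, total, p + 2, len)) break;       /* truncated TLV */
        if (tag == DER_OID && set->count < MAX_OIDS) {
            set->elements[set->count].p = p + 2;
            set->elements[set->count].len = len;
            set->count++;
            size_t idx = use_fix ? set->count - 1 : i;       /* the off-by-N lives here */
            if (idx < set->count)
                (void)set->elements[idx].len;                /* the ".length" read */
            else
                (*oob)++;                                    /* i has outrun the set */
        }
        p += 2 + len;          /* rejected elements are skipped, but i still advances */
    }
    return set->count;
}

/* Constructed NegTokenInit-like body: three short-form TLVs, two of them empty. */
const uint8_t SAMPLE_NEG_TOKEN[] = {
    0x30, 0x00,             /* empty SEQUENCE: a zero length is legal DER */
    0xa0, 0x01, 0xaa,       /* [0] with one byte of content */
    0x06, 0x00,             /* empty OID element */
};
const size_t SAMPLE_NEG_TOKEN_LEN = sizeof SAMPLE_NEG_TOKEN;

/* Issues 2 and 3 (hypothetical reconstruction). Step through TLVs, keeping
 * `remaining` as the trusted count of unread bytes. Buggy variant: the tag byte
 * is consumed without being charged to remaining (issue 3), and a zero-length
 * item leaves remaining untouched although its length byte was consumed
 * (issue 2), so remaining drifts above the true number of bytes left and the
 * loop runs off the end. The fixed variant charges every consumed byte and
 * checks before reading. Returns items walked; *oob counts reads the shadow
 * check had to stop. */
size_t walk_neg_token(const uint8_t *buf, size_t total, int use_fix, size_t *oob) {
    const uint8_t *p = buf;
    size_t remaining = total, items = 0;
    *oob = 0;
    while (remaining > 0) {
        if (use_fix && remaining < 2) break;                 /* need tag + length */
        if (!in_bounds(buf, total, p, 2)) { (*oob)++; break; }
        size_t len = p[1];
        p += 2;                                              /* tag and length consumed */
        if (use_fix) {
            remaining -= 2;
            if (len > remaining) break;                      /* value would overrun */
        } else if (len > 0) {
            if (len + 1 > remaining) break;                  /* checks the drifted counter */
            remaining -= len + 1;                            /* tag byte never charged (issue 3) */
        }                                                    /* len == 0: nothing charged (issue 2) */
        if (!in_bounds(buf, total, p, len)) { (*oob)++; break; }
        p += len;                                            /* skip the value */
        if (use_fix) remaining -= len;
        items++;
    }
    return items;
}

int main(void) {
    struct oid_set set; size_t oob, n;
    n = get_mech_set(SAMPLE_MECH_LIST, SAMPLE_MECH_LIST_LEN, 0, &set, &oob);
    printf("get_mech_set buggy: %zu OIDs, %zu out-of-bounds index accesses\n", n, oob);
    n = get_mech_set(SAMPLE_MECH_LIST, SAMPLE_MECH_LIST_LEN, 1, &set, &oob);
    printf("get_mech_set fixed: %zu OIDs, %zu out-of-bounds index accesses\n", n, oob);
    n = walk_neg_token(SAMPLE_NEG_TOKEN, SAMPLE_NEG_TOKEN_LEN, 0, &oob);
    printf("neg_token buggy: %zu items, %zu reads past the buffer\n", n, oob);
    n = walk_neg_token(SAMPLE_NEG_TOKEN, SAMPLE_NEG_TOKEN_LEN, 1, &oob);
    printf("neg_token fixed: %zu items, %zu reads past the buffer\n", n, oob);
    return 0;
}
```

On the mech list, the buggy loop accepts three OIDs but reads elements[3] and elements[4] while only two and three entries exist, which is the index/count skew the first issue describes; indexing by the count of accepted OIDs removes it. On the NegTokenInit body, the buggy walker finishes all three items with `remaining` still at 5 although the pointer already sits at the end, so its next tag read would be past the buffer; charging the tag byte and the length byte of an empty item to `remaining` makes the counter agree with the pointer and the loop terminates cleanly.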