Packet Storm | Robb Gatica | PACKETSTORM:177249
History: Feb 22, 2024 - 12:00 a.m.

FreeIPA 4.10.1 Denial Of Service / Information Disclosure

2024-02-22 00:00:00
Robb Gatica
packetstormsecurity.com
freeipa 4.10.1
denial of service
information disclosure
http request
dc server
keytab authorization
kerberos principals
specially crafted
remote attackers
dos
file access

AI Score: 7.4
Confidence: Low
EPSS: 0
Percentile: 15.5%

Summary:
Specially crafted HTTP requests can read files on the DC server and can use keytab files to authenticate as different Kerberos principals.

Tested FreeIPA version:
ipa-server-4.10.1

Details
The "user" parameter of the HTTP URI "/sip/session/login_password" is inserted into the "run" function in the file "ipautil.py", which passes it as an argument to "subprocess.Popen". The resulting argument list is: "args=['/usr/bin/kinit', '{user params}', '-c', '/run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If "{user params}" is a string such as "-V", kinit interprets it as a command-line option rather than as a principal name. As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DoS, or use a keytab file from the system to log in as a principal without a password.

PoC (attached screenshots):
Simple request with "user=-H&password=0000000"
With multiple parameters "user=-Vkt&password=0000000"

Impact
Possible DoS, use of a keytab from the system, and reading of files on the DC.
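As an added example (not from the advisory or from FreeIPA's own code), the argv construction described above is shown beside a hardened builder that refuses anything that is not a plausible principal name, so a leading "-" can never land in kinit's positional slot; the function names, the allow-list regex and the ccache paths are assumptions constructed for this illustration.

```python
import re

# Constructed sample values; they mirror the shape in the advisory, not a live host.
KINIT = "/usr/bin/kinit"
CCACHE = "/run/ipa/ccaches/kinit_13704"
ARMOR = "/run/ipa/ccaches/armor_13704"

# Assumed allow-list for a login field: primary[/instance][@REALM], and the
# first character may not be '-', so no value can be parsed as a kinit option.
PRINCIPAL_RE = re.compile(
    r"^[A-Za-z0-9._][A-Za-z0-9._-]*(/[A-Za-z0-9._-]+)?(@[A-Za-z0-9.-]+)?$"
)


def build_kinit_args_vulnerable(user: str) -> list:
    """Argv built the way the advisory describes: user input goes in unchecked."""
    return [KINIT, user, "-c", CCACHE, "-T", ARMOR, "-C", "-E"]


def is_valid_principal(user: str) -> bool:
    """True only for values that look like a Kerberos principal name."""
    return bool(user) and not user.startswith("-") and PRINCIPAL_RE.fullmatch(user) is not None


def build_kinit_args_hardened(user: str) -> list:
    """Same argv, but the principal is validated before it becomes argv[1]."""
    if not is_valid_principal(user):
        raise ValueError("invalid Kerberos principal name")
    return [KINIT, user, "-c", CCACHE, "-T", ARMOR, "-C", "-E"]


def looks_like_option_injection(argv: list) -> bool:
    """Detection helper for audit logs of spawned commands: is argv[1] an option?"""
    return len(argv) > 1 and argv[1].startswith("-")
```

Running the hardened builder on the advisory's "user=-Vkt" value raises instead of spawning kinit, while a normal principal such as "admin@EXAMPLE.TEST" passes unchanged.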