Blame src/tests/t_cve-2012-1015.py
|
Packit |
fd8b60 |
import base64
|
|
Packit |
fd8b60 |
import socket
|
|
Packit |
fd8b60 |
from k5test import *
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm = K5Realm()
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# CVE-2012-1015 KDC frees uninitialized pointer
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Force a failure in krb5_c_make_checksum(), which causes the cleanup
|
|
Packit |
fd8b60 |
# code in kdc_handle_protected_negotiation() to free an uninitialized
|
|
Packit |
fd8b60 |
# pointer in an unpatched KDC.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
|
Packit |
fd8b60 |
a = (hostname, realm.portbase)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
x1 = base64.b16decode('6A81A030819DA103020105A20302010A' +
|
|
Packit |
fd8b60 |
'A30E300C300AA10402020095A2020400' +
|
|
Packit |
fd8b60 |
'A48180307EA00703050000000000A120' +
|
|
Packit |
fd8b60 |
'301EA003020101A11730151B066B7262' +
|
|
Packit |
fd8b60 |
'7467741B0B4B5242544553542E434F4D' +
|
|
Packit |
fd8b60 |
'A20D1B0B4B5242544553542E434F4DA3' +
|
|
Packit |
fd8b60 |
'20301EA003020101A11730151B066B72' +
|
|
Packit |
fd8b60 |
'627467741B0B4B5242544553542E434F' +
|
|
Packit |
fd8b60 |
'4DA511180F3139393430363130303630' +
|
|
Packit |
fd8b60 |
'3331375AA7030201')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
x2 = base64.b16decode('A8083006020106020112')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
for x in range(0, 128):
|
|
Packit |
fd8b60 |
s.sendto(x1 + bytes([x]) + x2, a)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Make sure kinit still works.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
success('CVE-2012-1015 regression test')
|