[Bro] Memory leak in Kerberos protocol parser

Maksim Shudrak mxmssh at gmail.com
Mon Sep 10 11:07:24 PDT 2018


Hi everyone,

I am doing vulnerability research on Bro. Recently, I found these memory
leaks in the Kerberos protocol analyzer:

1331918844.990000 expression error in /home/mshudrak/bro_hacking/bro/scripts/base/protocols/krb/./main.bro, line 143: field value missing [KRB::msg$service_name]

<----------truncated---------------->

Direct leak of 144 byte(s) in 1 object(s) allocated from:
    #0 0x9cc562 in operator new(unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0x16d0f10 in binpac::KRB_TCP::proc_krb_kdc_req_arguments(binpac::KRB_TCP::KRB_KDC_REQ*, analyzer::Analyzer*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:5495:18
    #2 0x16d0994 in binpac::KRB_TCP::KRB_Conn::proc_krb_kdc_req_msg(binpac::KRB_TCP::KRB_KDC_REQ*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:79:19
    #3 0x16f6038 in binpac::KRB_TCP::KRB_AS_REQ::Parse(unsigned char const*, unsigned char const*, binpac::KRB_TCP::ContextKRB_TCP*, int) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:3461:35
<-------------truncated---------------->

You can find the detailed report produced by LeakSanitizer and a dump of
traffic that reproduces this leak at the following links:
1) LASAN output:
https://drive.google.com/open?id=1OQVYMaQyj9fEXgJICq3MUbI3-UIwCkNn
2) reproducer:
https://drive.google.com/open?id=1tskWWs4MEph0tnIG5adU2Zxm-ukYD1fz

I compiled the latest version of Bro pulled from the GitHub repo (Bro version
2.5-962-debug). I compiled the project with clang-6.0 (as a part of
llvm-6.0) using the following command line arguments:

Compile
CC=clang CXX=clang++ CFLAGS="-fsanitize=address"
CXXFLAGS="-fsanitize=address" ./configure --enable-debug
ASAN_OPTIONS=detect_leaks=0 make -j

Run
ASAN_OPTIONS=detect_odr_violation=0 ../build/src/bro -r last_4.pcap &> out

This leak happens for each Kerberos connection, which might lead to
out-of-memory and DoS. I was able to write a simple exploit to cause DoS
(it usually takes 2-3 hours to force Bro to allocate 40-50GB of RAM without
parallelization using Python sockets).
----------------------
Best regards,
Maksim Shudrak.
tel. +1-415-793-0894
skype: vitality_3
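The report above is a per-message heap leak in a generated parser: an object is allocated with operator new while handling each request and its ownership is never released, so memory grows with every connection. The following C++ example is an added illustration, not Bro's or binpac's code and not the actual leaking routine: a hypothetical handler (`process_leaky`) that reproduces the pattern beside an ownership-correct version (`process_fixed`), with a live-object counter on the constructed `ParsedField` type so the difference is observable even without a sanitizer. The sample messages are constructed.

```cpp
// Added illustration (not Bro's code): the leak class from the LSan report,
// as a hypothetical per-message handler, beside its fixed form.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for a parsed protocol field (e.g. a service name).
struct ParsedField {
    static std::size_t live;   // number of ParsedField objects currently alive
    std::string value;
    explicit ParsedField(std::string v) : value(std::move(v)) { ++live; }
    ~ParsedField() { --live; }
};
std::size_t ParsedField::live = 0;

// Constructed sample "messages": each is just a service-name string.
static const std::vector<std::string> kSampleMessages = {
    "krbtgt/EXAMPLE.COM", "host/ws1.example.com", "cifs/fs.example.com"
};

// Leaky pattern: allocate per message, keep a raw pointer, never delete.
// Under -fsanitize=address with LeakSanitizer enabled this is what produces
// "Direct leak of N byte(s) in M object(s) allocated from: operator new".
std::size_t process_leaky(const std::vector<std::string>& msgs) {
    std::size_t handled = 0;
    for (const auto& m : msgs) {
        ParsedField* f = new ParsedField(m);   // ownership is lost here
        if (!f->value.empty()) ++handled;
        // no delete: one object per message stays allocated forever
    }
    return handled;
}

// Fixed pattern: scoped ownership frees the object at the end of each iteration,
// so memory use is bounded no matter how many messages arrive.
std::size_t process_fixed(const std::vector<std::string>& msgs) {
    std::size_t handled = 0;
    for (const auto& m : msgs) {
        auto f = std::make_unique<ParsedField>(m);
        if (!f->value.empty()) ++handled;
    }   // f is destroyed here
    return handled;
}

// Run a handler over the sample messages `rounds` times and report how many
// ParsedField objects it left alive (the growth an operator would see as RSS).
std::size_t leaked_after(std::size_t (*handler)(const std::vector<std::string>&),
                         int rounds) {
    const std::size_t before = ParsedField::live;
    for (int i = 0; i < rounds; ++i) handler(kSampleMessages);
    return ParsedField::live - before;
}

int main() {
    std::printf("fixed handler, 100 rounds: %zu objects leaked\n",
                leaked_after(process_fixed, 100));
    std::printf("leaky handler, 100 rounds: %zu objects leaked\n",
                leaked_after(process_leaky, 100));
    return 0;
}
```

Compiled with `clang++ -fsanitize=address -g`, the leaky handler makes LeakSanitizer print a stack ending in `operator new` like the one in the report, while the fixed one exits clean. Note that the build line in the message sets `ASAN_OPTIONS=detect_leaks=0` only for `make`; at run time LSan must be enabled (it is on by default on Linux x86_64) for the leak report to appear.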