From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 7 Nov 2019 00:05:05 +0100
Subject: CVE-2019-14870: Validate client attributes in protocol-transition

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
---
 kdc/krb5tgs.c          | 11 +++++++++++
 tests/kdc/check-kdc.in |  8 ++++++++
 2 files changed, 19 insertions(+)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 39b3460..89bd1f2 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2125,6 +2125,17 @@ server_lookup:
 		goto out;
 	    }
 
+	    /* Ignore require_pwchange and pw_end attributes (as Windows does),
+	     * since S4U2Self is not password authentication. */
+	    s4u2self_impersonated_client->entry.flags.require_pwchange = FALSE;
+	    free(s4u2self_impersonated_client->entry.pw_end);
+	    s4u2self_impersonated_client->entry.pw_end = NULL;
+
+	    ret = kdc_check_flags(context, config, s4u2self_impersonated_client, tpn,
+				  NULL, NULL, FALSE);
+	    if (ret)
+		goto out;
+
 	    /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
 	    if(rspac.data) {
 		krb5_pac p = NULL;
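Review bot: The new lines clear `require_pwchange` and free `pw_end` on the fetched `s4u2self_impersonated_client` entry itself rather than on a temporary, so the entry stays altered for the rest of the request, including the PAC regeneration that starts right after this block (`if(rspac.data)`); if `_kdc_pac_generate` or any later logging reads `entry.pw_end` for this client, it now sees NULL instead of the stored value (I cannot see those callees from the hunk, so this is a question, not a confirmed defect). If the mutation is intended to be permanent, the comment should say so, e.g. `/* Ignore require_pwchange and pw_end attributes (as Windows does), since S4U2Self is not password authentication. Note: this permanently clears them on the fetched entry for the remainder of this request, including PAC generation below; the entry is freed on exit. */`; otherwise save the two values before the check and restore them after `kdc_check_flags()` returns, e.g. `s4u2self_impersonated_client->entry.pw_end = saved_pw_end;`. The `kdc_check_flags()` call passes NULL for the server, so only the client-side checks apply here, which is consistent with the intent but worth stating in the comment. The enclosing function starts and ends outside the hunk.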
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index a0dd887..ae963a7 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -811,6 +811,14 @@ echo "test impersonate unknown client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
 	{ ec=1 ; eval "${testfailed}"; }
 
+echo "test impersonate account-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "test impersonate pw-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+
 echo "test delegate sensitive client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
 	{ ec=1 ; eval "${testfailed}"; }
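Review bot: The new "account-expired" test only asserts that `kgetcred` fails, so it would also pass if the `account-expired@${R}` principal is missing from the test database or the KDC rejects the request for an unrelated reason; the existing "unknown client" test above uses the same exit-status-only pattern, which is exactly why it cannot distinguish the two. Since the script truncates `messages.log` before each case, a follow-up check such as `grep -q "<expected kdc_check_flags log line>" messages.log || { ec=1 ; eval "${testfailed}"; }` (placeholder for the actual KDC log text emitted for an expired client) would pin the rejection to the new validation. The patch also suppresses `require_pwchange` in the KDC but adds no test case for a client with that flag set; a third case shaped like the "pw-expired" one, expecting success, would cover it. I am assuming the two new principals are created earlier in check-kdc.in, outside this hunk.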
