Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2017-9732: knc (kerberized netcat) memory exhaustion

Related Vulnerabilities: CVE-2017-9732  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="64"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#65">By Date</a>
<a href="66"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="64"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#65">By Thread</a>
<a href="66"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">CVE-2017-9732: knc (kerberized netcat) memory exhaustion</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Imre Rad &lt;radimre83 () gmail com&gt;


<em>Date</em>: Wed, 28 Nov 2018 08:21:19 +0100


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Product:
"KNC is Kerberised NetCat. It works in basically the same way as either
netcat or stunnel except that it is uses GSS-API to secure the
communication. You can use it to construct client/server applications while
keeping the Kerberos libraries out of your programs address space quickly
and easily."

Official page:
<a rel="nofollow" href="http://oskt.secure-endpoints.com/knc.html">http://oskt.secure-endpoints.com/knc.html</a>

Source code repository:
<a rel="nofollow" href="https://github.com/elric1/knc/">https://github.com/elric1/knc/</a>

Vulnerability:
knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service
(memory exhaustion) that can be exploited remotely without authentication,
possibly affecting another services running on the targeted host.

The knc implementation uses a temporary buffer in read_packet() function
that is not freed (memory leak). An unauthenticated attacker can abuse this
by sending a blob of valid kerberos handshake structure but with unexpected
type; instead of token type AP_REQ (0x0100) I sent 0x0000 at bytes 16 and
17 in my proof of concept. During the attack, gss_sec_accept_context
returns G_CONTINUE_NEEDED and the memory is exhausted in the long run.

The attack might not even be logged, depending on how the Open Source
Kerberos Tooling stack is configured.

Proof of Concept code:
<a rel="nofollow" href="https://github.com/irsl/knc-memory-exhaustion/">https://github.com/irsl/knc-memory-exhaustion/</a>

Bugfix:
<a rel="nofollow" href="https://github.com/elric1/knc/commit/f237f3e09ecbaf59c897f5046538a7b1a3fa40c1">https://github.com/elric1/knc/commit/f237f3e09ecbaf59c897f5046538a7b1a3fa40c1</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="64"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#65">By Date</a>
<a href="66"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="64"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#65">By Thread</a>
<a href="66"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>CVE-2017-9732: knc (kerberized netcat) memory exhaustion</strong> <em>Imre Rad (Nov 30)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started