Any info on CVE-2006-1721 ?
Biswatosh
biswatosh2001 at yahoo.com
Wed Oct 4 08:42:20 EDT 2006
That was a nice explanation, Kai. But I still need to be 100% clear on this fix.
My question is, what was the attack and how was it averted by doing this?
**********************************************
- if (strcmp(realm, text->realm) != 0) {
+ if (((realm != NULL) && (strcmp(realm,
text->realm) != 0)) &&
+ (text->realm[0] != 0)) {
SETERROR(sparams->utils,....
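Review bot: the new `realm != NULL` term is what keeps `strcmp` from being handed a NULL pointer when the client response carries no realm directive, but when `realm` is NULL the whole condition is simply false and step2 carries on with a NULL realm; nothing in this hunk rejects or substitutes it, so confirm that the code after this `if` tolerates `realm == NULL`, or put an explicit `if (realm == NULL) { SETERROR(...); result = ...; goto ... }` ahead of it if a realm is required. The third term `(text->realm[0] != 0)` deliberately accepts any client realm while the stored realm is still empty (the fresh-context case), which is no longer what the "realm changed: authentication aborted" message suggests, so a one-line comment above the `if` stating that both exemptions are intentional would save the next reader the question raised in this thread. Minor: the parentheses around the first two terms are redundant.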
***********************************************
All I know is from
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721
How could a "text->realm[0] != 0" and a "realm != NULL" check avert that attack?
Thanks
Biswatosh
--- Kai Blin <blin at gmx.net> wrote:
> On Wednesday 04 October 2006 10:07, Biswatosh wrote:
>
> > > > 2) What if,
> > > > (a) realm != NULL
> > > > and (b) strcmp(realm,text->realm) != 0
> > > > and (c) text->realm[0] == 0, are all true?
> > >
> > > This is a != 0, not a == 0. So we make sure that...
> >
> > Yes, SASL code checks text->realm[0] != 0, correct, but
> > my question was what if text->realm[0] == 0, and
> > having realm != NULL and realm not the same as text->realm
>
> Oh, I thought you had misread the patch. Sorry then.
>
> > Where is this being validated? Why are we not making
> > SETERROR(sparams->util,"realm changed: authentication
> > aborted") then? The realm has certainly changed, is it
> > not, even if text->realm is an empty string?
>
> To be honest, I am no expert on this code, I've only looked into the ntlm
> plugin a little, but from a quick look at the source code, I would say this:
>
> text is a context_t struct used for the authentication. The sanity check you
> were asking about is from digestmd5_server_mech_step2(). The context is
> initialized in digestmd5_server_mech_new(), where it is memset to 0 (line
> 1002). Unless it's set by some helper function I missed while reading
> digestmd5_server_mech_step1(), it's not initialized on a new context when the
> sanity check happens in digestmd5_server_mech_step2(). So on the first run on
> a new context, text->realm[0] is always == 0.
>
> Thus it would not make sense to fail on that. This only makes sure that a
> context is not reused on a different realm.
>
> Cheers,
> Kai
>
> --
> Kai Blin, <blin At gmx Dot net>
> WorldForge developer http://www.worldforge.org/
> Wine developer
> http://wiki.winehq.org/KaiBlin/
> --
> Ninjas and Pirates agree: Cowboys suck!
>