Advertisement






FreeIPA 4.10.1 Denial Of Service / Information Disclosure

CVE Category Price Severity
CVE-2020-17374 CWE-20 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2024-02-22
CPE
cpe:cpe:2.3:a:freeipa:freeipa:4.10.1:*:*:*:*:*:*:*
CVSS EPSS EPSSP
CVSS:4.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024020069

Below is a copy:

FreeIPA 4.10.1 Denial Of Service / Information Disclosure
Summary:
Specially crafted HTTP requests can read files in the DC server. And use keytab files for authorization for different kerberos principals.

Tested FreeIPA version:
ipa-server-4.10.1

Details
The "user" parameter in the HTTP URI "/sip/session/login_password" is inserted into the "run" function from the file "ipautil.py". Then it is passed as an argument to the "subprocess.Popen". As a result, the following list is passed: "args=['/usr/bin/kinit', '{user params}', '-c', /run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If instead of "{user params}" there is a string "-V", then it will be taken as an argument for "kinit". As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DOS, or use the keytab file from the system to log in under participants without a password.

PoC (attached screenshots):
Simple request with "user=-H&password=0000000"
With multiple parameters "user=-Vkt&password=0000000"

Impact
Possible DOS, use keytab from system and read files on DC.

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum