Integer overflows and memory corruption errors have been identified during the encoding of the kerb-message OCTET STRING field. At this juncture, both SEQUENCE and EXPLICIT fields have already undergone encoding. The ASN1encoder.buf is allocated a buffer of size 1,024, while ASN1encoder.current points to the address ASN1_encoder.buf + 4. The KDC Proxy accepts Kerberos responses with a maximum size of 4,294,967,295.
When a Kerberos response is sent with a length ranging from 4,294,967,291 to 4,294,967,295 (inclusive), the function ASN1BEREncLength() determines that 5 bytes are necessary to encode the Length Octets, subsequently adding the length of the Kerberos response. However, this addition is stored in a 4-byte unsigned variable, leading to an overflow. Consequently, the size passed to ASN1EncCheck() is significantly smaller than intended. As ASN1EncCheck() does not reallocate the ASN1_encoder.buf buffer, a heap buffer overflow occurs when ASN1BEREncCharString() invokes memcpy().
In a different scenario, when sending a Kerberos response with a length between 4,294,966,267 and 4,294,967,290 (inclusive), ASN1BEREncLength() calls ASN1EncCheck(). Given that the current ASN1_encoder.buf buffer is insufficient, ASN1EncCheck() reallocates it by adding the buffer’s current size (1,024) to the length of the Kerberos response. Yet again, this addition is stored in a 4-byte unsigned variable, resulting in an overflow and a reduction in the buffer size during the LocalReAlloc() call. This leads to an out-of-bounds write or a heap buffer overflow when ASN1BEREncCharString() subsequently calls memcpy().
An intriguing edge case arises when passing 0 as the new size to LocalReAlloc(). While LocalReAlloc() returns a memory address rather than an error, the memory is not allocated, leading to an access violation upon attempting to write to that address. A remote, unauthenticated attacker could potentially direct the KDC proxy to forward a Kerberos request to a controlled server, which would then return a crafted Kerberos response. Successful exploitation of this vulnerability could enable arbitrary code execution within the security context of the target service.
Detection Guidance
To effectively detect an attack exploiting this vulnerability, monitoring and parsing of traffic on UDP port 389 and TCP port 88 is essential. Kerberos messages may be transmitted over either UDP or TCP on port 88; however, TCP requests and responses are prefaced by a 4-octet message length in network byte order. The detection device should focus on inspecting Kerberos responses, noting that KDC Proxy exclusively utilizes TCP port 88 for Kerberos traffic, negating the need for full parsing of the responses. Instead, it suffices to parse the 4-byte message length prefix and isolate responses within a TCP stream. If a Kerberos response exceeds 0x80000000 (2,147,483,648) bytes, the traffic should be flagged as suspicious, indicating a likely attack exploiting this vulnerability.
It is important to highlight that the detection guidance is informed by section 7.2.2 of the Kerberos V5 RFC, which stipulates that the high bit in the 4-octet message length prefix must be set to 0. Hence, according to the RFC, the maximum length for Kerberos messages transmitted over TCP is 0x7FFFFFFF.
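The two 32-bit wraps described above and the length-prefix check from the detection guidance, as an added Python model that is not part of the original report. It assumes (as a model, not a disassembly) that ASN1BEREncLength adds the BER length-octet count to the payload length in a uint32, and that ASN1EncCheck grows the 1,024-byte buffer to buffer size plus that needed size, also in a uint32; the sample TCP stream is constructed.

```python
import struct

MASK32 = 0xFFFFFFFF
ENCODER_BUF_SIZE = 1024            # initial ASN1_encoder.buf size from the writeup
RFC_MAX_TCP_LENGTH = 0x7FFFFFFF    # RFC 4120 7.2.2: high bit of the prefix must be 0


def ber_length_octets(n: int) -> int:
    """Bytes needed for a definite-form BER length (short form below 0x80)."""
    return 1 if n < 0x80 else 1 + (n.bit_length() + 7) // 8


def model_encoder_sizes(resp_len: int, buf_size: int = ENCODER_BUF_SIZE) -> dict:
    """Assumed model: needed = length octets + payload; grow = buf_size + needed, both uint32."""
    needed = (ber_length_octets(resp_len) + resp_len) & MASK32
    grows = needed > buf_size                   # ASN1EncCheck only reallocates when short
    new_size = (buf_size + needed) & MASK32 if grows else buf_size
    return {
        "needed": needed,
        "reallocates": grows,
        "new_buf_size": new_size,
        # either wrap leaves less room than the payload, so memcpy() writes past the buffer
        "overflow": (needed < resp_len) or (grows and new_size < needed),
    }


def scan_krb_tcp_stream(data: bytes) -> list:
    """Split a reassembled Kerberos-over-TCP stream on its 4-byte big-endian prefixes.
    Stops at the first prefix with the high bit set (> 0x7FFFFFFF), which is flagged."""
    records, off = [], 0
    while off + 4 <= len(data):
        declared = struct.unpack_from(">I", data, off)[0]
        suspicious = declared > RFC_MAX_TCP_LENGTH
        records.append({"offset": off, "length": declared, "suspicious": suspicious})
        if suspicious:
            break                               # remaining bytes are no longer trustworthy
        off += 4 + declared
    return records


if __name__ == "__main__":
    # Constructed sample stream: one benign 10-byte message, then a 0xFFFFFFFF prefix.
    stream = struct.pack(">I", 10) + b"\x6b" * 10 + struct.pack(">I", 0xFFFFFFFF) + b"\x00" * 4
    print(scan_krb_tcp_stream(stream))
    for n in (4_294_967_295, 4_294_967_290, 4_294_966_267, 4_294_966_266, 5000):
        print(n, model_encoder_sizes(n))
```

Under these assumptions the model reproduces the report's ranges exactly: lengths 4,294,967,291 to 4,294,967,295 wrap the needed size to 0 through 4 with no reallocation, and lengths 4,294,966,267 to 4,294,967,290 wrap the LocalReAlloc() size to 0 through 1,023.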
Questions About the Patch
Research indicates that the vulnerability originates from the ASN.1 library; however, the Microsoft advisory specifically references the KDC Proxy server. The vulnerability was addressed by incorporating a length check within the KDC Proxy KpsSocketRecvDataIoCompletion() function. The rationale behind Microsoft’s approach remains unclear. It may be that the ASN.1 library is known to harbor bugs, necessitating software to validate its inputs. Additionally, it is uncertain whether other software components could trigger this vulnerability in the ASN.1 library. Therefore, the current report emphasizes the KDC Proxy server.
This vulnerability was patched by the vendor in November, and as of now, no attacks have been reported in the wild. Microsoft has not provided specific mitigations for this issue, but they clarify that only servers configured as KDC servers are at risk. Domain controllers remain unaffected. Furthermore, since the vulnerability exists solely within the KDC Proxy Server service (KPSSVC), exposure is limited to environments utilizing KPSSVC. If KPSSVC is not configured, the vulnerability is not exploitable. Immediate patching of all instances of the KPSSVC server is recommended.
Special acknowledgment is due to Simon Humbert and Guy Lederfein of the Trend Micro Research Team for their comprehensive analysis of this vulnerability. For further insights into Trend Micro Research services, please visit this link. The threat research team will continue to provide valuable vulnerability analysis reports in the future. For ongoing updates on exploit techniques and security patches, follow the team on Twitter, Mastodon, LinkedIn, or Bluesky.