Memory leak in Kerberos protocol parser

Hi everyone,

I am doing vulnerabilities research in Bro. Recently, I found these memory leaks in the Kerberos protocol analyzer:

1331918844.990000 expression error in /home/mshudrak/bro_hacking/bro/scripts/base/protocols/krb/./main.bro, line 143: field value missing [KRB::msg$service_name]


Direct leak of 144 byte(s) in 1 object(s) allocated from:
#0 0x9cc562 in operator new(unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/asan/
#1 0x16d0f10 in binpac::KRB_TCP::proc_krb_kdc_req_arguments(binpac::KRB_TCP::KRB_KDC_REQ*, analyzer::Analyzer*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/
#2 0x16d0994 in binpac::KRB_TCP::KRB_Conn::proc_krb_kdc_req_msg(binpac::KRB_TCP::KRB_KDC_REQ*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/
#3 0x16f6038 in binpac::KRB_TCP::KRB_AS_REQ::Parse(unsigned char const*, unsigned char const*, binpac::KRB_TCP::ContextKRB_TCP*, int) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/


You can find detailed report produced by Leak Sanitizer and a dump of traffic that reproduce this leak under the following links:

  1. LASAN output:
  2. reproducer:

I compiled the last version of bro pulled from github repo (bro version 2.5-962-debug). I compiled the project with clang-6.0 (as a part of llvm-6.0) using the following command line arguments:

CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure --enable-debug

ASAN_OPTIONS=detect_leaks=0 make -j

ASAN_OPTIONS=detect_odr_violation=0 …/build/src/bro -r last_4.pcap &> out

This leak happens for each Kerberos connection which might lead to out-of-memory and DoS. I was able to write simple exploit to cause DoS (usually takes 2-3 hours to force BRO allocate 40-50GB of RAM without parallelization using Python sockets).

Thanks. See [1] for a fix, now in master branch.

- Jon