Memory leak in Kerberos protocol parser

Hi everyone,

I am doing vulnerability research on Bro. Recently, I found these memory leaks in the Kerberos protocol analyzer:

1331918844.990000 expression error in /home/mshudrak/bro_hacking/bro/scripts/base/protocols/krb/./main.bro, line 143: field value missing [KRB::msg$service_name]

<----------truncated---------------->

Direct leak of 144 byte(s) in 1 object(s) allocated from:
#0 0x9cc562 in operator new(unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:92:3
#1 0x16d0f10 in binpac::KRB_TCP::proc_krb_kdc_req_arguments(binpac::KRB_TCP::KRB_KDC_REQ*, analyzer::Analyzer*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:5495:18
#2 0x16d0994 in binpac::KRB_TCP::KRB_Conn::proc_krb_kdc_req_msg(binpac::KRB_TCP::KRB_KDC_REQ*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:79:19
#3 0x16f6038 in binpac::KRB_TCP::KRB_AS_REQ::Parse(unsigned char const*, unsigned char const*, binpac::KRB_TCP::ContextKRB_TCP*, int) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:3461:35

<-------------truncated---------------->

You can find the detailed report produced by LeakSanitizer and a traffic dump that reproduces this leak at the following links:

  1. LASAN output:
    https://drive.google.com/open?id=1OQVYMaQyj9fEXgJICq3MUbI3-UIwCkNn
  2. reproducer:
    https://drive.google.com/open?id=1tskWWs4MEph0tnIG5adU2Zxm-ukYD1fz

I compiled the latest version of Bro pulled from the GitHub repo (bro version 2.5-962-debug). I compiled the project with clang-6.0 (as part of llvm-6.0) using the following command-line arguments:

Compile
CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure --enable-debug

ASAN_OPTIONS=detect_leaks=0 make -j

Run
ASAN_OPTIONS=detect_odr_violation=0 …/build/src/bro -r last_4.pcap &> out

This leak happens for each Kerberos connection, which might lead to out-of-memory and DoS. I was able to write a simple exploit to cause DoS (it usually takes 2-3 hours to force Bro to allocate 40-50 GB of RAM without parallelization, using Python sockets).
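When a leak fires once per connection, as the report above describes, the LeakSanitizer output contains many near-identical "Direct leak" stanzas that differ only in byte and object counts, and the interesting frame is the first one below the allocator itself. The following triage script is an added example, not code from the original mail or from the Bro project: it parses an LSan report, groups the stanzas by the first non-allocator frame, and totals bytes and objects per allocation site. The sample report embedded in it is constructed from the stack frames quoted in the mail, with one extra stanza under a placeholder function and path to show grouping across sites.

```python
"""Summarise a LeakSanitizer report by allocation site (added example)."""
import re

# Frames that belong to the allocator itself; the site worth reading is the
# first frame below these.
ALLOCATOR_FUNCS = ("operator new", "malloc", "calloc", "realloc",
                   "posix_memalign", "__interceptor_malloc", "__interceptor_calloc")

LEAK_HEADER = re.compile(
    r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\) allocated from:$")
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (.+)$")

# Constructed sample: the two KRB stanzas reuse the frames quoted in the mail;
# the third stanza uses a placeholder function and path, not a real Bro location.
SAMPLE_REPORT = """\
==12345==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 144 byte(s) in 1 object(s) allocated from:
    #0 0x9cc562 in operator new(unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0x16d0f10 in binpac::KRB_TCP::proc_krb_kdc_req_arguments(binpac::KRB_TCP::KRB_KDC_REQ*, analyzer::Analyzer*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:5495:18
    #2 0x16d0994 in binpac::KRB_TCP::KRB_Conn::proc_krb_kdc_req_msg(binpac::KRB_TCP::KRB_KDC_REQ*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:79:19

Direct leak of 288 byte(s) in 2 object(s) allocated from:
    #0 0x9cc562 in operator new(unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0x16d0f10 in binpac::KRB_TCP::proc_krb_kdc_req_arguments(binpac::KRB_TCP::KRB_KDC_REQ*, analyzer::Analyzer*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:5495:18

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x9cc3a0 in malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x1234567 in placeholder_other_site() /placeholder/path/other.cc:10:5

SUMMARY: AddressSanitizer: 464 byte(s) leaked in 4 allocation(s).
"""


def parse_frame(line):
    """Return (function, location) for one stack-frame line, or None."""
    m = FRAME.match(line)
    if not m:
        return None
    rest = m.group(2)
    # The function signature may itself contain spaces ("operator new(unsigned long)");
    # the source location is always the last whitespace-separated token.
    if " " in rest:
        func, loc = rest.rsplit(" ", 1)
    else:
        func, loc = rest, ""
    return func, loc


def is_allocator(func):
    return any(func.startswith(a) for a in ALLOCATOR_FUNCS)


def parse_lsan(text):
    """Return a list of {kind, bytes, objects, frames} dicts, one per leak stanza."""
    leaks = []
    current = None
    for line in text.splitlines():
        h = LEAK_HEADER.match(line.strip())
        if h:
            current = {"kind": h.group(1), "bytes": int(h.group(2)),
                       "objects": int(h.group(3)), "frames": []}
            leaks.append(current)
            continue
        if current is not None:
            fr = parse_frame(line)
            if fr:
                current["frames"].append(fr)
            elif line.strip() == "":
                current = None  # a blank line ends the stanza
    return leaks


def summarize(text, direct_only=True):
    """Group leaks by first non-allocator frame.

    Returns {"function location": (total_bytes, total_objects, stanza_count)},
    largest total first. Indirect leaks are skipped unless direct_only=False.
    """
    totals = {}
    for leak in parse_lsan(text):
        if direct_only and leak["kind"] != "Direct":
            continue
        site = next(((f, l) for f, l in leak["frames"] if not is_allocator(f)),
                    ("<unknown>", ""))
        key = f"{site[0]} {site[1]}".strip()
        b, o, n = totals.get(key, (0, 0, 0))
        totals[key] = (b + leak["bytes"], o + leak["objects"], n + 1)
    return dict(sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True))


if __name__ == "__main__":
    # Usage: python lsan_summary.py < report.txt ; falls back to the sample above.
    import sys
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for site, (b, o, n) in summarize(report, direct_only=False).items():
        print(f"{b:>8} bytes {o:>5} objects {n:>4} stanzas  {site}")
```

Feeding the full LSan output referenced in the mail through this script collapses the per-connection stanzas into one line per allocation site, which is the quickest way to confirm that every leaked object comes from the same parser routine rather than from several independent bugs.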

Thanks. See [1] for a fix, now in the master branch.

- Jon

[1] https://github.com/bro/bro/commit/34d0cf886ca16c665f673a299e295b2a2bc14533