Created attachment 236990 [details] fake telnet server that crashes telnet via unexpected kerberos5 authentication message If the telnet server sends an IAC SB OPT_AUTHENTICATE QUAL_REPLY KRB_ACCEPT without a prior QUAL_SEND, the auth_context variable in libtelnet/kerberos5.c is NULL but kerberos5_reply() passes it to krb5_auth_con_getlocalsubkey() anyway, resulting in a crash. I've attached a demo: # cc telnet7a.c # ./a.out & # telnet localhost Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. [ Kerberos V5 accepts you as ``xxx'' ] Segmentation fault (core dumped) (gdb) where #0 0x0000000801449004 in krb5_auth_con_getlocalsubkey () from /usr/lib/libkrb5.so.11 #1 0x0000000001042c3c in kerberos5_reply (ap=0x10481c8 <authenticators+56>, data=<optimized out>, cnt=<optimized out>) at /usr/src/contrib/telnet/libtelnet/kerberos5.c:611 #2 0x000000000103f746 in auth_reply (data=<optimized out>, cnt=<optimized out>) at /usr/src/contrib/telnet/libtelnet/auth.c:491 #3 0x0000000001039a21 in suboption () at /usr/src/contrib/telnet/telnet/telnet.c:944 #4 0x0000000001038fdd in telrcv () at /usr/src/contrib/telnet/telnet/telnet.c:1885 #5 0x0000000001039ed3 in Scheduler (block=block@entry=1) at /usr/src/contrib/telnet/telnet/telnet.c:2098 #6 0x0000000001039d7a in telnet (user=user@entry=0x7fffffffec17 "rtm") at /usr/src/contrib/telnet/telnet/telnet.c:2163 #7 0x0000000001033013 in tn (argc=<optimized out>, argc@entry=2, argv=<optimized out>, argv@entry=0x7fffffffe780) at /usr/src/contrib/telnet/telnet/commands.c:2492 #8 0x0000000001036032 in main (argc=1, argv=<optimized out>) at /usr/src/contrib/telnet/telnet/main.c:370 FreeBSD stock14 14.0-CURRENT FreeBSD 14.0-CURRENT #3 main-n258027-c9baa974717a: Thu Sep 15 20:02:51 AST 2022 root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
A similar problem can arise in kerberos5_reply()'s code for AUTH_HOW_MUTUAL KRB_RESPONSE: if there was no previous SEND or IS, auth_context will be NULL, and krb5_rd_rep() will crash.