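import socket
from k5test import *

# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
# without FAST
#
# This regression test sends one hand-encoded AS-REQ (msg-type 10) whose
# only padata element is a PA-ENCRYPTED-CHALLENGE with an empty value,
# then runs an ordinary kinit.  The datagram is sent without waiting for
# a reply, so the kinit below is the only check that the KDC survived.

realm = K5Realm()

# Destination for the datagram: the test host and the realm's base port
# (presumably where the test KDC listens; confirm against k5test).
a = (hostname, realm.portbase)

m = ('6A81A0' '30819D'          # [APPLICATION 10] SEQUENCE
     'A103' '0201' '05'         #  [1] pvno = 5
     'A203' '0201' '0A'         #  [2] msg-type = 10
     'A30E' '300C'              #  [3] padata = SEQUENCE OF
     '300A'                     #   SEQUENCE
     'A104' '0202' '008A'       #    [1] padata-type = PA-ENCRYPTED-CHALLENGE
     'A202' '0400'              #    [2] padata-value = ""
     'A48180' '307E'            #  [4] req-body = SEQUENCE
     'A007' '0305' '0000000000' #   [0] kdc-options = 0
     'A120' '301E'              #   [1] cname = SEQUENCE
     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
     '1B06' '6B7262746774'      #     krbtgt
     '1B0B' '4B5242544553542E434F4D'
                                #     KRBTEST.COM
     'A20D' '1B0B' '4B5242544553542E434F4D'
                                #   [2] realm = KRBTEST.COM
     'A320' '301E'              #   [3] sname = SEQUENCE
     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
     '1B06' '6B7262746774'      #     krbtgt
     '1B0B' '4B5242544553542E434F4D'
                                #     KRBTEST.COM
     'A511' '180F' '31393934303631303036303331375A'
                                #   [5] till = 19940610060317Z
     'A703' '0201' '00'         #   [7] nonce = 0
     'A808' '3006'              #   [8] etype = SEQUENCE OF
     '020112' '020111')         #    aes256-cts aes128-cts

# Use the socket as a context manager so the descriptor is released as
# soon as the datagram has been handed to the kernel; the original left
# it open for the rest of the test run.
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
    s.sendto(bytes.fromhex(m), a)

# Make sure kinit still works.  A KDC that crashed on the request above
# cannot answer this, so the test fails here on a regression.
realm.kinit(realm.user_princ, password('user'))

success('CVE-2021-36222 regression test')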