Hashcat Heap-Based Buffer Overflow Vulnerability in Kerberos Hash Parser Allowing Denial-of-Service and Potential Arbitrary Code Execution

Vulnerability

A heap-based buffer overflow vulnerability has been identified in the Kerberos hash parser of Hashcat version 7.1.2. This vulnerability allows an attacker to cause a denial-of-service condition or possibly execute arbitrary code by using a crafted Kerberos hash file. The issue arises in the 'module_hash_decode' function of several Kerberos-related modules. The vulnerability occurs because the length of the account information is calculated from untrusted delimiter positions without proper validation, allowing for a buffer overflow when the data is copied into a fixed-size buffer.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, where the attacker can overwrite memory and potentially execute arbitrary code.

Reproduction

The vulnerability can be reproduced by creating a Kerberos hash file that includes an 'account_info' field exceeding the buffer size of the 'krb5tgs' struct and processing that file with Hashcat. The parser calculates the length of the account information from the delimiter positions without any upper limit and uses this length directly in a memory copy operation, which triggers the buffer overflow.
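
A delimiter-based field parser that applies the missing upper bound before the copy, as an added example (it is not Hashcat's code and not part of the advisory). The `krb5_record_t` struct, the 512-byte field size, the `parse_account_info` name and the sample hash line are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical record; the 512-byte field size is an assumption for this
   example, not Hashcat's actual struct layout. */
#define ACCOUNT_INFO_MAX 512
typedef struct {
    char   account_info[ACCOUNT_INFO_MAX + 1];
    size_t account_info_len;
} krb5_record_t;

typedef enum { PARSE_OK = 0, PARSE_NO_DELIM = -1, PARSE_TOO_LONG = -2 } parse_rc_t;

/* Extract the text between "$*" and "*$" in line[0..line_len). The length is
   derived from untrusted delimiter positions, so it is validated against the
   destination size before any copy. */
parse_rc_t parse_account_info(const char *line, size_t line_len, krb5_record_t *out)
{
    size_t i, start = 0, stop = 0;
    int found = 0;

    for (i = 0; i + 1 < line_len; i++)
        if (line[i] == '$' && line[i + 1] == '*') { start = i + 2; found = 1; break; }
    if (!found) return PARSE_NO_DELIM;

    found = 0;
    for (i = start; i + 1 < line_len; i++)
        if (line[i] == '*' && line[i + 1] == '$') { stop = i; found = 1; break; }
    if (!found) return PARSE_NO_DELIM;

    size_t len = stop - start;
    /* The upper-bound check the flawed pattern lacks. Reject rather than
       truncate, so an oversized field is never silently accepted. */
    if (len > ACCOUNT_INFO_MAX) return PARSE_TOO_LONG;

    memcpy(out->account_info, line + start, len);
    out->account_info[len] = '\0';
    out->account_info_len = len;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample line for illustration, not a real hash. */
    const char *s = "$krb5tgs$23$*user$realm$spn*$abcd$ef";
    krb5_record_t r;
    return parse_account_info(s, strlen(s), &r) == PARSE_OK ? 0 : 1;
}
```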

Remediation

Users are advised to update to the latest version of Hashcat, where this vulnerability has been addressed.

Added: May 1, 2026, 2:19 PM
Updated: May 1, 2026, 2:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.