6 # CVE-2021-36222 KDC null dereference on encrypted challenge preauth
9 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
10 a = (hostname, realm.portbase)
12 m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
13 'A103' '0201' '05' # [1] pvno = 5
14 'A203' '0201' '0A' # [2] msg-type = 10
15 'A30E' '300C' # [3] padata = SEQUENCE OF
17 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
18 'A202' '0400' # [2] padata-value = ""
19 'A48180' '307E' # [4] req-body = SEQUENCE
20 'A007' '0305' '0000000000' # [0] kdc-options = 0
21 'A120' '301E' # [1] cname = SEQUENCE
22 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
23 'A117' '3015' # [1] name-string = SEQUENCE-OF
24 '1B06' '6B7262746774' # krbtgt
25 '1B0B' '4B5242544553542E434F4D'
27 'A20D' '1B0B' '4B5242544553542E434F4D'
28 # [2] realm = KRBTEST.COM
29 'A320' '301E' # [3] sname = SEQUENCE
30 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
31 'A117' '3015' # [1] name-string = SEQUENCE-OF
32 '1B06' '6B7262746774' # krbtgt
33 '1B0B' '4B5242544553542E434F4D'
35 'A511' '180F' '31393934303631303036303331375A'
36 # [5] till = 19940610060317Z
37 'A703' '0201' '00' # [7] nonce = 0
38 'A808' '3006' # [8] etype = SEQUENCE OF
39 '020112' '020111') # aes256-cts aes128-cts
41 s.sendto(bytes.fromhex(m), a)
43 # Make sure kinit still works.
44 realm.kinit(realm.user_princ, password('user'))
46 success('CVE-2021-36222 regression test')