Summary:
Specially crafted HTTP requests can read files in the DC server. And use keytab files for authorization for different kerberos principals.Tested FreeIPA version:
ipa-server-4.10.1
Details
The "user" parameter in the HTTP URI "/sip/session/login_password" is inserted into the "run" function from the file "ipautil.py". Then it is passed as an argument to the "subprocess.Popen". As a result, the following list is passed: "args=['/usr/bin/kinit', '{user params}', '-c', /run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If instead of "{user params}" there is a string "-V", then it will be taken as an argument for "kinit". As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DOS, or use the keytab file from the system to log in under participants without a password.
PoC (attached screenshots):
Simple request with "user=-H&password=0000000"
With multiple parameters "user=-Vkt&password=0000000"
Impact
Possible DOS, use keytab from system and read files on DC.