+++ /dev/null
-From 9519f8f5123be055a4e845f87badef8b80ab2ee4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 15 Dec 2015 14:49:36 +0100
-Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth
- level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
-
-ncacn_ip_tcp:server should get the same protection as ncacn_np:server
-if authentication and smb signing is used.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-(cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98)
----
- source3/rpcclient/rpcclient.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index 949e14c..81c5f42 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -1062,10 +1062,9 @@ out_free:
- }
- }
- if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) {
-- /* If neither Integrity or Privacy are requested then
-- * Use just Connect level */
-+ /* If nothing is requested then default to integrity */
- if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) {
-- pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT;
-+ pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
- }
- }
-
---
-2.8.1
-
-
-From 0e00f6da40e6f76d9bd56187e74841c85ea86c55 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 11 Mar 2016 16:02:25 +0100
-Subject: [PATCH 02/10] CVE-2016-2118: s4:librpc: use integrity by default for
- authenticated binds
-
-ncacn_ip_tcp:server should get the same protection as ncacn_np:server
-if authentication and smb signing is used.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 7847ee85d278adb9ce4fc7da7cf171917227c93f)
----
- source4/librpc/rpc/dcerpc_util.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
-index 2cd9499..a6d0df5 100644
---- a/source4/librpc/rpc/dcerpc_util.c
-+++ b/source4/librpc/rpc/dcerpc_util.c
-@@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
-
- /* Perform an authenticated DCE-RPC bind
- */
-- if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
-+ if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) {
- /*
- we are doing an authenticated connection,
-- but not using sign or seal. We must force
-- the CONNECT dcerpc auth type as a NONE auth
-- type doesn't allow authentication
-- information to be passed.
-+ which needs to use [connect], [sign] or [seal].
-+ If nothing is specified, we default to [sign] now.
-+ This give roughly the same protection as
-+ ncacn_np with smb signing.
- */
-- conn->flags |= DCERPC_CONNECT;
-+ conn->flags |= DCERPC_SIGN;
- }
-
- if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
---
-2.8.1
-
-
-From 8d53761dbcbea6439f4bfaef86ff79f42b682b22 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 10 Mar 2016 17:03:59 +0100
-Subject: [PATCH 03/10] CVE-2016-2118: docs-xml: add "allow dcerpc auth level
- connect" defaulting to "yes"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We sadly need to allow this for now by default.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(backported from commit 56baca8619ba9ae1734c3d77524fc705ebcbd8d2)
----
- .../security/allowdcerpcauthlevelconnect.xml | 24 ++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
- create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-
-diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-new file mode 100644
-index 0000000..5552112
---- /dev/null
-+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-@@ -0,0 +1,24 @@
-+<samba:parameter name="allow dcerpc auth level connect"
-+ context="G"
-+ type="boolean"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This option controls whether DCERPC services are allowed to
-+ be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
-+ but no per message integrity nor privacy protection.</para>
-+
-+ <para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
-+ winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
-+
-+ <para>This option yields precedence to the implentation specific restrictions.
-+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
-+ While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
-+ </para>
-+
-+ <para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
-+</description>
-+
-+<value type="default">yes</value>
-+<value type="example">no</value>
-+
-+</samba:parameter>
---
-2.8.1
-
-
-From 9a0e8182314c631681f2dd47da5d790168066279 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Fri, 18 Mar 2016 08:45:11 +0100
-Subject: [PATCH 04/10] CVE-2016-2118: param: add "allow dcerpc auth level
- connect" defaulting to "yes"
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(backported from commit 6e3ada2c36f527077d77a8278bd41bbc030f48cd)
-
-(cherry picked from commit 74172d061597c96f0e733c11daee6cb15f3277dc)
-Signed-off-by: Aurelien Aptel <aaptel@suse.com>
----
- source3/include/proto.h | 1 +
- source3/param/loadparm.c | 13 +++++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index ac1540f..2ed6547 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void);
- void lp_set_passdb_backend(const char *backend);
- void widelinks_warning(int snum);
- char *lp_ncalrpc_dir(void);
-+bool lp_allow_dcerpc_auth_level_connect(void);
-
- /* The following definitions come from param/loadparm_server_role.c */
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index fdc9407..87d33c5 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -355,6 +355,7 @@ struct global {
- bool bUseMmap;
- bool bHostnameLookups;
- bool bUnixExtensions;
-+ bool bAllowDcerpcAuthLevelConnect;
- bool bDisableNetbios;
- char * szDedicatedKeytabFile;
- int iKerberosMethod;
-@@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] = {
- .flags = FLAG_ADVANCED,
- },
- {
-+ .label = "allow dcerpc auth level connect",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.bAllowDcerpcAuthLevelConnect,
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
- .label = "use spnego",
- .type = P_BOOL,
- .p_class = P_GLOBAL,
-@@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_globals)
- Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
- /* Note, that we will also use NTLM2 session security (which is different), if it is available */
-
-+ Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */
-+
- Globals.map_to_guest = 0; /* By Default, "Never" */
- Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */
- Globals.enhanced_browsing = true;
-@@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_time, &Globals.iUsernameMapCacheTime)
-
- FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript)
-
-+FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect)
- FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
- FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
- FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
---
-2.8.1
-
-
-From 82a245ff842ea33c050a8fbe415a531497232d3d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 18 Mar 2016 04:40:30 +0100
-Subject: [PATCH 05/10] CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc
- auth level connect"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
-this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.
-
-We sadly need to keep this enabled by default for now.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Pair-Programmed-With: Günther Deschner <gd@samba.org>
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 1fa0bad3da921fca1d34971062522b4cc3e6db2c)
-(cherry picked from commit 46744bbe5e3616613b2dbee7cf6fdf0d8d5caab3)
-Signed-off-by: Aurelien Aptel <aaptel@suse.com>
----
- source3/include/ntdomain.h | 4 ++++
- source3/rpc_server/srv_pipe.c | 49 ++++++++++++++++++++++++++++++++++++++++++-
- 2 files changed, 52 insertions(+), 1 deletion(-)
-
-diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
-index 2fbeabc..650f1d0 100644
---- a/source3/include/ntdomain.h
-+++ b/source3/include/ntdomain.h
-@@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns {
- uint32 context_id;
- struct ndr_syntax_id syntax;
-
-+ /*
-+ * shall we allow "connect" auth level for this interface ?
-+ */
-+ bool allow_connect;
- } PIPE_RPC_FNS;
-
- /*
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index d659705..c462dcf 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -335,6 +335,7 @@ static bool check_bind_req(struct pipes_struct *p,
- uint32 context_id)
- {
- struct pipe_rpc_fns *context_fns;
-+ const char *interface_name = NULL;
-
- DEBUG(3,("check_bind_req for %s\n",
- get_pipe_name_from_syntax(talloc_tos(), abstract)));
-@@ -355,12 +356,29 @@ static bool check_bind_req(struct pipes_struct *p,
- return False;
- }
-
-+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
-+ abstract);
-+
-+ SMB_ASSERT(interface_name != NULL);
-+
- context_fns->next = context_fns->prev = NULL;
- context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
- context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
- context_fns->context_id = context_id;
- context_fns->syntax = *abstract;
-
-+ context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
-+ /*
-+ * every interface can be modified to allow "connect" auth_level by
-+ * using a parametric option like:
-+ * allow dcerpc auth level connect:<interface>
-+ * e.g.
-+ * allow dcerpc auth level connect:samr = yes
-+ */
-+ context_fns->allow_connect = lp_parm_bool(-1,
-+ "allow dcerpc auth level connect",
-+ interface_name, context_fns->allow_connect);
-+
- /* add to the list of open contexts */
-
- DLIST_ADD( p->contexts, context_fns );
-@@ -1592,6 +1610,7 @@ static bool api_pipe_request(struct pipes_struct *p,
- TALLOC_CTX *frame = talloc_stackframe();
- bool ret = False;
- PIPE_RPC_FNS *pipe_fns;
-+ const char *interface_name = NULL;
-
- if (!p->pipe_bound) {
- DEBUG(1, ("Pipe not bound!\n"));
-@@ -1613,8 +1632,36 @@ static bool api_pipe_request(struct pipes_struct *p,
- return false;
- }
-
-+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
-+ &pipe_fns->syntax);
-+
-+ SMB_ASSERT(interface_name != NULL);
-+
- DEBUG(5, ("Requested \\PIPE\\%s\n",
-- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
-+ interface_name));
-+
-+ switch (p->auth.auth_level) {
-+ case DCERPC_AUTH_LEVEL_NONE:
-+ case DCERPC_AUTH_LEVEL_INTEGRITY:
-+ case DCERPC_AUTH_LEVEL_PRIVACY:
-+ break;
-+ default:
-+ if (!pipe_fns->allow_connect) {
-+ DEBUG(1, ("%s: restrict auth_level_connect access "
-+ "to [%s] with auth[type=0x%x,level=0x%x] "
-+ "on [%s] from [%s]\n",
-+ __func__, interface_name,
-+ p->auth.auth_type,
-+ p->auth.auth_level,
-+ derpc_transport_string_by_transport(p->transport),
-+ p->client_id->name));
-+
-+ setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
-+ TALLOC_FREE(frame);
-+ return true;
-+ }
-+ break;
-+ }
-
- if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
- DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
---
-2.8.1
-
-
-From b68b204307e0b24bc2879ea667a706e11925166d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 7 Aug 2015 09:50:30 +0200
-Subject: [PATCH 06/10] CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}:
- reject DCERPC_AUTH_LEVEL_CONNECT by default
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This prevents man in the middle downgrade attacks.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Pair-Programmed-With: Günther Deschner <gd@samba.org>
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 51dd08951eb4ab9d297678f96cde61f508937721)
-Signed-off-by: Aurelien Aptel <aaptel@suse.com>
-
-Conflicts:
- selftest/knownfail
- source3/rpc_server/srv_pipe.c
-
-selftest/knownfail is ignored in 3.6
----
- source3/rpc_server/srv_pipe.c | 20 ++++++++++++++++++++
- source3/selftest/knownfail | 1 +
- source3/selftest/tests.py | 2 ++
- 3 files changed, 23 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index c462dcf..3086b9e 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -43,6 +43,9 @@
- #include "ntdomain.h"
- #include "rpc_server/srv_pipe.h"
- #include "../librpc/ndr/ndr_dcerpc.h"
-+#include "../librpc/gen_ndr/ndr_samr.h"
-+#include "../librpc/gen_ndr/ndr_lsa.h"
-+#include "../librpc/gen_ndr/ndr_netlogon.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_SRV
-@@ -336,6 +339,7 @@ static bool check_bind_req(struct pipes_struct *p,
- {
- struct pipe_rpc_fns *context_fns;
- const char *interface_name = NULL;
-+ bool ok;
-
- DEBUG(3,("check_bind_req for %s\n",
- get_pipe_name_from_syntax(talloc_tos(), abstract)));
-@@ -369,6 +373,22 @@ static bool check_bind_req(struct pipes_struct *p,
-
- context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
- /*
-+ * for the samr and the lsarpc interfaces we don't allow "connect"
-+ * auth_level by default.
-+ */
-+ ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
-+ if (ok) {
-+ context_fns->allow_connect = false;
-+ }
-+ ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
-+ if (ok) {
-+ context_fns->allow_connect = false;
-+ }
-+ ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
-+ if (ok) {
-+ context_fns->allow_connect = false;
-+ }
-+ /*
- * every interface can be modified to allow "connect" auth_level by
- * using a parametric option like:
- * allow dcerpc auth level connect:<interface>
-diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
-index bda1fe0..8717a4d 100644
---- a/source3/selftest/knownfail
-+++ b/source3/selftest/knownfail
-@@ -18,3 +18,4 @@ samba3.posix_s3.nbt.dgram.*netlogon2
- samba3.*rap.sam.*.useradd # Not provided by Samba 3
- samba3.*rap.sam.*.userdelete # Not provided by Samba 3
- samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
-+samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index a733f14..8dfbf1e 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -201,6 +201,8 @@ if sub.returncode == 0:
- plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
- elif t == "raw.samba3posixtimedlock":
- plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share')
-+ elif t == "rpc.samr.passwords.validate":
-+ plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ')
- else:
- plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
-
---
-2.8.1
-
-
-From 720b9f861322c5fe804c53eb74e7d2d6a4d8b876 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 5 Apr 2016 09:54:38 +0200
-Subject: [PATCH 07/10] CVE-2016-2118: s3:selftest: The lsa tests which use
- connect need to fail
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/selftest/knownfail | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
-index 8717a4d..7d9275e 100644
---- a/source3/selftest/knownfail
-+++ b/source3/selftest/knownfail
-@@ -19,3 +19,4 @@ samba3.*rap.sam.*.useradd # Not provided by Samba 3
- samba3.*rap.sam.*.userdelete # Not provided by Samba 3
- samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
- samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
-+samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore
---
-2.8.1
-
-
-From 9b2b563a1f8247f5ec7efde52d70efc666e30f56 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 26 Mar 2016 08:47:42 +0100
-Subject: [PATCH 08/10] CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow
- DCERPC_AUTH_LEVEL_CONNECT by default
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit 98f1a85f23d3d2a4f1c665746588688574261d90)
----
- source3/rpc_server/srv_pipe.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 3086b9e..964b843 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -46,6 +46,8 @@
- #include "../librpc/gen_ndr/ndr_samr.h"
- #include "../librpc/gen_ndr/ndr_lsa.h"
- #include "../librpc/gen_ndr/ndr_netlogon.h"
-+#include "../librpc/gen_ndr/ndr_epmapper.h"
-+#include "../librpc/gen_ndr/ndr_echo.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_SRV
-@@ -389,6 +391,18 @@ static bool check_bind_req(struct pipes_struct *p,
- context_fns->allow_connect = false;
- }
- /*
-+ * for the epmapper and echo interfaces we allow "connect"
-+ * auth_level by default.
-+ */
-+ ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
-+ if (ok) {
-+ context_fns->allow_connect = true;
-+ }
-+ ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
-+ if (ok) {
-+ context_fns->allow_connect = true;
-+ }
-+ /*
- * every interface can be modified to allow "connect" auth_level by
- * using a parametric option like:
- * allow dcerpc auth level connect:<interface>
---
-2.8.1
-
-
-From 21453f6887569b162be44faaf43e1b9a81423210 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 10 Mar 2016 17:03:59 +0100
-Subject: [PATCH 09/10] CVE-2016-2118: docs-xml/param: default "allow dcerpc
- auth level connect" to "no"
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(backported from commit 6469e21af32a2a405dd4f43e7d96a2f87c4a9902)
-
-Conflicts:
- lib/param/loadparm.c
- source3/param/loadparm.c
----
- docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 6 ++----
- source3/param/loadparm.c | 2 +-
- 2 files changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-index 5552112..c8e9d18 100644
---- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-@@ -14,11 +14,9 @@
- E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
- While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
- </para>
--
-- <para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
- </description>
-
--<value type="default">yes</value>
--<value type="example">no</value>
-+<value type="default">no</value>
-+<value type="example">yes</value>
-
- </samba:parameter>
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 87d33c5..a514727 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -5381,7 +5381,7 @@ static void init_globals(bool reinit_globals)
- Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
- /* Note, that we will also use NTLM2 session security (which is different), if it is available */
-
-- Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */
-+ Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */
-
- Globals.map_to_guest = 0; /* By Default, "Never" */
- Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */
---
-2.8.1
-
-
-From a5aebec4ff2f1d3b824dfcc05091da712639220d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 28 Feb 2016 22:48:11 +0100
-Subject: [PATCH 10/10] CVE-2016-2118: s3:rpc_server/samr: allow
- _samr_ValidatePassword only with PRIVACY...
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This requires transport encryption.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit d7c2f1e12544ee0f80438dcc1586e2d30c23b54a)
----
- source3/rpc_server/samr/srv_samr_nt.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
-index 0984984..37e2e4f 100644
---- a/source3/rpc_server/samr/srv_samr_nt.c
-+++ b/source3/rpc_server/samr/srv_samr_nt.c
-@@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct pipes_struct *p,
- struct samr_GetDomPwInfo pw;
- struct samr_PwInfo dom_pw_info;
-
-+ if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
-+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
- if (r->in.level < 1 || r->in.level > 3) {
- return NT_STATUS_INVALID_INFO_CLASS;
- }
---
-2.8.1
-
projects / ipfire-2.x.git / blobdiff