1 | From 9519f8f5123be055a4e845f87badef8b80ab2ee4 Mon Sep 17 00:00:00 2001 |
2 | From: Stefan Metzmacher <metze@samba.org> | |
3 | Date: Tue, 15 Dec 2015 14:49:36 +0100 | |
4 | Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth | |
5 | level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY | |
6 | ||
7 | ncacn_ip_tcp:server should get the same protection as ncacn_np:server | |
8 | if authentication and smb signing is used. | |
9 | ||
10 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
11 | ||
12 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
13 | ||
14 | (cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98) | |
15 | --- | |
16 | source3/rpcclient/rpcclient.c | 5 ++--- | |
17 | 1 file changed, 2 insertions(+), 3 deletions(-) | |
18 | ||
19 | diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c | |
20 | index 949e14c..81c5f42 100644 | |
21 | --- a/source3/rpcclient/rpcclient.c | |
22 | +++ b/source3/rpcclient/rpcclient.c | |
23 | @@ -1062,10 +1062,9 @@ out_free: | |
24 | } | |
25 | } | |
26 | if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) { | |
27 | - /* If neither Integrity or Privacy are requested then | |
28 | - * Use just Connect level */ | |
29 | + /* If nothing is requested then default to integrity */ | |
30 | if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) { | |
31 | - pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT; | |
32 | + pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; | |
33 | } | |
34 | } | |
35 | ||
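Review bot: The new default deserves a why-comment, because a later maintainer reading only `/* If nothing is requested then default to integrity */` has no reason not to restore CONNECT "for compatibility". I would write it as `/* If nothing is requested then default to integrity: CONNECT authenticates the bind but adds no per-PDU checks, so an active attacker on ncacn_ip_tcp can tamper with the traffic (CVE-2016-2118) */`. Note this only changes the fallback; a caller that explicitly asks for the connect level presumably still gets it, which is the intended escape hatch. The enclosing function starts before the hunk.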
36 | -- | |
37 | 2.8.1 | |
38 | ||
39 | ||
40 | From 0e00f6da40e6f76d9bd56187e74841c85ea86c55 Mon Sep 17 00:00:00 2001 | |
41 | From: Stefan Metzmacher <metze@samba.org> | |
42 | Date: Fri, 11 Mar 2016 16:02:25 +0100 | |
43 | Subject: [PATCH 02/10] CVE-2016-2118: s4:librpc: use integrity by default for | |
44 | authenticated binds | |
45 | ||
46 | ncacn_ip_tcp:server should get the same protection as ncacn_np:server | |
47 | if authentication and smb signing is used. | |
48 | ||
49 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
50 | ||
51 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
52 | (cherry picked from commit 7847ee85d278adb9ce4fc7da7cf171917227c93f) | |
53 | --- | |
54 | source4/librpc/rpc/dcerpc_util.c | 12 ++++++------ | |
55 | 1 file changed, 6 insertions(+), 6 deletions(-) | |
56 | ||
57 | diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c | |
58 | index 2cd9499..a6d0df5 100644 | |
59 | --- a/source4/librpc/rpc/dcerpc_util.c | |
60 | +++ b/source4/librpc/rpc/dcerpc_util.c | |
61 | @@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, | |
62 | ||
63 | /* Perform an authenticated DCE-RPC bind | |
64 | */ | |
65 | - if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) { | |
66 | + if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) { | |
67 | /* | |
68 | we are doing an authenticated connection, | |
69 | - but not using sign or seal. We must force | |
70 | - the CONNECT dcerpc auth type as a NONE auth | |
71 | - type doesn't allow authentication | |
72 | - information to be passed. | |
73 | + which needs to use [connect], [sign] or [seal]. | |
74 | + If nothing is specified, we default to [sign] now. | |
75 | + This give roughly the same protection as | |
76 | + ncacn_np with smb signing. | |
77 | */ | |
78 | - conn->flags |= DCERPC_CONNECT; | |
79 | + conn->flags |= DCERPC_SIGN; | |
80 | } | |
81 | ||
82 | if (s->binding->flags & DCERPC_AUTH_SPNEGO) { | |
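Review bot: The new condition `!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))` drops DCERPC_SIGN from the mask, so it now relies on the OR on the next line being idempotent when the caller already set DCERPC_SIGN; that is correct but reads as if sign were forgotten. Listing all three, `if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SIGN|DCERPC_SEAL))) {`, says what is meant and keeps the comment's "[connect], [sign] or [seal]" in step with the code. The comment also has a typo, `This gives roughly the same protection`. dcerpc_pipe_auth_send begins before the hunk and continues after it.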
83 | -- | |
84 | 2.8.1 | |
85 | ||
86 | ||
87 | From 8d53761dbcbea6439f4bfaef86ff79f42b682b22 Mon Sep 17 00:00:00 2001 | |
88 | From: Stefan Metzmacher <metze@samba.org> | |
89 | Date: Thu, 10 Mar 2016 17:03:59 +0100 | |
90 | Subject: [PATCH 03/10] CVE-2016-2118: docs-xml: add "allow dcerpc auth level | |
91 | connect" defaulting to "yes" | |
92 | MIME-Version: 1.0 | |
93 | Content-Type: text/plain; charset=UTF-8 | |
94 | Content-Transfer-Encoding: 8bit | |
95 | ||
96 | We sadly need to allow this for now by default. | |
97 | ||
98 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
99 | ||
100 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
101 | Reviewed-by: Günther Deschner <gd@samba.org> | |
102 | (backported from commit 56baca8619ba9ae1734c3d77524fc705ebcbd8d2) | |
103 | --- | |
104 | .../security/allowdcerpcauthlevelconnect.xml | 24 ++++++++++++++++++++++ | |
105 | 1 file changed, 24 insertions(+) | |
106 | create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | |
107 | ||
108 | diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | |
109 | new file mode 100644 | |
110 | index 0000000..5552112 | |
111 | --- /dev/null | |
112 | +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | |
113 | @@ -0,0 +1,24 @@ | |
114 | +<samba:parameter name="allow dcerpc auth level connect" | |
115 | + context="G" | |
116 | + type="boolean" | |
117 | + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> | |
118 | +<description> | |
119 | + <para>This option controls whether DCERPC services are allowed to | |
120 | + be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, | |
121 | + but no per message integrity nor privacy protection.</para> | |
122 | + | |
123 | + <para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc, | |
124 | + winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para> | |
125 | + | |
126 | + <para>This option yields precedence to the implentation specific restrictions. | |
127 | + E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. | |
128 | + While others like samr and lsarpc have a hardcoded default of <constant>no</constant>. | |
129 | + </para> | |
130 | + | |
131 | + <para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para> | |
132 | +</description> | |
133 | + | |
134 | +<value type="default">yes</value> | |
135 | +<value type="example">no</value> | |
136 | + | |
137 | +</samba:parameter> | |
138 | -- | |
139 | 2.8.1 | |
140 | ||
141 | ||
142 | From 9a0e8182314c631681f2dd47da5d790168066279 Mon Sep 17 00:00:00 2001 | |
143 | From: Ralph Boehme <slow@samba.org> | |
144 | Date: Fri, 18 Mar 2016 08:45:11 +0100 | |
145 | Subject: [PATCH 04/10] CVE-2016-2118: param: add "allow dcerpc auth level | |
146 | connect" defaulting to "yes" | |
147 | ||
148 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
149 | ||
150 | Signed-off-by: Ralph Boehme <slow@samba.org> | |
151 | Reviewed-by: Stefan Metzmacher <metze@samba.org> | |
152 | (backported from commit 6e3ada2c36f527077d77a8278bd41bbc030f48cd) | |
153 | ||
154 | (cherry picked from commit 74172d061597c96f0e733c11daee6cb15f3277dc) | |
155 | Signed-off-by: Aurelien Aptel <aaptel@suse.com> | |
156 | --- | |
157 | source3/include/proto.h | 1 + | |
158 | source3/param/loadparm.c | 13 +++++++++++++ | |
159 | 2 files changed, 14 insertions(+) | |
160 | ||
161 | diff --git a/source3/include/proto.h b/source3/include/proto.h | |
162 | index ac1540f..2ed6547 100644 | |
163 | --- a/source3/include/proto.h | |
164 | +++ b/source3/include/proto.h | |
165 | @@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void); | |
166 | void lp_set_passdb_backend(const char *backend); | |
167 | void widelinks_warning(int snum); | |
168 | char *lp_ncalrpc_dir(void); | |
169 | +bool lp_allow_dcerpc_auth_level_connect(void); | |
170 | ||
171 | /* The following definitions come from param/loadparm_server_role.c */ | |
172 | ||
173 | diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c | |
174 | index fdc9407..87d33c5 100644 | |
175 | --- a/source3/param/loadparm.c | |
176 | +++ b/source3/param/loadparm.c | |
177 | @@ -355,6 +355,7 @@ struct global { | |
178 | bool bUseMmap; | |
179 | bool bHostnameLookups; | |
180 | bool bUnixExtensions; | |
181 | + bool bAllowDcerpcAuthLevelConnect; | |
182 | bool bDisableNetbios; | |
183 | char * szDedicatedKeytabFile; | |
184 | int iKerberosMethod; | |
185 | @@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] = { | |
186 | .flags = FLAG_ADVANCED, | |
187 | }, | |
188 | { | |
189 | + .label = "allow dcerpc auth level connect", | |
190 | + .type = P_BOOL, | |
191 | + .p_class = P_GLOBAL, | |
192 | + .ptr = &Globals.bAllowDcerpcAuthLevelConnect, | |
193 | + .special = NULL, | |
194 | + .enum_list = NULL, | |
195 | + .flags = FLAG_ADVANCED, | |
196 | + }, | |
197 | + { | |
198 | .label = "use spnego", | |
199 | .type = P_BOOL, | |
200 | .p_class = P_GLOBAL, | |
201 | @@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_globals) | |
202 | Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ | |
203 | /* Note, that we will also use NTLM2 session security (which is different), if it is available */ | |
204 | ||
205 | + Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */ | |
206 | + | |
207 | Globals.map_to_guest = 0; /* By Default, "Never" */ | |
208 | Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */ | |
209 | Globals.enhanced_browsing = true; | |
210 | @@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_time, &Globals.iUsernameMapCacheTime) | |
211 | ||
212 | FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript) | |
213 | ||
214 | +FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect) | |
215 | FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook) | |
216 | FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir) | |
217 | FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell) | |
218 | -- | |
219 | 2.8.1 | |
220 | ||
221 | ||
222 | From 82a245ff842ea33c050a8fbe415a531497232d3d Mon Sep 17 00:00:00 2001 | |
223 | From: Stefan Metzmacher <metze@samba.org> | |
224 | Date: Fri, 18 Mar 2016 04:40:30 +0100 | |
225 | Subject: [PATCH 05/10] CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc | |
226 | auth level connect" | |
227 | MIME-Version: 1.0 | |
228 | Content-Type: text/plain; charset=UTF-8 | |
229 | Content-Transfer-Encoding: 8bit | |
230 | ||
231 | With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY}, | |
232 | this means we reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED. | |
233 | ||
234 | We sadly need to keep this enabled by default for now. | |
235 | ||
236 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
237 | ||
238 | Pair-Programmed-With: Günther Deschner <gd@samba.org> | |
239 | ||
240 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
241 | Signed-off-by: Günther Deschner <gd@samba.org> | |
242 | (cherry picked from commit 1fa0bad3da921fca1d34971062522b4cc3e6db2c) | |
243 | (cherry picked from commit 46744bbe5e3616613b2dbee7cf6fdf0d8d5caab3) | |
244 | Signed-off-by: Aurelien Aptel <aaptel@suse.com> | |
245 | --- | |
246 | source3/include/ntdomain.h | 4 ++++ | |
247 | source3/rpc_server/srv_pipe.c | 49 ++++++++++++++++++++++++++++++++++++++++++- | |
248 | 2 files changed, 52 insertions(+), 1 deletion(-) | |
249 | ||
250 | diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h | |
251 | index 2fbeabc..650f1d0 100644 | |
252 | --- a/source3/include/ntdomain.h | |
253 | +++ b/source3/include/ntdomain.h | |
254 | @@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns { | |
255 | uint32 context_id; | |
256 | struct ndr_syntax_id syntax; | |
257 | ||
258 | + /* | |
259 | + * shall we allow "connect" auth level for this interface ? | |
260 | + */ | |
261 | + bool allow_connect; | |
262 | } PIPE_RPC_FNS; | |
263 | ||
264 | /* | |
265 | diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c | |
266 | index d659705..c462dcf 100644 | |
267 | --- a/source3/rpc_server/srv_pipe.c | |
268 | +++ b/source3/rpc_server/srv_pipe.c | |
269 | @@ -335,6 +335,7 @@ static bool check_bind_req(struct pipes_struct *p, | |
270 | uint32 context_id) | |
271 | { | |
272 | struct pipe_rpc_fns *context_fns; | |
273 | + const char *interface_name = NULL; | |
274 | ||
275 | DEBUG(3,("check_bind_req for %s\n", | |
276 | get_pipe_name_from_syntax(talloc_tos(), abstract))); | |
277 | @@ -355,12 +356,29 @@ static bool check_bind_req(struct pipes_struct *p, | |
278 | return False; | |
279 | } | |
280 | ||
281 | + interface_name = get_pipe_name_from_syntax(talloc_tos(), | |
282 | + abstract); | |
283 | + | |
284 | + SMB_ASSERT(interface_name != NULL); | |
285 | + | |
286 | context_fns->next = context_fns->prev = NULL; | |
287 | context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract); | |
288 | context_fns->cmds = rpc_srv_get_pipe_cmds(abstract); | |
289 | context_fns->context_id = context_id; | |
290 | context_fns->syntax = *abstract; | |
291 | ||
292 | + context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect(); | |
293 | + /* | |
294 | + * every interface can be modified to allow "connect" auth_level by | |
295 | + * using a parametric option like: | |
296 | + * allow dcerpc auth level connect:<interface> | |
297 | + * e.g. | |
298 | + * allow dcerpc auth level connect:samr = yes | |
299 | + */ | |
300 | + context_fns->allow_connect = lp_parm_bool(-1, | |
301 | + "allow dcerpc auth level connect", | |
302 | + interface_name, context_fns->allow_connect); | |
303 | + | |
304 | /* add to the list of open contexts */ | |
305 | ||
306 | DLIST_ADD( p->contexts, context_fns ); | |
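Review bot: `SMB_ASSERT(interface_name != NULL)` turns a lookup failure into a process abort, and `abstract` comes from the client's bind request. The context at the top of the hunk suggests unknown pipes already `return False` before this point, but I cannot see that test; if get_pipe_name_from_syntax() can return NULL for any syntax that survives it, a crafted bind becomes a remote crash of the RPC server, so the safer failure is `if (interface_name == NULL) { return False; }`. The parametric lookup that follows is keyed on this name, which is acceptable only because the name is taken from the server's own table rather than copied from the wire. check_bind_req begins before the hunk.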
307 | @@ -1592,6 +1610,7 @@ static bool api_pipe_request(struct pipes_struct *p, | |
308 | TALLOC_CTX *frame = talloc_stackframe(); | |
309 | bool ret = False; | |
310 | PIPE_RPC_FNS *pipe_fns; | |
311 | + const char *interface_name = NULL; | |
312 | ||
313 | if (!p->pipe_bound) { | |
314 | DEBUG(1, ("Pipe not bound!\n")); | |
315 | @@ -1613,8 +1632,36 @@ static bool api_pipe_request(struct pipes_struct *p, | |
316 | return false; | |
317 | } | |
318 | ||
319 | + interface_name = get_pipe_name_from_syntax(talloc_tos(), | |
320 | + &pipe_fns->syntax); | |
321 | + | |
322 | + SMB_ASSERT(interface_name != NULL); | |
323 | + | |
324 | DEBUG(5, ("Requested \\PIPE\\%s\n", | |
325 | - get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax))); | |
326 | + interface_name)); | |
327 | + | |
328 | + switch (p->auth.auth_level) { | |
329 | + case DCERPC_AUTH_LEVEL_NONE: | |
330 | + case DCERPC_AUTH_LEVEL_INTEGRITY: | |
331 | + case DCERPC_AUTH_LEVEL_PRIVACY: | |
332 | + break; | |
333 | + default: | |
334 | + if (!pipe_fns->allow_connect) { | |
335 | + DEBUG(1, ("%s: restrict auth_level_connect access " | |
336 | + "to [%s] with auth[type=0x%x,level=0x%x] " | |
337 | + "on [%s] from [%s]\n", | |
338 | + __func__, interface_name, | |
339 | + p->auth.auth_type, | |
340 | + p->auth.auth_level, | |
341 | + derpc_transport_string_by_transport(p->transport), | |
342 | + p->client_id->name)); | |
343 | + | |
344 | + setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED)); | |
345 | + TALLOC_FREE(frame); | |
346 | + return true; | |
347 | + } | |
348 | + break; | |
349 | + } | |
350 | ||
351 | if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) { | |
352 | DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n")); | |
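Review bot: The `default:` arm, and therefore the `allow_connect` knob, covers every auth level other than NONE/INTEGRITY/PRIVACY — including DCERPC_AUTH_LEVEL_CALL and DCERPC_AUTH_LEVEL_PACKET if the bind path lets them through, which I cannot see from here — while the log line names only auth_level_connect. I would make CONNECT the one explicit case the option can enable and leave `default:` as an unconditional deny, so the configuration knob cannot silently widen to levels nobody asked for. The switch below is the shape I would use; api_pipe_request continues after the hunk.
```c
	switch (p->auth.auth_level) {
	case DCERPC_AUTH_LEVEL_NONE:
	case DCERPC_AUTH_LEVEL_INTEGRITY:
	case DCERPC_AUTH_LEVEL_PRIVACY:
		break;
	case DCERPC_AUTH_LEVEL_CONNECT:
		if (pipe_fns->allow_connect) {
			break;
		}
		/* fall through: CONNECT is not allowed for this interface */
	default:
		/* CALL, PACKET or an unknown level is never accepted */
		/* … unchanged: DEBUG(1, ...) restrict-access log line … */
		setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
		TALLOC_FREE(frame);
		return true;
	}
```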
353 | -- | |
354 | 2.8.1 | |
355 | ||
356 | ||
357 | From b68b204307e0b24bc2879ea667a706e11925166d Mon Sep 17 00:00:00 2001 | |
358 | From: Stefan Metzmacher <metze@samba.org> | |
359 | Date: Fri, 7 Aug 2015 09:50:30 +0200 | |
360 | Subject: [PATCH 06/10] CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: | |
361 | reject DCERPC_AUTH_LEVEL_CONNECT by default | |
362 | MIME-Version: 1.0 | |
363 | Content-Type: text/plain; charset=UTF-8 | |
364 | Content-Transfer-Encoding: 8bit | |
365 | ||
366 | This prevents man in the middle downgrade attacks. | |
367 | ||
368 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
369 | ||
370 | Pair-Programmed-With: Günther Deschner <gd@samba.org> | |
371 | ||
372 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
373 | Signed-off-by: Günther Deschner <gd@samba.org> | |
374 | (cherry picked from commit 51dd08951eb4ab9d297678f96cde61f508937721) | |
375 | Signed-off-by: Aurelien Aptel <aaptel@suse.com> | |
376 | ||
377 | Conflicts: | |
378 | selftest/knownfail | |
379 | source3/rpc_server/srv_pipe.c | |
380 | ||
381 | selftest/knownfail is ignored in 3.6 | |
382 | --- | |
383 | source3/rpc_server/srv_pipe.c | 20 ++++++++++++++++++++ | |
384 | source3/selftest/knownfail | 1 + | |
385 | source3/selftest/tests.py | 2 ++ | |
386 | 3 files changed, 23 insertions(+) | |
387 | ||
388 | diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c | |
389 | index c462dcf..3086b9e 100644 | |
390 | --- a/source3/rpc_server/srv_pipe.c | |
391 | +++ b/source3/rpc_server/srv_pipe.c | |
392 | @@ -43,6 +43,9 @@ | |
393 | #include "ntdomain.h" | |
394 | #include "rpc_server/srv_pipe.h" | |
395 | #include "../librpc/ndr/ndr_dcerpc.h" | |
396 | +#include "../librpc/gen_ndr/ndr_samr.h" | |
397 | +#include "../librpc/gen_ndr/ndr_lsa.h" | |
398 | +#include "../librpc/gen_ndr/ndr_netlogon.h" | |
399 | ||
400 | #undef DBGC_CLASS | |
401 | #define DBGC_CLASS DBGC_RPC_SRV | |
402 | @@ -336,6 +339,7 @@ static bool check_bind_req(struct pipes_struct *p, | |
403 | { | |
404 | struct pipe_rpc_fns *context_fns; | |
405 | const char *interface_name = NULL; | |
406 | + bool ok; | |
407 | ||
408 | DEBUG(3,("check_bind_req for %s\n", | |
409 | get_pipe_name_from_syntax(talloc_tos(), abstract))); | |
410 | @@ -369,6 +373,22 @@ static bool check_bind_req(struct pipes_struct *p, | |
411 | ||
412 | context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect(); | |
413 | /* | |
414 | + * for the samr and the lsarpc interfaces we don't allow "connect" | |
415 | + * auth_level by default. | |
416 | + */ | |
417 | + ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id); | |
418 | + if (ok) { | |
419 | + context_fns->allow_connect = false; | |
420 | + } | |
421 | + ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id); | |
422 | + if (ok) { | |
423 | + context_fns->allow_connect = false; | |
424 | + } | |
425 | + ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id); | |
426 | + if (ok) { | |
427 | + context_fns->allow_connect = false; | |
428 | + } | |
429 | + /* | |
430 | * every interface can be modified to allow "connect" auth_level by | |
431 | * using a parametric option like: | |
432 | * allow dcerpc auth level connect:<interface> | |
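Review bot: The comment above the three checks says "for the samr and the lsarpc interfaces" but the code also hardcodes netlogon, so the comment is stale in the very commit that adds it; make it `* for the samr, lsarpc and netlogon interfaces we don't allow "connect"`. The same comment should say that these assignments deliberately sit between the global default and the parametric lookup that follows, so `allow dcerpc auth level connect:samr = yes` can still re-enable it — that ordering is the whole precedence rule and nothing in the code states it. The three identical if-blocks could be one loop over a small static array of syntax ids, but that is cosmetic. check_bind_req begins before the hunk.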
433 | diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail | |
434 | index bda1fe0..8717a4d 100644 | |
435 | --- a/source3/selftest/knownfail | |
436 | +++ b/source3/selftest/knownfail | |
437 | @@ -18,3 +18,4 @@ samba3.posix_s3.nbt.dgram.*netlogon2 | |
438 | samba3.*rap.sam.*.useradd # Not provided by Samba 3 | |
439 | samba3.*rap.sam.*.userdelete # Not provided by Samba 3 | |
440 | samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3 | |
441 | +samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore | |
442 | diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py | |
443 | index a733f14..8dfbf1e 100755 | |
444 | --- a/source3/selftest/tests.py | |
445 | +++ b/source3/selftest/tests.py | |
446 | @@ -201,6 +201,8 @@ if sub.returncode == 0: | |
447 | plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD') | |
448 | elif t == "raw.samba3posixtimedlock": | |
449 | plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share') | |
450 | + elif t == "rpc.samr.passwords.validate": | |
451 | + plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ') | |
452 | else: | |
453 | plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD') | |
454 | ||
455 | -- | |
456 | 2.8.1 | |
457 | ||
458 | ||
459 | From 720b9f861322c5fe804c53eb74e7d2d6a4d8b876 Mon Sep 17 00:00:00 2001 | |
460 | From: Andreas Schneider <asn@samba.org> | |
461 | Date: Tue, 5 Apr 2016 09:54:38 +0200 | |
462 | Subject: [PATCH 07/10] CVE-2016-2118: s3:selftest: The lsa tests which use | |
463 | connect need to fail | |
464 | ||
465 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
466 | ||
467 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
468 | --- | |
469 | source3/selftest/knownfail | 1 + | |
470 | 1 file changed, 1 insertion(+) | |
471 | ||
472 | diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail | |
473 | index 8717a4d..7d9275e 100644 | |
474 | --- a/source3/selftest/knownfail | |
475 | +++ b/source3/selftest/knownfail | |
476 | @@ -19,3 +19,4 @@ samba3.*rap.sam.*.useradd # Not provided by Samba 3 | |
477 | samba3.*rap.sam.*.userdelete # Not provided by Samba 3 | |
478 | samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3 | |
479 | samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore | |
480 | +samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore | |
481 | -- | |
482 | 2.8.1 | |
483 | ||
484 | ||
485 | From 9b2b563a1f8247f5ec7efde52d70efc666e30f56 Mon Sep 17 00:00:00 2001 | |
486 | From: Stefan Metzmacher <metze@samba.org> | |
487 | Date: Sat, 26 Mar 2016 08:47:42 +0100 | |
488 | Subject: [PATCH 08/10] CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow | |
489 | DCERPC_AUTH_LEVEL_CONNECT by default | |
490 | ||
491 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
492 | ||
493 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
494 | Reviewed-by: Alexander Bokovoy <ab@samba.org> | |
495 | (cherry picked from commit 98f1a85f23d3d2a4f1c665746588688574261d90) | |
496 | --- | |
497 | source3/rpc_server/srv_pipe.c | 14 ++++++++++++++ | |
498 | 1 file changed, 14 insertions(+) | |
499 | ||
500 | diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c | |
501 | index 3086b9e..964b843 100644 | |
502 | --- a/source3/rpc_server/srv_pipe.c | |
503 | +++ b/source3/rpc_server/srv_pipe.c | |
504 | @@ -46,6 +46,8 @@ | |
505 | #include "../librpc/gen_ndr/ndr_samr.h" | |
506 | #include "../librpc/gen_ndr/ndr_lsa.h" | |
507 | #include "../librpc/gen_ndr/ndr_netlogon.h" | |
508 | +#include "../librpc/gen_ndr/ndr_epmapper.h" | |
509 | +#include "../librpc/gen_ndr/ndr_echo.h" | |
510 | ||
511 | #undef DBGC_CLASS | |
512 | #define DBGC_CLASS DBGC_RPC_SRV | |
513 | @@ -389,6 +391,18 @@ static bool check_bind_req(struct pipes_struct *p, | |
514 | context_fns->allow_connect = false; | |
515 | } | |
516 | /* | |
517 | + * for the epmapper and echo interfaces we allow "connect" | |
518 | + * auth_level by default. | |
519 | + */ | |
520 | + ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id); | |
521 | + if (ok) { | |
522 | + context_fns->allow_connect = true; | |
523 | + } | |
524 | + ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id); | |
525 | + if (ok) { | |
526 | + context_fns->allow_connect = true; | |
527 | + } | |
528 | + /* | |
529 | * every interface can be modified to allow "connect" auth_level by | |
530 | * using a parametric option like: | |
531 | * allow dcerpc auth level connect:<interface> | |
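Review bot: Nothing records why epmapper and rpcecho are exempted, and the rpcecho exemption means a test-oriented interface accepts unsigned requests by default wherever it happens to be registered. I would put the reason in the comment, e.g. `* for the epmapper and echo interfaces we allow "connect" auth_level by default: endpoint-mapper lookups must keep working for clients that bind with connect level, and rpcecho is only exercised by the test suite` — confirm both claims before committing them, since I am inferring them. As with the deny-list just above, these assignments must stay before the parametric lookup so the administrator can still override them. check_bind_req begins before the hunk.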
532 | -- | |
533 | 2.8.1 | |
534 | ||
535 | ||
536 | From 21453f6887569b162be44faaf43e1b9a81423210 Mon Sep 17 00:00:00 2001 | |
537 | From: Stefan Metzmacher <metze@samba.org> | |
538 | Date: Thu, 10 Mar 2016 17:03:59 +0100 | |
539 | Subject: [PATCH 09/10] CVE-2016-2118: docs-xml/param: default "allow dcerpc | |
540 | auth level connect" to "no" | |
541 | ||
542 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
543 | ||
544 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
545 | Reviewed-by: Alexander Bokovoy <ab@samba.org> | |
546 | (backported from commit 6469e21af32a2a405dd4f43e7d96a2f87c4a9902) | |
547 | ||
548 | Conflicts: | |
549 | lib/param/loadparm.c | |
550 | source3/param/loadparm.c | |
551 | --- | |
552 | docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 6 ++---- | |
553 | source3/param/loadparm.c | 2 +- | |
554 | 2 files changed, 3 insertions(+), 5 deletions(-) | |
555 | ||
556 | diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | |
557 | index 5552112..c8e9d18 100644 | |
558 | --- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | |
559 | +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | |
560 | @@ -14,11 +14,9 @@ | |
561 | E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. | |
562 | While others like samr and lsarpc have a hardcoded default of <constant>no</constant>. | |
563 | </para> | |
564 | - | |
565 | - <para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para> | |
566 | </description> | |
567 | ||
568 | -<value type="default">yes</value> | |
569 | -<value type="example">no</value> | |
570 | +<value type="default">no</value> | |
571 | +<value type="example">yes</value> | |
572 | ||
573 | </samba:parameter> | |
574 | diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c | |
575 | index 87d33c5..a514727 100644 | |
576 | --- a/source3/param/loadparm.c | |
577 | +++ b/source3/param/loadparm.c | |
578 | @@ -5381,7 +5381,7 @@ static void init_globals(bool reinit_globals) | |
579 | Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ | |
580 | /* Note, that we will also use NTLM2 session security (which is different), if it is available */ | |
581 | ||
582 | - Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */ | |
583 | + Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */ | |
584 | ||
585 | Globals.map_to_guest = 0; /* By Default, "Never" */ | |
586 | Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */ | |
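Review bot: The comment on the flipped default, `/* we don't allow this by default */`, records the decision but not the reason or the escape hatch, which is exactly what an administrator chasing ACCESS_DENIED faults after an upgrade will grep for. I would write `/* CVE-2016-2118: reject DCERPC_AUTH_LEVEL_CONNECT by default; re-enable globally or per interface with "allow dcerpc auth level connect[:<iface>] = yes" */`, matching the parametric option the rpc_server consults. init_globals continues on both sides of the hunk.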
587 | -- | |
588 | 2.8.1 | |
589 | ||
590 | ||
591 | From a5aebec4ff2f1d3b824dfcc05091da712639220d Mon Sep 17 00:00:00 2001 | |
592 | From: Stefan Metzmacher <metze@samba.org> | |
593 | Date: Sun, 28 Feb 2016 22:48:11 +0100 | |
594 | Subject: [PATCH 10/10] CVE-2016-2118: s3:rpc_server/samr: allow | |
595 | _samr_ValidatePassword only with PRIVACY... | |
596 | MIME-Version: 1.0 | |
597 | Content-Type: text/plain; charset=UTF-8 | |
598 | Content-Transfer-Encoding: 8bit | |
599 | ||
600 | This requires transport encryption. | |
601 | ||
602 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 | |
603 | ||
604 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
605 | Reviewed-by: Günther Deschner <gd@samba.org> | |
606 | (cherry picked from commit d7c2f1e12544ee0f80438dcc1586e2d30c23b54a) | |
607 | --- | |
608 | source3/rpc_server/samr/srv_samr_nt.c | 5 +++++ | |
609 | 1 file changed, 5 insertions(+) | |
610 | ||
611 | diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c | |
612 | index 0984984..37e2e4f 100644 | |
613 | --- a/source3/rpc_server/samr/srv_samr_nt.c | |
614 | +++ b/source3/rpc_server/samr/srv_samr_nt.c | |
615 | @@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct pipes_struct *p, | |
616 | struct samr_GetDomPwInfo pw; | |
617 | struct samr_PwInfo dom_pw_info; | |
618 | ||
619 | + if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { | |
620 | + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; | |
621 | + return NT_STATUS_ACCESS_DENIED; | |
622 | + } | |
623 | + | |
624 | if (r->in.level < 1 || r->in.level > 3) { | |
625 | return NT_STATUS_INVALID_INFO_CLASS; | |
626 | } | |
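Review bot: The new guard has no comment saying why this one call needs PRIVACY when the rest of the samr interface is content with INTEGRITY; the commit message ("requires transport encryption") is the only place the reason lives. I would add `/* CVE-2016-2118: the request (presumably) carries the password in clear, so only accept it on a sealed connection. */` above the check — confirm the payload claim against the IDL before keeping the wording. The check correctly runs before `r->in.level` is inspected, so an unsealed caller learns nothing beyond ACCESS_DENIED. _samr_ValidatePassword continues after the hunk.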
627 | -- | |
628 | 2.8.1 | |