1 From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
2 From: Stefan Metzmacher <metze@samba.org>
3 Date: Tue, 1 Dec 2015 08:46:45 +0100
4 Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
5 ntlmssp_state->allow_lm_key
7 Content-Type: text/plain; charset=UTF-8
8 Content-Transfer-Encoding: 8bit
10 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
12 Signed-off-by: Stefan Metzmacher <metze@samba.org>
13 Reviewed-by: Günther Deschner <gd@samba.org>
15 source3/libsmb/ntlmssp.c | 4 +++-
16 1 file changed, 3 insertions(+), 1 deletion(-)
18 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
19 index 1de6189..20a5987 100644
20 --- a/source3/libsmb/ntlmssp.c
21 +++ b/source3/libsmb/ntlmssp.c
22 @@ -530,7 +530,8 @@ noccache:
23 DEBUG(3, ("Got challenge flags:\n"));
24 debug_ntlmssp_flags(chal_flags);
26 - ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
27 + ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
28 + ntlmssp_state->allow_lm_key);
30 if (ntlmssp_state->unicode) {
31 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
32 @@ -769,6 +770,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
33 ntlmssp_state->unicode = True;
35 ntlmssp_state->use_ntlmv2 = use_ntlmv2;
36 + ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
38 ntlmssp_state->expected_state = NTLMSSP_INITIAL;
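Review bot: The new `allow_lm_key` assignment has no comment tying it to the smb.conf option it reads, and nothing at this point clears it when `use_ntlmv2` is set on the line above, so a lanman-enabled config still lets the peer select `NTLMSSP_NEGOTIATE_LM_KEY` in the first hunk. Later patches in this series (04 and 06) add that clearing; here a one-line comment would record the intent: `/* "client lanman auth": whether the server may negotiate NTLMSSP_NEGOTIATE_LM_KEY */`. `ntlmssp_client_start` continues outside the hunk.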
44 From a701bc5f8a76584a2e0680b2c3dd9afb77f12430 Mon Sep 17 00:00:00 2001
45 From: Stefan Metzmacher <metze@samba.org>
46 Date: Fri, 11 Dec 2015 14:50:23 +0100
47 Subject: [PATCH 02/10] CVE-2016-2110: s3:ntlmssp: add
48 ntlmssp3_handle_neg_flags()
50 Content-Type: text/plain; charset=UTF-8
51 Content-Transfer-Encoding: 8bit
53 This is a copy of ntlmssp_handle_neg_flags(), which will be changed
54 in an incompatible way in the following commits.
56 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
58 Signed-off-by: Stefan Metzmacher <metze@samba.org>
59 Reviewed-by: Günther Deschner <gd@samba.org>
61 source3/libsmb/ntlmssp.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++--
62 1 file changed, 56 insertions(+), 2 deletions(-)
64 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
65 index 20a5987..ad09f9f 100644
66 --- a/source3/libsmb/ntlmssp.c
67 +++ b/source3/libsmb/ntlmssp.c
68 @@ -422,6 +422,60 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
69 return NT_STATUS_MORE_PROCESSING_REQUIRED;
72 +static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
73 + uint32_t neg_flags, bool allow_lm)
75 + if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
76 + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
77 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
78 + ntlmssp_state->unicode = true;
80 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
81 + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
82 + ntlmssp_state->unicode = false;
85 + if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
86 + /* other end forcing us to use LM */
87 + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
88 + ntlmssp_state->use_ntlmv2 = false;
90 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
93 + if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
94 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
97 + if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
98 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
101 + if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
102 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
105 + if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
106 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
109 + if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
110 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
113 + if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
114 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
117 + if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
118 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
121 + if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
122 + ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
127 * Next state function for the Challenge Packet. Generate an auth packet.
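Review bot: `ntlmssp3_handle_neg_flags()` is introduced without a header comment, and the logic it copies still lets the peer flip `use_ntlmv2` to false when `NTLMSSP_NEGOTIATE_LM_KEY` is offered and `allow_lm` is set (the `/* other end forcing us to use LM */` branch), which is the downgrade path this series later removes. A short comment above the definition should state the contract a reader needs: the function narrows `ntlmssp_state->neg_flags` to what the challenge's flags also contain, and the LM_KEY branch is the only place it can weaken the authentication method. The listing omits the function's closing braces, so the body may extend past the last line shown.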
129 @@ -530,8 +584,8 @@ noccache:
130 DEBUG(3, ("Got challenge flags:\n"));
131 debug_ntlmssp_flags(chal_flags);
133 - ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
134 - ntlmssp_state->allow_lm_key);
135 + ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
136 + ntlmssp_state->allow_lm_key);
138 if (ntlmssp_state->unicode) {
139 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
144 From 92b2f5315d135b7b83a3ae106b43d18181be2f02 Mon Sep 17 00:00:00 2001
145 From: Andreas Schneider <asn@cryptomilk.org>
146 Date: Thu, 31 Mar 2016 12:39:50 +0200
147 Subject: [PATCH 03/10] CVE-2016-2110: s3:ntlmssp: let
148 ntlmssp3_handle_neg_flags() return NTSTATUS
150 Content-Type: text/plain; charset=UTF-8
151 Content-Transfer-Encoding: 8bit
153 In future we can do a more fine-grained negotiation
154 and assert specific security features.
156 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
158 Signed-off-by: Stefan Metzmacher <metze@samba.org>
159 Reviewed-by: Günther Deschner <gd@samba.org>
161 source3/libsmb/ntlmssp.c | 33 +++++++++++++++++++--------------
162 1 file changed, 19 insertions(+), 14 deletions(-)
164 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
165 index ad09f9f..81a85ce 100644
166 --- a/source3/libsmb/ntlmssp.c
167 +++ b/source3/libsmb/ntlmssp.c
168 @@ -422,10 +422,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
169 return NT_STATUS_MORE_PROCESSING_REQUIRED;
172 -static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
173 - uint32_t neg_flags, bool allow_lm)
174 +static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
177 - if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
178 + if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
179 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
180 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
181 ntlmssp_state->unicode = true;
182 @@ -435,7 +435,7 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
183 ntlmssp_state->unicode = false;
186 - if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
187 + if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
188 /* other end forcing us to use LM */
189 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
190 ntlmssp_state->use_ntlmv2 = false;
191 @@ -443,37 +443,39 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
192 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
195 - if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
196 + if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
197 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
200 - if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
201 + if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
202 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
205 - if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
206 + if (!(flags & NTLMSSP_NEGOTIATE_128)) {
207 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
210 - if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
211 + if (!(flags & NTLMSSP_NEGOTIATE_56)) {
212 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
215 - if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
216 + if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
217 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
220 - if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
221 + if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
222 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
225 - if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
226 + if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
227 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
230 - if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
231 + if ((flags & NTLMSSP_REQUEST_TARGET)) {
232 ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
235 + return NT_STATUS_OK;
239 @@ -584,8 +586,11 @@ noccache:
240 DEBUG(3, ("Got challenge flags:\n"));
241 debug_ntlmssp_flags(chal_flags);
243 - ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
244 - ntlmssp_state->allow_lm_key);
245 + nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
246 + if (!NT_STATUS_IS_OK(nt_status)) {
251 if (ntlmssp_state->unicode) {
252 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
257 From a239a337e3c0081af1a41aaac8957bb1aa0771f8 Mon Sep 17 00:00:00 2001
258 From: Stefan Metzmacher <metze@samba.org>
259 Date: Tue, 1 Dec 2015 15:01:09 +0100
260 Subject: [PATCH 04/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
263 Content-Type: text/plain; charset=UTF-8
264 Content-Transfer-Encoding: 8bit
266 man smb.conf says "client ntlmv2 auth = yes" the default disables,
267 "client lanman auth = yes":
270 Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
271 logins will be attempted.
274 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
276 Signed-off-by: Stefan Metzmacher <metze@samba.org>
277 Reviewed-by: Günther Deschner <gd@samba.org>
279 source3/libsmb/ntlmssp.c | 4 ++++
280 1 file changed, 4 insertions(+)
282 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
283 index 81a85ce..23a5e5d 100644
284 --- a/source3/libsmb/ntlmssp.c
285 +++ b/source3/libsmb/ntlmssp.c
286 @@ -841,6 +841,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
287 NTLMSSP_NEGOTIATE_KEY_EXCH |
288 NTLMSSP_REQUEST_TARGET;
290 + if (ntlmssp_state->use_ntlmv2) {
291 + ntlmssp_state->allow_lm_key = false;
294 ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
295 if (!ntlmssp_state->client.netbios_name) {
296 talloc_free(ntlmssp_state);
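Review bot: The new `allow_lm_key = false` for `use_ntlmv2` only holds because it runs after the `lp_client_lanman_auth()` assignment earlier in `ntlmssp_client_start` (added in patch 01), and nothing marks that ordering. A comment would protect it against a later reorder: `/* must follow the lp_client_lanman_auth() assignment above: "client ntlmv2 auth" overrides "client lanman auth" */`. Patch 06 repeats the same clearing in `ntlmssp_client_initial`; one of the two could refer to the other so the redundancy reads as intentional. `ntlmssp_client_start` continues outside the hunk.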
301 From e11dc9aa90420947f9fc82365b55ecb08353451c Mon Sep 17 00:00:00 2001
302 From: Stefan Metzmacher <metze@samba.org>
303 Date: Thu, 31 Mar 2016 12:59:05 +0200
304 Subject: [PATCH 05/10] CVE-2016-2110: s3:ntlmssp: maintain a required_flags
307 Content-Type: text/plain; charset=UTF-8
308 Content-Transfer-Encoding: 8bit
310 We now give an error when required flags are missing.
312 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
314 Signed-off-by: Stefan Metzmacher <metze@samba.org>
315 Reviewed-by: Günther Deschner <gd@samba.org>
317 libcli/auth/ntlmssp.h | 1 +
318 source3/libsmb/ntlmssp.c | 20 ++++++++++++++++++++
319 2 files changed, 21 insertions(+)
321 diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h
322 index 495d94f..88a049b 100644
323 --- a/libcli/auth/ntlmssp.h
324 +++ b/libcli/auth/ntlmssp.h
325 @@ -83,6 +83,7 @@ struct ntlmssp_state
327 DATA_BLOB session_key;
329 + uint32_t required_flags;
330 uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
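Review bot: `required_flags` is added to `struct ntlmssp_state` without a comment, while the neighbouring `neg_flags` carries one. Since this field now decides whether a challenge is rejected as a downgrade, document it: `uint32_t required_flags; /* flags that must still be set after negotiation; a challenge that drops any of them is rejected as a downgrade */`. `struct ntlmssp_state` starts and ends outside the hunk.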
333 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
334 index 23a5e5d..48d7d45 100644
335 --- a/source3/libsmb/ntlmssp.c
336 +++ b/source3/libsmb/ntlmssp.c
337 @@ -425,6 +425,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
338 static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
341 + uint32_t missing_flags = ntlmssp_state->required_flags;
343 if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
344 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
345 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
346 @@ -475,6 +477,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
347 ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
350 + missing_flags &= ~ntlmssp_state->neg_flags;
351 + if (missing_flags != 0) {
352 + NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
353 + DEBUG(1, ("%s: Got challenge flags[0x%08x] "
354 + "- possible downgrade detected! "
355 + "missing_flags[0x%08x] - %s\n",
358 + (unsigned)missing_flags,
359 + nt_errstr(status)));
360 + debug_ntlmssp_flags(missing_flags);
361 + DEBUGADD(4, ("neg_flags[0x%08x]\n",
362 + (unsigned)ntlmssp_state->neg_flags));
363 + debug_ntlmssp_flags(ntlmssp_state->neg_flags);
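Review bot: The downgrade check sits after the flag-clearing block, so `missing_flags` covers both flags the peer omitted and flags the handler itself cleared, but nothing explains why a missing required flag is now fatal rather than tolerated as before. A comment above `missing_flags &= ~ntlmssp_state->neg_flags;` would make the reasoning explicit, e.g. `/* a challenge lacking a flag we require (NTLM2, SIGN, SEAL) would silently weaken the session; refuse it instead of continuing */`. The DEBUG(1) line containing "possible downgrade detected" is the signal operators can alert on, so its wording should be kept stable. The `return status;` and the function's closing lines are not visible in this listing.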
375 From 06ca5b7655e577ff6e2d5817cf221c05f9bb5c86 Mon Sep 17 00:00:00 2001
376 From: Stefan Metzmacher <metze@samba.org>
377 Date: Thu, 31 Mar 2016 13:03:24 +0200
378 Subject: [PATCH 06/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
381 Content-Type: text/plain; charset=UTF-8
382 Content-Transfer-Encoding: 8bit
384 man smb.conf says "client ntlmv2 auth = yes" the default disables,
385 "client lanman auth = yes":
388 Likewise, if the client ntlmv2 auth parameter is enabled, then only
389 NTLMv2 logins will be attempted.
392 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
394 Signed-off-by: Stefan Metzmacher <metze@samba.org>
395 Reviewed-by: Günther Deschner <gd@samba.org>
397 source3/libsmb/ntlmssp.c | 1 +
398 1 file changed, 1 insertion(+)
400 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
401 index 48d7d45..bf40404 100644
402 --- a/source3/libsmb/ntlmssp.c
403 +++ b/source3/libsmb/ntlmssp.c
404 @@ -388,6 +388,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
406 if (ntlmssp_state->use_ntlmv2) {
407 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
408 + ntlmssp_state->allow_lm_key = false;
411 /* generate the ntlmssp negotiate packet */
416 From f99d4469a8b09dd93eb7124f2814e15869915671 Mon Sep 17 00:00:00 2001
417 From: Andreas Schneider <asn@samba.org>
418 Date: Mon, 11 Apr 2016 16:18:44 +0200
419 Subject: [PATCH 07/10] CVE-2016-2110: auth/ntlmssp: don't let
420 ntlmssp3_handle_neg_flags() change ntlmssp_state->use_ntlmv2
422 ntlmssp_handle_neg_flags() can only disable flags, but not
423 set them. All supported flags are set at start time.
425 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
427 Signed-off-by: Andreas Schneider <asn@samba.org>
428 Reviewed-by: Guenther Deschner <gd@samba.org>
430 source3/libsmb/ntlmssp.c | 26 +++++++++++++++++---------
431 1 file changed, 17 insertions(+), 9 deletions(-)
433 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
434 index bf40404..7b17a43 100644
435 --- a/source3/libsmb/ntlmssp.c
436 +++ b/source3/libsmb/ntlmssp.c
437 @@ -391,6 +391,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
438 ntlmssp_state->allow_lm_key = false;
441 + if (ntlmssp_state->allow_lm_key) {
442 + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
445 /* generate the ntlmssp negotiate packet */
446 status = msrpc_gen(ntlmssp_state, next_request, "CddAA",
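Review bot: The new `if (ntlmssp_state->allow_lm_key)` block offers `NTLMSSP_NEGOTIATE_LM_KEY` with no comment on why this is safe, and its safety rests on the `allow_lm_key = false` just above being executed for every NTLMv2 client. A comment would record that dependency: `/* offer LM_KEY only when "client lanman auth" allows it; the use_ntlmv2 branch above has already cleared allow_lm_key */`. `ntlmssp_client_initial` starts and ends outside the hunk.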
448 @@ -438,20 +442,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
449 ntlmssp_state->unicode = false;
452 - if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
453 - /* other end forcing us to use LM */
454 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
455 - ntlmssp_state->use_ntlmv2 = false;
458 + * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
459 + * has priority over NTLMSSP_NEGOTIATE_LM_KEY
461 + if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
462 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
465 + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
466 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
469 - if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
470 - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
471 + if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
472 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
475 - if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
476 - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
477 + if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
478 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
481 if (!(flags & NTLMSSP_NEGOTIATE_128)) {
486 From 71dda1c57c36a9816af7873f169306a766e0284a Mon Sep 17 00:00:00 2001
487 From: Stefan Metzmacher <metze@samba.org>
488 Date: Thu, 31 Mar 2016 14:21:12 +0200
489 Subject: [PATCH 08/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial
490 require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
492 Content-Type: text/plain; charset=UTF-8
493 Content-Transfer-Encoding: 8bit
495 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
497 Signed-off-by: Stefan Metzmacher <metze@samba.org>
498 Reviewed-by: Günther Deschner <gd@samba.org>
500 source3/libsmb/ntlmssp.c | 2 +-
501 1 file changed, 1 insertion(+), 1 deletion(-)
503 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
504 index 7b17a43..d5c83fd 100644
505 --- a/source3/libsmb/ntlmssp.c
506 +++ b/source3/libsmb/ntlmssp.c
507 @@ -387,7 +387,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
510 if (ntlmssp_state->use_ntlmv2) {
511 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
512 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
513 ntlmssp_state->allow_lm_key = false;
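Review bot: Nothing in this hunk adds `NTLMSSP_NEGOTIATE_NTLM2` to `neg_flags` any more, and nothing in this commit merges `required_flags` back into `neg_flags`. If the initializer in `ntlmssp_client_start` (only its tail, `NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_REQUEST_TARGET`, is visible in patch 04) does not already contain NTLM2, the client would require a flag it never advertises and every challenge would then fail the `missing_flags` check from patch 05. Adding `ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;` after the `if` block, as patch 09 does in the want_feature functions, removes that dependency. `ntlmssp_client_initial` starts and ends outside the hunk.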
520 From 911e171bd6fc66e2960cbcdf8c48f2f97d19313b Mon Sep 17 00:00:00 2001
521 From: Andreas Schneider <asn@cryptomilk.org>
522 Date: Thu, 31 Mar 2016 14:30:05 +0200
523 Subject: [PATCH 09/10] CVE-2016-2110: s3:ntlmssp: Change want_fetures to
526 Pair-Programmed-With: Ralph Boehme <slow@samba.org>
527 Signed-off-by: Andreas Schneider <asn@samba.org>
528 Signed-off-by: Ralph Boehme <slow@samba.org>
530 source3/libsmb/ntlmssp.c | 17 +++++++++++------
531 1 file changed, 11 insertions(+), 6 deletions(-)
533 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
534 index d5c83fd..309175b 100644
535 --- a/source3/libsmb/ntlmssp.c
536 +++ b/source3/libsmb/ntlmssp.c
537 @@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *featur
538 * also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
540 if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
541 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
542 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
544 if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
545 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
546 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
548 if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
549 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
550 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
552 if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
553 ntlmssp_state->use_ccache = true;
556 + ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
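Review bot: `NTLMSSP_FEATURE_SEAL` in `ntlmssp_want_feature_list` requires only `NTLMSSP_NEGOTIATE_SEAL`, whereas the same feature in `ntlmssp_want_feature` (second hunk) requires `NTLMSSP_NEGOTIATE_SIGN` as well, so a sealed session requested through the feature-list path would not be rejected when the server drops signing. Add `ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;` before the existing `|= NTLMSSP_NEGOTIATE_SEAL` line so both entry points enforce the same set. Both functions start outside their hunks.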
560 @@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
562 /* As per JRA's comment above */
563 if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
564 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
565 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
567 if (feature & NTLMSSP_FEATURE_SIGN) {
568 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
569 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
571 if (feature & NTLMSSP_FEATURE_SEAL) {
572 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
573 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
574 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
576 if (feature & NTLMSSP_FEATURE_CCACHE) {
577 ntlmssp_state->use_ccache = true;
580 + ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
588 From a95a44eff90cdbd42d683567e0d511e9d52026ad Mon Sep 17 00:00:00 2001
589 From: Andreas Schneider <asn@samba.org>
590 Date: Thu, 31 Mar 2016 15:02:11 +0200
591 Subject: [PATCH 10/10] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the
592 ntlmssp creds cache case
594 Pair-Programmed-With: Ralph Boehme <slow@samba.org>
595 Signed-off-by: Andreas Schneider <asn@samba.org>
596 Signed-off-by: Ralph Boehme <slow@samba.org>
598 source3/libsmb/ntlmssp.c | 42 ++++++++++++++++++++----------------------
599 1 file changed, 20 insertions(+), 22 deletions(-)
601 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
602 index 309175b..045dc87 100644
603 --- a/source3/libsmb/ntlmssp.c
604 +++ b/source3/libsmb/ntlmssp.c
605 @@ -538,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
606 DATA_BLOB encrypted_session_key = data_blob_null;
607 NTSTATUS nt_status = NT_STATUS_OK;
609 + if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
612 + &server_domain_blob,
614 + DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
615 + dump_data(2, reply.data, reply.length);
617 + return NT_STATUS_INVALID_PARAMETER;
619 + data_blob_free(&server_domain_blob);
621 + DEBUG(3, ("Got challenge flags:\n"));
622 + debug_ntlmssp_flags(chal_flags);
624 + nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
625 + if (!NT_STATUS_IS_OK(nt_status)) {
629 if (ntlmssp_state->use_ccache) {
630 struct wbcCredentialCacheParams params;
631 struct wbcCredentialCacheInfo *info = NULL;
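Review bot: No comment explains why the challenge must now be parsed and its flags validated before the `use_ccache` branch rather than after it, as before. Record the reason above the `msrpc_parse()` call: `/* parse and validate the challenge flags before either auth path, so a downgraded challenge is refused in the ccache case as well */`. The `msrpc_parse()` argument list and the body of the `if (!NT_STATUS_IS_OK(nt_status))` branch are not visible in this listing, and `ntlmssp_client_challenge` continues past the hunk.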
632 @@ -588,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
636 - if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
639 - &server_domain_blob,
641 - DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
642 - dump_data(2, reply.data, reply.length);
644 - return NT_STATUS_INVALID_PARAMETER;
647 if (DEBUGLEVEL >= 10) {
648 struct CHALLENGE_MESSAGE *challenge = talloc(
649 talloc_tos(), struct CHALLENGE_MESSAGE);
650 @@ -615,17 +624,6 @@ noccache:
654 - data_blob_free(&server_domain_blob);
656 - DEBUG(3, ("Got challenge flags:\n"));
657 - debug_ntlmssp_flags(chal_flags);
659 - nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
660 - if (!NT_STATUS_IS_OK(nt_status)) {
665 if (ntlmssp_state->unicode) {
666 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
667 chal_parse_string = "CdUdbddB";