1 | From ee105156fa151ebfd34b8febc2928e144b3b7b0e Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> | |
3 | Date: Sat, 26 Sep 2015 01:29:10 +0200 | |
4 | Subject: [PATCH 01/15] CVE-2016-2111: s3:rpc_server/netlogon: always go | |
5 | through netr_creds_server_step_check() | |
6 | ||
7 | This ensures we apply the "server schannel = yes" restrictions. | |
8 | ||
9 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
10 | ||
11 | Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> | |
12 | ||
13 | Signed-off-by: Guenther Deschner <gd@samba.org> | |
14 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
15 | --- | |
16 | source3/rpc_server/netlogon/srv_netlog_nt.c | 24 ++++++++++++++---------- | |
17 | 1 file changed, 14 insertions(+), 10 deletions(-) | |
18 | ||
19 | diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c | |
20 | index 4734bfe..54b8c5c 100644 | |
21 | --- a/source3/rpc_server/netlogon/srv_netlog_nt.c | |
22 | +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c | |
23 | @@ -2271,11 +2271,13 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p, | |
24 | ||
25 | /* TODO: check server name */ | |
26 | ||
27 | - status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(), | |
28 | - r->in.computer_name, | |
29 | - r->in.credential, | |
30 | - r->out.return_authenticator, | |
31 | - &creds); | |
32 | + become_root(); | |
33 | + status = netr_creds_server_step_check(p, p->mem_ctx, | |
34 | + r->in.computer_name, | |
35 | + r->in.credential, | |
36 | + r->out.return_authenticator, | |
37 | + &creds); | |
38 | + unbecome_root(); | |
39 | if (!NT_STATUS_IS_OK(status)) { | |
40 | return status; | |
41 | } | |
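Review bot: The `become_root()`/`unbecome_root()` pair wrapped around `netr_creds_server_step_check()` carries no comment saying why elevated privileges are needed here; the removed call passed `lp_private_dir()` explicitly, which suggests the credential state is read from the private directory, so I would add `/* become_root(): the schannel credential state appears to live under the private dir and is not readable as the connecting user -- TODO confirm */` above `become_root();`. Keeping the root window to exactly that one call, with the status check after `unbecome_root()`, is the right shape and should be preserved if the call is ever extended. The same unexplained pair is introduced in `_netr_ServerGetTrustInfo` in the following hunk, and the `/* TODO: check server name */` left above both calls remains unaddressed by this series. `_netr_GetForestTrustInformation` starts and ends outside the hunk.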
42 | @@ -2371,11 +2373,13 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p, | |
43 | ||
44 | /* TODO: check server name */ | |
45 | ||
46 | - status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(), | |
47 | - r->in.computer_name, | |
48 | - r->in.credential, | |
49 | - r->out.return_authenticator, | |
50 | - &creds); | |
51 | + become_root(); | |
52 | + status = netr_creds_server_step_check(p, p->mem_ctx, | |
53 | + r->in.computer_name, | |
54 | + r->in.credential, | |
55 | + r->out.return_authenticator, | |
56 | + &creds); | |
57 | + unbecome_root(); | |
58 | if (!NT_STATUS_IS_OK(status)) { | |
59 | return status; | |
60 | } | |
61 | -- | |
62 | 2.8.1 | |
63 | ||
64 | ||
65 | From f93668be5dffea9b67c5ec2d49ebf7495b74c7fc Mon Sep 17 00:00:00 2001 | |
66 | From: Stefan Metzmacher <metze@samba.org> | |
67 | Date: Fri, 7 Aug 2015 13:33:17 +0200 | |
68 | Subject: [PATCH 02/15] CVE-2016-2111: s3:rpc_server/netlogon: require | |
69 | DCERPC_AUTH_LEVEL_PRIVACY for validation level 6 | |
70 | MIME-Version: 1.0 | |
71 | Content-Type: text/plain; charset=UTF-8 | |
72 | Content-Transfer-Encoding: 8bit | |
73 | ||
74 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
75 | ||
76 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
77 | Reviewed-by: Günther Deschner <gd@samba.org> | |
78 | --- | |
79 | source3/rpc_server/netlogon/srv_netlog_nt.c | 8 ++++++++ | |
80 | 1 file changed, 8 insertions(+) | |
81 | ||
82 | diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c | |
83 | index 54b8c5c..30e1bc0 100644 | |
84 | --- a/source3/rpc_server/netlogon/srv_netlog_nt.c | |
85 | +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c | |
86 | @@ -1636,6 +1636,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, | |
87 | r->out.validation->sam3); | |
88 | break; | |
89 | case 6: | |
90 | + /* Only allow this if the pipe is protected. */ | |
91 | + if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) { | |
92 | + DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n", | |
93 | + get_remote_machine_name())); | |
94 | + status = NT_STATUS_INVALID_PARAMETER; | |
95 | + break; | |
96 | + } | |
97 | + | |
98 | status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16, | |
99 | r->out.validation->sam6); | |
100 | break; | |
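Review bot: The rejection log on the `DEBUG(0, ...)` line identifies the client only through `get_remote_machine_name()`, a name the client itself announces, so an operator cannot reliably trace which host tried to fetch a level-6 validation over an unencrypted pipe; if this tree exposes a remote-address accessor on `p`, logging it next to the name would make the message actionable. The comment `/* Only allow this if the pipe is protected. */` does not say what is being protected; I would extend it to state that a `netr_Validation6` is only ever returned over a `DCERPC_AUTH_LEVEL_PRIVACY` pipe because it is the validation level that carries the richest account data, mirroring what Windows DCs enforce -- TODO confirm against MS-NRPC before committing that wording. Note that this check sits in the validation switch, i.e. after the logon itself has already been evaluated, which is acceptable but worth a one-line remark since levels 2 and 3 still return normally on such a pipe. `_netr_LogonSamLogon_base` starts and ends outside the hunk.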
101 | -- | |
102 | 2.8.1 | |
103 | ||
104 | ||
105 | From 70f12940ef563f83310d5c82cf0a3fc5876d98ac Mon Sep 17 00:00:00 2001 | |
106 | From: Stefan Metzmacher <metze@samba.org> | |
107 | Date: Sat, 12 Dec 2015 22:23:18 +0100 | |
108 | Subject: [PATCH 03/15] CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon | |
109 | ntlmv2 test | |
110 | MIME-Version: 1.0 | |
111 | Content-Type: text/plain; charset=UTF-8 | |
112 | Content-Transfer-Encoding: 8bit | |
113 | ||
114 | The computer name of the NTLMv2 blob needs to match | |
115 | the schannel connection. | |
116 | ||
117 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
118 | ||
119 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
120 | Reviewed-by: Günther Deschner <gd@samba.org> | |
121 | --- | |
122 | source4/torture/rpc/samba3rpc.c | 4 ++-- | |
123 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
124 | ||
125 | diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c | |
126 | index 26bed19..d39cf55 100644 | |
127 | --- a/source4/torture/rpc/samba3rpc.c | |
128 | +++ b/source4/torture/rpc/samba3rpc.c | |
129 | @@ -1122,8 +1122,8 @@ static bool schan(struct torture_context *tctx, | |
130 | generate_random_buffer(chal.data, chal.length); | |
131 | names_blob = NTLMv2_generate_names_blob( | |
132 | mem_ctx, | |
133 | - cli_credentials_get_workstation(user_creds), | |
134 | - cli_credentials_get_domain(user_creds)); | |
135 | + cli_credentials_get_workstation(wks_creds), | |
136 | + cli_credentials_get_domain(wks_creds)); | |
137 | status = cli_credentials_get_ntlm_response( | |
138 | user_creds, mem_ctx, &flags, chal, names_blob, | |
139 | &lm_resp, &nt_resp, NULL, NULL); | |
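Review bot: This fixes the positive case by building the names blob from `wks_creds`, but nothing in the series as shown asserts the negative case that the new server-side check introduces: an NTLMv2 response whose `NbComputerName` names a different workstation than the schannel account should now be rejected with `NT_STATUS_LOGON_FAILURE`, and a second `schan()` pass that keeps `user_creds` in the blob and expects that status would pin it. A short comment above the call, `/* the AV pairs must name the schannel workstation, see NTLMv2_RESPONSE_verify_netlogon_creds() */`, would explain to the next reader why the user's own workstation name is no longer used. `schan()` starts and ends outside the hunk.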
140 | -- | |
141 | 2.8.1 | |
142 | ||
143 | ||
144 | From d8e061a1bcbb88ab6ba0f0dffbcac16a5e1db4f9 Mon Sep 17 00:00:00 2001 | |
145 | From: Stefan Metzmacher <metze@samba.org> | |
146 | Date: Tue, 23 Feb 2016 19:08:31 +0100 | |
147 | Subject: [PATCH 04/15] CVE-2016-2111: libcli/auth: add | |
148 | NTLMv2_RESPONSE_verify_netlogon_creds() helper function | |
149 | MIME-Version: 1.0 | |
150 | Content-Type: text/plain; charset=UTF-8 | |
151 | Content-Transfer-Encoding: 8bit | |
152 | ||
153 | This is the function that prevents spoofing like | |
154 | Microsoft's CVE-2015-0005. | |
155 | ||
156 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
157 | ||
158 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
159 | Reviewed-by: Günther Deschner <gd@samba.org> | |
160 | --- | |
161 | libcli/auth/proto.h | 5 ++ | |
162 | libcli/auth/smbencrypt.c | 142 +++++++++++++++++++++++++++++++++++++++++++++- | |
163 | libcli/auth/wscript_build | 2 +- | |
164 | source3/Makefile.in | 27 +++++---- | |
165 | 4 files changed, 163 insertions(+), 13 deletions(-) | |
166 | ||
167 | diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h | |
168 | index 11b720df..558a6eb 100644 | |
169 | --- a/libcli/auth/proto.h | |
170 | +++ b/libcli/auth/proto.h | |
171 | @@ -139,6 +139,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx, | |
172 | const DATA_BLOB *names_blob, | |
173 | DATA_BLOB *lm_response, DATA_BLOB *nt_response, | |
174 | DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ; | |
175 | +NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name, | |
176 | + const char *account_domain, | |
177 | + const DATA_BLOB response, | |
178 | + const struct netlogon_creds_CredentialState *creds, | |
179 | + const char *workgroup); | |
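Review bot: The new public prototype `NTLMv2_RESPONSE_verify_netlogon_creds()` is added without a contract comment, and its behaviour is not obvious from the name: it returns `NT_STATUS_OK` when `response` does not look like an NTLMv2_RESPONSE (shorter than 48 bytes or missing the 0x01 0x01 RespType marker), an NDR-mapped error when the blob fails to parse, and `NT_STATUS_LOGON_FAILURE` only when `creds->secure_channel_type` is `SEC_CHAN_WKSTA` and the embedded `NbComputerName` or `NbDomainName` disagrees with `creds->account_name` (minus the trailing `$`) or `workgroup`. I would document exactly that above the declaration, including that the fail-open for non-NTLMv2 blobs is intentional, so callers do not mistake `NT_STATUS_OK` for "verified". A brief note that `creds` must not be NULL would also help, since the implementation dereferences it unconditionally.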
180 | ||
181 | /*********************************************************** | |
182 | encode a password buffer with a unicode password. The buffer | |
183 | diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c | |
184 | index 8fe606e..7c3142c 100644 | |
185 | --- a/libcli/auth/smbencrypt.c | |
186 | +++ b/libcli/auth/smbencrypt.c | |
187 | @@ -26,7 +26,7 @@ | |
188 | #include "../libcli/auth/msrpc_parse.h" | |
189 | #include "../lib/crypto/crypto.h" | |
190 | #include "../libcli/auth/libcli_auth.h" | |
191 | -#include "../librpc/gen_ndr/ntlmssp.h" | |
192 | +#include "../librpc/gen_ndr/ndr_ntlmssp.h" | |
193 | ||
194 | void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]) | |
195 | { | |
196 | @@ -522,6 +522,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx, | |
197 | lm_response, nt_response, lm_session_key, user_session_key); | |
198 | } | |
199 | ||
200 | +NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name, | |
201 | + const char *account_domain, | |
202 | + const DATA_BLOB response, | |
203 | + const struct netlogon_creds_CredentialState *creds, | |
204 | + const char *workgroup) | |
205 | +{ | |
206 | + TALLOC_CTX *frame = NULL; | |
207 | + /* RespType + HiRespType */ | |
208 | + static const char *magic = "\x01\x01"; | |
209 | + int cmp; | |
210 | + struct NTLMv2_RESPONSE v2_resp; | |
211 | + enum ndr_err_code err; | |
212 | + const struct AV_PAIR *av_nb_cn = NULL; | |
213 | + const struct AV_PAIR *av_nb_dn = NULL; | |
214 | + | |
215 | + if (response.length < 48) { | |
216 | + /* | |
217 | + * NTLMv2_RESPONSE has at least 48 bytes. | |
218 | + */ | |
219 | + return NT_STATUS_OK; | |
220 | + } | |
221 | + | |
222 | + cmp = memcmp(response.data + 16, magic, 2); | |
223 | + if (cmp != 0) { | |
224 | + /* | |
225 | + * It doesn't look like a valid NTLMv2_RESPONSE | |
226 | + */ | |
227 | + return NT_STATUS_OK; | |
228 | + } | |
229 | + | |
230 | + frame = talloc_stackframe(); | |
231 | + | |
232 | + err = ndr_pull_struct_blob(&response, frame, &v2_resp, | |
233 | + (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE); | |
234 | + if (!NDR_ERR_CODE_IS_SUCCESS(err)) { | |
235 | + NTSTATUS status; | |
236 | + status = ndr_map_error2ntstatus(err); | |
237 | + DEBUG(2,("Failed to parse NTLMv2_RESPONSE " | |
238 | + "length %u - %s - %s\n", | |
239 | + (unsigned)response.length, | |
240 | + ndr_map_error2string(err), | |
241 | + nt_errstr(status))); | |
242 | + dump_data(2, response.data, response.length); | |
243 | + TALLOC_FREE(frame); | |
244 | + return status; | |
245 | + } | |
246 | + | |
247 | + if (DEBUGLVL(10)) { | |
248 | + NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp); | |
249 | + } | |
250 | + | |
251 | + /* | |
252 | + * Make sure the netbios computer name in the | |
253 | + * NTLMv2_RESPONSE matches the computer name | |
254 | + * in the secure channel credentials for workstation | |
255 | + * trusts. | |
256 | + * | |
257 | + * And the netbios domain name matches our | |
258 | + * workgroup. | |
259 | + * | |
260 | + * This prevents workstations from requesting | |
261 | + * the session key of NTLMSSP sessions of clients | |
262 | + * to other hosts. | |
263 | + */ | |
264 | + if (creds->secure_channel_type == SEC_CHAN_WKSTA) { | |
265 | + av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs, | |
266 | + MsvAvNbComputerName); | |
267 | + av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs, | |
268 | + MsvAvNbDomainName); | |
269 | + } | |
270 | + | |
271 | + if (av_nb_cn != NULL) { | |
272 | + const char *v = NULL; | |
273 | + char *a = NULL; | |
274 | + size_t len; | |
275 | + | |
276 | + v = av_nb_cn->Value.AvNbComputerName; | |
277 | + | |
278 | + a = talloc_strdup(frame, creds->account_name); | |
279 | + if (a == NULL) { | |
280 | + TALLOC_FREE(frame); | |
281 | + return NT_STATUS_NO_MEMORY; | |
282 | + } | |
283 | + len = strlen(a); | |
284 | + if (len > 0 && a[len - 1] == '$') { | |
285 | + a[len - 1] = '\0'; | |
286 | + } | |
287 | + | |
288 | +#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */ | |
289 | + cmp = strcasecmp_m(a, v); | |
290 | +#else /* smbd */ | |
291 | + cmp = StrCaseCmp(a, v); | |
292 | +#endif | |
293 | + if (cmp != 0) { | |
294 | + DEBUG(2,("%s: NTLMv2_RESPONSE with " | |
295 | + "NbComputerName[%s] rejected " | |
296 | + "for user[%s\\%s] " | |
297 | + "against SEC_CHAN_WKSTA[%s/%s] " | |
298 | + "in workgroup[%s]\n", | |
299 | + __func__, v, | |
300 | + account_domain, | |
301 | + account_name, | |
302 | + creds->computer_name, | |
303 | + creds->account_name, | |
304 | + workgroup)); | |
305 | + TALLOC_FREE(frame); | |
306 | + return NT_STATUS_LOGON_FAILURE; | |
307 | + } | |
308 | + } | |
309 | + if (av_nb_dn != NULL) { | |
310 | + const char *v = NULL; | |
311 | + | |
312 | + v = av_nb_dn->Value.AvNbDomainName; | |
313 | + | |
314 | +#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */ | |
315 | + cmp = strcasecmp_m(workgroup, v); | |
316 | +#else /* smbd */ | |
317 | + cmp = StrCaseCmp(workgroup, v); | |
318 | +#endif | |
319 | + if (cmp != 0) { | |
320 | + DEBUG(2,("%s: NTLMv2_RESPONSE with " | |
321 | + "NbDomainName[%s] rejected " | |
322 | + "for user[%s\\%s] " | |
323 | + "against SEC_CHAN_WKSTA[%s/%s] " | |
324 | + "in workgroup[%s]\n", | |
325 | + __func__, v, | |
326 | + account_domain, | |
327 | + account_name, | |
328 | + creds->computer_name, | |
329 | + creds->account_name, | |
330 | + workgroup)); | |
331 | + TALLOC_FREE(frame); | |
332 | + return NT_STATUS_LOGON_FAILURE; | |
333 | + } | |
334 | + } | |
335 | + | |
336 | + TALLOC_FREE(frame); | |
337 | + return NT_STATUS_OK; | |
338 | +} | |
339 | + | |
340 | /*********************************************************** | |
341 | encode a password buffer with a unicode password. The buffer | |
342 | is filled with random data to make it harder to attack. | |
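Review bot: The comparison is silently skipped when the response carries no `MsvAvNbComputerName` or `MsvAvNbDomainName` AV pair (`av_nb_cn`/`av_nb_dn` stay NULL and the function returns `NT_STATUS_OK`), so a response to a target server that omitted those pairs from its CHALLENGE is accepted unchecked; that is presumably unavoidable, but the block comment above the `SEC_CHAN_WKSTA` test should say so, e.g. `/* A response without NbComputerName/NbDomainName AV pairs cannot be tied to a host and is accepted as-is; only responses that name a host are checked. */`. Selecting `strcasecmp_m()` versus `StrCaseCmp()` via `#ifdef SAMBA4_INTERNAL_HEIMDAL` ties a string-compare choice to a Kerberos build flag; if no dedicated source3/source4 marker exists in this tree, a comment next to the first `#ifdef` stating that this macro is being used purely as a "built as smbtorture4" indicator would stop someone from removing it when the Heimdal dependency changes. `creds` is dereferenced without a NULL check at `creds->secure_channel_type`; if any caller can reach this with a NULL `creds`, an early `if (creds == NULL) return NT_STATUS_INVALID_PARAMETER;` would be safer than a crash in the logon path.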
343 | diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build | |
344 | index 0f0e22b..dce6c80 100644 | |
345 | --- a/libcli/auth/wscript_build | |
346 | +++ b/libcli/auth/wscript_build | |
347 | @@ -19,7 +19,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE', | |
348 | ||
349 | bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH', | |
350 | source='credentials.c session.c smbencrypt.c smbdes.c', | |
351 | - public_deps='MSRPC_PARSE', | |
352 | + public_deps='MSRPC_PARSE NDR_NTLMSSP', | |
353 | public_headers='credentials.h:domain_credentials.h' | |
354 | ) | |
355 | ||
356 | diff --git a/source3/Makefile.in b/source3/Makefile.in | |
357 | index 2668a6b..d562d17 100644 | |
358 | --- a/source3/Makefile.in | |
359 | +++ b/source3/Makefile.in | |
360 | @@ -783,6 +783,7 @@ GROUPDB_OBJ = groupdb/mapping.o groupdb/mapping_tdb.o | |
361 | PROFILE_OBJ = profile/profile.o | |
362 | PROFILES_OBJ = utils/profiles.o \ | |
363 | $(LIBSMB_ERR_OBJ) \ | |
364 | + $(LIBNDR_NTLMSSP_OBJ) \ | |
365 | $(PARAM_OBJ) \ | |
366 | $(LIB_OBJ) $(LIB_DUMMY_OBJ) \ | |
367 | $(POPT_LIB_OBJ) \ | |
368 | @@ -995,10 +996,10 @@ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(PRINTING_OBJ) $(PRINTBASE_OBJ) $(LIBSMB_O | |
369 | STATUS_OBJ = utils/status.o utils/status_profile.o \ | |
370 | $(LOCKING_OBJ) $(PARAM_OBJ) \ | |
371 | $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \ | |
372 | - $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ) | |
373 | + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ) | |
374 | ||
375 | SMBCONTROL_OBJ = utils/smbcontrol.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ | |
376 | - $(LIBSMB_ERR_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ) | |
377 | + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ) | |
378 | ||
379 | SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \ | |
380 | $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_OBJ) \ | |
381 | @@ -1012,11 +1013,11 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \ | |
382 | ||
383 | TESTPARM_OBJ = utils/testparm.o \ | |
384 | $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \ | |
385 | - $(LIBSMB_ERR_OBJ) | |
386 | + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) | |
387 | ||
388 | SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \ | |
389 | $(LIB_NONSMBD_OBJ) \ | |
390 | - $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ) | |
391 | + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ) | |
392 | ||
393 | TEST_LP_LOAD_OBJ = param/test_lp_load.o \ | |
394 | $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ | |
395 | @@ -1146,6 +1147,7 @@ SMBCONFTORT_OBJ = $(SMBCONFTORT_OBJ0) \ | |
396 | $(LIB_NONSMBD_OBJ) \ | |
397 | $(PARAM_OBJ) \ | |
398 | $(LIBSMB_ERR_OBJ) \ | |
399 | + $(LIBNDR_NTLMSSP_OBJ) \ | |
400 | $(POPT_LIB_OBJ) | |
401 | ||
402 | PTHREADPOOLTEST_OBJ = lib/pthreadpool/pthreadpool.o \ | |
403 | @@ -1229,7 +1231,7 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ | |
404 | $(LIBNDR_GEN_OBJ0) | |
405 | ||
406 | NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \ | |
407 | - $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) | |
408 | + $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) | |
409 | ||
410 | SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \ | |
411 | torture/denytest.o torture/mangle_test.o \ | |
412 | @@ -1253,6 +1255,7 @@ MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ | |
413 | $(LIBNDR_GEN_OBJ0) | |
414 | ||
415 | MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_ERR_OBJ) \ | |
416 | + $(LIBNDR_NTLMSSP_OBJ) \ | |
417 | $(LIB_NONSMBD_OBJ) \ | |
418 | $(LIBNDR_GEN_OBJ0) | |
419 | ||
420 | @@ -1269,7 +1272,7 @@ PDBTEST_OBJ = torture/pdbtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ | |
421 | ||
422 | VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) $(READLINE_OBJ) | |
423 | ||
424 | -SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) | |
425 | +SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) | |
426 | ||
427 | LOG2PCAP_OBJ = utils/log2pcaphex.o | |
428 | ||
429 | @@ -1297,17 +1300,17 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ | |
430 | EVTLOGADM_OBJ0 = utils/eventlogadm.o | |
431 | ||
432 | EVTLOGADM_OBJ = $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ | |
433 | - $(LIBSMB_ERR_OBJ) $(LIB_EVENTLOG_OBJ) \ | |
434 | + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIB_EVENTLOG_OBJ) \ | |
435 | librpc/gen_ndr/ndr_eventlog.o \ | |
436 | librpc/gen_ndr/ndr_lsa.o | |
437 | ||
438 | SHARESEC_OBJ0 = utils/sharesec.o | |
439 | SHARESEC_OBJ = $(SHARESEC_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ | |
440 | - $(LIBSMB_ERR_OBJ) \ | |
441 | + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) \ | |
442 | $(POPT_LIB_OBJ) | |
443 | ||
444 | TALLOCTORT_OBJ = @tallocdir@/testsuite.o @tallocdir@/testsuite_main.o \ | |
445 | - $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) | |
446 | + $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) | |
447 | ||
448 | REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \ | |
449 | @libreplacedir@/test/getifaddrs.o \ | |
450 | @@ -1323,7 +1326,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ | |
451 | $(LIBNDR_GEN_OBJ0) | |
452 | ||
453 | WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \ | |
454 | - $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNMB_OBJ) | |
455 | + $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIBNMB_OBJ) | |
456 | ||
457 | PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \ | |
458 | pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o | |
459 | @@ -1531,12 +1534,14 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.o \ | |
460 | DBWRAP_TOOL_OBJ = utils/dbwrap_tool.o \ | |
461 | $(PARAM_OBJ) \ | |
462 | $(LIB_NONSMBD_OBJ) \ | |
463 | - $(LIBSMB_ERR_OBJ) | |
464 | + $(LIBSMB_ERR_OBJ) \ | |
465 | + $(LIBNDR_NTLMSSP_OBJ) | |
466 | ||
467 | DBWRAP_TORTURE_OBJ = utils/dbwrap_torture.o \ | |
468 | $(PARAM_OBJ) \ | |
469 | $(LIB_NONSMBD_OBJ) \ | |
470 | $(LIBSMB_ERR_OBJ) \ | |
471 | + $(LIBNDR_NTLMSSP_OBJ) \ | |
472 | $(POPT_LIB_OBJ) | |
473 | ||
474 | SPLIT_TOKENS_OBJ = utils/split_tokens.o \ | |
475 | -- | |
476 | 2.8.1 | |
477 | ||
478 | ||
479 | From d49e3329a639a570db8e99a13796713fb5a23616 Mon Sep 17 00:00:00 2001 | |
480 | From: Stefan Metzmacher <metze@samba.org> | |
481 | Date: Wed, 9 Dec 2015 13:12:43 +0100 | |
482 | Subject: [PATCH 05/15] CVE-2016-2111: s3:rpc_server/netlogon: check | |
483 | NTLMv2_RESPONSE values for SEC_CHAN_WKSTA | |
484 | MIME-Version: 1.0 | |
485 | Content-Type: text/plain; charset=UTF-8 | |
486 | Content-Transfer-Encoding: 8bit | |
487 | ||
488 | This prevents spoofing like Microsoft's CVE-2015-0005. | |
489 | ||
490 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
491 | ||
492 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
493 | Reviewed-by: Günther Deschner <gd@samba.org> | |
494 | --- | |
495 | source3/rpc_server/netlogon/srv_netlog_nt.c | 9 +++++++++ | |
496 | 1 file changed, 9 insertions(+) | |
497 | ||
498 | diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c | |
499 | index 30e1bc0..a630b47 100644 | |
500 | --- a/source3/rpc_server/netlogon/srv_netlog_nt.c | |
501 | +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c | |
502 | @@ -1508,6 +1508,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, | |
503 | case NetlogonNetworkTransitiveInformation: | |
504 | { | |
505 | const char *wksname = nt_workstation; | |
506 | + const char *workgroup = lp_workgroup(); | |
507 | ||
508 | status = make_auth_context_fixed(talloc_tos(), &auth_context, | |
509 | logon->network->challenge); | |
510 | @@ -1532,6 +1533,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, | |
511 | logon->network->nt.length)) { | |
512 | status = NT_STATUS_NO_MEMORY; | |
513 | } | |
514 | + | |
515 | + if (NT_STATUS_IS_OK(status)) { | |
516 | + status = NTLMv2_RESPONSE_verify_netlogon_creds( | |
517 | + user_info->client.account_name, | |
518 | + user_info->client.domain_name, | |
519 | + user_info->password.response.nt, | |
520 | + creds, workgroup); | |
521 | + } | |
522 | break; | |
523 | } | |
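Review bot: Only `user_info->password.response.nt` is passed to `NTLMv2_RESPONSE_verify_netlogon_creds()`, while `logon->network->lm` is left unchecked; if the NTLM check that follows can treat an LM response longer than 24 bytes as an NTLMv2/LMv2 blob when the NT response is absent or fails, a malicious workstation could place the relayed NTLMv2 response in the LM field and bypass this check, so either the LM blob should be run through the same helper or a comment should state why that path cannot be reached. I would also note above the new `if (NT_STATUS_IS_OK(status))` block that the helper fails open for anything that is not a 48-byte-plus NTLMv2_RESPONSE, so NTLMv1 logons are intentionally not covered here. The helper dereferences `creds` unconditionally; if `creds` can be NULL for any caller of `_netr_LogonSamLogon_base`, guard it before the call. The enclosing function starts and ends outside the hunk.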
524 | case NetlogonInteractiveInformation: | |
525 | -- | |
526 | 2.8.1 | |
527 | ||
528 | ||
529 | From bded435d42be34099d28db69258b1b5ef95ced48 Mon Sep 17 00:00:00 2001 | |
530 | From: Stefan Metzmacher <metze@samba.org> | |
531 | Date: Sat, 26 Mar 2016 22:24:23 +0100 | |
532 | Subject: [PATCH 06/15] CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos | |
533 | connection in raw.samba3badpath | |
534 | ||
535 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
536 | ||
537 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
538 | Reviewed-by: Alexander Bokovoy <ab@samba.org> | |
539 | --- | |
540 | source4/torture/raw/samba3misc.c | 20 ++++++++++++-------- | |
541 | 1 file changed, 12 insertions(+), 8 deletions(-) | |
542 | ||
543 | diff --git a/source4/torture/raw/samba3misc.c b/source4/torture/raw/samba3misc.c | |
544 | index a603111..b99d40f 100644 | |
545 | --- a/source4/torture/raw/samba3misc.c | |
546 | +++ b/source4/torture/raw/samba3misc.c | |
547 | @@ -340,6 +340,7 @@ bool torture_samba3_badpath(struct torture_context *torture) | |
548 | bool ret = true; | |
549 | TALLOC_CTX *mem_ctx; | |
550 | bool nt_status_support; | |
551 | + bool client_ntlmv2_auth; | |
552 | ||
553 | if (!(mem_ctx = talloc_init("torture_samba3_badpath"))) { | |
554 | d_printf("talloc_init failed\n"); | |
555 | @@ -347,20 +348,17 @@ bool torture_samba3_badpath(struct torture_context *torture) | |
556 | } | |
557 | ||
558 | nt_status_support = lpcfg_nt_status_support(torture->lp_ctx); | |
559 | + client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(torture->lp_ctx); | |
560 | ||
561 | - if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes")) { | |
562 | - printf("Could not set 'nt status support = yes'\n"); | |
563 | - goto fail; | |
564 | - } | |
565 | + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes"), ret, fail, "Could not set 'nt status support = yes'\n"); | |
566 | + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "yes"), ret, fail, "Could not set 'client ntlmv2 auth = yes'\n"); | |
567 | ||
568 | if (!torture_open_connection(&cli_nt, torture, 0)) { | |
569 | goto fail; | |
570 | } | |
571 | ||
572 | - if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no")) { | |
573 | - printf("Could not set 'nt status support = yes'\n"); | |
574 | - goto fail; | |
575 | - } | |
576 | + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no"), ret, fail, "Could not set 'nt status support = no'\n"); | |
577 | + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "no"), ret, fail, "Could not set 'client ntlmv2 auth = no'\n"); | |
578 | ||
579 | if (!torture_open_connection(&cli_dos, torture, 1)) { | |
580 | goto fail; | |
581 | @@ -373,6 +371,12 @@ bool torture_samba3_badpath(struct torture_context *torture) | |
582 | } | |
583 | ||
584 | smbcli_deltree(cli_nt->tree, dirname); | |
585 | + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", | |
586 | + nt_status_support ? "yes":"no"), | |
587 | + ret, fail, "Could not set 'nt status support' back to where it was\n"); | |
588 | + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", | |
589 | + client_ntlmv2_auth ? "yes":"no"), | |
590 | + ret, fail, "Could not set 'client ntlmv2 auth' back to where it was\n"); | |
591 | ||
592 | status = smbcli_mkdir(cli_nt->tree, dirname); | |
593 | if (!NT_STATUS_IS_OK(status)) { | |
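Review bot: The `nt status support` and `client ntlmv2 auth` settings are only restored on this success path after `smbcli_deltree()`; every `torture_assert_goto(..., fail, ...)` and `goto fail` between the two `lpcfg_set_cmdline()` calls and here leaves them at `no`/`no` for whatever test runs next in the same process, unless the `fail:` label (outside the hunk) also restores them. Moving the two restore calls into the `fail:`/cleanup path, or restoring immediately after `cli_dos` is opened, would make the test hygienic on every exit. A one-line comment such as `/* both connections are up, put the cmdline overrides back before anything can fail */` would make the intended ordering explicit. `torture_samba3_badpath()` starts and ends outside the hunk.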
594 | -- | |
595 | 2.8.1 | |
596 | ||
597 | ||
598 | From 12c908158213b1b82aca5c4485961da89299b6cf Mon Sep 17 00:00:00 2001 | |
599 | From: Stefan Metzmacher <metze@samba.org> | |
600 | Date: Sat, 26 Mar 2016 22:24:23 +0100 | |
601 | Subject: [PATCH 07/15] CVE-2016-2111: s4:torture/base: don't use ntlmv2 for | |
602 | dos connection in base.samba3error | |
603 | ||
604 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
605 | ||
606 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
607 | Reviewed-by: Alexander Bokovoy <ab@samba.org> | |
608 | --- | |
609 | source4/torture/basic/base.c | 19 +++++++++++++++++-- | |
610 | 1 file changed, 17 insertions(+), 2 deletions(-) | |
611 | ||
612 | diff --git a/source4/torture/basic/base.c b/source4/torture/basic/base.c | |
613 | index d7bac45..7f74bb9 100644 | |
614 | --- a/source4/torture/basic/base.c | |
615 | +++ b/source4/torture/basic/base.c | |
616 | @@ -1476,6 +1476,7 @@ static bool torture_chkpath_test(struct torture_context *tctx, | |
617 | static bool torture_samba3_errorpaths(struct torture_context *tctx) | |
618 | { | |
619 | bool nt_status_support; | |
620 | + bool client_ntlmv2_auth; | |
621 | struct smbcli_state *cli_nt = NULL, *cli_dos = NULL; | |
622 | bool result = false; | |
623 | int fnum; | |
624 | @@ -1485,18 +1486,27 @@ static bool torture_samba3_errorpaths(struct torture_context *tctx) | |
625 | NTSTATUS status; | |
626 | ||
627 | nt_status_support = lpcfg_nt_status_support(tctx->lp_ctx); | |
628 | + client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(tctx->lp_ctx); | |
629 | ||
630 | if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "yes")) { | |
631 | torture_comment(tctx, "Could not set 'nt status support = yes'\n"); | |
632 | goto fail; | |
633 | } | |
634 | + if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "yes")) { | |
635 | + torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = yes'\n"); | |
636 | + goto fail; | |
637 | + } | |
638 | ||
639 | if (!torture_open_connection(&cli_nt, tctx, 0)) { | |
640 | goto fail; | |
641 | } | |
642 | ||
643 | if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "no")) { | |
644 | - torture_comment(tctx, "Could not set 'nt status support = yes'\n"); | |
645 | + torture_result(tctx, TORTURE_FAIL, "Could not set 'nt status support = no'\n"); | |
646 | + goto fail; | |
647 | + } | |
648 | + if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "no")) { | |
649 | + torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = no'\n"); | |
650 | goto fail; | |
651 | } | |
652 | ||
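Review bot: The failure reporting in this hunk is now inconsistent: the pre-existing `nt status support = yes` failure still uses `torture_comment()`, which does not mark the test as failed, while the four new branches use `torture_result(tctx, TORTURE_FAIL, ...)`. Since the commit already touches the sibling branches, I would change that first one to `torture_result(tctx, TORTURE_FAIL, "Could not set 'nt status support = yes'\n");` so that every configuration failure in `torture_samba3_errorpaths()` is reported the same way. The function starts and ends outside the hunk.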
653 | @@ -1506,7 +1516,12 @@ static bool torture_samba3_errorpaths(struct torture_context *tctx) | |
654 | ||
655 | if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", | |
656 | nt_status_support ? "yes":"no")) { | |
657 | - torture_comment(tctx, "Could not reset 'nt status support = yes'"); | |
658 | + torture_result(tctx, TORTURE_FAIL, "Could not reset 'nt status support'"); | |
659 | + goto fail; | |
660 | + } | |
661 | + if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", | |
662 | + client_ntlmv2_auth ? "yes":"no")) { | |
663 | + torture_result(tctx, TORTURE_FAIL, "Could not reset 'client ntlmv2 auth'"); | |
664 | goto fail; | |
665 | } | |
666 | ||
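Review bot: As with the sibling raw.samba3badpath change, `nt status support` and `client ntlmv2 auth` are only reset on this single path; any `goto fail` taken between the `lpcfg_set_cmdline()` calls above and this point leaves both overrides at their test values for later tests in the same smbtorture run, unless the `fail:` label (outside the hunk) performs the same reset. I would either restore them on the `fail:` path as well, or record the reset in a small static helper called from both places so the two blocks cannot drift apart. `torture_samba3_errorpaths()` starts and ends outside the hunk.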
667 | -- | |
668 | 2.8.1 | |
669 | ||
670 | ||
671 | From 0b659fd0d7b684244c9791e01cc1370c0696e3f7 Mon Sep 17 00:00:00 2001 | |
672 | From: Stefan Metzmacher <metze@samba.org> | |
673 | Date: Sat, 26 Mar 2016 18:08:16 +0100 | |
674 | Subject: [PATCH 08/15] CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 | |
675 | response when we want to use spnego | |
676 | ||
677 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
678 | ||
679 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
680 | Reviewed-by: Alexander Bokovoy <ab@samba.org> | |
681 | --- | |
682 | source3/libsmb/cliconnect.c | 11 +++++++++++ | |
683 | 1 file changed, 11 insertions(+) | |
684 | ||
685 | diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c | |
686 | index 8653ba7..4c0abdf 100644 | |
687 | --- a/source3/libsmb/cliconnect.c | |
688 | +++ b/source3/libsmb/cliconnect.c | |
689 | @@ -2077,6 +2077,17 @@ NTSTATUS cli_session_setup(struct cli_state *cli, | |
690 | NTSTATUS status; | |
691 | ||
692 | /* otherwise do a NT1 style session setup */ | |
693 | + if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) { | |
694 | + /* | |
695 | + * Don't send an NTLMv2 response without NTLMSSP | |
696 | + * if we want to use spnego support | |
697 | + */ | |
698 | + DEBUG(1, ("Server does not support EXTENDED_SECURITY " | |
699 | + " but 'client use spnego = yes" | |
700 | + " and 'client ntlmv2 auth = yes'\n")); | |
701 | + return NT_STATUS_ACCESS_DENIED; | |
702 | + } | |
703 | + | |
704 | status = cli_session_setup_nt1(cli, user, pass, passlen, | |
705 | ntpass, ntpasslen, workgroup); | |
706 | if (!NT_STATUS_IS_OK(status)) { | |
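Review bot: The diagnostic string in the new `DEBUG(1, ...)` is malformed: the three literals concatenate to a double space before "but", and the option names are quoted as `'client use spnego = yes"` (opening single quote, closing double quote) and `'client ntlmv2 auth = yes'`. I would write it as `DEBUG(1, ("Server does not support EXTENDED_SECURITY, " "but 'client use spnego = yes' " "and 'client ntlmv2 auth = yes'\n"));`. Returning `NT_STATUS_ACCESS_DENIED` makes this local policy refusal indistinguishable from a server-side denial in callers' logs; if the tree has a status such as `NT_STATUS_NOT_SUPPORTED` that fits, it would be clearer, though I am not certain which callers key on the current value. `cli_session_setup()` starts and ends outside the hunk.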
707 | -- | |
708 | 2.8.1 | |
709 | ||
710 | ||
711 | From 5ed1b3a84a1e3d9707a788a89698aa28769a79be Mon Sep 17 00:00:00 2001 | |
712 | From: Stefan Metzmacher <metze@samba.org> | |
713 | Date: Sun, 27 Mar 2016 01:09:05 +0100 | |
714 | Subject: [PATCH 09/15] CVE-2016-2111: docs-xml: document the new "client | |
715 | NTLMv2 auth" and "client use spnego" interaction | |
716 | ||
717 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
718 | ||
719 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
720 | Reviewed-by: Alexander Bokovoy <ab@samba.org> | |
721 | --- | |
722 | docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 +++++ | |
723 | docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 +++++ | |
724 | 2 files changed, 10 insertions(+) | |
725 | ||
726 | diff --git a/docs-xml/smbdotconf/protocol/clientusespnego.xml b/docs-xml/smbdotconf/protocol/clientusespnego.xml | |
727 | index c688a65..e538745 100644 | |
728 | --- a/docs-xml/smbdotconf/protocol/clientusespnego.xml | |
729 | +++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml | |
730 | @@ -9,6 +9,11 @@ | |
731 | supporting servers (including WindowsXP, Windows2000 and Samba | |
732 | 3.0) to agree upon an authentication | |
733 | mechanism. This enables Kerberos authentication in particular.</para> | |
734 | + | |
735 | + <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to | |
736 | + <constant>yes</constant> extended security (SPNEGO) is required | |
737 | + in order to use NTLMv2 only within NTLMSSP. This behavior was | |
738 | + introduced with the patches for CVE-2016-2111.</para> | |
739 | </description> | |
740 | ||
741 | <value type="default">yes</value> | |
742 | diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml | |
743 | index b151df2..1b6d887 100644 | |
744 | --- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml | |
745 | +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml | |
746 | @@ -28,6 +28,11 @@ | |
747 | NTLMv2 by default, and some sites (particularly those following | |
748 | 'best practice' security polices) only allow NTLMv2 responses, and | |
749 | not the weaker LM or NTLM.</para> | |
750 | + | |
751 | + <para>When <smbconfoption name="client use spnego"/> is also set to | |
752 | + <constant>yes</constant> extended security (SPNEGO) is required | |
753 | + in order to use NTLMv2 only within NTLMSSP. This behavior was | |
754 | + introduced with the patches for CVE-2016-2111.</para> | |
755 | </description> | |
756 | <value type="default">yes</value> | |
757 | </samba:parameter> | |
758 | -- | |
759 | 2.8.1 | |
760 | ||
761 | ||
762 | From 8ac4cd75a89732938b1e3161a884f9d5df68ffaf Mon Sep 17 00:00:00 2001 | |
763 | From: Stefan Metzmacher <metze@samba.org> | |
764 | Date: Tue, 15 Mar 2016 21:02:34 +0100 | |
765 | Subject: [PATCH 10/15] CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" | |
766 | defaulting to "yes" | |
767 | MIME-Version: 1.0 | |
768 | Content-Type: text/plain; charset=UTF-8 | |
769 | Content-Transfer-Encoding: 8bit | |
770 | ||
771 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
772 | ||
773 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
774 | Reviewed-by: Günther Deschner <gd@samba.org> | |
775 | --- | |
776 | docs-xml/smbdotconf/security/rawntlmv2auth.xml | 20 ++++++++++++++++++++ | |
777 | source3/include/proto.h | 1 + | |
778 | source3/param/loadparm.c | 3 +++ | |
779 | 3 files changed, 24 insertions(+) | |
780 | create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml | |
781 | ||
782 | diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml | |
783 | new file mode 100644 | |
784 | index 0000000..ef26297 | |
785 | --- /dev/null | |
786 | +++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml | |
787 | @@ -0,0 +1,20 @@ | |
788 | +<samba:parameter name="raw NTLMv2 auth" | |
789 | + context="G" | |
790 | + type="boolean" | |
791 | + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> | |
792 | +<description> | |
793 | + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> | |
794 | + <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without | |
795 | + extended security (without SPNEGO) to use NTLMv2 authentication.</para> | |
796 | + | |
797 | + <para>If this option, <command moreinfo="none">lanman auth</command> | |
798 | + and <command moreinfo="none">ntlm auth</command> are all disabled, | |
799 | + then only clients with SPNEGO support will be permitted. | |
800 | + That means NTLMv2 is only supported within NTLMSSP.</para> | |
801 | + | |
802 | + <para>Note that the default will change to "no" with Samba 4.5.</para> | |
803 | +</description> | |
804 | + | |
805 | +<value type="default">yes</value> | |
806 | +<value type="example">no</value> | |
807 | +</samba:parameter> | |
808 | diff --git a/source3/include/proto.h b/source3/include/proto.h | |
809 | index 8491d54..32b4e3d 100644 | |
810 | --- a/source3/include/proto.h | |
811 | +++ b/source3/include/proto.h | |
812 | @@ -1489,6 +1489,7 @@ bool lp_map_untrusted_to_domain(void); | |
813 | int lp_restrict_anonymous(void); | |
814 | bool lp_lanman_auth(void); | |
815 | bool lp_ntlm_auth(void); | |
816 | +bool lp_raw_ntlmv2_auth(void); | |
817 | bool lp_client_plaintext_auth(void); | |
818 | bool lp_client_lanman_auth(void); | |
819 | bool lp_client_ntlmv2_auth(void); | |
820 | diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c | |
821 | index 753252a..42ddcf5 100644 | |
822 | --- a/source3/param/loadparm.c | |
823 | +++ b/source3/param/loadparm.c | |
824 | @@ -336,6 +336,7 @@ struct global { | |
825 | bool bAllowTrustedDomains; | |
826 | bool bLanmanAuth; | |
827 | bool bNTLMAuth; | |
828 | + bool bRawNTLMv2Auth; | |
829 | bool bUseSpnego; | |
830 | bool bClientLanManAuth; | |
831 | bool bClientNTLMv2Auth; | |
832 | @@ -5337,6 +5338,7 @@ static void init_globals(bool reinit_globals) | |
833 | Globals.bClientPlaintextAuth = False; /* Do NOT use a plaintext password even if is requested by the server */ | |
834 | Globals.bLanmanAuth = False; /* Do NOT use the LanMan hash, even if it is supplied */ | |
835 | Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */ | |
836 | + Globals.bRawNTLMv2Auth = true; /* Allow NTLMv2 without NTLMSSP */ | |
837 | Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ | |
838 | /* Note, that we will also use NTLM2 session security (which is different), if it is available */ | |
839 | ||
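Review bot: `Globals.bRawNTLMv2Auth = true;` uses the lowercase C99 `true` while every neighbouring assignment in this hunk (bClientPlaintextAuth, bLanmanAuth, bNTLMAuth, bClientNTLMv2Auth) uses the project's `True`/`False` spelling; for consistency the line should read `Globals.bRawNTLMv2Auth = True; /* Allow NTLMv2 without NTLMSSP */`. The same spelling mismatch carries over into patch 14/15, which rewrites this line with `false`. init_globals continues outside the hunk.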
840 | @@ -5819,6 +5821,7 @@ FN_GLOBAL_BOOL(lp_map_untrusted_to_domain, &Globals.bMapUntrustedToDomain) | |
841 | FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous) | |
842 | FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth) | |
843 | FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth) | |
844 | +FN_GLOBAL_BOOL(lp_raw_ntlmv2_auth, &Globals.bRawNTLMv2Auth) | |
845 | FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth) | |
846 | FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth) | |
847 | FN_GLOBAL_BOOL(lp_client_ntlmv2_auth, &Globals.bClientNTLMv2Auth) | |
848 | -- | |
849 | 2.8.1 | |
850 | ||
851 | ||
852 | From de2ba16834dece138d8c0761cc3c834da42dfd33 Mon Sep 17 00:00:00 2001 | |
853 | From: Stefan Metzmacher <metze@samba.org> | |
854 | Date: Tue, 15 Mar 2016 21:02:34 +0100 | |
855 | Subject: [PATCH 11/15] CVE-2016-2111(<=4.3): loadparm: add "raw NTLMv2 auth" | |
856 | to param_table | |
857 | MIME-Version: 1.0 | |
858 | Content-Type: text/plain; charset=UTF-8 | |
859 | Content-Transfer-Encoding: 8bit | |
860 | ||
861 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
862 | ||
863 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
864 | Reviewed-by: Günther Deschner <gd@samba.org> | |
865 | Reviewed-by: Ralph Boehme <slow@samba.org> | |
866 | --- | |
867 | source3/param/loadparm.c | 9 +++++++++ | |
868 | 1 file changed, 9 insertions(+) | |
869 | ||
870 | diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c | |
871 | index 42ddcf5..f806788 100644 | |
872 | --- a/source3/param/loadparm.c | |
873 | +++ b/source3/param/loadparm.c | |
874 | @@ -1384,6 +1384,15 @@ static struct parm_struct parm_table[] = { | |
875 | .flags = FLAG_ADVANCED, | |
876 | }, | |
877 | { | |
878 | + .label = "raw NTLMv2 auth", | |
879 | + .type = P_BOOL, | |
880 | + .p_class = P_GLOBAL, | |
881 | + .ptr = &Globals.bRawNTLMv2Auth, | |
882 | + .special = NULL, | |
883 | + .enum_list = NULL, | |
884 | + .flags = FLAG_ADVANCED, | |
885 | + }, | |
886 | + { | |
887 | .label = "client NTLMv2 auth", | |
888 | .type = P_BOOL, | |
889 | .p_class = P_GLOBAL, | |
890 | -- | |
891 | 2.8.1 | |
892 | ||
893 | ||
894 | From 094fb71d1dda38894be501674c7ec3e4ec03078e Mon Sep 17 00:00:00 2001 | |
895 | From: Stefan Metzmacher <metze@samba.org> | |
896 | Date: Tue, 1 Mar 2016 10:25:54 +0100 | |
897 | Subject: [PATCH 12/15] CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" | |
898 | checks | |
899 | MIME-Version: 1.0 | |
900 | Content-Type: text/plain; charset=UTF-8 | |
901 | Content-Transfer-Encoding: 8bit | |
902 | ||
903 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
904 | ||
905 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
906 | Reviewed-by: Günther Deschner <gd@samba.org> | |
907 | --- | |
908 | source3/auth/auth_util.c | 14 ++++++++++++++ | |
909 | 1 file changed, 14 insertions(+) | |
910 | ||
911 | diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c | |
912 | index 288f461..98bbbef 100644 | |
913 | --- a/source3/auth/auth_util.c | |
914 | +++ b/source3/auth/auth_util.c | |
915 | @@ -30,6 +30,7 @@ | |
916 | #include "../lib/util/util_pw.h" | |
917 | #include "lib/winbind_util.h" | |
918 | #include "passdb.h" | |
919 | +#include "../lib/tsocket/tsocket.h" | |
920 | ||
921 | #undef DBGC_CLASS | |
922 | #define DBGC_CLASS DBGC_AUTH | |
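Review bot: The added `#include "../lib/tsocket/tsocket.h"` is not referenced by anything in the visible hunks of this patch; nothing in the new raw-NTLMv2 check below uses a tsocket API. If the include is only needed by a later change it should travel with that change; if it is needed here for something outside the hunk, a short comment such as `/* tsocket.h: needed for remote-address helpers elsewhere in this file */` would explain the dependency (hedged — I cannot see the rest of the file).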
923 | @@ -367,6 +368,19 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, | |
924 | const char *client_domain, | |
925 | DATA_BLOB lm_resp, DATA_BLOB nt_resp) | |
926 | { | |
927 | + bool allow_raw = lp_raw_ntlmv2_auth(); | |
928 | + | |
929 | + if (!allow_raw && nt_resp.length >= 48) { | |
930 | + /* | |
931 | + * NTLMv2_RESPONSE has at least 48 bytes | |
932 | + * and should only be supported via NTLMSSP. | |
933 | + */ | |
934 | + DEBUG(2,("Rejecting raw NTLMv2 authentication with " | |
935 | + "user [%s\\%s]\n", | |
936 | + client_domain, smb_name)); | |
937 | + return NT_STATUS_INVALID_PARAMETER; | |
938 | + } | |
939 | + | |
940 | return make_user_info_map(user_info, smb_name, | |
941 | client_domain, | |
942 | get_remote_machine_name(), | |
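Review bot: The threshold `nt_resp.length >= 48` is a magic number standing for the minimum NTLMv2_RESPONSE size; naming it, e.g. `#define NTLMV2_RESPONSE_MIN_LEN 48` (or an enum constant) and writing `if (!allow_raw && nt_resp.length >= NTLMV2_RESPONSE_MIN_LEN) {`, ties the check to the wire format it guards and makes the block comment redundant with the code rather than the only place the number is explained. The comment should also say what still passes — a 24-byte NTLM (v1) response is not affected by this check, which is presumably intended since "lanman auth"/"ntlm auth" govern those separately. The rejection returns NT_STATUS_INVALID_PARAMETER, which a client may read as a malformed request rather than a policy refusal; if that choice is deliberate a one-line comment would help the next reader. make_user_info_for_reply_enc continues outside the hunk.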
943 | -- | |
944 | 2.8.1 | |
945 | ||
946 | ||
947 | From a2ef1fb0cf0b83a2799b95795d31b8fb03da11bb Mon Sep 17 00:00:00 2001 | |
948 | From: Stefan Metzmacher <metze@samba.org> | |
949 | Date: Sat, 26 Mar 2016 22:08:38 +0100 | |
950 | Subject: [PATCH 13/15] CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = | |
951 | yes" for s3dc | |
952 | ||
953 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
954 | ||
955 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
956 | Reviewed-by: Alexander Bokovoy <ab@samba.org> | |
957 | --- | |
958 | selftest/target/Samba3.pm | 1 + | |
959 | 1 file changed, 1 insertion(+) | |
960 | ||
961 | diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm | |
962 | index 01a1c47..ee3696e 100644 | |
963 | --- a/selftest/target/Samba3.pm | |
964 | +++ b/selftest/target/Samba3.pm | |
965 | @@ -127,6 +127,7 @@ sub setup_dc($$) | |
966 | domain master = yes | |
967 | domain logons = yes | |
968 | lanman auth = yes | |
969 | + raw NTLMv2 auth = yes | |
970 | "; | |
971 | ||
972 | my $vars = $self->provision($path, | |
973 | -- | |
974 | 2.8.1 | |
975 | ||
976 | ||
977 | From 74da0e00f3b817dd20d6429f7ba7748f66b9b6a4 Mon Sep 17 00:00:00 2001 | |
978 | From: Stefan Metzmacher <metze@samba.org> | |
979 | Date: Tue, 15 Mar 2016 21:59:42 +0100 | |
980 | Subject: [PATCH 14/15] CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 | |
981 | auth" to "no" | |
982 | ||
983 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
984 | ||
985 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
986 | Reviewed-by: Alexander Bokovoy <ab@samba.org> | |
987 | --- | |
988 | docs-xml/smbdotconf/security/rawntlmv2auth.xml | 7 +++---- | |
989 | source3/param/loadparm.c | 2 +- | |
990 | 2 files changed, 4 insertions(+), 5 deletions(-) | |
991 | ||
992 | diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml | |
993 | index ef26297..30e7280 100644 | |
994 | --- a/docs-xml/smbdotconf/security/rawntlmv2auth.xml | |
995 | +++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml | |
996 | @@ -11,10 +11,9 @@ | |
997 | and <command moreinfo="none">ntlm auth</command> are all disabled, | |
998 | then only clients with SPNEGO support will be permitted. | |
999 | That means NTLMv2 is only supported within NTLMSSP.</para> | |
1000 | - | |
1001 | - <para>Note that the default will change to "no" with Samba 4.5.</para> | |
1002 | </description> | |
1003 | ||
1004 | -<value type="default">yes</value> | |
1005 | -<value type="example">no</value> | |
1006 | +<related>lanman auth</related> | |
1007 | +<related>ntlm auth</related> | |
1008 | +<value type="default">no</value> | |
1009 | </samba:parameter> | |
1010 | diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c | |
1011 | index f806788..7065cf6 100644 | |
1012 | --- a/source3/param/loadparm.c | |
1013 | +++ b/source3/param/loadparm.c | |
1014 | @@ -5347,7 +5347,7 @@ static void init_globals(bool reinit_globals) | |
1015 | Globals.bClientPlaintextAuth = False; /* Do NOT use a plaintext password even if is requested by the server */ | |
1016 | Globals.bLanmanAuth = False; /* Do NOT use the LanMan hash, even if it is supplied */ | |
1017 | Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */ | |
1018 | - Globals.bRawNTLMv2Auth = true; /* Allow NTLMv2 without NTLMSSP */ | |
1019 | + Globals.bRawNTLMv2Auth = false; /* Allow NTLMv2 without NTLMSSP */ | |
1020 | Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ | |
1021 | /* Note, that we will also use NTLM2 session security (which is different), if it is available */ | |
1022 | ||
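Review bot: The comment on the changed line now contradicts the value: `Globals.bRawNTLMv2Auth = false; /* Allow NTLMv2 without NTLMSSP */` switches the option off but still reads as though raw NTLMv2 is allowed. Suggest `Globals.bRawNTLMv2Auth = false; /* Do NOT allow NTLMv2 outside NTLMSSP (SPNEGO) unless explicitly enabled */`, which matches the "Do NOT ..." wording of the neighbouring bClientPlaintextAuth and bLanmanAuth comments. init_globals continues outside the hunk.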
1023 | -- | |
1024 | 2.8.1 | |
1025 | ||
1026 | ||
1027 | From 44530ad870745f8d649aff9cc18480aaeeccf01a Mon Sep 17 00:00:00 2001 | |
1028 | From: Andreas Schneider <asn@samba.org> | |
1029 | Date: Mon, 4 Apr 2016 16:44:39 +0200 | |
1030 | Subject: [PATCH 15/15] CVE-2016-2111: s3:selftest: Disable client ntlmv2 auth | |
1031 | for secserver | |
1032 | ||
1033 | The client connects with NTLMv1 to the secserver (server with | |
1034 | security = share). So the secserver must be allowed to connect with | |
1035 | NTLMv1 to the password server to verify the user, or it will fail. | |
1036 | ||
1037 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 | |
1038 | ||
1039 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
1040 | --- | |
1041 | selftest/target/Samba3.pm | 1 + | |
1042 | 1 file changed, 1 insertion(+) | |
1043 | ||
1044 | diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm | |
1045 | index ee3696e..7326b22 100644 | |
1046 | --- a/selftest/target/Samba3.pm | |
1047 | +++ b/selftest/target/Samba3.pm | |
1048 | @@ -231,6 +231,7 @@ sub setup_secserver($$$) | |
1049 | my $secserver_options = " | |
1050 | security = server | |
1051 | password server = $s3dcvars->{SERVER_IP} | |
1052 | + client ntlmv2 auth = no | |
1053 | "; | |
1054 | ||
1055 | my $ret = $self->provision($prefix, | |
1056 | -- | |
1057 | 2.8.1 | |