1 From ee105156fa151ebfd34b8febc2928e144b3b7b0e Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3 Date: Sat, 26 Sep 2015 01:29:10 +0200
4 Subject: [PATCH 01/15] CVE-2016-2111: s3:rpc_server/netlogon: always go
5 through netr_creds_server_step_check()
6
7 This ensures we apply the "server schannel = yes" restrictions.
8
9 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
10
11 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
12
13 Signed-off-by: Guenther Deschner <gd@samba.org>
14 Signed-off-by: Stefan Metzmacher <metze@samba.org>
15 ---
16 source3/rpc_server/netlogon/srv_netlog_nt.c | 24 ++++++++++++++----------
17 1 file changed, 14 insertions(+), 10 deletions(-)
18
19 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
20 index 4734bfe..54b8c5c 100644
21 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
22 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
23 @@ -2271,11 +2271,13 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
24
25 /* TODO: check server name */
26
27 - status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
28 - r->in.computer_name,
29 - r->in.credential,
30 - r->out.return_authenticator,
31 - &creds);
32 + become_root();
33 + status = netr_creds_server_step_check(p, p->mem_ctx,
34 + r->in.computer_name,
35 + r->in.credential,
36 + r->out.return_authenticator,
37 + &creds);
38 + unbecome_root();
39 if (!NT_STATUS_IS_OK(status)) {
40 return status;
41 }
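Review bot: The become_root()/unbecome_root() bracket added around netr_creds_server_step_check() carries no comment saying why the call needs elevated privileges, and the identical unexplained bracket is repeated in the _netr_ServerGetTrustInfo hunk below. A one-line comment naming the resource that requires root (presumably the schannel credential store under the lp_private_dir() path that the removed schannel_check_creds_state() call took explicitly — confirm) would spare the next reader the lookup, e.g. `/* root is needed to access the schannel credential store */`. Since the two call sites are now textually identical, a small static helper taking `p`, the request fields and `&creds` would keep them from drifting apart. Both enclosing functions start outside their hunks.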
42 @@ -2371,11 +2373,13 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
43
44 /* TODO: check server name */
45
46 - status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
47 - r->in.computer_name,
48 - r->in.credential,
49 - r->out.return_authenticator,
50 - &creds);
51 + become_root();
52 + status = netr_creds_server_step_check(p, p->mem_ctx,
53 + r->in.computer_name,
54 + r->in.credential,
55 + r->out.return_authenticator,
56 + &creds);
57 + unbecome_root();
58 if (!NT_STATUS_IS_OK(status)) {
59 return status;
60 }
61 --
62 2.8.1
63
64
65 From f93668be5dffea9b67c5ec2d49ebf7495b74c7fc Mon Sep 17 00:00:00 2001
66 From: Stefan Metzmacher <metze@samba.org>
67 Date: Fri, 7 Aug 2015 13:33:17 +0200
68 Subject: [PATCH 02/15] CVE-2016-2111: s3:rpc_server/netlogon: require
69 DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
70 MIME-Version: 1.0
71 Content-Type: text/plain; charset=UTF-8
72 Content-Transfer-Encoding: 8bit
73
74 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
75
76 Signed-off-by: Stefan Metzmacher <metze@samba.org>
77 Reviewed-by: Günther Deschner <gd@samba.org>
78 ---
79 source3/rpc_server/netlogon/srv_netlog_nt.c | 8 ++++++++
80 1 file changed, 8 insertions(+)
81
82 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
83 index 54b8c5c..30e1bc0 100644
84 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
85 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
86 @@ -1636,6 +1636,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
87 r->out.validation->sam3);
88 break;
89 case 6:
90 + /* Only allow this if the pipe is protected. */
91 + if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
92 + DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
93 + get_remote_machine_name()));
94 + status = NT_STATUS_INVALID_PARAMETER;
95 + break;
96 + }
97 +
98 status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
99 r->out.validation->sam6);
100 break;
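Review bot: The privacy check for validation level 6 sits inside the `case 6:` arm of the validation-conversion switch, so if, as the neighbouring sam3 conversion suggests, this switch runs after the credentials have already been validated, a full logon is performed before the request is rejected; checking `p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY` once near the top of _netr_LogonSamLogon_base() (which starts outside the hunk) would fail fast and avoid the wasted work. The rejection is logged at level 0, which is reasonable for a policy violation, but the comment could say why privacy is required here, e.g. `/* validation level 6 carries session keys; require a sealed pipe */` — hedge that wording against what serverinfo_to_SamInfo6() actually emits, which is outside the hunk.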
101 --
102 2.8.1
103
104
105 From 70f12940ef563f83310d5c82cf0a3fc5876d98ac Mon Sep 17 00:00:00 2001
106 From: Stefan Metzmacher <metze@samba.org>
107 Date: Sat, 12 Dec 2015 22:23:18 +0100
108 Subject: [PATCH 03/15] CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon
109 ntlmv2 test
110 MIME-Version: 1.0
111 Content-Type: text/plain; charset=UTF-8
112 Content-Transfer-Encoding: 8bit
113
114 The computer name of the NTLMv2 blob needs to match
115 the schannel connection.
116
117 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
118
119 Signed-off-by: Stefan Metzmacher <metze@samba.org>
120 Reviewed-by: Günther Deschner <gd@samba.org>
121 ---
122 source4/torture/rpc/samba3rpc.c | 4 ++--
123 1 file changed, 2 insertions(+), 2 deletions(-)
124
125 diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
126 index 26bed19..d39cf55 100644
127 --- a/source4/torture/rpc/samba3rpc.c
128 +++ b/source4/torture/rpc/samba3rpc.c
129 @@ -1122,8 +1122,8 @@ static bool schan(struct torture_context *tctx,
130 generate_random_buffer(chal.data, chal.length);
131 names_blob = NTLMv2_generate_names_blob(
132 mem_ctx,
133 - cli_credentials_get_workstation(user_creds),
134 - cli_credentials_get_domain(user_creds));
135 + cli_credentials_get_workstation(wks_creds),
136 + cli_credentials_get_domain(wks_creds));
137 status = cli_credentials_get_ntlm_response(
138 user_creds, mem_ctx, &flags, chal, names_blob,
139 &lm_resp, &nt_resp, NULL, NULL);
140 --
141 2.8.1
142
143
144 From d8e061a1bcbb88ab6ba0f0dffbcac16a5e1db4f9 Mon Sep 17 00:00:00 2001
145 From: Stefan Metzmacher <metze@samba.org>
146 Date: Tue, 23 Feb 2016 19:08:31 +0100
147 Subject: [PATCH 04/15] CVE-2016-2111: libcli/auth: add
148 NTLMv2_RESPONSE_verify_netlogon_creds() helper function
149 MIME-Version: 1.0
150 Content-Type: text/plain; charset=UTF-8
151 Content-Transfer-Encoding: 8bit
152
153 This is the function that prevents spoofing like
154 Microsoft's CVE-2015-0005.
155
156 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
157
158 Signed-off-by: Stefan Metzmacher <metze@samba.org>
159 Reviewed-by: Günther Deschner <gd@samba.org>
160 ---
161 libcli/auth/proto.h | 5 ++
162 libcli/auth/smbencrypt.c | 142 +++++++++++++++++++++++++++++++++++++++++++++-
163 libcli/auth/wscript_build | 2 +-
164 source3/Makefile.in | 27 +++++----
165 4 files changed, 163 insertions(+), 13 deletions(-)
166
167 diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
168 index 11b720df..558a6eb 100644
169 --- a/libcli/auth/proto.h
170 +++ b/libcli/auth/proto.h
171 @@ -139,6 +139,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
172 const DATA_BLOB *names_blob,
173 DATA_BLOB *lm_response, DATA_BLOB *nt_response,
174 DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
175 +NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
176 + const char *account_domain,
177 + const DATA_BLOB response,
178 + const struct netlogon_creds_CredentialState *creds,
179 + const char *workgroup);
180
181 /***********************************************************
182 encode a password buffer with a unicode password. The buffer
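Review bot: The new NTLMv2_RESPONSE_verify_netlogon_creds() prototype is added without a comment describing its contract, and since this is the check the whole series relies on, a short block comment above it stating that it returns NT_STATUS_OK for blobs that do not look like an NTLMv2_RESPONSE and NT_STATUS_LOGON_FAILURE when the embedded NetBIOS computer or domain name does not match `creds`/`workgroup` for SEC_CHAN_WKSTA would help callers. `response` is passed by value as a `const DATA_BLOB`, while the neighbouring SMBNTLMv2encrypt() declaration in this hunk takes `const DATA_BLOB *`; consider the pointer form for consistency with the header.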
183 diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
184 index 8fe606e..7c3142c 100644
185 --- a/libcli/auth/smbencrypt.c
186 +++ b/libcli/auth/smbencrypt.c
187 @@ -26,7 +26,7 @@
188 #include "../libcli/auth/msrpc_parse.h"
189 #include "../lib/crypto/crypto.h"
190 #include "../libcli/auth/libcli_auth.h"
191 -#include "../librpc/gen_ndr/ntlmssp.h"
192 +#include "../librpc/gen_ndr/ndr_ntlmssp.h"
193
194 void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
195 {
196 @@ -522,6 +522,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
197 lm_response, nt_response, lm_session_key, user_session_key);
198 }
199
200 +NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
201 + const char *account_domain,
202 + const DATA_BLOB response,
203 + const struct netlogon_creds_CredentialState *creds,
204 + const char *workgroup)
205 +{
206 + TALLOC_CTX *frame = NULL;
207 + /* RespType + HiRespType */
208 + static const char *magic = "\x01\x01";
209 + int cmp;
210 + struct NTLMv2_RESPONSE v2_resp;
211 + enum ndr_err_code err;
212 + const struct AV_PAIR *av_nb_cn = NULL;
213 + const struct AV_PAIR *av_nb_dn = NULL;
214 +
215 + if (response.length < 48) {
216 + /*
217 + * NTLMv2_RESPONSE has at least 48 bytes.
218 + */
219 + return NT_STATUS_OK;
220 + }
221 +
222 + cmp = memcmp(response.data + 16, magic, 2);
223 + if (cmp != 0) {
224 + /*
225 + * It doesn't look like a valid NTLMv2_RESPONSE
226 + */
227 + return NT_STATUS_OK;
228 + }
229 +
230 + frame = talloc_stackframe();
231 +
232 + err = ndr_pull_struct_blob(&response, frame, &v2_resp,
233 + (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
234 + if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
235 + NTSTATUS status;
236 + status = ndr_map_error2ntstatus(err);
237 + DEBUG(2,("Failed to parse NTLMv2_RESPONSE "
238 + "length %u - %s - %s\n",
239 + (unsigned)response.length,
240 + ndr_map_error2string(err),
241 + nt_errstr(status)));
242 + dump_data(2, response.data, response.length);
243 + TALLOC_FREE(frame);
244 + return status;
245 + }
246 +
247 + if (DEBUGLVL(10)) {
248 + NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
249 + }
250 +
251 + /*
252 + * Make sure the netbios computer name in the
253 + * NTLMv2_RESPONSE matches the computer name
254 + * in the secure channel credentials for workstation
255 + * trusts.
256 + *
257 + * And the netbios domain name matches our
258 + * workgroup.
259 + *
260 + * This prevents workstations from requesting
261 + * the session key of NTLMSSP sessions of clients
262 + * to other hosts.
263 + */
264 + if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
265 + av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
266 + MsvAvNbComputerName);
267 + av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
268 + MsvAvNbDomainName);
269 + }
270 +
271 + if (av_nb_cn != NULL) {
272 + const char *v = NULL;
273 + char *a = NULL;
274 + size_t len;
275 +
276 + v = av_nb_cn->Value.AvNbComputerName;
277 +
278 + a = talloc_strdup(frame, creds->account_name);
279 + if (a == NULL) {
280 + TALLOC_FREE(frame);
281 + return NT_STATUS_NO_MEMORY;
282 + }
283 + len = strlen(a);
284 + if (len > 0 && a[len - 1] == '$') {
285 + a[len - 1] = '\0';
286 + }
287 +
288 +#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
289 + cmp = strcasecmp_m(a, v);
290 +#else /* smbd */
291 + cmp = StrCaseCmp(a, v);
292 +#endif
293 + if (cmp != 0) {
294 + DEBUG(2,("%s: NTLMv2_RESPONSE with "
295 + "NbComputerName[%s] rejected "
296 + "for user[%s\\%s] "
297 + "against SEC_CHAN_WKSTA[%s/%s] "
298 + "in workgroup[%s]\n",
299 + __func__, v,
300 + account_domain,
301 + account_name,
302 + creds->computer_name,
303 + creds->account_name,
304 + workgroup));
305 + TALLOC_FREE(frame);
306 + return NT_STATUS_LOGON_FAILURE;
307 + }
308 + }
309 + if (av_nb_dn != NULL) {
310 + const char *v = NULL;
311 +
312 + v = av_nb_dn->Value.AvNbDomainName;
313 +
314 +#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
315 + cmp = strcasecmp_m(workgroup, v);
316 +#else /* smbd */
317 + cmp = StrCaseCmp(workgroup, v);
318 +#endif
319 + if (cmp != 0) {
320 + DEBUG(2,("%s: NTLMv2_RESPONSE with "
321 + "NbDomainName[%s] rejected "
322 + "for user[%s\\%s] "
323 + "against SEC_CHAN_WKSTA[%s/%s] "
324 + "in workgroup[%s]\n",
325 + __func__, v,
326 + account_domain,
327 + account_name,
328 + creds->computer_name,
329 + creds->account_name,
330 + workgroup));
331 + TALLOC_FREE(frame);
332 + return NT_STATUS_LOGON_FAILURE;
333 + }
334 + }
335 +
336 + TALLOC_FREE(frame);
337 + return NT_STATUS_OK;
338 +}
339 +
340 /***********************************************************
341 encode a password buffer with a unicode password. The buffer
342 is filled with random data to make it harder to attack.
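Review bot: For a SEC_CHAN_WKSTA connection the NetBIOS name comparisons run only when the corresponding AV_PAIR is present (`av_nb_cn`/`av_nb_dn` stay NULL otherwise), so a parsable NTLMv2_RESPONSE that carries no MsvAvNbComputerName or MsvAvNbDomainName pair passes without any check and without a log line; if that is intentional because some clients omit the pairs, a comment to that effect next to the `if (creds->secure_channel_type == SEC_CHAN_WKSTA)` block would record the decision, otherwise a DEBUG(2, ...) for the missing-pair case would at least make it visible. The two rejection branches duplicate the same seven-line DEBUG format and differ only in the AV name and the compared value; folding them into one static helper would keep the messages in sync. `dump_data(2, response.data, response.length)` on parse failure writes the full client response, which presumably includes the client's proof value, to the log at level 2 — confirm that level is acceptable for that material.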
343 diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
344 index 0f0e22b..dce6c80 100644
345 --- a/libcli/auth/wscript_build
346 +++ b/libcli/auth/wscript_build
347 @@ -19,7 +19,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE',
348
349 bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
350 source='credentials.c session.c smbencrypt.c smbdes.c',
351 - public_deps='MSRPC_PARSE',
352 + public_deps='MSRPC_PARSE NDR_NTLMSSP',
353 public_headers='credentials.h:domain_credentials.h'
354 )
355
356 diff --git a/source3/Makefile.in b/source3/Makefile.in
357 index 2668a6b..d562d17 100644
358 --- a/source3/Makefile.in
359 +++ b/source3/Makefile.in
360 @@ -783,6 +783,7 @@ GROUPDB_OBJ = groupdb/mapping.o groupdb/mapping_tdb.o
361 PROFILE_OBJ = profile/profile.o
362 PROFILES_OBJ = utils/profiles.o \
363 $(LIBSMB_ERR_OBJ) \
364 + $(LIBNDR_NTLMSSP_OBJ) \
365 $(PARAM_OBJ) \
366 $(LIB_OBJ) $(LIB_DUMMY_OBJ) \
367 $(POPT_LIB_OBJ) \
368 @@ -995,10 +996,10 @@ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(PRINTING_OBJ) $(PRINTBASE_OBJ) $(LIBSMB_O
369 STATUS_OBJ = utils/status.o utils/status_profile.o \
370 $(LOCKING_OBJ) $(PARAM_OBJ) \
371 $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
372 - $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
373 + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
374
375 SMBCONTROL_OBJ = utils/smbcontrol.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
376 - $(LIBSMB_ERR_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
377 + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
378
379 SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
380 $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_OBJ) \
381 @@ -1012,11 +1013,11 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
382
383 TESTPARM_OBJ = utils/testparm.o \
384 $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
385 - $(LIBSMB_ERR_OBJ)
386 + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
387
388 SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \
389 $(LIB_NONSMBD_OBJ) \
390 - $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
391 + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
392
393 TEST_LP_LOAD_OBJ = param/test_lp_load.o \
394 $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
395 @@ -1146,6 +1147,7 @@ SMBCONFTORT_OBJ = $(SMBCONFTORT_OBJ0) \
396 $(LIB_NONSMBD_OBJ) \
397 $(PARAM_OBJ) \
398 $(LIBSMB_ERR_OBJ) \
399 + $(LIBNDR_NTLMSSP_OBJ) \
400 $(POPT_LIB_OBJ)
401
402 PTHREADPOOLTEST_OBJ = lib/pthreadpool/pthreadpool.o \
403 @@ -1229,7 +1231,7 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
404 $(LIBNDR_GEN_OBJ0)
405
406 NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
407 - $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
408 + $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
409
410 SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
411 torture/denytest.o torture/mangle_test.o \
412 @@ -1253,6 +1255,7 @@ MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
413 $(LIBNDR_GEN_OBJ0)
414
415 MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_ERR_OBJ) \
416 + $(LIBNDR_NTLMSSP_OBJ) \
417 $(LIB_NONSMBD_OBJ) \
418 $(LIBNDR_GEN_OBJ0)
419
420 @@ -1269,7 +1272,7 @@ PDBTEST_OBJ = torture/pdbtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
421
422 VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) $(READLINE_OBJ)
423
424 -SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
425 +SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
426
427 LOG2PCAP_OBJ = utils/log2pcaphex.o
428
429 @@ -1297,17 +1300,17 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
430 EVTLOGADM_OBJ0 = utils/eventlogadm.o
431
432 EVTLOGADM_OBJ = $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
433 - $(LIBSMB_ERR_OBJ) $(LIB_EVENTLOG_OBJ) \
434 + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIB_EVENTLOG_OBJ) \
435 librpc/gen_ndr/ndr_eventlog.o \
436 librpc/gen_ndr/ndr_lsa.o
437
438 SHARESEC_OBJ0 = utils/sharesec.o
439 SHARESEC_OBJ = $(SHARESEC_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
440 - $(LIBSMB_ERR_OBJ) \
441 + $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) \
442 $(POPT_LIB_OBJ)
443
444 TALLOCTORT_OBJ = @tallocdir@/testsuite.o @tallocdir@/testsuite_main.o \
445 - $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ)
446 + $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
447
448 REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \
449 @libreplacedir@/test/getifaddrs.o \
450 @@ -1323,7 +1326,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
451 $(LIBNDR_GEN_OBJ0)
452
453 WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \
454 - $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNMB_OBJ)
455 + $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIBNMB_OBJ)
456
457 PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
458 pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o
459 @@ -1531,12 +1534,14 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.o \
460 DBWRAP_TOOL_OBJ = utils/dbwrap_tool.o \
461 $(PARAM_OBJ) \
462 $(LIB_NONSMBD_OBJ) \
463 - $(LIBSMB_ERR_OBJ)
464 + $(LIBSMB_ERR_OBJ) \
465 + $(LIBNDR_NTLMSSP_OBJ)
466
467 DBWRAP_TORTURE_OBJ = utils/dbwrap_torture.o \
468 $(PARAM_OBJ) \
469 $(LIB_NONSMBD_OBJ) \
470 $(LIBSMB_ERR_OBJ) \
471 + $(LIBNDR_NTLMSSP_OBJ) \
472 $(POPT_LIB_OBJ)
473
474 SPLIT_TOKENS_OBJ = utils/split_tokens.o \
475 --
476 2.8.1
477
478
479 From d49e3329a639a570db8e99a13796713fb5a23616 Mon Sep 17 00:00:00 2001
480 From: Stefan Metzmacher <metze@samba.org>
481 Date: Wed, 9 Dec 2015 13:12:43 +0100
482 Subject: [PATCH 05/15] CVE-2016-2111: s3:rpc_server/netlogon: check
483 NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
484 MIME-Version: 1.0
485 Content-Type: text/plain; charset=UTF-8
486 Content-Transfer-Encoding: 8bit
487
488 This prevents spoofing like Microsoft's CVE-2015-0005.
489
490 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
491
492 Signed-off-by: Stefan Metzmacher <metze@samba.org>
493 Reviewed-by: Günther Deschner <gd@samba.org>
494 ---
495 source3/rpc_server/netlogon/srv_netlog_nt.c | 9 +++++++++
496 1 file changed, 9 insertions(+)
497
498 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
499 index 30e1bc0..a630b47 100644
500 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
501 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
502 @@ -1508,6 +1508,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
503 case NetlogonNetworkTransitiveInformation:
504 {
505 const char *wksname = nt_workstation;
506 + const char *workgroup = lp_workgroup();
507
508 status = make_auth_context_fixed(talloc_tos(), &auth_context,
509 logon->network->challenge);
510 @@ -1532,6 +1533,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
511 logon->network->nt.length)) {
512 status = NT_STATUS_NO_MEMORY;
513 }
514 +
515 + if (NT_STATUS_IS_OK(status)) {
516 + status = NTLMv2_RESPONSE_verify_netlogon_creds(
517 + user_info->client.account_name,
518 + user_info->client.domain_name,
519 + user_info->password.response.nt,
520 + creds, workgroup);
521 + }
522 break;
523 }
524 case NetlogonInteractiveInformation:
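Review bot: The new NTLMv2_RESPONSE_verify_netlogon_creds() call has no comment explaining what it guards against; the commit message is the only place stating that it blocks CVE-2015-0005-style spoofing, so a comment above the `if (NT_STATUS_IS_OK(status))` block such as `/* Reject NTLMv2 responses whose NetBIOS names don't match this workstation's schannel creds (cf. CVE-2015-0005) */` would carry that into the code. Only the NT response is verified here; if the LM counterpart is deliberately skipped because an LMv2 response carries no AV pairs, a short comment saying so would pre-empt the question. `creds` and `user_info` come from outside the hunk, and the enclosing _netr_LogonSamLogon_base() starts outside it.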
525 --
526 2.8.1
527
528
529 From bded435d42be34099d28db69258b1b5ef95ced48 Mon Sep 17 00:00:00 2001
530 From: Stefan Metzmacher <metze@samba.org>
531 Date: Sat, 26 Mar 2016 22:24:23 +0100
532 Subject: [PATCH 06/15] CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos
533 connection in raw.samba3badpath
534
535 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
536
537 Signed-off-by: Stefan Metzmacher <metze@samba.org>
538 Reviewed-by: Alexander Bokovoy <ab@samba.org>
539 ---
540 source4/torture/raw/samba3misc.c | 20 ++++++++++++--------
541 1 file changed, 12 insertions(+), 8 deletions(-)
542
543 diff --git a/source4/torture/raw/samba3misc.c b/source4/torture/raw/samba3misc.c
544 index a603111..b99d40f 100644
545 --- a/source4/torture/raw/samba3misc.c
546 +++ b/source4/torture/raw/samba3misc.c
547 @@ -340,6 +340,7 @@ bool torture_samba3_badpath(struct torture_context *torture)
548 bool ret = true;
549 TALLOC_CTX *mem_ctx;
550 bool nt_status_support;
551 + bool client_ntlmv2_auth;
552
553 if (!(mem_ctx = talloc_init("torture_samba3_badpath"))) {
554 d_printf("talloc_init failed\n");
555 @@ -347,20 +348,17 @@ bool torture_samba3_badpath(struct torture_context *torture)
556 }
557
558 nt_status_support = lpcfg_nt_status_support(torture->lp_ctx);
559 + client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(torture->lp_ctx);
560
561 - if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes")) {
562 - printf("Could not set 'nt status support = yes'\n");
563 - goto fail;
564 - }
565 + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes"), ret, fail, "Could not set 'nt status support = yes'\n");
566 + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "yes"), ret, fail, "Could not set 'client ntlmv2 auth = yes'\n");
567
568 if (!torture_open_connection(&cli_nt, torture, 0)) {
569 goto fail;
570 }
571
572 - if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no")) {
573 - printf("Could not set 'nt status support = yes'\n");
574 - goto fail;
575 - }
576 + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no"), ret, fail, "Could not set 'nt status support = no'\n");
577 + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "no"), ret, fail, "Could not set 'client ntlmv2 auth = no'\n");
578
579 if (!torture_open_connection(&cli_dos, torture, 1)) {
580 goto fail;
581 @@ -373,6 +371,12 @@ bool torture_samba3_badpath(struct torture_context *torture)
582 }
583
584 smbcli_deltree(cli_nt->tree, dirname);
585 + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support",
586 + nt_status_support ? "yes":"no"),
587 + ret, fail, "Could not set 'nt status support' back to where it was\n");
588 + torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth",
589 + client_ntlmv2_auth ? "yes":"no"),
590 + ret, fail, "Could not set 'client ntlmv2 auth' back to where it was\n");
591
592 status = smbcli_mkdir(cli_nt->tree, dirname);
593 if (!NT_STATUS_IS_OK(status)) {
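Review bot: The restore of 'nt status support' and 'client ntlmv2 auth' is placed after smbcli_deltree() on the success path only, so any torture_assert_goto() or torture_open_connection() failure between the overrides in the previous hunk and this point jumps to `fail` with 'client ntlmv2 auth = no' still set in the shared lp_ctx; unless the `fail` label (outside the hunk) restores both options, later tests in the same run would inherit that setting. Moving the two restore asserts to run right after the second torture_open_connection(), or repeating them under `fail`, would close that window. In the previous hunk the new torture_assert_goto() calls are single lines well over 150 columns; wrapping them the way the restore calls here are wrapped would keep the file readable.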
594 --
595 2.8.1
596
597
598 From 12c908158213b1b82aca5c4485961da89299b6cf Mon Sep 17 00:00:00 2001
599 From: Stefan Metzmacher <metze@samba.org>
600 Date: Sat, 26 Mar 2016 22:24:23 +0100
601 Subject: [PATCH 07/15] CVE-2016-2111: s4:torture/base: don't use ntlmv2 for
602 dos connection in base.samba3error
603
604 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
605
606 Signed-off-by: Stefan Metzmacher <metze@samba.org>
607 Reviewed-by: Alexander Bokovoy <ab@samba.org>
608 ---
609 source4/torture/basic/base.c | 19 +++++++++++++++++--
610 1 file changed, 17 insertions(+), 2 deletions(-)
611
612 diff --git a/source4/torture/basic/base.c b/source4/torture/basic/base.c
613 index d7bac45..7f74bb9 100644
614 --- a/source4/torture/basic/base.c
615 +++ b/source4/torture/basic/base.c
616 @@ -1476,6 +1476,7 @@ static bool torture_chkpath_test(struct torture_context *tctx,
617 static bool torture_samba3_errorpaths(struct torture_context *tctx)
618 {
619 bool nt_status_support;
620 + bool client_ntlmv2_auth;
621 struct smbcli_state *cli_nt = NULL, *cli_dos = NULL;
622 bool result = false;
623 int fnum;
624 @@ -1485,18 +1486,27 @@ static bool torture_samba3_errorpaths(struct torture_context *tctx)
625 NTSTATUS status;
626
627 nt_status_support = lpcfg_nt_status_support(tctx->lp_ctx);
628 + client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(tctx->lp_ctx);
629
630 if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "yes")) {
631 torture_comment(tctx, "Could not set 'nt status support = yes'\n");
632 goto fail;
633 }
634 + if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "yes")) {
635 + torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = yes'\n");
636 + goto fail;
637 + }
638
639 if (!torture_open_connection(&cli_nt, tctx, 0)) {
640 goto fail;
641 }
642
643 if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "no")) {
644 - torture_comment(tctx, "Could not set 'nt status support = yes'\n");
645 + torture_result(tctx, TORTURE_FAIL, "Could not set 'nt status support = no'\n");
646 + goto fail;
647 + }
648 + if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "no")) {
649 + torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = no'\n");
650 goto fail;
651 }
652
653 @@ -1506,7 +1516,12 @@ static bool torture_samba3_errorpaths(struct torture_context *tctx)
654
655 if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support",
656 nt_status_support ? "yes":"no")) {
657 - torture_comment(tctx, "Could not reset 'nt status support = yes'");
658 + torture_result(tctx, TORTURE_FAIL, "Could not reset 'nt status support'");
659 + goto fail;
660 + }
661 + if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth",
662 + client_ntlmv2_auth ? "yes":"no")) {
663 + torture_result(tctx, TORTURE_FAIL, "Could not reset 'client ntlmv2 auth'");
664 goto fail;
665 }
666
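Review bot: The two reset messages added here, `"Could not reset 'nt status support'"` and `"Could not reset 'client ntlmv2 auth'"`, lack the trailing `\n` that every other torture_result() string in this commit has, so they will run into the next line of output; add the newline to both. In the previous hunk the existing 'nt status support = yes' failure still uses torture_comment() while the three new branches use torture_result(tctx, TORTURE_FAIL, ...), which leaves the four branches inconsistent in how the failure is surfaced — switching that one too would make them uniform. As in the samba3misc.c change, the options are restored only on the success path, so a `goto fail` before this point leaves the overrides in lp_ctx unless `fail` (outside the hunk) resets them.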
667 --
668 2.8.1
669
670
671 From 0b659fd0d7b684244c9791e01cc1370c0696e3f7 Mon Sep 17 00:00:00 2001
672 From: Stefan Metzmacher <metze@samba.org>
673 Date: Sat, 26 Mar 2016 18:08:16 +0100
674 Subject: [PATCH 08/15] CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2
675 response when we want to use spnego
676
677 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
678
679 Signed-off-by: Stefan Metzmacher <metze@samba.org>
680 Reviewed-by: Alexander Bokovoy <ab@samba.org>
681 ---
682 source3/libsmb/cliconnect.c | 11 +++++++++++
683 1 file changed, 11 insertions(+)
684
685 diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
686 index 8653ba7..4c0abdf 100644
687 --- a/source3/libsmb/cliconnect.c
688 +++ b/source3/libsmb/cliconnect.c
689 @@ -2077,6 +2077,17 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
690 NTSTATUS status;
691
692 /* otherwise do a NT1 style session setup */
693 + if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
694 + /*
695 + * Don't send an NTLMv2 response without NTLMSSP
696 + * if we want to use spnego support
697 + */
698 + DEBUG(1, ("Server does not support EXTENDED_SECURITY "
699 + " but 'client use spnego = yes"
700 + " and 'client ntlmv2 auth = yes'\n"));
701 + return NT_STATUS_ACCESS_DENIED;
702 + }
703 +
704 status = cli_session_setup_nt1(cli, user, pass, passlen,
705 ntpass, ntpasslen, workgroup);
706 if (!NT_STATUS_IS_OK(status)) {
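Review bot: The DEBUG(1, ...) message is missing the closing quote of the first option name: `" but 'client use spnego = yes"` renders as `'client use spnego = yes and 'client ntlmv2 auth = yes'`; change it to `" but 'client use spnego = yes'"`. The leading space in that fragment also doubles the space left after `"EXTENDED_SECURITY "` on the previous line. Both options default to yes according to the docs hunks later in this series, so this branch changes behaviour for existing configurations against old servers; extending the comment to say that 'client ntlmv2 auth = no' or 'client use spnego = no' is the documented way to keep talking to such a server would help operators reading the log. The enclosing cli_session_setup() starts outside the hunk.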
707 --
708 2.8.1
709
710
711 From 5ed1b3a84a1e3d9707a788a89698aa28769a79be Mon Sep 17 00:00:00 2001
712 From: Stefan Metzmacher <metze@samba.org>
713 Date: Sun, 27 Mar 2016 01:09:05 +0100
714 Subject: [PATCH 09/15] CVE-2016-2111: docs-xml: document the new "client
715 NTLMv2 auth" and "client use spnego" interaction
716
717 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
718
719 Signed-off-by: Stefan Metzmacher <metze@samba.org>
720 Reviewed-by: Alexander Bokovoy <ab@samba.org>
721 ---
722 docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 +++++
723 docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 +++++
724 2 files changed, 10 insertions(+)
725
726 diff --git a/docs-xml/smbdotconf/protocol/clientusespnego.xml b/docs-xml/smbdotconf/protocol/clientusespnego.xml
727 index c688a65..e538745 100644
728 --- a/docs-xml/smbdotconf/protocol/clientusespnego.xml
729 +++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml
730 @@ -9,6 +9,11 @@
731 supporting servers (including WindowsXP, Windows2000 and Samba
732 3.0) to agree upon an authentication
733 mechanism. This enables Kerberos authentication in particular.</para>
734 +
735 + <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
736 + <constant>yes</constant> extended security (SPNEGO) is required
737 + in order to use NTLMv2 only within NTLMSSP. This behavior was
738 + introduced with the patches for CVE-2016-2111.</para>
739 </description>
740
741 <value type="default">yes</value>
742 diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
743 index b151df2..1b6d887 100644
744 --- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
745 +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
746 @@ -28,6 +28,11 @@
747 NTLMv2 by default, and some sites (particularly those following
748 'best practice' security polices) only allow NTLMv2 responses, and
749 not the weaker LM or NTLM.</para>
750 +
751 + <para>When <smbconfoption name="client use spnego"/> is also set to
752 + <constant>yes</constant> extended security (SPNEGO) is required
753 + in order to use NTLMv2 only within NTLMSSP. This behavior was
754 + introduced with the patches for CVE-2016-2111.</para>
755 </description>
756 <value type="default">yes</value>
757 </samba:parameter>
758 --
759 2.8.1
760
761
762 From 8ac4cd75a89732938b1e3161a884f9d5df68ffaf Mon Sep 17 00:00:00 2001
763 From: Stefan Metzmacher <metze@samba.org>
764 Date: Tue, 15 Mar 2016 21:02:34 +0100
765 Subject: [PATCH 10/15] CVE-2016-2111: docs-xml: add "raw NTLMv2 auth"
766 defaulting to "yes"
767 MIME-Version: 1.0
768 Content-Type: text/plain; charset=UTF-8
769 Content-Transfer-Encoding: 8bit
770
771 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
772
773 Signed-off-by: Stefan Metzmacher <metze@samba.org>
774 Reviewed-by: Günther Deschner <gd@samba.org>
775 ---
776 docs-xml/smbdotconf/security/rawntlmv2auth.xml | 20 ++++++++++++++++++++
777 source3/include/proto.h | 1 +
778 source3/param/loadparm.c | 3 +++
779 3 files changed, 24 insertions(+)
780 create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
781
782 diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
783 new file mode 100644
784 index 0000000..ef26297
785 --- /dev/null
786 +++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
787 @@ -0,0 +1,20 @@
788 +<samba:parameter name="raw NTLMv2 auth"
789 + context="G"
790 + type="boolean"
791 + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
792 +<description>
793 + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
794 + <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
795 + extended security (without SPNEGO) to use NTLMv2 authentication.</para>
796 +
797 + <para>If this option, <command moreinfo="none">lanman auth</command>
798 + and <command moreinfo="none">ntlm auth</command> are all disabled,
799 + then only clients with SPNEGO support will be permitted.
800 + That means NTLMv2 is only supported within NTLMSSP.</para>
801 +
802 + <para>Note that the default will change to "no" with Samba 4.5.</para>
803 +</description>
804 +
805 +<value type="default">yes</value>
806 +<value type="example">no</value>
807 +</samba:parameter>
808 diff --git a/source3/include/proto.h b/source3/include/proto.h
809 index 8491d54..32b4e3d 100644
810 --- a/source3/include/proto.h
811 +++ b/source3/include/proto.h
812 @@ -1489,6 +1489,7 @@ bool lp_map_untrusted_to_domain(void);
813 int lp_restrict_anonymous(void);
814 bool lp_lanman_auth(void);
815 bool lp_ntlm_auth(void);
816 +bool lp_raw_ntlmv2_auth(void);
817 bool lp_client_plaintext_auth(void);
818 bool lp_client_lanman_auth(void);
819 bool lp_client_ntlmv2_auth(void);
820 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
821 index 753252a..42ddcf5 100644
822 --- a/source3/param/loadparm.c
823 +++ b/source3/param/loadparm.c
824 @@ -336,6 +336,7 @@ struct global {
825 bool bAllowTrustedDomains;
826 bool bLanmanAuth;
827 bool bNTLMAuth;
828 + bool bRawNTLMv2Auth;
829 bool bUseSpnego;
830 bool bClientLanManAuth;
831 bool bClientNTLMv2Auth;
832 @@ -5337,6 +5338,7 @@ static void init_globals(bool reinit_globals)
833 Globals.bClientPlaintextAuth = False; /* Do NOT use a plaintext password even if is requested by the server */
834 Globals.bLanmanAuth = False; /* Do NOT use the LanMan hash, even if it is supplied */
835 Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
836 + Globals.bRawNTLMv2Auth = true; /* Allow NTLMv2 without NTLMSSP */
837 Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
838 /* Note, that we will also use NTLM2 session security (which is different), if it is available */
839
840 @@ -5819,6 +5821,7 @@ FN_GLOBAL_BOOL(lp_map_untrusted_to_domain, &Globals.bMapUntrustedToDomain)
841 FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
842 FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
843 FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
844 +FN_GLOBAL_BOOL(lp_raw_ntlmv2_auth, &Globals.bRawNTLMv2Auth)
845 FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth)
846 FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth)
847 FN_GLOBAL_BOOL(lp_client_ntlmv2_auth, &Globals.bClientNTLMv2Auth)
848 --
849 2.8.1
850
851
852 From de2ba16834dece138d8c0761cc3c834da42dfd33 Mon Sep 17 00:00:00 2001
853 From: Stefan Metzmacher <metze@samba.org>
854 Date: Tue, 15 Mar 2016 21:02:34 +0100
855 Subject: [PATCH 11/15] CVE-2016-2111(<=4.3): loadparm: add "raw NTLMv2 auth"
856 to param_table
857 MIME-Version: 1.0
858 Content-Type: text/plain; charset=UTF-8
859 Content-Transfer-Encoding: 8bit
860
861 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
862
863 Signed-off-by: Stefan Metzmacher <metze@samba.org>
864 Reviewed-by: Günther Deschner <gd@samba.org>
865 Reviewed-by: Ralph Boehme <slow@samba.org>
866 ---
867 source3/param/loadparm.c | 9 +++++++++
868 1 file changed, 9 insertions(+)
869
870 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
871 index 42ddcf5..f806788 100644
872 --- a/source3/param/loadparm.c
873 +++ b/source3/param/loadparm.c
874 @@ -1384,6 +1384,15 @@ static struct parm_struct parm_table[] = {
875 .flags = FLAG_ADVANCED,
876 },
877 {
878 + .label = "raw NTLMv2 auth",
879 + .type = P_BOOL,
880 + .p_class = P_GLOBAL,
881 + .ptr = &Globals.bRawNTLMv2Auth,
882 + .special = NULL,
883 + .enum_list = NULL,
884 + .flags = FLAG_ADVANCED,
885 + },
886 + {
887 .label = "client NTLMv2 auth",
888 .type = P_BOOL,
889 .p_class = P_GLOBAL,
890 --
891 2.8.1
892
893
894 From 094fb71d1dda38894be501674c7ec3e4ec03078e Mon Sep 17 00:00:00 2001
895 From: Stefan Metzmacher <metze@samba.org>
896 Date: Tue, 1 Mar 2016 10:25:54 +0100
897 Subject: [PATCH 12/15] CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth"
898 checks
899 MIME-Version: 1.0
900 Content-Type: text/plain; charset=UTF-8
901 Content-Transfer-Encoding: 8bit
902
903 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
904
905 Signed-off-by: Stefan Metzmacher <metze@samba.org>
906 Reviewed-by: Günther Deschner <gd@samba.org>
907 ---
908 source3/auth/auth_util.c | 14 ++++++++++++++
909 1 file changed, 14 insertions(+)
910
911 diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
912 index 288f461..98bbbef 100644
913 --- a/source3/auth/auth_util.c
914 +++ b/source3/auth/auth_util.c
915 @@ -30,6 +30,7 @@
916 #include "../lib/util/util_pw.h"
917 #include "lib/winbind_util.h"
918 #include "passdb.h"
919 +#include "../lib/tsocket/tsocket.h"
920
921 #undef DBGC_CLASS
922 #define DBGC_CLASS DBGC_AUTH
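Review bot: The added `#include "../lib/tsocket/tsocket.h"` is not referenced by anything this patch adds to auth_util.c; the new check in make_user_info_for_reply_enc uses only lp_raw_ntlmv2_auth(), DEBUG, nt_resp.length and the existing get_remote_machine_name() call. It looks like it was carried over from the 4.x form of this change, where the function presumably takes a tsocket_address for the peer, which this 3.6 backport does not. Unless a later patch in the series needs the header, drop the include or add a one-line comment saying why it is kept, so it is not mistaken for a missing piece of the backport.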
923 @@ -367,6 +368,19 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
924 const char *client_domain,
925 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
926 {
927 + bool allow_raw = lp_raw_ntlmv2_auth();
928 +
929 + if (!allow_raw && nt_resp.length >= 48) {
930 + /*
931 + * NTLMv2_RESPONSE has at least 48 bytes
932 + * and should only be supported via NTLMSSP.
933 + */
934 + DEBUG(2,("Rejecting raw NTLMv2 authentication with "
935 + "user [%s\\%s]\n",
936 + client_domain, smb_name));
937 + return NT_STATUS_INVALID_PARAMETER;
938 + }
939 +
940 return make_user_info_map(user_info, smb_name,
941 client_domain,
942 get_remote_machine_name(),
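Review bot: The magic length in `if (!allow_raw && nt_resp.length >= 48)` needs a comment that explains where 48 comes from, because the whole rejection hinges on it and the existing comment only restates the number: per MS-NLMP an NTLMv2_RESPONSE is the 16-byte NTProofStr followed by an NTLMv2_CLIENT_CHALLENGE whose fixed fields plus the terminating MsvAvEOL pair come to 32 bytes, whereas an NTLMv1 response is always 24 bytes. Suggested wording: `/* NTLMv2_RESPONSE = 16-byte NTProofStr + NTLMv2_CLIENT_CHALLENGE (>= 32 bytes incl. MsvAvEOL) = 48; an NTLMv1 response is exactly 24 bytes */`. It is also worth stating in the same comment that a blob of 25–47 bytes is neither a valid NTLMv1 nor NTLMv2 response and is still passed on to make_user_info_map here, on the assumption that downstream verification rejects it. make_user_info_for_reply_enc continues past the end of the hunk.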
943 --
944 2.8.1
945
946
947 From a2ef1fb0cf0b83a2799b95795d31b8fb03da11bb Mon Sep 17 00:00:00 2001
948 From: Stefan Metzmacher <metze@samba.org>
949 Date: Sat, 26 Mar 2016 22:08:38 +0100
950 Subject: [PATCH 13/15] CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth =
951 yes" for s3dc
952
953 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
954
955 Signed-off-by: Stefan Metzmacher <metze@samba.org>
956 Reviewed-by: Alexander Bokovoy <ab@samba.org>
957 ---
958 selftest/target/Samba3.pm | 1 +
959 1 file changed, 1 insertion(+)
960
961 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
962 index 01a1c47..ee3696e 100644
963 --- a/selftest/target/Samba3.pm
964 +++ b/selftest/target/Samba3.pm
965 @@ -127,6 +127,7 @@ sub setup_dc($$)
966 domain master = yes
967 domain logons = yes
968 lanman auth = yes
969 + raw NTLMv2 auth = yes
970 ";
971
972 my $vars = $self->provision($path,
973 --
974 2.8.1
975
976
977 From 74da0e00f3b817dd20d6429f7ba7748f66b9b6a4 Mon Sep 17 00:00:00 2001
978 From: Stefan Metzmacher <metze@samba.org>
979 Date: Tue, 15 Mar 2016 21:59:42 +0100
980 Subject: [PATCH 14/15] CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2
981 auth" to "no"
982
983 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
984
985 Signed-off-by: Stefan Metzmacher <metze@samba.org>
986 Reviewed-by: Alexander Bokovoy <ab@samba.org>
987 ---
988 docs-xml/smbdotconf/security/rawntlmv2auth.xml | 7 +++----
989 source3/param/loadparm.c | 2 +-
990 2 files changed, 4 insertions(+), 5 deletions(-)
991
992 diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
993 index ef26297..30e7280 100644
994 --- a/docs-xml/smbdotconf/security/rawntlmv2auth.xml
995 +++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
996 @@ -11,10 +11,9 @@
997 and <command moreinfo="none">ntlm auth</command> are all disabled,
998 then only clients with SPNEGO support will be permitted.
999 That means NTLMv2 is only supported within NTLMSSP.</para>
1000 -
1001 - <para>Note that the default will change to "no" with Samba 4.5.</para>
1002 </description>
1003
1004 -<value type="default">yes</value>
1005 -<value type="example">no</value>
1006 +<related>lanman auth</related>
1007 +<related>ntlm auth</related>
1008 +<value type="default">no</value>
1009 </samba:parameter>
1010 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
1011 index f806788..7065cf6 100644
1012 --- a/source3/param/loadparm.c
1013 +++ b/source3/param/loadparm.c
1014 @@ -5347,7 +5347,7 @@ static void init_globals(bool reinit_globals)
1015 Globals.bClientPlaintextAuth = False; /* Do NOT use a plaintext password even if is requested by the server */
1016 Globals.bLanmanAuth = False; /* Do NOT use the LanMan hash, even if it is supplied */
1017 Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
1018 - Globals.bRawNTLMv2Auth = true; /* Allow NTLMv2 without NTLMSSP */
1019 + Globals.bRawNTLMv2Auth = false; /* Allow NTLMv2 without NTLMSSP */
1020 Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
1021 /* Note, that we will also use NTLM2 session security (which is different), if it is available */
1022
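Review bot: The comment on the new line `Globals.bRawNTLMv2Auth = false; /* Allow NTLMv2 without NTLMSSP */` now says the opposite of what the value does; it was written for the `true` default that this patch replaces. Change it to `Globals.bRawNTLMv2Auth = false; /* Do NOT accept NTLMv2 outside NTLMSSP ("raw NTLMv2 auth = no") */` so the comment agrees with the "no" default that the docs-xml hunk of this patch introduces. init_globals continues outside the hunk.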
1023 --
1024 2.8.1
1025
1026
1027 From 44530ad870745f8d649aff9cc18480aaeeccf01a Mon Sep 17 00:00:00 2001
1028 From: Andreas Schneider <asn@samba.org>
1029 Date: Mon, 4 Apr 2016 16:44:39 +0200
1030 Subject: [PATCH 15/15] CVE-2016-2111: s3:selftest: Disable client ntlmv2 auth
1031 for secserver
1032
1033 The client connects with NTLMv1 to the secserver (a server configured with
1034 security = server). So the secserver needs to be allowed to connect with
1035 NTLMv1 to the password server to verify the user, or the test will fail.
1036
1037 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
1038
1039 Signed-off-by: Andreas Schneider <asn@samba.org>
1040 ---
1041 selftest/target/Samba3.pm | 1 +
1042 1 file changed, 1 insertion(+)
1043
1044 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
1045 index ee3696e..7326b22 100644
1046 --- a/selftest/target/Samba3.pm
1047 +++ b/selftest/target/Samba3.pm
1048 @@ -231,6 +231,7 @@ sub setup_secserver($$$)
1049 my $secserver_options = "
1050 security = server
1051 password server = $s3dcvars->{SERVER_IP}
1052 + client ntlmv2 auth = no
1053 ";
1054
1055 my $ret = $self->provision($prefix,
1056 --
1057 2.8.1
1058