1 From 9519f8f5123be055a4e845f87badef8b80ab2ee4 Mon Sep 17 00:00:00 2001
2 From: Stefan Metzmacher <metze@samba.org>
3 Date: Tue, 15 Dec 2015 14:49:36 +0100
4 Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth
5 level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
6
7 ncacn_ip_tcp:server should get the same protection as ncacn_np:server
8 if authentication and smb signing is used.
9
10 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
11
12 Signed-off-by: Stefan Metzmacher <metze@samba.org>
13
14 (cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98)
15 ---
16 source3/rpcclient/rpcclient.c | 5 ++---
17 1 file changed, 2 insertions(+), 3 deletions(-)
18
19 diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
20 index 949e14c..81c5f42 100644
21 --- a/source3/rpcclient/rpcclient.c
22 +++ b/source3/rpcclient/rpcclient.c
23 @@ -1062,10 +1062,9 @@ out_free:
24 }
25 }
26 if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) {
27 - /* If neither Integrity or Privacy are requested then
28 - * Use just Connect level */
29 + /* If nothing is requested then default to integrity */
30 if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) {
31 - pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT;
32 + pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
33 }
34 }
35
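Review bot: The replacement comment above the `pipe_default_auth_level` default says what the new default is but not why it moved away from CONNECT, which is the part the next maintainer will want when this line is touched again; the reason only lives in the commit message. Suggest `/* Default to integrity so ncacn_ip_tcp gets roughly the same protection as ncacn_np with SMB signing (CVE-2016-2118) */`. It may also be worth noting in that comment that the branch only applies when an auth type was requested without an explicit level. The enclosing function starts and ends outside the hunk.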
36 --
37 2.8.1
38
39
40 From 0e00f6da40e6f76d9bd56187e74841c85ea86c55 Mon Sep 17 00:00:00 2001
41 From: Stefan Metzmacher <metze@samba.org>
42 Date: Fri, 11 Mar 2016 16:02:25 +0100
43 Subject: [PATCH 02/10] CVE-2016-2118: s4:librpc: use integrity by default for
44 authenticated binds
45
46 ncacn_ip_tcp:server should get the same protection as ncacn_np:server
47 if authentication and smb signing is used.
48
49 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
50
51 Signed-off-by: Stefan Metzmacher <metze@samba.org>
52 (cherry picked from commit 7847ee85d278adb9ce4fc7da7cf171917227c93f)
53 ---
54 source4/librpc/rpc/dcerpc_util.c | 12 ++++++------
55 1 file changed, 6 insertions(+), 6 deletions(-)
56
57 diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
58 index 2cd9499..a6d0df5 100644
59 --- a/source4/librpc/rpc/dcerpc_util.c
60 +++ b/source4/librpc/rpc/dcerpc_util.c
61 @@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
62
63 /* Perform an authenticated DCE-RPC bind
64 */
65 - if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
66 + if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) {
67 /*
68 we are doing an authenticated connection,
69 - but not using sign or seal. We must force
70 - the CONNECT dcerpc auth type as a NONE auth
71 - type doesn't allow authentication
72 - information to be passed.
73 + which needs to use [connect], [sign] or [seal].
74 + If nothing is specified, we default to [sign] now.
75 + This give roughly the same protection as
76 + ncacn_np with smb signing.
77 */
78 - conn->flags |= DCERPC_CONNECT;
79 + conn->flags |= DCERPC_SIGN;
80 }
81
82 if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
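Review bot: The mask in the rewritten `if` omits DCERPC_SIGN, so a binding that explicitly asked for [sign] still enters the branch and re-ORs a flag it already carries; that is harmless, but it does not match the comment's "If nothing is specified", and a reader may wonder whether excluding only CONNECT was deliberate. `if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SIGN|DCERPC_SEAL))) {` states the intent directly. The new comment also has a typo, `This give roughly` should read `This gives roughly`. dcerpc_pipe_auth_send continues outside the hunk.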
83 --
84 2.8.1
85
86
87 From 8d53761dbcbea6439f4bfaef86ff79f42b682b22 Mon Sep 17 00:00:00 2001
88 From: Stefan Metzmacher <metze@samba.org>
89 Date: Thu, 10 Mar 2016 17:03:59 +0100
90 Subject: [PATCH 03/10] CVE-2016-2118: docs-xml: add "allow dcerpc auth level
91 connect" defaulting to "yes"
92 MIME-Version: 1.0
93 Content-Type: text/plain; charset=UTF-8
94 Content-Transfer-Encoding: 8bit
95
96 We sadly need to allow this for now by default.
97
98 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
99
100 Signed-off-by: Stefan Metzmacher <metze@samba.org>
101 Reviewed-by: Günther Deschner <gd@samba.org>
102 (backported from commit 56baca8619ba9ae1734c3d77524fc705ebcbd8d2)
103 ---
104 .../security/allowdcerpcauthlevelconnect.xml | 24 ++++++++++++++++++++++
105 1 file changed, 24 insertions(+)
106 create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
107
108 diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
109 new file mode 100644
110 index 0000000..5552112
111 --- /dev/null
112 +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
113 @@ -0,0 +1,24 @@
114 +<samba:parameter name="allow dcerpc auth level connect"
115 + context="G"
116 + type="boolean"
117 + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
118 +<description>
119 + <para>This option controls whether DCERPC services are allowed to
120 + be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
121 + but no per message integrity nor privacy protection.</para>
122 +
123 + <para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
124 + winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
125 +
126 + <para>This option yields precedence to the implentation specific restrictions.
127 + E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
128 + While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
129 + </para>
130 +
131 + <para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
132 +</description>
133 +
134 +<value type="default">yes</value>
135 +<value type="example">no</value>
136 +
137 +</samba:parameter>
138 --
139 2.8.1
140
141
142 From 9a0e8182314c631681f2dd47da5d790168066279 Mon Sep 17 00:00:00 2001
143 From: Ralph Boehme <slow@samba.org>
144 Date: Fri, 18 Mar 2016 08:45:11 +0100
145 Subject: [PATCH 04/10] CVE-2016-2118: param: add "allow dcerpc auth level
146 connect" defaulting to "yes"
147
148 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
149
150 Signed-off-by: Ralph Boehme <slow@samba.org>
151 Reviewed-by: Stefan Metzmacher <metze@samba.org>
152 (backported from commit 6e3ada2c36f527077d77a8278bd41bbc030f48cd)
153
154 (cherry picked from commit 74172d061597c96f0e733c11daee6cb15f3277dc)
155 Signed-off-by: Aurelien Aptel <aaptel@suse.com>
156 ---
157 source3/include/proto.h | 1 +
158 source3/param/loadparm.c | 13 +++++++++++++
159 2 files changed, 14 insertions(+)
160
161 diff --git a/source3/include/proto.h b/source3/include/proto.h
162 index ac1540f..2ed6547 100644
163 --- a/source3/include/proto.h
164 +++ b/source3/include/proto.h
165 @@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void);
166 void lp_set_passdb_backend(const char *backend);
167 void widelinks_warning(int snum);
168 char *lp_ncalrpc_dir(void);
169 +bool lp_allow_dcerpc_auth_level_connect(void);
170
171 /* The following definitions come from param/loadparm_server_role.c */
172
173 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
174 index fdc9407..87d33c5 100644
175 --- a/source3/param/loadparm.c
176 +++ b/source3/param/loadparm.c
177 @@ -355,6 +355,7 @@ struct global {
178 bool bUseMmap;
179 bool bHostnameLookups;
180 bool bUnixExtensions;
181 + bool bAllowDcerpcAuthLevelConnect;
182 bool bDisableNetbios;
183 char * szDedicatedKeytabFile;
184 int iKerberosMethod;
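Review bot: The new `bAllowDcerpcAuthLevelConnect` member carries no comment, unlike the `allow_connect` flag the fifth patch of this series adds to PIPE_RPC_FNS. Suggest `bool bAllowDcerpcAuthLevelConnect; /* global default for "allow dcerpc auth level connect"; per-interface overrides are applied in check_bind_req() */`, so that someone reading struct global can find where the value is consumed. The struct definition starts and ends outside the hunk.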
185 @@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] = {
186 .flags = FLAG_ADVANCED,
187 },
188 {
189 + .label = "allow dcerpc auth level connect",
190 + .type = P_BOOL,
191 + .p_class = P_GLOBAL,
192 + .ptr = &Globals.bAllowDcerpcAuthLevelConnect,
193 + .special = NULL,
194 + .enum_list = NULL,
195 + .flags = FLAG_ADVANCED,
196 + },
197 + {
198 .label = "use spnego",
199 .type = P_BOOL,
200 .p_class = P_GLOBAL,
201 @@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_globals)
202 Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
203 /* Note, that we will also use NTLM2 session security (which is different), if it is available */
204
205 + Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */
206 +
207 Globals.map_to_guest = 0; /* By Default, "Never" */
208 Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */
209 Globals.enhanced_browsing = true;
210 @@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_time, &Globals.iUsernameMapCacheTime)
211
212 FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript)
213
214 +FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect)
215 FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
216 FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
217 FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
218 --
219 2.8.1
220
221
222 From 82a245ff842ea33c050a8fbe415a531497232d3d Mon Sep 17 00:00:00 2001
223 From: Stefan Metzmacher <metze@samba.org>
224 Date: Fri, 18 Mar 2016 04:40:30 +0100
225 Subject: [PATCH 05/10] CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc
226 auth level connect"
227 MIME-Version: 1.0
228 Content-Type: text/plain; charset=UTF-8
229 Content-Transfer-Encoding: 8bit
230
231 With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
232 this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.
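Review bot: Wording only: `this means the reject any request` reads as `this means we reject any request`.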
233
234 We sadly need to keep this enabled by default for now.
235
236 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
237
238 Pair-Programmed-With: Günther Deschner <gd@samba.org>
239
240 Signed-off-by: Stefan Metzmacher <metze@samba.org>
241 Signed-off-by: Günther Deschner <gd@samba.org>
242 (cherry picked from commit 1fa0bad3da921fca1d34971062522b4cc3e6db2c)
243 (cherry picked from commit 46744bbe5e3616613b2dbee7cf6fdf0d8d5caab3)
244 Signed-off-by: Aurelien Aptel <aaptel@suse.com>
245 ---
246 source3/include/ntdomain.h | 4 ++++
247 source3/rpc_server/srv_pipe.c | 49 ++++++++++++++++++++++++++++++++++++++++++-
248 2 files changed, 52 insertions(+), 1 deletion(-)
249
250 diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
251 index 2fbeabc..650f1d0 100644
252 --- a/source3/include/ntdomain.h
253 +++ b/source3/include/ntdomain.h
254 @@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns {
255 uint32 context_id;
256 struct ndr_syntax_id syntax;
257
258 + /*
259 + * shall we allow "connect" auth level for this interface ?
260 + */
261 + bool allow_connect;
262 } PIPE_RPC_FNS;
263
264 /*
265 diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
266 index d659705..c462dcf 100644
267 --- a/source3/rpc_server/srv_pipe.c
268 +++ b/source3/rpc_server/srv_pipe.c
269 @@ -335,6 +335,7 @@ static bool check_bind_req(struct pipes_struct *p,
270 uint32 context_id)
271 {
272 struct pipe_rpc_fns *context_fns;
273 + const char *interface_name = NULL;
274
275 DEBUG(3,("check_bind_req for %s\n",
276 get_pipe_name_from_syntax(talloc_tos(), abstract)));
277 @@ -355,12 +356,29 @@ static bool check_bind_req(struct pipes_struct *p,
278 return False;
279 }
280
281 + interface_name = get_pipe_name_from_syntax(talloc_tos(),
282 + abstract);
283 +
284 + SMB_ASSERT(interface_name != NULL);
285 +
286 context_fns->next = context_fns->prev = NULL;
287 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
288 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
289 context_fns->context_id = context_id;
290 context_fns->syntax = *abstract;
291
292 + context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
293 + /*
294 + * every interface can be modified to allow "connect" auth_level by
295 + * using a parametric option like:
296 + * allow dcerpc auth level connect:<interface>
297 + * e.g.
298 + * allow dcerpc auth level connect:samr = yes
299 + */
300 + context_fns->allow_connect = lp_parm_bool(-1,
301 + "allow dcerpc auth level connect",
302 + interface_name, context_fns->allow_connect);
303 +
304 /* add to the list of open contexts */
305
306 DLIST_ADD( p->contexts, context_fns );
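Review bot: `SMB_ASSERT(interface_name != NULL)` turns a NULL from get_pipe_name_from_syntax() into a panic of the serving process; the helper is given talloc_tos(), so presumably it can return NULL on allocation failure, and failing just this bind with `return False;` like the earlier failure path (freeing `context_fns`, which judging by the assignments that follow is already allocated here) would be the gentler outcome. The same assert is repeated in the api_pipe_request hunk below, where the equivalent would be to fall into the existing `return false;` path. The rest of check_bind_req lies outside the hunk.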
307 @@ -1592,6 +1610,7 @@ static bool api_pipe_request(struct pipes_struct *p,
308 TALLOC_CTX *frame = talloc_stackframe();
309 bool ret = False;
310 PIPE_RPC_FNS *pipe_fns;
311 + const char *interface_name = NULL;
312
313 if (!p->pipe_bound) {
314 DEBUG(1, ("Pipe not bound!\n"));
315 @@ -1613,8 +1632,36 @@ static bool api_pipe_request(struct pipes_struct *p,
316 return false;
317 }
318
319 + interface_name = get_pipe_name_from_syntax(talloc_tos(),
320 + &pipe_fns->syntax);
321 +
322 + SMB_ASSERT(interface_name != NULL);
323 +
324 DEBUG(5, ("Requested \\PIPE\\%s\n",
325 - get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
326 + interface_name));
327 +
328 + switch (p->auth.auth_level) {
329 + case DCERPC_AUTH_LEVEL_NONE:
330 + case DCERPC_AUTH_LEVEL_INTEGRITY:
331 + case DCERPC_AUTH_LEVEL_PRIVACY:
332 + break;
333 + default:
334 + if (!pipe_fns->allow_connect) {
335 + DEBUG(1, ("%s: restrict auth_level_connect access "
336 + "to [%s] with auth[type=0x%x,level=0x%x] "
337 + "on [%s] from [%s]\n",
338 + __func__, interface_name,
339 + p->auth.auth_type,
340 + p->auth.auth_level,
341 + derpc_transport_string_by_transport(p->transport),
342 + p->client_id->name));
343 +
344 + setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
345 + TALLOC_FREE(frame);
346 + return true;
347 + }
348 + break;
349 + }
350
351 if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
352 DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
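Review bot: The `default:` arm of the new switch gates every level other than NONE/INTEGRITY/PRIVACY on `allow_connect`, so with the option enabled the call and packet auth levels would also pass here, yet the log line names only auth_level_connect. If the bind path already restricts the accepted levels this is only a naming matter and a comment on the `default:` saying so would do; otherwise an explicit `case DCERPC_AUTH_LEVEL_CONNECT:` carrying the allow_connect check, with `default:` rejecting unconditionally, keeps the fail-closed shape. api_pipe_request continues outside the hunk.
```c
	/* … unchanged: NONE/INTEGRITY/PRIVACY cases … */
	case DCERPC_AUTH_LEVEL_CONNECT:
		if (!pipe_fns->allow_connect) {
			/* … unchanged: DEBUG(1, ...) restrict message, fault PDU, return … */
		}
		break;
	default:
		/* any other level is never accepted, whatever the option says */
		setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
		TALLOC_FREE(frame);
		return true;
	}
```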
353 --
354 2.8.1
355
356
357 From b68b204307e0b24bc2879ea667a706e11925166d Mon Sep 17 00:00:00 2001
358 From: Stefan Metzmacher <metze@samba.org>
359 Date: Fri, 7 Aug 2015 09:50:30 +0200
360 Subject: [PATCH 06/10] CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}:
361 reject DCERPC_AUTH_LEVEL_CONNECT by default
362 MIME-Version: 1.0
363 Content-Type: text/plain; charset=UTF-8
364 Content-Transfer-Encoding: 8bit
365
366 This prevents man in the middle downgrade attacks.
367
368 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
369
370 Pair-Programmed-With: Günther Deschner <gd@samba.org>
371
372 Signed-off-by: Stefan Metzmacher <metze@samba.org>
373 Signed-off-by: Günther Deschner <gd@samba.org>
374 (cherry picked from commit 51dd08951eb4ab9d297678f96cde61f508937721)
375 Signed-off-by: Aurelien Aptel <aaptel@suse.com>
376
377 Conflicts:
378 selftest/knownfail
379 source3/rpc_server/srv_pipe.c
380
381 selftest/knownfail is ignored in 3.6
382 ---
383 source3/rpc_server/srv_pipe.c | 20 ++++++++++++++++++++
384 source3/selftest/knownfail | 1 +
385 source3/selftest/tests.py | 2 ++
386 3 files changed, 23 insertions(+)
387
388 diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
389 index c462dcf..3086b9e 100644
390 --- a/source3/rpc_server/srv_pipe.c
391 +++ b/source3/rpc_server/srv_pipe.c
392 @@ -43,6 +43,9 @@
393 #include "ntdomain.h"
394 #include "rpc_server/srv_pipe.h"
395 #include "../librpc/ndr/ndr_dcerpc.h"
396 +#include "../librpc/gen_ndr/ndr_samr.h"
397 +#include "../librpc/gen_ndr/ndr_lsa.h"
398 +#include "../librpc/gen_ndr/ndr_netlogon.h"
399
400 #undef DBGC_CLASS
401 #define DBGC_CLASS DBGC_RPC_SRV
402 @@ -336,6 +339,7 @@ static bool check_bind_req(struct pipes_struct *p,
403 {
404 struct pipe_rpc_fns *context_fns;
405 const char *interface_name = NULL;
406 + bool ok;
407
408 DEBUG(3,("check_bind_req for %s\n",
409 get_pipe_name_from_syntax(talloc_tos(), abstract)));
410 @@ -369,6 +373,22 @@ static bool check_bind_req(struct pipes_struct *p,
411
412 context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
413 /*
414 + * for the samr and the lsarpc interfaces we don't allow "connect"
415 + * auth_level by default.
416 + */
417 + ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
418 + if (ok) {
419 + context_fns->allow_connect = false;
420 + }
421 + ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
422 + if (ok) {
423 + context_fns->allow_connect = false;
424 + }
425 + ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
426 + if (ok) {
427 + context_fns->allow_connect = false;
428 + }
429 + /*
430 * every interface can be modified to allow "connect" auth_level by
431 * using a parametric option like:
432 * allow dcerpc auth level connect:<interface>
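Review bot: The comment introducing the new block says "for the samr and the lsarpc interfaces", but the code (and the subject line) also cover netlogon; `* for the samr, lsarpc and netlogon interfaces we don't allow "connect"` keeps it accurate. The three copy-pasted `ndr_syntax_id_equal` blocks, extended by two more in the epmapper/echo hunk of patch 08 below, would read better as a small table walked in a loop, which also makes the default for a new interface a one-line change. check_bind_req continues outside the hunk.
```c
	/*
	 * for the samr, lsarpc and netlogon interfaces we don't allow
	 * "connect" auth_level by default.
	 */
	{
		const struct ndr_syntax_id *const deny_connect[] = {
			&ndr_table_samr.syntax_id,
			&ndr_table_lsarpc.syntax_id,
			&ndr_table_netlogon.syntax_id,
		};
		size_t i;

		for (i = 0; i < sizeof(deny_connect) / sizeof(deny_connect[0]); i++) {
			if (ndr_syntax_id_equal(abstract, deny_connect[i])) {
				context_fns->allow_connect = false;
				break;
			}
		}
	}
	/* … unchanged: parametric option comment and lp_parm_bool() … */
```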
433 diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
434 index bda1fe0..8717a4d 100644
435 --- a/source3/selftest/knownfail
436 +++ b/source3/selftest/knownfail
437 @@ -18,3 +18,4 @@ samba3.posix_s3.nbt.dgram.*netlogon2
438 samba3.*rap.sam.*.useradd # Not provided by Samba 3
439 samba3.*rap.sam.*.userdelete # Not provided by Samba 3
440 samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
441 +samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
442 diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
443 index a733f14..8dfbf1e 100755
444 --- a/source3/selftest/tests.py
445 +++ b/source3/selftest/tests.py
446 @@ -201,6 +201,8 @@ if sub.returncode == 0:
447 plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
448 elif t == "raw.samba3posixtimedlock":
449 plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share')
450 + elif t == "rpc.samr.passwords.validate":
451 + plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ')
452 else:
453 plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
454
455 --
456 2.8.1
457
458
459 From 720b9f861322c5fe804c53eb74e7d2d6a4d8b876 Mon Sep 17 00:00:00 2001
460 From: Andreas Schneider <asn@samba.org>
461 Date: Tue, 5 Apr 2016 09:54:38 +0200
462 Subject: [PATCH 07/10] CVE-2016-2118: s3:selftest: The lsa tests which use
463 connect need to fail
464
465 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
466
467 Signed-off-by: Andreas Schneider <asn@samba.org>
468 ---
469 source3/selftest/knownfail | 1 +
470 1 file changed, 1 insertion(+)
471
472 diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
473 index 8717a4d..7d9275e 100644
474 --- a/source3/selftest/knownfail
475 +++ b/source3/selftest/knownfail
476 @@ -19,3 +19,4 @@ samba3.*rap.sam.*.useradd # Not provided by Samba 3
477 samba3.*rap.sam.*.userdelete # Not provided by Samba 3
478 samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
479 samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
480 +samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore
481 --
482 2.8.1
483
484
485 From 9b2b563a1f8247f5ec7efde52d70efc666e30f56 Mon Sep 17 00:00:00 2001
486 From: Stefan Metzmacher <metze@samba.org>
487 Date: Sat, 26 Mar 2016 08:47:42 +0100
488 Subject: [PATCH 08/10] CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow
489 DCERPC_AUTH_LEVEL_CONNECT by default
490
491 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
492
493 Signed-off-by: Stefan Metzmacher <metze@samba.org>
494 Reviewed-by: Alexander Bokovoy <ab@samba.org>
495 (cherry picked from commit 98f1a85f23d3d2a4f1c665746588688574261d90)
496 ---
497 source3/rpc_server/srv_pipe.c | 14 ++++++++++++++
498 1 file changed, 14 insertions(+)
499
500 diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
501 index 3086b9e..964b843 100644
502 --- a/source3/rpc_server/srv_pipe.c
503 +++ b/source3/rpc_server/srv_pipe.c
504 @@ -46,6 +46,8 @@
505 #include "../librpc/gen_ndr/ndr_samr.h"
506 #include "../librpc/gen_ndr/ndr_lsa.h"
507 #include "../librpc/gen_ndr/ndr_netlogon.h"
508 +#include "../librpc/gen_ndr/ndr_epmapper.h"
509 +#include "../librpc/gen_ndr/ndr_echo.h"
510
511 #undef DBGC_CLASS
512 #define DBGC_CLASS DBGC_RPC_SRV
513 @@ -389,6 +391,18 @@ static bool check_bind_req(struct pipes_struct *p,
514 context_fns->allow_connect = false;
515 }
516 /*
517 + * for the epmapper and echo interfaces we allow "connect"
518 + * auth_level by default.
519 + */
520 + ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
521 + if (ok) {
522 + context_fns->allow_connect = true;
523 + }
524 + ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
525 + if (ok) {
526 + context_fns->allow_connect = true;
527 + }
528 + /*
529 * every interface can be modified to allow "connect" auth_level by
530 * using a parametric option like:
531 * allow dcerpc auth level connect:<interface>
532 --
533 2.8.1
534
535
536 From 21453f6887569b162be44faaf43e1b9a81423210 Mon Sep 17 00:00:00 2001
537 From: Stefan Metzmacher <metze@samba.org>
538 Date: Thu, 10 Mar 2016 17:03:59 +0100
539 Subject: [PATCH 09/10] CVE-2016-2118: docs-xml/param: default "allow dcerpc
540 auth level connect" to "no"
541
542 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
543
544 Signed-off-by: Stefan Metzmacher <metze@samba.org>
545 Reviewed-by: Alexander Bokovoy <ab@samba.org>
546 (backported from commit 6469e21af32a2a405dd4f43e7d96a2f87c4a9902)
547
548 Conflicts:
549 lib/param/loadparm.c
550 source3/param/loadparm.c
551 ---
552 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 6 ++----
553 source3/param/loadparm.c | 2 +-
554 2 files changed, 3 insertions(+), 5 deletions(-)
555
556 diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
557 index 5552112..c8e9d18 100644
558 --- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
559 +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
560 @@ -14,11 +14,9 @@
561 E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
562 While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
563 </para>
564 -
565 - <para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
566 </description>
567
568 -<value type="default">yes</value>
569 -<value type="example">no</value>
570 +<value type="default">no</value>
571 +<value type="example">yes</value>
572
573 </samba:parameter>
574 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
575 index 87d33c5..a514727 100644
576 --- a/source3/param/loadparm.c
577 +++ b/source3/param/loadparm.c
578 @@ -5381,7 +5381,7 @@ static void init_globals(bool reinit_globals)
579 Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
580 /* Note, that we will also use NTLM2 session security (which is different), if it is available */
581
582 - Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */
583 + Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */
584
585 Globals.map_to_guest = 0; /* By Default, "Never" */
586 Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */
587 --
588 2.8.1
589
590
591 From a5aebec4ff2f1d3b824dfcc05091da712639220d Mon Sep 17 00:00:00 2001
592 From: Stefan Metzmacher <metze@samba.org>
593 Date: Sun, 28 Feb 2016 22:48:11 +0100
594 Subject: [PATCH 10/10] CVE-2016-2118: s3:rpc_server/samr: allow
595 _samr_ValidatePassword only with PRIVACY...
596 MIME-Version: 1.0
597 Content-Type: text/plain; charset=UTF-8
598 Content-Transfer-Encoding: 8bit
599
600 This requires transport encryption.
601
602 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
603
604 Signed-off-by: Stefan Metzmacher <metze@samba.org>
605 Reviewed-by: Günther Deschner <gd@samba.org>
606 (cherry picked from commit d7c2f1e12544ee0f80438dcc1586e2d30c23b54a)
607 ---
608 source3/rpc_server/samr/srv_samr_nt.c | 5 +++++
609 1 file changed, 5 insertions(+)
610
611 diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
612 index 0984984..37e2e4f 100644
613 --- a/source3/rpc_server/samr/srv_samr_nt.c
614 +++ b/source3/rpc_server/samr/srv_samr_nt.c
615 @@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct pipes_struct *p,
616 struct samr_GetDomPwInfo pw;
617 struct samr_PwInfo dom_pw_info;
618
619 + if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
620 + p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
621 + return NT_STATUS_ACCESS_DENIED;
622 + }
623 +
624 if (r->in.level < 1 || r->in.level > 3) {
625 return NT_STATUS_INVALID_INFO_CLASS;
626 }
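Review bot: The new guard rejects anything but DCERPC_AUTH_LEVEL_PRIVACY without saying why, and nothing in the visible function body hints at it; the reason ("This requires transport encryption") lives only in the commit message. Suggest a comment above the check, `/* Presumably the request carries the password being validated; only accept it on a sealed (PRIVACY) connection, see CVE-2016-2118 */`. Placing the check ahead of the level validation is the right order, since it fails closed before any input is examined. _samr_ValidatePassword continues outside the hunk.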
627 --
628 2.8.1
629