projects / people / pmueller / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 77ecb239 AF |
1 | From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001 |
| 2 | From: Stefan Metzmacher <metze@samba.org> | |
| 3 | Date: Tue, 1 Dec 2015 08:46:45 +0100 | |
| 4 | Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use | |
| 5 | ntlmssp_state->allow_lm_key | |
| 6 | MIME-Version: 1.0 | |
| 7 | Content-Type: text/plain; charset=UTF-8 | |
| 8 | Content-Transfer-Encoding: 8bit | |
| 9 | ||
| 10 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
| 11 | ||
| 12 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
| 13 | Reviewed-by: Günther Deschner <gd@samba.org> | |
| 14 | --- | |
| 15 | source3/libsmb/ntlmssp.c | 4 +++- | |
| 16 | 1 file changed, 3 insertions(+), 1 deletion(-) | |
| 17 | ||
| 18 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 19 | index 1de6189..20a5987 100644 | |
| 20 | --- a/source3/libsmb/ntlmssp.c | |
| 21 | +++ b/source3/libsmb/ntlmssp.c | |
| 22 | @@ -530,7 +530,8 @@ noccache: | |
| 23 | DEBUG(3, ("Got challenge flags:\n")); | |
| 24 | debug_ntlmssp_flags(chal_flags); | |
| 25 | ||
| 26 | - ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth()); | |
| 27 | + ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, | |
| 28 | + ntlmssp_state->allow_lm_key); | |
| 29 | ||
| 30 | if (ntlmssp_state->unicode) { | |
| 31 | if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) { | |
| 32 | @@ -769,6 +770,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, | |
| 33 | ntlmssp_state->unicode = True; | |
| 34 | ||
| 35 | ntlmssp_state->use_ntlmv2 = use_ntlmv2; | |
| 36 | + ntlmssp_state->allow_lm_key = lp_client_lanman_auth(); | |
| 37 | ||
| 38 | ntlmssp_state->expected_state = NTLMSSP_INITIAL; | |
| 39 | ||
| 40 | -- | |
| 41 | 2.8.1 | |
| 42 | ||
| 43 | ||
| 44 | From a701bc5f8a76584a2e0680b2c3dd9afb77f12430 Mon Sep 17 00:00:00 2001 | |
| 45 | From: Stefan Metzmacher <metze@samba.org> | |
| 46 | Date: Fri, 11 Dec 2015 14:50:23 +0100 | |
| 47 | Subject: [PATCH 02/10] CVE-2016-2110: s3:ntlmssp: add | |
| 48 | ntlmssp3_handle_neg_flags() | |
| 49 | MIME-Version: 1.0 | |
| 50 | Content-Type: text/plain; charset=UTF-8 | |
| 51 | Content-Transfer-Encoding: 8bit | |
| 52 | ||
| 53 | This is a copy of ntlmssp_handle_neg_flags(), which will be changed | |
| 54 | in an incompatible way in the following commits. | |
| 55 | ||
| 56 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
| 57 | ||
| 58 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
| 59 | Reviewed-by: Günther Deschner <gd@samba.org> | |
| 60 | --- | |
| 61 | source3/libsmb/ntlmssp.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++-- | |
| 62 | 1 file changed, 56 insertions(+), 2 deletions(-) | |
| 63 | ||
| 64 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 65 | index 20a5987..ad09f9f 100644 | |
| 66 | --- a/source3/libsmb/ntlmssp.c | |
| 67 | +++ b/source3/libsmb/ntlmssp.c | |
| 68 | @@ -422,6 +422,60 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, | |
| 69 | return NT_STATUS_MORE_PROCESSING_REQUIRED; | |
| 70 | } | |
| 71 | ||
| 72 | +static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, | |
| 73 | + uint32_t neg_flags, bool allow_lm) | |
| 74 | +{ | |
| 75 | + if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) { | |
| 76 | + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; | |
| 77 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM; | |
| 78 | + ntlmssp_state->unicode = true; | |
| 79 | + } else { | |
| 80 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE; | |
| 81 | + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM; | |
| 82 | + ntlmssp_state->unicode = false; | |
| 83 | + } | |
| 84 | + | |
| 85 | + if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) { | |
| 86 | + /* other end forcing us to use LM */ | |
| 87 | + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; | |
| 88 | + ntlmssp_state->use_ntlmv2 = false; | |
| 89 | + } else { | |
| 90 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; | |
| 91 | + } | |
| 92 | + | |
| 93 | + if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) { | |
| 94 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN; | |
| 95 | + } | |
| 96 | + | |
| 97 | + if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) { | |
| 98 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; | |
| 99 | + } | |
| 100 | + | |
| 101 | + if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) { | |
| 102 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128; | |
| 103 | + } | |
| 104 | + | |
| 105 | + if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) { | |
| 106 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56; | |
| 107 | + } | |
| 108 | + | |
| 109 | + if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { | |
| 110 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH; | |
| 111 | + } | |
| 112 | + | |
| 113 | + if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { | |
| 114 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; | |
| 115 | + } | |
| 116 | + | |
| 117 | + if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { | |
| 118 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; | |
| 119 | + } | |
| 120 | + | |
| 121 | + if ((neg_flags & NTLMSSP_REQUEST_TARGET)) { | |
| 122 | + ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET; | |
| 123 | + } | |
| 124 | +} | |
| 125 | + | |
| 126 | /** | |
| 127 | * Next state function for the Challenge Packet. Generate an auth packet. | |
| 128 | * | |
| 129 | @@ -530,8 +584,8 @@ noccache: | |
| 130 | DEBUG(3, ("Got challenge flags:\n")); | |
| 131 | debug_ntlmssp_flags(chal_flags); | |
| 132 | ||
| 133 | - ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, | |
| 134 | - ntlmssp_state->allow_lm_key); | |
| 135 | + ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags, | |
| 136 | + ntlmssp_state->allow_lm_key); | |
| 137 | ||
| 138 | if (ntlmssp_state->unicode) { | |
| 139 | if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) { | |
| 140 | -- | |
| 141 | 2.8.1 | |
| 142 | ||
| 143 | ||
| 144 | From 92b2f5315d135b7b83a3ae106b43d18181be2f02 Mon Sep 17 00:00:00 2001 | |
| 145 | From: Andreas Schneider <asn@cryptomilk.org> | |
| 146 | Date: Thu, 31 Mar 2016 12:39:50 +0200 | |
| 147 | Subject: [PATCH 03/10] CVE-2016-2110: s3:ntlmssp: let | |
| 148 | ntlmssp3_handle_neg_flags() return NTSTATUS | |
| 149 | MIME-Version: 1.0 | |
| 150 | Content-Type: text/plain; charset=UTF-8 | |
| 151 | Content-Transfer-Encoding: 8bit | |
| 152 | ||
| 153 | In future we can do a more fine granted negotiation | |
| 154 | and assert specific security features. | |
| 155 | ||
| 156 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
| 157 | ||
| 158 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
| 159 | Reviewed-by: Günther Deschner <gd@samba.org> | |
| 160 | --- | |
| 161 | source3/libsmb/ntlmssp.c | 33 +++++++++++++++++++-------------- | |
| 162 | 1 file changed, 19 insertions(+), 14 deletions(-) | |
| 163 | ||
| 164 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 165 | index ad09f9f..81a85ce 100644 | |
| 166 | --- a/source3/libsmb/ntlmssp.c | |
| 167 | +++ b/source3/libsmb/ntlmssp.c | |
| 168 | @@ -422,10 +422,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, | |
| 169 | return NT_STATUS_MORE_PROCESSING_REQUIRED; | |
| 170 | } | |
| 171 | ||
| 172 | -static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, | |
| 173 | - uint32_t neg_flags, bool allow_lm) | |
| 174 | +static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, | |
| 175 | + uint32_t flags) | |
| 176 | { | |
| 177 | - if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) { | |
| 178 | + if (flags & NTLMSSP_NEGOTIATE_UNICODE) { | |
| 179 | ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; | |
| 180 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM; | |
| 181 | ntlmssp_state->unicode = true; | |
| 182 | @@ -435,7 +435,7 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, | |
| 183 | ntlmssp_state->unicode = false; | |
| 184 | } | |
| 185 | ||
| 186 | - if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) { | |
| 187 | + if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) { | |
| 188 | /* other end forcing us to use LM */ | |
| 189 | ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; | |
| 190 | ntlmssp_state->use_ntlmv2 = false; | |
| 191 | @@ -443,37 +443,39 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, | |
| 192 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; | |
| 193 | } | |
| 194 | ||
| 195 | - if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) { | |
| 196 | + if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) { | |
| 197 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN; | |
| 198 | } | |
| 199 | ||
| 200 | - if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) { | |
| 201 | + if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) { | |
| 202 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; | |
| 203 | } | |
| 204 | ||
| 205 | - if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) { | |
| 206 | + if (!(flags & NTLMSSP_NEGOTIATE_128)) { | |
| 207 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128; | |
| 208 | } | |
| 209 | ||
| 210 | - if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) { | |
| 211 | + if (!(flags & NTLMSSP_NEGOTIATE_56)) { | |
| 212 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56; | |
| 213 | } | |
| 214 | ||
| 215 | - if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { | |
| 216 | + if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { | |
| 217 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH; | |
| 218 | } | |
| 219 | ||
| 220 | - if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { | |
| 221 | + if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) { | |
| 222 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; | |
| 223 | } | |
| 224 | ||
| 225 | - if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { | |
| 226 | + if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) { | |
| 227 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; | |
| 228 | } | |
| 229 | ||
| 230 | - if ((neg_flags & NTLMSSP_REQUEST_TARGET)) { | |
| 231 | + if ((flags & NTLMSSP_REQUEST_TARGET)) { | |
| 232 | ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET; | |
| 233 | } | |
| 234 | + | |
| 235 | + return NT_STATUS_OK; | |
| 236 | } | |
| 237 | ||
| 238 | /** | |
| 239 | @@ -584,8 +586,11 @@ noccache: | |
| 240 | DEBUG(3, ("Got challenge flags:\n")); | |
| 241 | debug_ntlmssp_flags(chal_flags); | |
| 242 | ||
| 243 | - ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags, | |
| 244 | - ntlmssp_state->allow_lm_key); | |
| 245 | + nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags); | |
| 246 | + if (!NT_STATUS_IS_OK(nt_status)) { | |
| 247 | + return nt_status; | |
| 248 | + } | |
| 249 | + | |
| 250 | ||
| 251 | if (ntlmssp_state->unicode) { | |
| 252 | if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) { | |
| 253 | -- | |
| 254 | 2.8.1 | |
| 255 | ||
| 256 | ||
| 257 | From a239a337e3c0081af1a41aaac8957bb1aa0771f8 Mon Sep 17 00:00:00 2001 | |
| 258 | From: Stefan Metzmacher <metze@samba.org> | |
| 259 | Date: Tue, 1 Dec 2015 15:01:09 +0100 | |
| 260 | Subject: [PATCH 04/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from | |
| 261 | NTLMv2 to LM_AUTH | |
| 262 | MIME-Version: 1.0 | |
| 263 | Content-Type: text/plain; charset=UTF-8 | |
| 264 | Content-Transfer-Encoding: 8bit | |
| 265 | ||
| 266 | man smb.conf says "client ntlmv2 auth = yes" the default disables, | |
| 267 | "client lanman auth = yes": | |
| 268 | ||
| 269 | ... | |
| 270 | Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 | |
| 271 | logins will be attempted. | |
| 272 | ... | |
| 273 | ||
| 274 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
| 275 | ||
| 276 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
| 277 | Reviewed-by: Günther Deschner <gd@samba.org> | |
| 278 | --- | |
| 279 | source3/libsmb/ntlmssp.c | 4 ++++ | |
| 280 | 1 file changed, 4 insertions(+) | |
| 281 | ||
| 282 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 283 | index 81a85ce..23a5e5d 100644 | |
| 284 | --- a/source3/libsmb/ntlmssp.c | |
| 285 | +++ b/source3/libsmb/ntlmssp.c | |
| 286 | @@ -841,6 +841,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, | |
| 287 | NTLMSSP_NEGOTIATE_KEY_EXCH | | |
| 288 | NTLMSSP_REQUEST_TARGET; | |
| 289 | ||
| 290 | + if (ntlmssp_state->use_ntlmv2) { | |
| 291 | + ntlmssp_state->allow_lm_key = false; | |
| 292 | + } | |
| 293 | + | |
| 294 | ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name); | |
| 295 | if (!ntlmssp_state->client.netbios_name) { | |
| 296 | talloc_free(ntlmssp_state); | |
| 297 | -- | |
| 298 | 2.8.1 | |
| 299 | ||
| 300 | ||
| 301 | From e11dc9aa90420947f9fc82365b55ecb08353451c Mon Sep 17 00:00:00 2001 | |
| 302 | From: Stefan Metzmacher <metze@samba.org> | |
| 303 | Date: Thu, 31 Mar 2016 12:59:05 +0200 | |
| 304 | Subject: [PATCH 05/10] CVE-2016-2110: s3:ntlmssp: maintain a required_flags | |
| 305 | variable | |
| 306 | MIME-Version: 1.0 | |
| 307 | Content-Type: text/plain; charset=UTF-8 | |
| 308 | Content-Transfer-Encoding: 8bit | |
| 309 | ||
| 310 | We now give an error when required flags are missing. | |
| 311 | ||
| 312 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
| 313 | ||
| 314 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
| 315 | Reviewed-by: Günther Deschner <gd@samba.org> | |
| 316 | --- | |
| 317 | libcli/auth/ntlmssp.h | 1 + | |
| 318 | source3/libsmb/ntlmssp.c | 20 ++++++++++++++++++++ | |
| 319 | 2 files changed, 21 insertions(+) | |
| 320 | ||
| 321 | diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h | |
| 322 | index 495d94f..88a049b 100644 | |
| 323 | --- a/libcli/auth/ntlmssp.h | |
| 324 | +++ b/libcli/auth/ntlmssp.h | |
| 325 | @@ -83,6 +83,7 @@ struct ntlmssp_state | |
| 326 | DATA_BLOB nt_resp; | |
| 327 | DATA_BLOB session_key; | |
| 328 | ||
| 329 | + uint32_t required_flags; | |
| 330 | uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */ | |
| 331 | ||
| 332 | /** | |
| 333 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 334 | index 23a5e5d..48d7d45 100644 | |
| 335 | --- a/source3/libsmb/ntlmssp.c | |
| 336 | +++ b/source3/libsmb/ntlmssp.c | |
| 337 | @@ -425,6 +425,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, | |
| 338 | static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, | |
| 339 | uint32_t flags) | |
| 340 | { | |
| 341 | + uint32_t missing_flags = ntlmssp_state->required_flags; | |
| 342 | + | |
| 343 | if (flags & NTLMSSP_NEGOTIATE_UNICODE) { | |
| 344 | ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; | |
| 345 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM; | |
| 346 | @@ -475,6 +477,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, | |
| 347 | ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET; | |
| 348 | } | |
| 349 | ||
| 350 | + missing_flags &= ~ntlmssp_state->neg_flags; | |
| 351 | + if (missing_flags != 0) { | |
| 352 | + NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR; | |
| 353 | + DEBUG(1, ("%s: Got challenge flags[0x%08x] " | |
| 354 | + "- possible downgrade detected! " | |
| 355 | + "missing_flags[0x%08x] - %s\n", | |
| 356 | + __func__, | |
| 357 | + (unsigned)flags, | |
| 358 | + (unsigned)missing_flags, | |
| 359 | + nt_errstr(status))); | |
| 360 | + debug_ntlmssp_flags(missing_flags); | |
| 361 | + DEBUGADD(4, ("neg_flags[0x%08x]\n", | |
| 362 | + (unsigned)ntlmssp_state->neg_flags)); | |
| 363 | + debug_ntlmssp_flags(ntlmssp_state->neg_flags); | |
| 364 | + | |
| 365 | + return status; | |
| 366 | + } | |
| 367 | + | |
| 368 | return NT_STATUS_OK; | |
| 369 | } | |
| 370 | ||
| 371 | -- | |
| 372 | 2.8.1 | |
| 373 | ||
| 374 | ||
| 375 | From 06ca5b7655e577ff6e2d5817cf221c05f9bb5c86 Mon Sep 17 00:00:00 2001 | |
| 376 | From: Stefan Metzmacher <metze@samba.org> | |
| 377 | Date: Thu, 31 Mar 2016 13:03:24 +0200 | |
| 378 | Subject: [PATCH 06/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from | |
| 379 | NTLMv2 to LM_AUTH | |
| 380 | MIME-Version: 1.0 | |
| 381 | Content-Type: text/plain; charset=UTF-8 | |
| 382 | Content-Transfer-Encoding: 8bit | |
| 383 | ||
| 384 | man smb.conf says "client ntlmv2 auth = yes" the default disables, | |
| 385 | "client lanman auth = yes": | |
| 386 | ||
| 387 | ... | |
| 388 | Likewise, if the client ntlmv2 auth parameter is enabled, then only | |
| 389 | NTLMv2 logins will be attempted. | |
| 390 | ... | |
| 391 | ||
| 392 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
| 393 | ||
| 394 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
| 395 | Reviewed-by: Günther Deschner <gd@samba.org> | |
| 396 | --- | |
| 397 | source3/libsmb/ntlmssp.c | 1 + | |
| 398 | 1 file changed, 1 insertion(+) | |
| 399 | ||
| 400 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 401 | index 48d7d45..bf40404 100644 | |
| 402 | --- a/source3/libsmb/ntlmssp.c | |
| 403 | +++ b/source3/libsmb/ntlmssp.c | |
| 404 | @@ -388,6 +388,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, | |
| 405 | ||
| 406 | if (ntlmssp_state->use_ntlmv2) { | |
| 407 | ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; | |
| 408 | + ntlmssp_state->allow_lm_key = false; | |
| 409 | } | |
| 410 | ||
| 411 | /* generate the ntlmssp negotiate packet */ | |
| 412 | -- | |
| 413 | 2.8.1 | |
| 414 | ||
| 415 | ||
| 416 | From f99d4469a8b09dd93eb7124f2814e15869915671 Mon Sep 17 00:00:00 2001 | |
| 417 | From: Andreas Schneider <asn@samba.org> | |
| 418 | Date: Mon, 11 Apr 2016 16:18:44 +0200 | |
| 419 | Subject: [PATCH 07/10] CVE-2016-2110: auth/ntlmssp: don't let | |
| 420 | ntlmssp3_handle_neg_flags() change ntlmssp_state->use_ntlmv2 | |
| 421 | ||
| 422 | ntlmssp_handle_neg_flags() can only disable flags, but not | |
| 423 | set them. All supported flags are set at start time. | |
| 424 | ||
| 425 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
| 426 | ||
| 427 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
| 428 | Reviewed-by: Guenther Deschner <gd@samba.org> | |
| 429 | --- | |
| 430 | source3/libsmb/ntlmssp.c | 26 +++++++++++++++++--------- | |
| 431 | 1 file changed, 17 insertions(+), 9 deletions(-) | |
| 432 | ||
| 433 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 434 | index bf40404..7b17a43 100644 | |
| 435 | --- a/source3/libsmb/ntlmssp.c | |
| 436 | +++ b/source3/libsmb/ntlmssp.c | |
| 437 | @@ -391,6 +391,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, | |
| 438 | ntlmssp_state->allow_lm_key = false; | |
| 439 | } | |
| 440 | ||
| 441 | + if (ntlmssp_state->allow_lm_key) { | |
| 442 | + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; | |
| 443 | + } | |
| 444 | + | |
| 445 | /* generate the ntlmssp negotiate packet */ | |
| 446 | status = msrpc_gen(ntlmssp_state, next_request, "CddAA", | |
| 447 | "NTLMSSP", | |
| 448 | @@ -438,20 +442,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, | |
| 449 | ntlmssp_state->unicode = false; | |
| 450 | } | |
| 451 | ||
| 452 | - if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) { | |
| 453 | - /* other end forcing us to use LM */ | |
| 454 | - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; | |
| 455 | - ntlmssp_state->use_ntlmv2 = false; | |
| 456 | - } else { | |
| 457 | + /* | |
| 458 | + * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) | |
| 459 | + * has priority over NTLMSSP_NEGOTIATE_LM_KEY | |
| 460 | + */ | |
| 461 | + if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) { | |
| 462 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; | |
| 463 | + } | |
| 464 | + | |
| 465 | + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { | |
| 466 | ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; | |
| 467 | } | |
| 468 | ||
| 469 | - if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) { | |
| 470 | - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN; | |
| 471 | + if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) { | |
| 472 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; | |
| 473 | } | |
| 474 | ||
| 475 | - if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) { | |
| 476 | - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; | |
| 477 | + if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) { | |
| 478 | + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN; | |
| 479 | } | |
| 480 | ||
| 481 | if (!(flags & NTLMSSP_NEGOTIATE_128)) { | |
| 482 | -- | |
| 483 | 2.8.1 | |
| 484 | ||
| 485 | ||
| 486 | From 71dda1c57c36a9816af7873f169306a766e0284a Mon Sep 17 00:00:00 2001 | |
| 487 | From: Stefan Metzmacher <metze@samba.org> | |
| 488 | Date: Thu, 31 Mar 2016 14:21:12 +0200 | |
| 489 | Subject: [PATCH 08/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial | |
| 490 | require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2 | |
| 491 | MIME-Version: 1.0 | |
| 492 | Content-Type: text/plain; charset=UTF-8 | |
| 493 | Content-Transfer-Encoding: 8bit | |
| 494 | ||
| 495 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
| 496 | ||
| 497 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
| 498 | Reviewed-by: Günther Deschner <gd@samba.org> | |
| 499 | --- | |
| 500 | source3/libsmb/ntlmssp.c | 2 +- | |
| 501 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
| 502 | ||
| 503 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 504 | index 7b17a43..d5c83fd 100644 | |
| 505 | --- a/source3/libsmb/ntlmssp.c | |
| 506 | +++ b/source3/libsmb/ntlmssp.c | |
| 507 | @@ -387,7 +387,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, | |
| 508 | } | |
| 509 | ||
| 510 | if (ntlmssp_state->use_ntlmv2) { | |
| 511 | - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; | |
| 512 | + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2; | |
| 513 | ntlmssp_state->allow_lm_key = false; | |
| 514 | } | |
| 515 | ||
| 516 | -- | |
| 517 | 2.8.1 | |
| 518 | ||
| 519 | ||
| 520 | From 911e171bd6fc66e2960cbcdf8c48f2f97d19313b Mon Sep 17 00:00:00 2001 | |
| 521 | From: Andreas Schneider <asn@cryptomilk.org> | |
| 522 | Date: Thu, 31 Mar 2016 14:30:05 +0200 | |
| 523 | Subject: [PATCH 09/10] CVE-2016-2110: s3:ntlmssp: Change want_fetures to | |
| 524 | require flags | |
| 525 | ||
| 526 | Pair-Programmed-With: Ralph Boehme <slow@samba.org> | |
| 527 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
| 528 | Signed-off-by: Ralph Boehme <slow@samba.org> | |
| 529 | --- | |
| 530 | source3/libsmb/ntlmssp.c | 17 +++++++++++------ | |
| 531 | 1 file changed, 11 insertions(+), 6 deletions(-) | |
| 532 | ||
| 533 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 534 | index d5c83fd..309175b 100644 | |
| 535 | --- a/source3/libsmb/ntlmssp.c | |
| 536 | +++ b/source3/libsmb/ntlmssp.c | |
| 537 | @@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *featur | |
| 538 | * also add NTLMSSP_NEGOTIATE_SEAL here. JRA. | |
| 539 | */ | |
| 540 | if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) { | |
| 541 | - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; | |
| 542 | + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; | |
| 543 | } | |
| 544 | if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) { | |
| 545 | - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; | |
| 546 | + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; | |
| 547 | } | |
| 548 | if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) { | |
| 549 | - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; | |
| 550 | + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; | |
| 551 | } | |
| 552 | if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) { | |
| 553 | ntlmssp_state->use_ccache = true; | |
| 554 | } | |
| 555 | + | |
| 556 | + ntlmssp_state->neg_flags |= ntlmssp_state->required_flags; | |
| 557 | } | |
| 558 | ||
| 559 | /** | |
| 560 | @@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature) | |
| 561 | { | |
| 562 | /* As per JRA's comment above */ | |
| 563 | if (feature & NTLMSSP_FEATURE_SESSION_KEY) { | |
| 564 | - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; | |
| 565 | + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; | |
| 566 | } | |
| 567 | if (feature & NTLMSSP_FEATURE_SIGN) { | |
| 568 | - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; | |
| 569 | + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; | |
| 570 | } | |
| 571 | if (feature & NTLMSSP_FEATURE_SEAL) { | |
| 572 | - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; | |
| 573 | + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; | |
| 574 | + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; | |
| 575 | } | |
| 576 | if (feature & NTLMSSP_FEATURE_CCACHE) { | |
| 577 | ntlmssp_state->use_ccache = true; | |
| 578 | } | |
| 579 | + | |
| 580 | + ntlmssp_state->neg_flags |= ntlmssp_state->required_flags; | |
| 581 | } | |
| 582 | ||
| 583 | /** | |
| 584 | -- | |
| 585 | 2.8.1 | |
| 586 | ||
| 587 | ||
| 588 | From a95a44eff90cdbd42d683567e0d511e9d52026ad Mon Sep 17 00:00:00 2001 | |
| 589 | From: Andreas Schneider <asn@samba.org> | |
| 590 | Date: Thu, 31 Mar 2016 15:02:11 +0200 | |
| 591 | Subject: [PATCH 10/10] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the | |
| 592 | ntlmssp creds cache case | |
| 593 | ||
| 594 | Pair-Programmed-With: Ralph Boehme <slow@samba.org> | |
| 595 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
| 596 | Signed-off-by: Ralph Boehme <slow@samba.org> | |
| 597 | --- | |
| 598 | source3/libsmb/ntlmssp.c | 42 ++++++++++++++++++++---------------------- | |
| 599 | 1 file changed, 20 insertions(+), 22 deletions(-) | |
| 600 | ||
| 601 | diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c | |
| 602 | index 309175b..045dc87 100644 | |
| 603 | --- a/source3/libsmb/ntlmssp.c | |
| 604 | +++ b/source3/libsmb/ntlmssp.c | |
| 605 | @@ -538,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, | |
| 606 | DATA_BLOB encrypted_session_key = data_blob_null; | |
| 607 | NTSTATUS nt_status = NT_STATUS_OK; | |
| 608 | ||
| 609 | + if (!msrpc_parse(ntlmssp_state, &reply, "CdBd", | |
| 610 | + "NTLMSSP", | |
| 611 | + &ntlmssp_command, | |
| 612 | + &server_domain_blob, | |
| 613 | + &chal_flags)) { | |
| 614 | + DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n")); | |
| 615 | + dump_data(2, reply.data, reply.length); | |
| 616 | + | |
| 617 | + return NT_STATUS_INVALID_PARAMETER; | |
| 618 | + } | |
| 619 | + data_blob_free(&server_domain_blob); | |
| 620 | + | |
| 621 | + DEBUG(3, ("Got challenge flags:\n")); | |
| 622 | + debug_ntlmssp_flags(chal_flags); | |
| 623 | + | |
| 624 | + nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags); | |
| 625 | + if (!NT_STATUS_IS_OK(nt_status)) { | |
| 626 | + return nt_status; | |
| 627 | + } | |
| 628 | + | |
| 629 | if (ntlmssp_state->use_ccache) { | |
| 630 | struct wbcCredentialCacheParams params; | |
| 631 | struct wbcCredentialCacheInfo *info = NULL; | |
| 632 | @@ -588,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, | |
| 633 | ||
| 634 | noccache: | |
| 635 | ||
| 636 | - if (!msrpc_parse(ntlmssp_state, &reply, "CdBd", | |
| 637 | - "NTLMSSP", | |
| 638 | - &ntlmssp_command, | |
| 639 | - &server_domain_blob, | |
| 640 | - &chal_flags)) { | |
| 641 | - DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n")); | |
| 642 | - dump_data(2, reply.data, reply.length); | |
| 643 | - | |
| 644 | - return NT_STATUS_INVALID_PARAMETER; | |
| 645 | - } | |
| 646 | - | |
| 647 | if (DEBUGLEVEL >= 10) { | |
| 648 | struct CHALLENGE_MESSAGE *challenge = talloc( | |
| 649 | talloc_tos(), struct CHALLENGE_MESSAGE); | |
| 650 | @@ -615,17 +624,6 @@ noccache: | |
| 651 | } | |
| 652 | } | |
| 653 | ||
| 654 | - data_blob_free(&server_domain_blob); | |
| 655 | - | |
| 656 | - DEBUG(3, ("Got challenge flags:\n")); | |
| 657 | - debug_ntlmssp_flags(chal_flags); | |
| 658 | - | |
| 659 | - nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags); | |
| 660 | - if (!NT_STATUS_IS_OK(nt_status)) { | |
| 661 | - return nt_status; | |
| 662 | - } | |
| 663 | - | |
| 664 | - | |
| 665 | if (ntlmssp_state->unicode) { | |
| 666 | if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) { | |
| 667 | chal_parse_string = "CdUdbddB"; | |
| 668 | -- | |
| 669 | 2.8.1 | |
| 670 |