CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validati...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 7348f80620ee201fa642101081065787d9f56c2f..a6af1d2202051e9d43d8201cfd0d357fc680c3c7 100644 (file)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1707,6 +1707,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
                                                r->out.validation->sam3);
                break;
        case 6:
+               /* Only allow this if the pipe is protected. */
+               if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+                       DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
+                               get_remote_machine_name()));
+                       status = NT_STATUS_INVALID_PARAMETER;
+                       break;
+               }
+
                status = serverinfo_to_SamInfo6(server_info,
                                                r->out.validation->sam6);
                break;