CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
authorStefan Metzmacher <metze@samba.org>
Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 28 Mar 2016 22:42:18 +0000 (00:42 +0200)
This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/netlogon/dcerpc_netlogon.c

index 0523dd4f0bb1a5a033d51fef908fb4c96ec61eac..14811b51d23f90bcbc80fc53a0aa328eb1855f9a 100644 (file)
@@ -739,6 +739,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_check(const struct netr_LogonSamLogonE
 static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                                        struct netr_LogonSamLogonEx *r, struct netlogon_creds_CredentialState *creds)
 {
+       struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+       const char *workgroup = lpcfg_workgroup(lp_ctx);
        struct auth4_context *auth_context;
        struct auth_usersupplied_info *user_info;
        struct auth_user_info_dc *user_info_dc;
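Review bot: The two locals added at the top of dcesrv_netr_LogonSamLogon_base have no comment saying why the configured workgroup is needed, and its only visible use is the `NTLMv2_RESPONSE_verify_netlogon_creds(..., creds, workgroup)` call in the second hunk. I would add a short comment above `workgroup`, for example `/* our workgroup: passed to NTLMv2_RESPONSE_verify_netlogon_creds() for the SEC_CHAN_WKSTA check (CVE-2016-2111) */`. How the verifier treats a NULL or empty workgroup is not visible on this page, so it is worth confirming that a misconfigured value fails closed rather than weakening the check. The function body continues outside this hunk.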
@@ -809,6 +811,13 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
                user_info->password.response.lanman = data_blob_talloc(mem_ctx, r->in.logon->network->lm.data, r->in.logon->network->lm.length);
                user_info->password.response.nt = data_blob_talloc(mem_ctx, r->in.logon->network->nt.data, r->in.logon->network->nt.length);
 
+               nt_status = NTLMv2_RESPONSE_verify_netlogon_creds(
+                                       user_info->client.account_name,
+                                       user_info->client.domain_name,
+                                       user_info->password.response.nt,
+                                       creds, workgroup);
+               NT_STATUS_NOT_OK_RETURN(nt_status);
+
                break;