From: Stefan Metzmacher
Date: Tue, 14 Jul 2015 07:13:00 +0000 (+0200)
Subject: CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
X-Git-Tag: samba-4.2.10~116
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08ca648a237ffce5e18935c2360302d8dcb22a98;p=thirdparty%2Fsamba.git

CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY

This is required for the whole interface (which has just one opnum for now).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 9dea3d6357e..4037d18edf0 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -54,6 +54,14 @@ static const AlgorithmIdentifier _hx509_signature_rsa_with_var_num = {
 { 7, discard_const_p(unsigned, rsa_with_var_num) }, NULL
 };
 
+#define DCESRV_INTERFACE_BACKUPKEY_BIND(call, iface) \
+ dcesrv_interface_backupkey_bind(call, iface)
+static NTSTATUS dcesrv_interface_backupkey_bind(struct dcesrv_call_state *dce_call,
+ const struct dcesrv_interface *iface)
+{
+ return dcesrv_interface_bind_require_privacy(dce_call, iface);
+}
+
 static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx,
 struct ldb_context *ldb,
 const char *name,
@@ -1791,11 +1799,6 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call,
 return WERR_NOT_SUPPORTED;
 }
 
- if (!dce_call->conn->auth_state.auth_info ||
- dce_call->conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
- DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
- }
-
 ldb_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
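Review bot: The new `DCESRV_INTERFACE_BACKUPKEY_BIND` define and `dcesrv_interface_backupkey_bind()` in the first hunk have no comment saying that they are now the only place the privacy requirement is enforced, since the second hunk removes the per-call `auth_level != DCERPC_AUTH_LEVEL_PRIVACY` check from `dcesrv_bkrp_BackupKey`. The code that consumes the macro is not visible in this diff; if it is picked up by generated server boilerplate through an `#ifdef` (presumably), a misspelled name or a define placed after that boilerplate would leave the interface without the check and nothing would fail to compile. I would add above the define `/* Bind-time hook: the whole backupkey interface requires DCERPC_AUTH_LEVEL_PRIVACY; dcesrv_bkrp_BackupKey no longer checks the auth level itself. */`. A regression test that binds at a lower auth level and expects the bind to be rejected would keep this from silently reverting to fail-open.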