From: Stefan Metzmacher <metze@samba.org>
Date: Sun, 28 Feb 2016 21:48:11 +0000 (+0100)
Subject: CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
X-Git-Tag: samba-4.2.10~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3410c21cfe1dbbbabde4939c8cc1e02b2d99d49f;p=thirdparty%2Fsamba.git

CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...

This requires transport encryption.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---

diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 3f763781948..a992120bc04 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -4321,11 +4321,20 @@ static NTSTATUS dcesrv_samr_ValidatePassword(struct dcesrv_call_state *dce_call,
 	NTSTATUS status;
 	enum dcerpc_transport_t transport =
 		dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
+	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
 
 	if (transport != NCACN_IP_TCP && transport != NCALRPC) {
 		DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
 	}
 
+	if (dce_call->conn->auth_state.auth_info != NULL) {
+		auth_level = dce_call->conn->auth_state.auth_info->auth_level;
+	}
+
+	if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+		DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
+	}
+
 	(*r->out.rep) = talloc_zero(mem_ctx, union samr_ValidatePasswordRep);
 
 	r2.in.domain_name = NULL;