From: Gary Lockyer Date: Sun, 27 Sep 2020 21:00:54 +0000 (+1300) Subject: CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password X-Git-Tag: talloc-2.3.2~248 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56297c70890287d800e30cf057e4702314261d0b;p=thirdparty%2Fsamba.git CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password Check that an all zero password is rejected, Note this test user ARC4 encryption so that it passes the self encryption test. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett --- diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 6ac550c7012..b0b0f5317ab 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -1431,6 +1431,7 @@ static bool test_SetPassword2_password_encrypts_to_zero( return true; } + /* * Check that an all zero confounder, that encrypts to all zeros is * rejected. @@ -1507,6 +1508,83 @@ static bool test_SetPassword2_confounder( return true; } +/* + * try a change password for our machine account, using an all zero + * request. This should fail on the zero length check. + * + * Note: This test uses ARC4 encryption to exercise the desired check. + */ +static bool test_SetPassword2_all_zeros( + struct torture_context *tctx, + struct dcerpc_pipe *p1, + struct cli_credentials *machine_credentials) +{ + struct netr_ServerPasswordSet2 r; + struct netlogon_creds_CredentialState *creds; + struct samr_CryptPassword password_buf; + struct netr_Authenticator credential, return_authenticator; + struct netr_CryptPassword new_password; + struct dcerpc_pipe *p = NULL; + struct dcerpc_binding_handle *b = NULL; + uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + + if (!test_SetupCredentials2( + p1, + tctx, + flags, + machine_credentials, + cli_credentials_get_secure_channel_type(machine_credentials), + &creds)) + { + return false; + } + if (!test_SetupCredentialsPipe( + p1, + tctx, + machine_credentials, + creds, + DCERPC_SIGN | DCERPC_SEAL, + &p)) + { + return false; + } + b = p->binding_handle; + + r.in.server_name = talloc_asprintf( + tctx, + "\\\\%s", dcerpc_server_name(p)); + r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); + r.in.secure_channel_type = + cli_credentials_get_secure_channel_type(machine_credentials); + r.in.computer_name = TEST_MACHINE_NAME; + r.in.credential = &credential; + r.in.new_password = &new_password; + r.out.return_authenticator = &return_authenticator; + + ZERO_STRUCT(password_buf.data); + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES enabled\n"); + } + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + + memcpy(new_password.data, password_buf.data, 512); + new_password.length = IVAL(password_buf.data, 512); + + torture_comment( + tctx, + "Testing ServerPasswordSet2 on machine account\n"); + + netlogon_creds_client_authenticator(creds, &credential); + + torture_assert_ntstatus_ok( + tctx, + dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r), + "ServerPasswordSet2 zero length check failed"); + torture_assert_ntstatus_equal( + tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, ""); + + return true; +} static bool test_SetPassword2(struct torture_context *tctx, @@ -5679,6 +5757,10 @@ struct torture_suite *torture_rpc_netlogon_zerologon(TALLOC_CTX *mem_ctx) tcase, "test_SetPassword2_confounder", test_SetPassword2_confounder); + torture_rpc_tcase_add_test_creds( + tcase, + "test_SetPassword2_all_zeros", + test_SetPassword2_all_zeros); return suite; }