From: Gary Lockyer Date: Sun, 27 Sep 2020 21:02:16 +0000 (+1300) Subject: CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 zero password X-Git-Tag: talloc-2.3.2~246 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bf1b9885b7ca8f6164e5d9065aceb15a363ea90;p=thirdparty%2Fsamba.git CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 zero password Ensure that a password of all zeros shorter than the maximum length is rejected. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Oct 16 06:09:06 UTC 2020 on sn-devel-184 --- diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 10eba7e430f..7899b987724 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -1508,6 +1508,7 @@ static bool test_SetPassword2_confounder( return true; } + /* * try a change password for our machine account, using an all zero * request. This should fail on the zero length check. @@ -1666,6 +1667,86 @@ static bool test_SetPassword2_maximum_length_password( return true; } +/* + try a change password for our machine account, using a password of + all zeros, and a non zero password length. + + This test relies on the buffer being encrypted with ARC4, to + trigger the appropriate check in the rpc server code +*/ +static bool test_SetPassword2_all_zero_password( + struct torture_context *tctx, + struct dcerpc_pipe *p1, + struct cli_credentials *machine_credentials) +{ + struct netr_ServerPasswordSet2 r; + struct netlogon_creds_CredentialState *creds; + struct samr_CryptPassword password_buf; + struct netr_Authenticator credential, return_authenticator; + struct netr_CryptPassword new_password; + struct dcerpc_pipe *p = NULL; + struct dcerpc_binding_handle *b = NULL; + uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + + if (!test_SetupCredentials2( + p1, + tctx, + flags, + machine_credentials, + cli_credentials_get_secure_channel_type(machine_credentials), + &creds)) + { + return false; + } + if (!test_SetupCredentialsPipe( + p1, + tctx, + machine_credentials, + creds, + DCERPC_SIGN | DCERPC_SEAL, + &p)) + { + return false; + } + b = p->binding_handle; + + r.in.server_name = talloc_asprintf( + tctx, + "\\\\%s", dcerpc_server_name(p)); + r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); + r.in.secure_channel_type = + cli_credentials_get_secure_channel_type(machine_credentials); + r.in.computer_name = TEST_MACHINE_NAME; + r.in.credential = &credential; + r.in.new_password = &new_password; + r.out.return_authenticator = &return_authenticator; + + ZERO_STRUCT(password_buf.data); + SIVAL(password_buf.data, 512, 128); + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES set"); + } + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + + memcpy(new_password.data, password_buf.data, 512); + new_password.length = IVAL(password_buf.data, 512); + + torture_comment( + tctx, + "Testing ServerPasswordSet2 on machine account\n"); + + netlogon_creds_client_authenticator(creds, &credential); + + torture_assert_ntstatus_ok( + tctx, + dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r), + "ServerPasswordSet2 all zero password check failed"); + torture_assert_ntstatus_equal( + tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, ""); + + return true; +} + static bool test_SetPassword2(struct torture_context *tctx, struct dcerpc_pipe *p, @@ -5841,6 +5922,10 @@ struct torture_suite *torture_rpc_netlogon_zerologon(TALLOC_CTX *mem_ctx) tcase, "test_SetPassword2_all_zeros", test_SetPassword2_all_zeros); + torture_rpc_tcase_add_test_creds( + tcase, + "test_SetPassword2_all_zero_password", + test_SetPassword2_all_zero_password); torture_rpc_tcase_add_test_creds( tcase, "test_SetPassword2_maximum_length_password",