From: Günther Deschner <gd@samba.org>
Date: Tue, 13 Mar 2018 15:56:20 +0000 (+0100)
Subject: CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via... 
X-Git-Tag: samba-4.7.9~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ff1d906d0945c644b964f2e577547927387ac6e;p=thirdparty%2Fsamba.git

CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".

This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.

Found by Vivek Das <vdas@redhat.com> (Red Hat QE).

In order to demonstrate simply run:

smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no

against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---

diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 1c6499bd210..b68e9c87888 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 	   - I think this is related to Win9X pass-though authentication
 	*/
 	DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
-	if (ntlm_auth) {
+	if (ntlm_auth == NTLM_AUTH_ON) {
 		if (smb_pwd_check_ntlmv1(mem_ctx, 
 					 lm_response, 
 					 stored_nt->hash, challenge,
diff --git a/selftest/knownfail b/selftest/knownfail
index 267c928955e..4aa224492ec 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -294,8 +294,9 @@
 ^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
 # fl2000dc doesn't support AES
 ^samba4.krb5.kdc.*as-req-aes.*fl2000dc
-# nt4_member and ad_member don't support ntlmv1
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
 ^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
 #nt-vfs server blocks read with execute access
 ^samba4.smb2.read.access
 #ntvfs server blocks copychunk with execute access on read handle
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
deleted file mode 100644
index c6e6a3739ba..00000000000
--- a/selftest/knownfail.d/ntlm
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(