From d2eee68c8a578275be069637eae7acdaebad41fd Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Thu, 21 Oct 2021 16:46:56 +1300
Subject: [PATCH] CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton
Reviewed-by: Andreas Schneider
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184
(cherry picked from commit c174e9ebe715aad6910d53c1f427a0512c09d651)
---
 python/samba/tests/krb5/kdc_base_test.py | 4 ++++
 python/samba/tests/krb5/raw_testcase.py | 26 ++++++++++++++++++++++++
 python/samba/tests/krb5/s4u_tests.py | 12 +++++++++++
 3 files changed, 42 insertions(+)
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index b24c6376ab0..8ae9c24b0fc 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1337,6 +1337,8 @@ class KDCBaseTest(RawKerberosTest):
 def get_tgt(self, creds, to_rodc=False, kdc_options=None, expected_flags=None, unexpected_flags=None, + expected_account_name=None, + expected_sid=None, pac_request=True, expect_pac=True, fresh=False): user_name = creds.get_username() cache_key = (user_name, to_rodc, kdc_options, pac_request)
@@ -1386,6 +1388,8 @@ class KDCBaseTest(RawKerberosTest):
 expected_cname=cname, expected_srealm=realm, expected_sname=sname, + expected_account_name=expected_account_name, + expected_sid=expected_sid, expected_salt=salt, expected_flags=expected_flags, unexpected_flags=unexpected_flags,
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index f352615db1f..fdf078ea788 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
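Review bot: The two expectations added to get_tgt's signature do not take part in `cache_key = (user_name, to_rodc, kdc_options, pac_request)`, so if a cache hit short-circuits the AS exchange (the body continues past the hunk) a later call passing a different expected_account_name or expected_sid for the same user gets the cached TGT back without the PAC ever being checked against those values. The same already holds for expected_flags, so this may be intentional, but the next reader will not know that from the code; a comment on the cache key such as `# expected_account_name/expected_sid (like expected_flags) are not part of the key: they are only verified on the call that actually fetches the TGT` would settle it, or the two values could be added to the tuple. The second hunk in this file only forwards the same two values and needs nothing further.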
@@ -1984,6 +1984,8 @@ class RawKerberosTest(TestCaseInTempDir):
 expected_anon=False, expected_srealm=None, expected_sname=None, + expected_account_name=None, + expected_sid=None, expected_supported_etypes=None, expected_flags=None, unexpected_flags=None,
@@ -2033,6 +2035,8 @@ class RawKerberosTest(TestCaseInTempDir):
 'expected_anon': expected_anon, 'expected_srealm': expected_srealm, 'expected_sname': expected_sname, + 'expected_account_name': expected_account_name, + 'expected_sid': expected_sid, 'expected_supported_etypes': expected_supported_etypes, 'expected_flags': expected_flags, 'unexpected_flags': unexpected_flags,
@@ -2078,6 +2082,8 @@ class RawKerberosTest(TestCaseInTempDir):
 expected_anon=False, expected_srealm=None, expected_sname=None, + expected_account_name=None, + expected_sid=None, expected_supported_etypes=None, expected_flags=None, unexpected_flags=None,
@@ -2128,6 +2134,8 @@ class RawKerberosTest(TestCaseInTempDir):
 'expected_anon': expected_anon, 'expected_srealm': expected_srealm, 'expected_sname': expected_sname, + 'expected_account_name': expected_account_name, + 'expected_sid': expected_sid, 'expected_supported_etypes': expected_supported_etypes, 'expected_flags': expected_flags, 'unexpected_flags': unexpected_flags,
@@ -2561,6 +2569,9 @@ class RawKerberosTest(TestCaseInTempDir):
 f'expected: {expected_types} ' f'got: {buffer_types}')
+ expected_account_name = kdc_exchange_dict['expected_account_name']
+ expected_sid = kdc_exchange_dict['expected_sid']
+
 for pac_buffer in pac.buffers: if pac_buffer.type == krb5pac.PAC_TYPE_CONSTRAINED_DELEGATION: expected_proxy_target = kdc_exchange_dict[
@@ -2584,6 +2595,17 @@ class RawKerberosTest(TestCaseInTempDir):
 self.assertEqual(account_name, pac_buffer.info.account_name)
+ elif pac_buffer.type == krb5pac.PAC_TYPE_LOGON_INFO:
+ logon_info = pac_buffer.info.info.info3.base
+
+ if expected_account_name is not None:
+ self.assertEqual(expected_account_name,
+ str(logon_info.account_name))
+
+ if expected_sid is not None:
+ expected_rid = int(expected_sid.rsplit('-', 1)[1])
+ self.assertEqual(expected_rid, logon_info.rid)
+
 def generic_check_kdc_error(self, kdc_exchange_dict, callback_dict,
@@ -3548,6 +3570,8 @@ class RawKerberosTest(TestCaseInTempDir):
 etypes, padata, kdc_options, + expected_account_name=None, + expected_sid=None, expected_flags=None, unexpected_flags=None, expected_supported_etypes=None,
@@ -3580,6 +3604,8 @@ class RawKerberosTest(TestCaseInTempDir):
 expected_cname=expected_cname, expected_srealm=expected_srealm, expected_sname=expected_sname, + expected_account_name=expected_account_name, + expected_sid=expected_sid, expected_supported_etypes=expected_supported_etypes, ticket_decryption_key=ticket_decryption_key, generate_padata_fn=generate_padata_fn,
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index ea629d29706..593ef94c910 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -238,6 +238,10 @@ class S4UKerberosTests(KDCBaseTest):
 client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, names=[client_name])
+ samdb = self.get_samdb()
+ client_dn = client_creds.get_dn()
+ sid = self.get_objectSid(samdb, client_dn)
+
 service_name = service_creds.get_username()[:-1] service_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, names=['host', service_name])
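Review bot: The SID check in the new PAC_TYPE_LOGON_INFO branch compares only the RID, `expected_rid = int(expected_sid.rsplit('-', 1)[1])` against `logon_info.rid`, so a PAC whose base info carries the expected RID under a different domain SID still satisfies the test, which is exactly the kind of mismatch a check of who the S4U ticket identifies should catch. The domain part is available next to the RID in the same netr_SamBaseInfo structure, so the check can be completed with `expected_domain_sid, expected_rid = expected_sid.rsplit('-', 1)`, `self.assertEqual(expected_domain_sid, str(logon_info.domain_sid))` and `self.assertEqual(int(expected_rid), logon_info.rid)` (confirm the `domain_sid` attribute name against the samba.dcerpc.netlogon bindings in use). Note also that `int()` on the split turns a non-string or malformed expected_sid into a ValueError rather than an assertion failure; acceptable for a test helper, but a one-line comment saying expected_sid is a string SID would make that explicit. The enclosing PAC-checking method starts before this hunk.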
@@ -279,6 +283,8 @@ class S4UKerberosTests(KDCBaseTest):
 expected_cname=client_cname, expected_srealm=realm, expected_sname=service_sname, + expected_account_name=client_name, + expected_sid=sid, expected_flags=expected_flags, unexpected_flags=unexpected_flags, ticket_decryption_key=service_decryption_key,
@@ -438,6 +444,10 @@ class S4UKerberosTests(KDCBaseTest):
 account_type=self.AccountType.USER, opts=client_opts)
+ samdb = self.get_samdb()
+ client_dn = client_creds.get_dn()
+ sid = self.get_objectSid(samdb, client_dn)
+
 service1_opts = kdc_dict.pop('service1_opts', {}) service2_opts = kdc_dict.pop('service2_opts', {})
@@ -552,6 +562,8 @@ class S4UKerberosTests(KDCBaseTest):
 expected_cname=client_cname, expected_srealm=service2_realm, expected_sname=service2_sname, + expected_account_name=client_username, + expected_sid=sid, expected_supported_etypes=service2_etypes, ticket_decryption_key=service2_decryption_key, check_error_fn=check_error_fn,
--
2.47.2
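Review bot: The three-line SID lookup `samdb = self.get_samdb()`, `client_dn = client_creds.get_dn()`, `sid = self.get_objectSid(samdb, client_dn)` is added verbatim to both the S4U2Self setup (hunk at -238) and the S4U2Proxy setup (hunk at -438); a small helper on KDCBaseTest taking the creds object would keep the two in step as more tests gain this check. The value passed as expected_account_name also differs in spelling between the two call sites (`client_name` at -279, `client_username` at -552), which is presumably just two local names for the same sAMAccountName, but a short comment at each call site stating that the PAC's account_name is compared against the account's sAMAccountName would make the assertion self-explanatory. Both enclosing test methods start before their hunks.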