CVE-2022-32743 s4:rpc_server/netlogon: Reconnect to samdb as workstation account
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 9 Jun 2022 07:46:07 +0000 (19:46 +1200)
committerDouglas Bagnall <dbagnall@samba.org>
Thu, 28 Jul 2022 23:41:27 +0000 (23:41 +0000)
This ensures that the database update can be attributed to the
workstation account, rather than to the anonymous SID, in the audit
logs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 28 23:41:27 UTC 2022 on sn-devel-184

source4/rpc_server/netlogon/dcerpc_netlogon.c

index 15cd27b16f04ae895552c957d75eb9c5825c6073..12ad78036d00f6802896966374ef56d71292796e 100644 (file)
@@ -2422,6 +2422,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
        struct ldb_dn *workstation_dn;
        struct netr_DomainInformation *domain_info;
        struct netr_LsaPolicyInformation *lsa_policy_info;
+       struct auth_session_info *workstation_session_info = NULL;
        uint32_t default_supported_enc_types = 0xFFFFFFFF;
        bool update_dns_hostname = true;
        int ret, i;
@@ -2468,6 +2469,33 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
                                                dom_sid_string(mem_ctx, creds->sid));
                NT_STATUS_HAVE_NO_MEMORY(workstation_dn);
 
+               /* Get the workstation's session info from the database. */
+               status = authsam_get_session_info_principal(mem_ctx,
+                                                           dce_call->conn->dce_ctx->lp_ctx,
+                                                           sam_ctx,
+                                                           NULL, /* principal */
+                                                           workstation_dn,
+                                                           0, /* session_info_flags */
+                                                           &workstation_session_info);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+
+               /*
+                * Reconnect to samdb as the workstation, now that we have its
+                * session info. We do this so the database update can be
+                * attributed to the workstation account in the audit logs --
+                * otherwise it might be incorrectly attributed to
+                * SID_NT_ANONYMOUS.
+                */
+               sam_ctx = dcesrv_samdb_connect_session_info(mem_ctx,
+                                                           dce_call,
+                                                           workstation_session_info,
+                                                           workstation_session_info);
+               if (sam_ctx == NULL) {
+                       return NT_STATUS_INVALID_SYSTEM_SERVICE;
+               }
+
                /* Lookup for attributes in workstation object */
                ret = gendb_search_dn(sam_ctx, mem_ctx, workstation_dn, &res1,
                                      attrs2);
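Review bot: From the reassignment at `sam_ctx = dcesrv_samdb_connect_session_info(...)` onward, every use of `sam_ctx` in this function — the `gendb_search_dn` read of `attrs2` here and the update governed by `update_dns_hostname` further down, outside the hunk — runs under the workstation's own token rather than the connection the function opened earlier, so it is subject to whatever access checks that token passes, while the commit message and the inline comment only mention audit attribution. The `0, /* session_info_flags */` argument decides what that token contains and deserves a sentence, e.g. `/* Flags 0: session info built from the account's own SIDs only; the read and modify below are evaluated as the workstation, not as system. */` (the exact effect of 0 should be confirmed against authsam_get_session_info_principal). If any attribute in `attrs2` is one the workstation cannot read on its own object, this reconnect would silently change what `res1` returns and thus the later update; a test that the workstation-scoped read yields the same attributes as the previous connection would pin that. dcesrv_netr_LogonGetDomainInfo starts before this hunk and continues past it.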