From: Joseph Sutton
Date: Wed, 18 May 2022 04:52:41 +0000 (+1200)
Subject: CVE-2022-2031 s4:kpasswd: Require an initial ticket
X-Git-Tag: samba-4.17.0rc1~289
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ce3b7b27a370e1f1299e8a60bf776082e2057a87;p=thirdparty%2Fsamba.git

CVE-2022-2031 s4:kpasswd: Require an initial ticket

Ensure that for password changes the client uses an AS-REQ to get the ticket to kpasswd, and not a TGS-REQ.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton
Reviewed-by: Andreas Schneider
---

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 3a45c91320a..ee22fcf688e 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -60,7 +60,6 @@
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index a1059a54b81..4059f2210f4 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -438,7 +438,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20
index c4f2ea2def7..ea9de50ff52 100644
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -18,6 +18,7 @@
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc
diff --git a/source4/kdc/kpasswd-service-heimdal.c b/source4/kdc/kpasswd-service-heimdal.c
index 21596d8d8a4..7ddf1af148e 100644
--- a/source4/kdc/kpasswd-service-heimdal.c
+++ b/source4/kdc/kpasswd-service-heimdal.c
@@ -24,6 +24,7 @@
 #include "param/param.h"
 #include "auth/auth.h"
 #include "auth/gensec/gensec.h"
+#include "gensec_krb5_helpers.h"
 #include "kdc/kdc-server.h"
 #include "kdc/kpasswd_glue.h"
 #include "kdc/kpasswd-service.h"
@@ -31,6 +32,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 TALLOC_CTX *mem_ctx,
+ const struct gensec_security *gensec_security,
 struct auth_session_info *session_info,
 DATA_BLOB *password,
 DATA_BLOB *kpasswd_reply,
@@ -42,6 +44,17 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 const char *reject_string = NULL;
 struct samr_DomInfo1 *dominfo;
 bool ok;
+ int ret;
+
+ /*
+ * We're doing a password change (rather than a password set), so check
+ * that we were given an initial ticket.
+ */
+ ret = gensec_krb5_initial_ticket(gensec_security);
+ if (ret != 1) {
+ *error_string = "Expected an initial ticket";
+ return KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
+ }
 status = samdb_kpasswd_change_password(mem_ctx,
 kdc->task->lp_ctx,
@@ -80,6 +93,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
 TALLOC_CTX *mem_ctx,
+ const struct gensec_security *gensec_security,
 struct auth_session_info *session_info,
 DATA_BLOB *decoded_data,
 DATA_BLOB *kpasswd_reply,
@@ -172,6 +186,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
 free_ChangePasswdDataMS(&chpw);
 return kpasswd_change_password(kdc,
 mem_ctx,
+ gensec_security,
 session_info,
 &password,
 kpasswd_reply,
@@ -271,6 +286,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
 return kpasswd_change_password(kdc,
 mem_ctx,
+ gensec_security,
 session_info,
 &password,
 kpasswd_reply,
@@ -279,6 +295,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
 case KRB5_KPASSWD_VERS_SETPW: {
 return kpasswd_set_password(kdc,
 mem_ctx,
+ gensec_security,
 session_info,
 decoded_data,
 kpasswd_reply,
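Review bot: The new guard in kpasswd_change_password (hunk @@ -42,6 +44,17 @@) treats every result of gensec_krb5_initial_ticket() other than 1 as "not an initial ticket", so a case where the flag cannot be determined at all (the helper presumably reports that with a negative value — confirm against gensec_krb5_helpers.c) is answered with KRB5_KPASSWD_INITIAL_FLAG_NEEDED and the text "Expected an initial ticket", which misdescribes the failure to the client. Splitting the two cases keeps the error honest: `if (ret < 0) { *error_string = "Failed to check for an initial ticket"; return KRB5_KPASSWD_HARDERROR; }` placed before the existing `if (ret != 1)` check. The rejection is also silent on the server side; a `DBG_WARNING("kpasswd: password change attempted without an initial ticket\n");` (using whatever debug macro this file already uses) next to the return would let operators see this class of request in the logs. The MIT backend carries the same guard in its @@ -95,6 +97,17 @@ hunk and would want the same two changes. The body of kpasswd_change_password continues outside the hunk.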
diff --git a/source4/kdc/kpasswd-service-mit.c b/source4/kdc/kpasswd-service-mit.c
index 26b62162e68..fe24693139c 100644
--- a/source4/kdc/kpasswd-service-mit.c
+++ b/source4/kdc/kpasswd-service-mit.c
@@ -24,6 +24,7 @@
 #include "param/param.h"
 #include "auth/auth.h"
 #include "auth/gensec/gensec.h"
+#include "gensec_krb5_helpers.h"
 #include "kdc/kdc-server.h"
 #include "kdc/kpasswd_glue.h"
 #include "kdc/kpasswd-service.h"
@@ -84,6 +85,7 @@ out:
 static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 TALLOC_CTX *mem_ctx,
+ const struct gensec_security *gensec_security,
 struct auth_session_info *session_info,
 DATA_BLOB *password,
 DATA_BLOB *kpasswd_reply,
@@ -95,6 +97,17 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 const char *reject_string = NULL;
 struct samr_DomInfo1 *dominfo;
 bool ok;
+ int ret;
+
+ /*
+ * We're doing a password change (rather than a password set), so check
+ * that we were given an initial ticket.
+ */
+ ret = gensec_krb5_initial_ticket(gensec_security);
+ if (ret != 1) {
+ *error_string = "Expected an initial ticket";
+ return KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
+ }
 status = samdb_kpasswd_change_password(mem_ctx,
 kdc->task->lp_ctx,
@@ -133,6 +146,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
 TALLOC_CTX *mem_ctx,
+ const struct gensec_security *gensec_security,
 struct auth_session_info *session_info,
 DATA_BLOB *decoded_data,
 DATA_BLOB *kpasswd_reply,
@@ -249,6 +263,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
 return kpasswd_change_password(kdc,
 mem_ctx,
+ gensec_security,
 session_info,
 &password,
 kpasswd_reply,
@@ -349,6 +364,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
 return kpasswd_change_password(kdc,
 mem_ctx,
+ gensec_security,
 session_info,
 &password,
 kpasswd_reply,
@@ -357,6 +373,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
 case RFC3244_VERSION: {
 return kpasswd_set_password(kdc,
 mem_ctx,
+ gensec_security,
 session_info,
 decoded_data,
 kpasswd_reply,
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 5c16e68ee0a..0c902f50534 100644
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -85,6 +85,7 @@ bld.SAMBA_SUBSYSTEM('KPASSWD-SERVICE',
 krb5samba
 samba_server_gensec
 KPASSWD_GLUE
+ gensec_krb5_helpers
 ''')
 bld.SAMBA_SUBSYSTEM('KDC-GLUE',