From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 30 May 2022 07:18:17 +0000 (+1200)
Subject: CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
X-Git-Tag: samba-4.17.0rc1~280
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ffb599050ae2c1b9d0746addfdac1e41866aa819;p=thirdparty%2Fsamba.git

CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life

For Heimdal, this now matches the behaviour of Windows. The object of
this requirement is to ensure we don't allow kpasswd tickets, not having
a lifetime of more than two minutes, to be passed off as TGTs.

An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer
suffices to prevent kpasswd ticket misuse, so this is just an additional
precaution on top.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
---

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index ec0dd106f0f..5321b109fc6 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -58,7 +58,6 @@
 # Kpasswd tests
 #
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index d1825c2902c..a3f33f5d64f 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -415,6 +415,32 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
 				krbtgt = &signing_krbtgt_hdb;
 			}
 		}
+	} else if (!krbtgt_skdc_entry->is_trust) {
+		/*
+		 * We expect to have received a TGT, so check that we haven't
+		 * been given a kpasswd ticket instead. We don't need to do this
+		 * check for an incoming trust, as they use a different secret
+		 * and can't be confused with a normal TGT.
+		 */
+		krb5_ticket *tgt = kdc_request_get_ticket(r);
+
+		struct timeval now = krb5_kdc_get_time();
+
+		/*
+		 * Check if the ticket is in the last two minutes of its
+		 * life.
+		 */
+		KerberosTime lifetime = rk_time_sub(tgt->ticket.endtime, now.tv_sec);
+		if (lifetime <= CHANGEPW_LIFETIME) {
+			/*
+			 * This ticket has at most two minutes left to live. It
+			 * may be a kpasswd ticket rather than a TGT, so don't
+			 * accept it.
+			 */
+			kdc_audit_addreason((kdc_request_t)r,
+					    "Ticket is not a ticket-granting ticket");
+			return KRB5KRB_AP_ERR_TKT_EXPIRED;
+		}
 	}
 
 	ret = samba_wdc_reget_pac2(r,