From f545142380151a626848dbae9ee746167f3299fa Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 7 Jun 2022 17:29:02 +1200
Subject: [PATCH] CVE-2022-32743 s4:rpc_server/netlogon: Connect to samdb as a user, rather than as system

This allows us to perform validation on a client-specified dNSHostName value, to ensure that it matches the sAMAccountName. We might not have any rights to modify the account, so pass the control FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE which allows us to perform a validated write to dNSHostName and servicePrincipalName (and unvalidated writes to other attributes, such as operatingSystem).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833
Signed-off-by: Joseph Sutton
Reviewed-by: Douglas Bagnall
---
 selftest/knownfail.d/netlogon-dns-host-name | 17 ++---------------
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 5 +++--
 2 files changed, 5 insertions(+), 17 deletions(-)

diff --git a/selftest/knownfail.d/netlogon-dns-host-name b/selftest/knownfail.d/netlogon-dns-host-name
index 30c157fb8d3..3eca0cd3f75 100644
--- a/selftest/knownfail.d/netlogon-dns-host-name
+++ b/selftest/knownfail.d/netlogon-dns-host-name
@@ -1,15 +1,2 @@
-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_suffix\(
-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_validated_write\(
-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_write_property\(
-^samba4.rpc.netlogon on ncacn_ip_tcp with bigendian.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_ip_tcp with seal,padcheck.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_ip_tcp with validate.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_np with bigendian.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_np with seal,padcheck.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_np with validate.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncalrpc with bigendian.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncalrpc with seal,padcheck.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncalrpc with validate.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon with bigendian.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon with seal,padcheck.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon with validate.netlogon.GetDomainInfo\(
+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_valid\(
+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_valid_denied\(
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index efba0138838..15cd27b16f0 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2450,7 +2450,8 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 }
 NT_STATUS_NOT_OK_RETURN(status);
- sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
+ /* We want to avoid connecting as system. */
+ sam_ctx = dcesrv_samdb_connect_as_user(mem_ctx, dce_call);
 if (sam_ctx == NULL) {
 return NT_STATUS_INVALID_SYSTEM_SERVICE;
 }
@@ -2607,7 +2608,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 }
 }
- if (dsdb_replace(sam_ctx, new_msg, 0) != LDB_SUCCESS) {
+ if (dsdb_replace(sam_ctx, new_msg, DSDB_FLAG_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE) != LDB_SUCCESS) {
 DEBUG(3,("Impossible to update samdb: %s\n", ldb_errstring(sam_ctx)));
 }
-- 
2.47.3
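Review bot: The comment added above the `dcesrv_samdb_connect_as_user()` call in the first hunk says what is avoided but not why, and the reason is recorded only in the commit message. Something like `/* Connect as the caller, not as system, so that the client-specified dNSHostName is validated against the sAMAccountName. */` would keep the security rationale in the source, next to the call a later change might be tempted to revert. Every later use of `sam_ctx` in dcesrv_netr_LogonGetDomainInfo now runs with the caller's rights too. Most of that body lies outside this hunk, so it should be confirmed that no search or update there relied on system access.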
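Review bot: The `dsdb_replace()` call in the second hunk now passes a flag that, per the commit message, also permits unvalidated writes to other attributes such as operatingSystem, but nothing at the call site records that. A comment such as `/* We may lack write access: force a validated write of dNSHostName and servicePrincipalName; other attributes in new_msg are written unvalidated. */` would warn whoever next adds an element to `new_msg`, which is built outside this hunk. A client-supplied dNSHostName that fails validation would presumably surface here as an ordinary failure, yet it is still reported only through `DEBUG(3, ...)`, and within the visible lines the function carries on. A more visible log level for this path would help detection. The new line also runs well past 80 columns and could be wrapped after `new_msg,`.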