The Samba-Bugzilla – Attachment 13590 Details for
Bug 12994
Missing LDAP query escapes in DNS rpc server
[patch]
proposed patch for master
ldap-injection-dns.patch.txt (text/plain), 4.81 KB, created by
Andrew Bartlett
on 2017-09-13 08:48:01 UTC
Description:
proposed patch for master
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2017-09-13 08:48:01 UTC
Size:
4.81 KB
>From 854c92c5885655cd967dd5895dc6c07952cfc686 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 29 Aug 2017 11:48:46 +1200
>Subject: [PATCH 1/2] s4-dnsserver: Always encode user-supplied names when
> looking up DNS records
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12994
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 15 ++++++++++++---
> source4/rpc_server/dnsserver/dnsdb.c | 7 +++++--
> 2 files changed, 17 insertions(+), 5 deletions(-)
>
>diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>index 286da18..120d4b9 100644
>--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>@@ -1674,10 +1674,13 @@ static WERROR dnsserver_enumerate_root_records(struct dnsserver_state *dsstate,
> /* Add any additional records */
> if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
> for (i=0; i<add_count; i++) {
>+ char *encoded_name
>+ = ldb_binary_encode_string(tmp_ctx,
>+ add_names[i]);
> ret = ldb_search(dsstate->samdb, tmp_ctx, &res, z->zone_dn,
> LDB_SCOPE_ONELEVEL, attrs,
> "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))",
>- add_names[i]);
>+ encoded_name);
> if (ret != LDB_SUCCESS || res->count == 0) {
> talloc_free(res);
> continue;
>@@ -1744,10 +1747,12 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
> LDB_SCOPE_ONELEVEL, attrs,
> "(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))");
> } else {
>+ char *encoded_name
>+ = ldb_binary_encode_string(tmp_ctx, name);
> ret = ldb_search(dsstate->samdb, tmp_ctx, &res, z->zone_dn,
> LDB_SCOPE_ONELEVEL, attrs,
> "(&(objectClass=dnsNode)(|(name=%s)(name=*.%s))(!(dNSTombstoned=TRUE)))",
>- name, name);
>+ encoded_name, encoded_name);
> }
> if (ret != LDB_SUCCESS) {
> talloc_free(tmp_ctx);
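Review bot: `encoded_name` reaches the `%s` in the search filter without a NULL test in the `@@ -1674` hunk of dnsserver_enumerate_root_records, and ldb_binary_encode_string() can return NULL (allocation failure, or a NULL input). Passing NULL to `%s` is undefined behaviour, and where the C library prints `(null)` the search runs with a filter nobody intended. Test `if (encoded_name == NULL)` straight after the call and fail the request with the function's out-of-memory error, freeing `tmp_ctx` first as the other error paths do. The same missing check applies to the other four encode sites in this patch: the `@@ -1744` and `@@ -1818` hunks in this file, and the `@@ -364` and `@@ -642` hunks in dnsdb.c. The loop body continues outside the hunk.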
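Review bot: The filter in the `else` branch of dnsserver_enumerate_records (`@@ -1744` hunk) now combines an intentional wildcard, the literal `*.` in the format string, with an escaped caller-supplied value, and no comment records that distinction. A one-line comment above the search would keep a later edit from dropping the encoding, for example `/* name is caller-supplied: encode it so the only wildcard is the literal "*." in the filter */`. The enclosing function starts and ends outside the hunk.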
>@@ -1818,11 +1823,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
>
> /* Search all the available zones for additional name */
> for (z2 = dsstate->zones; z2; z2 = z2->next) {
>+ char *encoded_name;
> name = dns_split_node_name(tmp_ctx, add_names[i], z2->name);
>+ encoded_name
>+ = ldb_binary_encode_string(tmp_ctx,
>+ name);
> ret = ldb_search(dsstate->samdb, tmp_ctx, &res, z2->zone_dn,
> LDB_SCOPE_ONELEVEL, attrs,
> "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))",
>- name);
>+ encoded_name);
> talloc_free(name);
> if (ret != LDB_SUCCESS) {
> continue;
>diff --git a/source4/rpc_server/dnsserver/dnsdb.c b/source4/rpc_server/dnsserver/dnsdb.c
>index da37878..f937de9 100644
>--- a/source4/rpc_server/dnsserver/dnsdb.c
>+++ b/source4/rpc_server/dnsserver/dnsdb.c
>@@ -364,10 +364,12 @@ WERROR dnsserver_db_add_empty_node(TALLOC_CTX *mem_ctx,
> const char * const attrs[] = { "name", NULL };
> struct ldb_result *res;
> struct ldb_dn *dn;
>+ char *encoded_name = ldb_binary_encode_string(mem_ctx, name);
> int ret;
>
> ret = ldb_search(samdb, mem_ctx, &res, z->zone_dn, LDB_SCOPE_BASE, attrs,
>- "(&(objectClass=dnsNode)(name=%s))", name);
>+ "(&(objectClass=dnsNode)(name=%s))",
>+ encoded_name);
> if (ret != LDB_SUCCESS) {
> return WERR_INTERNAL_DB_ERROR;
> }
>@@ -642,7 +644,8 @@ WERROR dnsserver_db_delete_record(TALLOC_CTX *mem_ctx,
> }
>
> ret = ldb_search(samdb, mem_ctx, &res, z->zone_dn, LDB_SCOPE_ONELEVEL, attrs,
>- "(&(objectClass=dnsNode)(name=%s))", name);
>+ "(&(objectClass=dnsNode)(name=%s))",
>+ ldb_binary_encode_string(mem_ctx, name));
> if (ret != LDB_SUCCESS) {
> return WERR_INTERNAL_DB_ERROR;
> }
>--
>2.9.5
>
>
>From 9963afcb0fa0b33f92bff84d6fb01d8a832a8a0e Mon Sep 17 00:00:00 2001
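Review bot: In the zone loop of dnsserver_enumerate_records (`@@ -1818` hunk), `name` is released with `talloc_free(name)` after the search but the new `encoded_name` is left on `tmp_ctx`. One encoded copy per zone and per additional name therefore accumulates until `tmp_ctx` itself is freed. Adding `talloc_free(encoded_name);` beside the existing free keeps the two allocations paired. The loop and the function continue outside the hunk.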
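Review bot: Both new encode calls in dnsdb.c allocate on the caller's `mem_ctx`, and nothing in the visible lines frees the result. dnsserver_db_add_empty_node (`@@ -364` hunk) keeps it in `encoded_name`, while dnsserver_db_delete_record (`@@ -642` hunk) passes `ldb_binary_encode_string(mem_ctx, name)` directly as the format argument, so the string can be neither checked nor released. How long `mem_ctx` lives is not visible here. Binding the result to a local in the delete path too, then calling `talloc_free(encoded_name);` once ldb_search() has returned, would keep the string's lifetime inside each function. Both functions continue outside their hunks.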
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 29 Aug 2017 14:19:22 +1200
>Subject: [PATCH 2/2] s4-dnsserver: Check for too many DNS results
>
>If we had this check in when the wildcard DNS tests were written, we would have
>noticed that the name needed to be escaped (see previous commit).
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12994
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> source4/rpc_server/dnsserver/dnsdb.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/source4/rpc_server/dnsserver/dnsdb.c b/source4/rpc_server/dnsserver/dnsdb.c
>index f937de9..3ba4759 100644
>--- a/source4/rpc_server/dnsserver/dnsdb.c
>+++ b/source4/rpc_server/dnsserver/dnsdb.c
>@@ -653,6 +653,9 @@ WERROR dnsserver_db_delete_record(TALLOC_CTX *mem_ctx,
> if (res->count == 0) {
> return WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST;
> }
>+ if (res->count > 1) {
>+ return WERR_DNS_ERROR_RCODE_SERVER_FAILURE;
>+ }
>
> el = ldb_msg_find_element(res->msgs[0], "dnsRecord");
> if (el == NULL || el->num_values == 0) {
>--
>2.9.5
>
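Review bot: The new `res->count > 1` branch in dnsserver_db_delete_record returns WERR_DNS_ERROR_RCODE_SERVER_FAILURE without logging anything. The commit message says this condition would have exposed the unescaped filter, yet it leaves no trace on the server. A log line before the return, such as `DEBUG(0, ("dnsserver: %u dnsNode entries matched a single-name delete\n", res->count));`, tells operators that the zone holds duplicate nodes or that a filter matched more than intended. The function continues outside the hunk.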