The Samba-Bugzilla – Attachment 14028 Details for
Bug 13272
[SECURITY] CVE-2018-1057: Unprivileged user can change any user (and admin) password
script to disable password changes by others
samba_CVE-2018-1057_helper (text/plain), 4.04 KB, created by
Andrew Bartlett
on 2018-03-09 07:04:40 UTC
(
hide
)
Description:
script to disable password changes by others
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2018-03-09 07:04:40 UTC
Size:
4.04 KB
patch
obsolete
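#!/usr/bin/env python
"""Mitigation helper for CVE-2018-1057 (Samba bug 13272).

For every object matched by --filter under --base, find the DACL entries
that grant or deny the change-password control-access right to 'world'
(SID_WORLD) and flip them:

  --lock-pwchange    ACCESS_ALLOWED_OBJECT -> ACCESS_DENIED_OBJECT
                     (mitigation while the server is unpatched)
  --unlock-pwchange  ACCESS_DENIED_OBJECT  -> ACCESS_ALLOWED_OBJECT
                     (restore the default once CVE-2018-1057 is patched)

All security-descriptor writes happen inside a single ldb transaction,
which is cancelled if anything fails part-way.
"""
import optparse
import sys

# Find right directory when running from source tree
sys.path.insert(0, "bin/python")


import samba
import ldb
import urllib
import os
from samba import getopt as options
from samba import sd_utils
from samba.samdb import SamDB
from samba.dcerpc import security, misc
from samba.ndr import ndr_pack, ndr_unpack
from samba.credentials import Credentials
from samba.auth import system_session
from samba.dcerpc.security import (SEC_ACE_TYPE_ACCESS_DENIED_OBJECT,
                                   SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT,
                                   SEC_ACE_OBJECT_TYPE_PRESENT)

# This is the right to change the password (the control-access right GUID
# carried in the ACE's object type field).
pwchange_guid = misc.GUID("ab721a53-1e2f-11d0-9819-00aa0040529b")

# We are only worried about when 'world' has this right
sid_world = security.dom_sid(security.SID_WORLD)

# --scope values accepted on the command line -> ldb scope constants.
_SCOPES = {
    "SUB": ldb.SCOPE_SUBTREE,
    "ONE": ldb.SCOPE_ONELEVEL,
    "BASE": ldb.SCOPE_BASE,
}


def build_parser():
    """Return (parser, sambaopts, credopts) for this helper.

    The Samba option groups are returned alongside the parser because the
    caller needs them to obtain the loadparm context and credentials.
    """
    parser = optparse.OptionParser("samba_CVE-2018-1057_helper")
    sambaopts = options.SambaOptions(parser)
    parser.add_option_group(options.VersionOptions(parser))
    credopts = options.CredentialsOptions(parser)
    parser.add_option_group(credopts)
    parser.add_option("-H", "--URL", help="LDB URL for database",
                      type=str, metavar="URL", dest="url")
    parser.add_option("--lock-pwchange",
                      help="Lock this database against password changes, "
                      "mitigate CVE-2018-1057 (by users other than themselves)",
                      action="store_true")
    parser.add_option("--unlock-pwchange",
                      help="UnLock this database against password changes, "
                      "after CVE-2018-1057 patched (allow changes by other users)",
                      action="store_true")
    parser.add_option("--base", dest="base", default="",
                      help="Pass search base that will build DN list for the first DC.")
    parser.add_option("--scope", dest="scope", default="SUB",
                      help="Pass search scope that builds DN list. Options: SUB, ONE, BASE")
    parser.add_option("--filter", dest="filter", default="(objectClass=user)",
                      help="LDAP filter of objects to lock against password changes")
    return parser, sambaopts, credopts


def parse_scope(name):
    """Map a --scope value (case-insensitive) to an ldb scope constant.

    Raises ValueError for anything other than SUB, ONE or BASE.  The
    original code referenced an undefined ``self`` for BASE and ONE, so
    only SUB ever worked; the lookup table fixes all three.
    """
    try:
        return _SCOPES[name.upper()]
    except KeyError:
        raise ValueError("Wrong 'scope' given. Choose from: SUB, ONE, BASE")


def toggle_world_pwchange(desc, lock):
    """Flip world's change-password object ACEs in *desc*'s DACL in place.

    Only object ACEs whose trustee is SID_WORLD and whose object type is
    the change-password GUID are touched.  With lock=True,
    ACCESS_ALLOWED_OBJECT ACEs become ACCESS_DENIED_OBJECT; with
    lock=False the reverse.  Returns True if at least one ACE changed.
    """
    # A descriptor with no DACL has nothing for us to flip.
    if desc.dacl is None:
        return False
    if lock:
        from_type = SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
        to_type = SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
    else:
        from_type = SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
        to_type = SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT

    changed = False
    for ace in desc.dacl.aces:
        if ace.type != from_type:
            continue
        # Only object ACEs that actually carry an object type can name the
        # change-password right.
        if not (ace.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT):
            continue
        if ace.object.type == pwchange_guid and ace.trustee == sid_world:
            ace.type = to_type
            changed = True
    return changed


def main():
    """Parse options, then lock or unlock world's change-password right."""
    parser, sambaopts, credopts = build_parser()
    opts, args = parser.parse_args()

    if args:
        parser.print_usage()
        sys.exit(1)

    try:
        search_scope = parse_scope(opts.scope)
    except ValueError as e:
        parser.error(str(e))

    # With both flags set the original loop flipped DENIED->ALLOWED and then
    # immediately ALLOWED->DENIED, silently locking everything; reject it.
    if opts.lock_pwchange and opts.unlock_pwchange:
        parser.error("--lock-pwchange and --unlock-pwchange are mutually exclusive")
    if not opts.lock_pwchange and not opts.unlock_pwchange:
        parser.error("Neither --lock-pwchange nor --unlock-pwchange specified")

    lp_ctx = sambaopts.get_loadparm()
    creds = credopts.get_credentials(lp_ctx)
    sam_ldb = SamDB(opts.url, session_info=system_session(),
                    credentials=creds, lp=lp_ctx)
    sd_helper = samba.sd_utils.SDUtils(sam_ldb)

    # An empty --base means "use the database default"; the original used
    # ``is ""`` which is an identity test, not a string comparison.
    base_dn = opts.base or None

    sam_ldb.transaction_start()
    try:
        res = sam_ldb.search(base=base_dn, expression=opts.filter,
                             scope=search_scope,
                             attrs=["ntSecurityDescriptor"])

        for msg in res:
            desc = ndr_unpack(security.descriptor, msg["ntSecurityDescriptor"][0])
            if toggle_world_pwchange(desc, lock=bool(opts.lock_pwchange)):
                sd_helper.modify_sd_on_dn(msg.dn, desc)
                print("Modified change-password ACL right for world on: %s" % msg.dn)
    except Exception:
        # Never leave a half-applied set of ACL changes behind.
        sam_ldb.transaction_cancel()
        raise

    sam_ldb.transaction_commit()


if __name__ == "__main__":
    main()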