The Samba-Bugzilla – Attachment 14030 Details for
Bug 13272
[SECURITY] CVE-2018-1057: Unprivileged user can change any user (and admin) password
CVE-2018-1057-wiki.metze01.txt
CVE-2018-1057-wiki.metze01.txt (text/plain), 2.85 KB, created by
Stefan Metzmacher
on 2018-03-11 22:26:29 UTC
Description: CVE-2018-1057-wiki.metze01.txt
Filename: CVE-2018-1057-wiki.metze01.txt
MIME Type: text/plain
Creator: Stefan Metzmacher
Created: 2018-03-11 22:26:29 UTC
Size: 2.85 KB
== Workarounds ==

=== Revoking the change password right ===

Revoke the change password right for everyone from all user objects (including computers) in the directory. Note that this will prevent users from being able to change their own expired passwords, so the maximum password age should be set to a value that prevents user passwords from expiring while the workaround is in place.

The change password right in AD is an extended object access right with the GUID ab721a53-1e2f-11d0-9819-00aa0040529b. By default every user and computer object in the directory grants the change password right to self and everyone.

The corresponding ACEs are
<pre>
self: (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
world: (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
</pre>
in SDDL. The components of these ACEs are

OA: object access allowed
CR: extended rights
PS, WD: trustee: self, everyone

Of these, the ACE granting the right to everyone (world, WD) must be removed.

The ACL of any object in the Samba directory can be shown as SDDL with

<pre>
# ldbsearch -H /var/lib/samba/private/sam.ldb cn=USER ntSecurityDescriptor
</pre>

Note that the path to '''sam.ldb''' depends on the Samba build configuration.

Alternatively, the ACL can be shown in NDR dump format by appending '''--show-binary''':

<pre>
# ldbsearch -H /var/lib/samba/private/sam.ldb \
    cn=USER ntSecurityDescriptor --show-binary
...
aces: struct security_ace
    type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
    flags                    : 0x00 (0)
           0: SEC_ACE_FLAG_OBJECT_INHERIT
           0: SEC_ACE_FLAG_CONTAINER_INHERIT
           0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
           0: SEC_ACE_FLAG_INHERIT_ONLY
           0: SEC_ACE_FLAG_INHERITED_ACE
        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
           0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
           0: SEC_ACE_FLAG_FAILED_ACCESS
    size                     : 0x0028 (40)
    access_mask              : 0x00000100 (256)
    object                   : union security_ace_object_ctr(case 5)
        object: struct security_ace_object
            flags            : 0x00000001 (1)
                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                   0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
            type             : union security_ace_object_type(case 1)
                type         : ab721a53-1e2f-11d0-9819-00aa0040529b
            inherited_type   : union security_ace_object_inherited_type(case 0)
    trustee                  : S-1-1-0
...
</pre>

To temporarily remove this ACE you can use ldbedit:

<pre>
# ldbedit -H /var/lib/samba/private/sam.ldb cn=USER ntSecurityDescriptor
</pre>

This invokes the configured editor. In the editor search for the string

<pre>
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
</pre>

and remove it (be careful about line wraps). Saving and exiting the editor will apply the change to the directory.
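The manual ldbedit step above is easy to get wrong on a large directory, so here is an added example (not part of the attachment and not Samba's own code) that audits an ntSecurityDescriptor SDDL string for who holds the change-password right and returns the descriptor with only the Everyone (WD) ACE removed. It works on plain strings, so it does not need Samba's Python bindings; the SDDL sample is constructed, modelled on the default self/everyone ACEs the text describes.

```python
import re

# Extended right User-Change-Password; GUID and "CR" token as in the wiki text above.
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
# ADS_RIGHT_DS_CONTROL_ACCESS, the mask bit behind "CR"
# (access_mask 0x00000100 in the --show-binary dump above).
CONTROL_ACCESS = 0x100
_ACE_RE = re.compile(r"\(([^()]*)\)")

def _grants_control_access(rights):
    """True if an SDDL rights field includes CR, as tokens or a hex mask."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    # Rights are concatenated two-letter tokens; split them so that
    # "CCRC" (CC + RC) is not mistaken for CR.
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}

def _is_change_password_ace(fields, trustees=None):
    """fields = (type, flags, rights, object_type, inherited_type, sid); trustees optional."""
    if len(fields) < 6 or fields[0] != "OA":
        return False
    if fields[3].lower() != CHANGE_PASSWORD_GUID or not _grants_control_access(fields[2]):
        return False
    return trustees is None or fields[5] in trustees

def change_password_trustees(sddl):
    """Trustees (SDDL aliases or SIDs) allowed to change the object's password.
    Whitespace and line wraps from ldbsearch/ldbedit output are collapsed first."""
    compact = re.sub(r"\s+", "", sddl)
    return [m.group(1).split(";")[5] for m in _ACE_RE.finditer(compact)
            if _is_change_password_ace(m.group(1).split(";"))]

def remove_world_change_password_ace(sddl):
    """Return the descriptor with the Everyone (WD / S-1-1-0) change-password
    ACE removed; the self (PS) ACE and all other ACEs are kept."""
    compact = re.sub(r"\s+", "", sddl)
    def keep(m):
        fields = m.group(1).split(";")
        return "" if _is_change_password_ace(fields, ("WD", "S-1-1-0")) else m.group(0)
    return _ACE_RE.sub(keep, compact)

# Constructed sample modelled on the defaults described above (not a real dump),
# wrapped across lines the way an editor might show it.
SAMPLE_SDDL = """O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
 (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
 (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(A;;RPLCLORC;;;AU)"""

if __name__ == "__main__":
    print("change password granted to:", change_password_trustees(SAMPLE_SDDL))
    print("hardened:", remove_world_change_password_ace(SAMPLE_SDDL))
```

Running change_password_trustees over every user and computer object before and after the change gives a quick check that PS is still present and WD is gone everywhere.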