The Samba-Bugzilla – Attachment 14362 Details for
Bug 13552
[SECURITY] [CVE-2018-10918] - DsCrackNames on a user without an SPN can trigger NULL-pointer de-reference
[patch]
patch for master
0001-cracknames-Fix-DoS-NULL-pointer-de-ref-when-not-serv.patch (text/plain), 3.31 KB, created by
Andrew Bartlett
on 2018-07-30 03:07:50 UTC
Description:
patch for master
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2018-07-30 03:07:50 UTC
Size:
3.31 KB
>From 9253c4a40f6a15442e91b69338d134fdfba31e27 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 30 Jul 2018 14:00:18 +1200
>Subject: [PATCH] cracknames: Fix DoS (NULL pointer de-ref) when not
> servicePrincipalName is set on a user
>
>This regression was introduced in Samba 4.7 by bug 12842 and in
>master git commit eb2e77970e41c1cb62c041877565e939c78ff52d.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13552
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
>---
> source4/dsdb/samdb/cracknames.c | 8 ++++++-
> source4/torture/drs/python/cracknames.py | 38 ++++++++++++++++++++++++++++++++
> 2 files changed, 45 insertions(+), 1 deletion(-)
>
>diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
>index d8fe0975d15..1f8cad75579 100644
>--- a/source4/dsdb/samdb/cracknames.c
>+++ b/source4/dsdb/samdb/cracknames.c
>@@ -1253,7 +1253,13 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
> return WERR_OK;
> }
> case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
>- if (result->elements[0].num_values > 1) {
>+ struct ldb_message_element *el
>+ = ldb_msg_find_element(result,
>+ "servicePrincipalName");
>+ if (el == NULL) {
>+ info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
>+ return WERR_OK;
>+ } else if (el->num_values > 1) {
> info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
> return WERR_OK;
> }
>diff --git a/source4/torture/drs/python/cracknames.py b/source4/torture/drs/python/cracknames.py
>index d8c8ae53d60..9bf90f9c997 100644
>--- a/source4/torture/drs/python/cracknames.py
>+++ b/source4/torture/drs/python/cracknames.py
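Review bot: The new `el == NULL` branch in `DsCrackNameOneFilter` carries no comment explaining why the attribute is now looked up by name, and that reason is the whole fix: the removed line indexed `result->elements[0]` unconditionally, which per the bug title is a NULL-pointer dereference when the user has no servicePrincipalName. I would add above the lookup `/* A user may have no servicePrincipalName, so never assume result->elements[0] exists */`. The `case` block continues past the end of this hunk; if the code there still reads the value through `result->elements[0]` rather than `el`, it should be switched as well. The other format cases in this function are worth checking for the same positional indexing, since they are not visible here.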
>@@ -149,6 +149,44 @@ class DrsCracknamesTestCase(drs_base.DrsBaseTestCase):
>
> self.ldb_dc1.delete(user)
>
>+ def test_NoSPNAttribute(self):
>+ """
>+ Verifies that, if we try and cracknames with the desired output
>+ being an SPN, it returns
>+ DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE.
>+ """
>+ username = "Cracknames_no_SPN"
>+ user = "cn=%s,%s" % (username, self.ou)
>+
>+ user_record = {
>+ "dn": user,
>+ "objectclass": "user",
>+ "sAMAccountName" : username,
>+ "userPrincipalName" : "test4@test.com",
>+ "displayName" : "test4"}
>+
>+ self.ldb_dc1.add(user_record)
>+
>+ (result, ctr) = self._do_cracknames(user,
>+ drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
>+ drsuapi.DRSUAPI_DS_NAME_FORMAT_GUID)
>+
>+ self.assertEquals(ctr.count, 1)
>+ self.assertEquals(ctr.array[0].status,
>+ drsuapi.DRSUAPI_DS_NAME_STATUS_OK)
>+
>+ user_guid = ctr.array[0].result_name
>+
>+ (result, ctr) = self._do_cracknames(user_guid,
>+ drsuapi.DRSUAPI_DS_NAME_FORMAT_GUID,
>+ drsuapi.DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL)
>+
>+ self.assertEquals(ctr.count, 1)
>+ self.assertEquals(ctr.array[0].status,
>+ drsuapi.DRSUAPI_DS_NAME_STATUS_NOT_FOUND)
>+
>+ self.ldb_dc1.delete(user)
>+
> def _do_cracknames(self, name, format_offered, format_desired):
> req = drsuapi.DsNameRequest1()
> names = drsuapi.DsNameString()
>--
>2.11.0
>
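Review bot: The docstring of `test_NoSPNAttribute` names the wrong status: it says the call returns `DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE`, while the final assertion checks `DRSUAPI_DS_NAME_STATUS_NOT_FOUND`. It also never says that the user is created without a servicePrincipalName, which is the condition under test. Suggested wording: `Verifies that cracking a user with no servicePrincipalName to an SPN returns DRSUAPI_DS_NAME_STATUS_NOT_FOUND.` Separately, the trailing `self.ldb_dc1.delete(user)` is skipped when an assertion fails, so registering `self.addCleanup(self.ldb_dc1.delete, user)` right after `self.ldb_dc1.add(user_record)` would keep the test account from leaking into later tests.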
Flags:
gary
:
review+