From 96b169b99384e5914177a65ccef1695cd9fa9b44 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 18 Aug 2018 15:32:43 +0300 Subject: [PATCH 1/5] CVE-2018-16853: Fix kinit test on system lacking ldbsearch By fixing bindir variable name. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- testprogs/blackbox/test_kinit_mit.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh index 3e07281b8c7..35c08b0c866 100755 --- a/testprogs/blackbox/test_kinit_mit.sh +++ b/testprogs/blackbox/test_kinit_mit.sh @@ -32,13 +32,13 @@ samba_enableaccount="$samba_tool user enable" machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache" ldbmodify="ldbmodify" -if [ -x "$samba4bindir/ldbmodify" ]; then - ldbmodify="$samba4bindir/ldbmodify" +if [ -x "$samba_bindir/ldbmodify" ]; then + ldbmodify="$samba_bindir/ldbmodify" fi ldbsearch="ldbsearch" -if [ -x "$samba4bindir/ldbsearch" ]; then - ldbsearch="$samba4bindir/ldbsearch" +if [ -x "$samba_bindir/ldbsearch" ]; then + ldbsearch="$samba_bindir/ldbsearch" fi . `dirname $0`/subunit.sh -- 2.19.1 From 7026e907d7cb459b815c9ab9cee443893bf3c795 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 18 Aug 2018 00:40:30 +0300 Subject: [PATCH 2/5] CVE-2018-16853: The ticket in check_policy_as can actually be a TGS This happens when we are called from S4U2Self flow, and in that case kdcreq->client is NULL. Use the name from client entry instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- source4/kdc/mit-kdb/kdb_samba_policies.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index de5813bde2f..81ac73582e0 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -81,6 +81,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, char *netbios_name = NULL; char *realm = NULL; bool password_change = false; + krb5_const_principal client_princ; DATA_BLOB int_data = { NULL, 0 }; krb5_data d; krb5_pa_data **e_data; @@ -90,7 +91,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, return KRB5_KDB_DBNOTINITED; } - if (ks_is_kadmin(context, kdcreq->client)) { + /* Prefer canonicalised name from client entry */ + client_princ = client ? client->princ : kdcreq->client; + + if (client_princ == NULL || ks_is_kadmin(context, client_princ)) { return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; } @@ -111,7 +115,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, goto done; } - code = krb5_unparse_name(context, kdcreq->client, &client_name); + code = krb5_unparse_name(context, client_princ, &client_name); if (code) { goto done; } -- 2.19.1 From 83537a5bb709f51e81110b48edd704d0968d7ba2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 18 Aug 2018 16:01:59 +0300 Subject: [PATCH 3/5] CVE-2018-16853: Add a test to verify s4u2self doesn't crash BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- testprogs/blackbox/test_kinit_mit.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh index 35c08b0c866..f1567caa3a1 100755 --- a/testprogs/blackbox/test_kinit_mit.sh +++ b/testprogs/blackbox/test_kinit_mit.sh @@ -24,6 +24,7 @@ samba_srcdir="$SRCDIR/source4" samba_kinit=kinit samba_kdestroy=kdestroy samba_kpasswd=kpasswd +samba_kvno=kvno samba_tool="$samba_bindir/samba-tool" samba_texpect="$samba_bindir/texpect" @@ -299,6 +300,17 @@ test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes || testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $ADMIN_LDBMODIFY_CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1` +########################################################### +### Test basic s4u2self request +########################################################### + +# Use previous acquired machine creds to request a ticket for self. +# We expect it to fail for now. +MACHINE_ACCOUNT="$(hostname -s | tr [a-z] [A-Z])\$@$REALM" +$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT +# But we expect the KDC to be up and running still +testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1` + ### Cleanup $samba_kdestroy -- 2.19.1 From 95660f08dccfb1b7b6aae499e6b8473fe8e66b5d Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 28 Sep 2016 07:22:32 +0200 Subject: [PATCH 4/5] CVE-2018-16853: Do not segfault if client is not set This can be triggered with FAST but we don't support this yet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- source4/kdc/mit-kdb/kdb_samba_policies.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index 81ac73582e0..fc80329f221 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -461,6 +461,14 @@ void kdb_samba_db_audit_as_req(krb5_context context, krb5_timestamp authtime, krb5_error_code error_code) { + /* + * FIXME: This segfaulted with a FAST test + * FIND_FAST: for , Unknown FAST armor type 0 + */ + if (client == NULL) { + return; + } + samba_bad_password_count(client, error_code); /* TODO: perform proper audit logging for addresses */ @@ -473,6 +481,14 @@ void kdb_samba_db_audit_as_req(krb5_context context, krb5_timestamp authtime, krb5_error_code error_code) { + /* + * FIXME: This segfaulted with a FAST test + * FIND_FAST: for , Unknown FAST armor type 0 + */ + if (client == NULL) { + return; + } + samba_bad_password_count(client, error_code); } #endif -- 2.19.1 From 66c53e4cf039f7608e6e3f523dd8f14098690b35 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 7 Nov 2018 22:53:35 +0200 Subject: [PATCH 5/5] CVE-2018-16853: fix crash in expired passowrd case When calling encode_krb5_padata_sequence() make sure to pass a null terminated array as required. Fixes expired passowrd case in samba4.blackbox.kinit test. Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- source4/kdc/mit_samba.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 1cd6750f5ab..8283c726487 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -855,7 +855,7 @@ krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data) { krb5_error_code ret = 0; - krb5_pa_data pa, *ppa = NULL; + krb5_pa_data pa, *ppa[2]; krb5_data *d = NULL; if (!e_data) @@ -876,9 +876,10 @@ static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data) SIVAL(pa.contents, 4, 0); SIVAL(pa.contents, 8, 1); - ppa = &pa; + ppa[0] = &pa; + ppa[1] = NULL; - ret = encode_krb5_padata_sequence(&ppa, &d); + ret = encode_krb5_padata_sequence(ppa, &d); free(pa.contents); if (ret) { return; -- 2.19.1