The Samba-Bugzilla – Attachment 15477 Details for
Bug 12438
CVE-2019-14833 [SECURITY] Accent with "check password script"
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for master (v1)
CVE-2019-14833-check-password-master-01.patch (text/plain), 5.55 KB, created by
Andrew Bartlett
on 2019-09-18 23:57:13 UTC
(
hide
)
Description:
patch for master (v1)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2019-09-18 23:57:13 UTC
Size:
5.55 KB
patch
obsolete
>From d1ca09b949f04caac74da1b76253ac7766d9c209 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 19 Sep 2019 11:50:01 +1200 >Subject: [PATCH 1/2] CVE-2019-14833: Use utf8 characters in the unacceptable > password > >This shows that the "check password script" handling has a bug. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438 >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > selftest/knownfail.d/unacceptable-passwords | 1 + > selftest/target/Samba4.pm | 2 +- > 2 files changed, 2 insertions(+), 1 deletion(-) > create mode 100644 selftest/knownfail.d/unacceptable-passwords > >diff --git a/selftest/knownfail.d/unacceptable-passwords b/selftest/knownfail.d/unacceptable-passwords >new file mode 100644 >index 00000000000..75fa2fc32b8 >--- /dev/null >+++ b/selftest/knownfail.d/unacceptable-passwords >@@ -0,0 +1 @@ >+^samba.tests.samba_tool.user_check_password_script.samba.tests.samba_tool.user_check_password_script.UserCheckPwdTestCase.test_checkpassword_unacceptable\(chgdcpass:local\) >\ No newline at end of file >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index 9df9e84ff63..1310e2ff09f 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -1882,7 +1882,7 @@ sub provision_chgdcpass($$) > print "PROVISIONING CHGDCPASS...\n"; > # This environment disallows the use of this password > # (and also removes the default AD complexity checks) >- my $unacceptable_password = "widk3Dsle32jxdBdskldsk55klASKQ"; >+ my $unacceptable_password = "PaÃÃword-widk3Dsle32jxdBdskldsk55klASKQ"; > my $extra_smb_conf = " > check password script = $self->{srcdir}/selftest/checkpassword_arg1.sh ${unacceptable_password} > allow dcerpc auth level connect:lsarpc = yes >-- >2.11.0 > > >From d315635cd12c4417f6056560141fcb88a158d515 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de> >Date: Tue, 6 Aug 2019 16:32:32 +0200 >Subject: [PATCH 2/2] CVE-2019-14833 dsdb: send full password to check password > script >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >utf8_len represents the number of characters (not bytes) of the >password. If the password includes multi-byte characters it is required >to write the total number of bytes to the check password script. >Otherwise the last bytes of the password string would be ignored. > >Therefore we rename utf8_len to be clear what it does and does >not represent. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438 > >Signed-off-by: Björn Baumbach <bb@sernet.de> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > selftest/knownfail.d/unacceptable-passwords | 1 - > source4/dsdb/common/util.c | 30 +++++++++++++++++++++++------ > 2 files changed, 24 insertions(+), 7 deletions(-) > delete mode 100644 selftest/knownfail.d/unacceptable-passwords > >diff --git a/selftest/knownfail.d/unacceptable-passwords b/selftest/knownfail.d/unacceptable-passwords >deleted file mode 100644 >index 75fa2fc32b8..00000000000 >--- a/selftest/knownfail.d/unacceptable-passwords >+++ /dev/null >@@ -1 +0,0 @@ >-^samba.tests.samba_tool.user_check_password_script.samba.tests.samba_tool.user_check_password_script.UserCheckPwdTestCase.test_checkpassword_unacceptable\(chgdcpass:local\) >\ No newline at end of file >diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c >index 817fce6e17f..bad2ee7a494 100644 >--- a/source4/dsdb/common/util.c >+++ b/source4/dsdb/common/util.c >@@ -2041,21 +2041,36 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx, > const uint32_t pwdProperties, > const uint32_t minPwdLength) > { >- const char *utf8_pw = (const char *)utf8_blob->data; >- size_t utf8_len = strlen_m(utf8_pw); > char *password_script = NULL; >+ const char *utf8_pw = (const char *)utf8_blob->data; >+ >+ /* >+ * This looks strange because it is. >+ * >+ * The check for the number of characters in the password >+ * should clearly not be against the byte length, or else a >+ * single UTF8 character would count for more than one. >+ * >+ * We have chosen to use the number of 16-bit units that the >+ * password encodes to as the measure of length. This is not >+ * the same as the number of codepoints, if a password >+ * contains a character beyond the Basic Multilingual Plane >+ * (above 65535) it will count for more than one "character". >+ */ >+ >+ size_t password_characters_roughly = strlen_m(utf8_pw); > > /* checks if the "minPwdLength" property is satisfied */ >- if (minPwdLength > utf8_len) { >+ if (minPwdLength > password_characters_roughly) { > return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT; > } > >- /* checks the password complexity */ >+ /* We might not be asked to check the password complexity */ > if (!(pwdProperties & DOMAIN_PASSWORD_COMPLEX)) { > return SAMR_VALIDATION_STATUS_SUCCESS; > } > >- if (utf8_len == 0) { >+ if (password_characters_roughly == 0) { > return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH; > } > >@@ -2063,6 +2078,7 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx, > if (password_script != NULL && *password_script != '\0') { > int check_ret = 0; > int error = 0; >+ ssize_t nwritten = 0; > struct tevent_context *event_ctx = NULL; > struct tevent_req *req = NULL; > int cps_stdin = -1; >@@ -2125,7 +2141,9 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx, > > cps_stdin = samba_runcmd_export_stdin(req); > >- if (write(cps_stdin, utf8_pw, utf8_len) != utf8_len) { >+ nwritten = write(cps_stdin, utf8_blob->data, >+ utf8_blob->length); >+ if (nwritten != utf8_blob->length) { > close(cps_stdin); > TALLOC_FREE(password_script); > TALLOC_FREE(event_ctx); >-- >2.11.0 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
bbaumbach
:
review+
metze
:
review+
Actions:
View
Attachments on
bug 12438
: 15477 |
15502
|
15503
|
15506
|
15531