The Samba-Bugzilla – Attachment 15630 Details for
Bug 14187
CVE-2019-14870 | DelegationNotAllowed not being enforced
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
v2.1 patches for master (mit updated)
nd-v2.1.patch (text/plain), 13.46 KB, created by
Isaac Boukris
on 2019-11-21 21:58:37 UTC
(
hide
)
Description:
v2.1 patches for master (mit updated)
Filename:
MIME Type:
Creator:
Isaac Boukris
Created:
2019-11-21 21:58:37 UTC
Size:
13.46 KB
patch
obsolete
>From a8d2ee2e83269a07d7cba0b3990ebf135e7914d5 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sun, 27 Oct 2019 14:02:00 +0200 >Subject: [PATCH 1/4] samba-tool: add user-sensitive command to set > not-delegated flag > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >--- > python/samba/netcmd/user.py | 58 +++++++++++++++++++++++++++++++++++++ > 1 file changed, 58 insertions(+) > >diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py >index cadd80fd991..ee11a6ad682 100644 >--- a/python/samba/netcmd/user.py >+++ b/python/samba/netcmd/user.py >@@ -2827,6 +2827,63 @@ unixHomeDirectory: {6} > .format(username)) > > >+class cmd_user_sensitive(Command): >+ """Set/unset or show UF_NOT_DELEGATED for an account.""" >+ >+ synopsis = "%prog <accountname> [(show|on|off)] [options]" >+ >+ takes_optiongroups = { >+ "sambaopts": options.SambaOptions, >+ "credopts": options.CredentialsOptions, >+ "versionopts": options.VersionOptions, >+ } >+ >+ takes_options = [ >+ Option("-H", "--URL", help="LDB URL for database or target server", type=str, >+ metavar="URL", dest="H"), >+ ] >+ >+ takes_args = ["accountname", "cmd"] >+ >+ def run(self, accountname, cmd, H=None, credopts=None, sambaopts=None, >+ versionopts=None): >+ >+ if cmd not in ("show", "on", "off"): >+ raise CommandError("invalid argument: '%s' (choose from 'show', 'on', 'off')" % cmd) >+ >+ lp = sambaopts.get_loadparm() >+ creds = credopts.get_credentials(lp, fallback_machine=True) >+ sam = SamDB(url=H, session_info=system_session(), >+ credentials=creds, lp=lp) >+ >+ search_filter = "sAMAccountName=%s" % ldb.binary_encode(accountname) >+ flag = dsdb.UF_NOT_DELEGATED; >+ >+ if cmd == "show": >+ res = sam.search(scope=ldb.SCOPE_SUBTREE, expression=search_filter, >+ attrs=["userAccountControl"]) >+ if len(res) == 0: >+ raise Exception("Unable to find account where '%s'" % search_filter) >+ >+ uac = int(res[0].get("userAccountControl")[0]) >+ >+ self.outf.write("Account-DN: %s\n" % str(res[0].dn)) >+ self.outf.write("UF_NOT_DELEGATED: %s\n" % bool(uac & flag)) >+ >+ return >+ >+ if cmd == "on": >+ on = True >+ elif cmd == "off": >+ on = False >+ >+ try: >+ sam.toggle_userAccountFlags(search_filter, flag, flags_str="Not-Delegated", >+ on=on, strict=True) >+ except Exception as err: >+ raise CommandError(err) >+ >+ > class cmd_user(SuperCommand): > """User management.""" > >@@ -2846,3 +2903,4 @@ class cmd_user(SuperCommand): > subcommands["show"] = cmd_user_show() > subcommands["move"] = cmd_user_move() > subcommands["addunixattrs"] = cmd_user_add_unix_attrs() >+ subcommands["sensitive"] = cmd_user_sensitive() >-- >2.21.0 > > >From 69e94f145970d76d25deb3a4917a36a5f094dd59 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Wed, 30 Oct 2019 15:59:16 +0100 >Subject: [PATCH 2/4] CVE-2019-14870: heimdal: add S4U test for > delegation_not_allowed > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >--- > selftest/knownfail.d/heimdal_not_delegated | 1 + > source4/selftest/tests.py | 1 + > testprogs/blackbox/test_s4u_heimdal.sh | 73 ++++++++++++++++++++++ > 3 files changed, 75 insertions(+) > create mode 100644 selftest/knownfail.d/heimdal_not_delegated > create mode 100755 testprogs/blackbox/test_s4u_heimdal.sh > >diff --git a/selftest/knownfail.d/heimdal_not_delegated b/selftest/knownfail.d/heimdal_not_delegated >new file mode 100644 >index 00000000000..bfc382a3fc2 >--- /dev/null >+++ b/selftest/knownfail.d/heimdal_not_delegated >@@ -0,0 +1 @@ >+^samba4.blackbox.krb5.s4u >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 642dc680fa4..2caf0725b68 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -458,6 +458,7 @@ if have_heimdal_support: > plantestsuite("samba4.blackbox.kinit_trust", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"]) > plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4]) > plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) >+ plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration]) > else: > plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) > plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) >diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh >new file mode 100755 >index 00000000000..0e12c7ec096 >--- /dev/null >+++ b/testprogs/blackbox/test_s4u_heimdal.sh >@@ -0,0 +1,73 @@ >+#!/bin/sh >+ >+if [ $# -lt 5 ]; then >+cat <<EOF >+Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX >+EOF >+exit 1; >+fi >+ >+SERVER=$1 >+USERNAME=$2 >+PASSWORD=$3 >+REALM=$4 >+DOMAIN=$5 >+PREFIX=$6 >+shift 6 >+failed=0 >+ >+ >+samba_tool="$VALGRIND $PYTHON $BINDIR/samba-tool" >+ >+samba4kinit=kinit >+if test -x $BINDIR/samba4kinit; then >+ samba4kinit=$BINDIR/samba4kinit >+fi >+ >+samba4kgetcred=kgetcred >+if test -x $BINDIR/samba4kgetcred; then >+ samba4kgetcred=$BINDIR/samba4kgetcred >+fi >+ >+. `dirname $0`/subunit.sh >+. `dirname $0`/common_test_fns.inc >+ >+ocache="$PREFIX/tmpoutcache" >+KRB5CCNAME_PATH="$PREFIX/tmpccache" >+KRB5CCNAME="FILE:$KRB5CCNAME_PATH" >+export KRB5CCNAME >+rm -rf $KRB5CCNAME_PATH >+ >+princ=test_impersonate_princ >+impersonator=test_impersonator >+target="CIFS/$SERVER.$REALM" >+ >+ >+testit "add impersonator principal" $samba_tool user add $impersonator $PASSWORD || failed=`expr $failed + 1` >+testit "become a service" $samba_tool spn add "HOST/$impersonator" $impersonator || failed=`expr $failed + 1` >+ >+testit "set TrustedToAuthForDelegation" $samba_tool delegation for-any-protocol $impersonator on || failed=`expr $failed + 1` >+testit "add msDS-AllowedToDelegateTo" $samba_tool delegation add-service $impersonator $target || failed=`expr $failed + 1` >+ >+testit "add a new principal" $samba_tool user add $princ --random-password || failed=`expr $failed + 1` >+testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=`expr $failed + 1` >+ >+ >+echo $PASSWORD > $PREFIX/tmppassfile >+testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` >+ >+testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` >+testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` >+ >+testit "test S4U2Self with sensitive user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` >+testit_expect_failure "test S4U2Proxy with sensitive user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` >+ >+rm -f $ocache >+testit "unset not-delegated flag" $samba_tool user sensitive $princ off || failed=`expr $failed + 1` >+ >+testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` >+testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` >+ >+ >+rm -f $ocache $PREFIX/tmpccache tmppassfile >+exit $failed >-- >2.21.0 > > >From 8651c76bf5f8027fbfc48fbc053c094e11b3ae41 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Mon, 28 Oct 2019 02:54:09 +0200 >Subject: [PATCH 3/4] CVE-2019-14870: heimdal: enforce delegation_not_allowed > in S4U2Self > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >--- > selftest/knownfail.d/heimdal_not_delegated | 1 - > source4/heimdal/kdc/krb5tgs.c | 58 ++++++++++++++-------- > 2 files changed, 36 insertions(+), 23 deletions(-) > delete mode 100644 selftest/knownfail.d/heimdal_not_delegated > >diff --git a/selftest/knownfail.d/heimdal_not_delegated b/selftest/knownfail.d/heimdal_not_delegated >deleted file mode 100644 >index bfc382a3fc2..00000000000 >--- a/selftest/knownfail.d/heimdal_not_delegated >+++ /dev/null >@@ -1 +0,0 @@ >-^samba4.blackbox.krb5.s4u >diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c >index ff7d93138c0..ee3ac3d8f53 100644 >--- a/source4/heimdal/kdc/krb5tgs.c >+++ b/source4/heimdal/kdc/krb5tgs.c >@@ -1975,30 +1975,42 @@ server_lookup: > if (ret) > goto out; > >+ ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags, >+ NULL, &s4u2self_impersonated_clientdb, >+ &s4u2self_impersonated_client); >+ if (ret) { >+ const char *msg; >+ >+ /* >+ * If the client belongs to the same realm as our krbtgt, it >+ * should exist in the local database. >+ * >+ */ >+ >+ if (ret == HDB_ERR_NOENTRY) >+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; >+ msg = krb5_get_error_message(context, ret); >+ kdc_log(context, config, 1, >+ "S2U4Self principal to impersonate %s not found in database: %s", >+ tpn, msg); >+ krb5_free_error_message(context, msg); >+ goto out; >+ } >+ >+ /* Ignore pw_end attributes (as Windows does), >+ * since S4U2Self is not password authentication. */ >+ free(s4u2self_impersonated_client->entry.pw_end); >+ s4u2self_impersonated_client->entry.pw_end = NULL; >+ >+ ret = kdc_check_flags(context, config, s4u2self_impersonated_client, tpn, >+ NULL, NULL, FALSE); >+ if (ret) >+ goto out; >+ > /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */ > if(rspac.data) { > krb5_pac p = NULL; > krb5_data_free(&rspac); >- ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags, >- NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client); >- if (ret) { >- const char *msg; >- >- /* >- * If the client belongs to the same realm as our krbtgt, it >- * should exist in the local database. >- * >- */ >- >- if (ret == HDB_ERR_NOENTRY) >- ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; >- msg = krb5_get_error_message(context, ret); >- kdc_log(context, config, 1, >- "S2U4Self principal to impersonate %s not found in database: %s", >- tpn, msg); >- krb5_free_error_message(context, msg); >- goto out; >- } > ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, &p); > if (ret) { > kdc_log(context, config, 0, "PAC generation failed for -- %s", >@@ -2034,10 +2046,12 @@ server_lookup: > > /* > * If the service isn't trusted for authentication to >- * delegation, remove the forward flag. >+ * delegation or if the impersonate client is disallowed >+ * forwardable, remove the forwardable flag. > */ > >- if (client->entry.flags.trusted_for_delegation) { >+ if (client->entry.flags.trusted_for_delegation && >+ s4u2self_impersonated_client->entry.flags.forwardable) { > str = "[forwardable]"; > } else { > b->kdc_options.forwardable = 0; >-- >2.21.0 > > >From 8c29c303ed576fd033d74ecb5c928955c605ed51 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Thu, 21 Nov 2019 11:12:48 +0100 >Subject: [PATCH 4/4] CVE-2019-14870: mit-kdc: enforce delegation_not_allowed > flag > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > source4/kdc/mit_samba.c | 5 +++++ > source4/kdc/sdb_to_kdb.c | 17 ++++++----------- > 2 files changed, 11 insertions(+), 11 deletions(-) > >diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c >index 54dcd545ea1..5a4f6e73e97 100644 >--- a/source4/kdc/mit_samba.c >+++ b/source4/kdc/mit_samba.c >@@ -304,6 +304,11 @@ fetch_referral_principal: > > sdb_free_entry(&sentry); > >+ if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) { >+ kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE; >+ kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE; >+ } >+ > done: > krb5_free_principal(ctx->context, referral_principal); > referral_principal = NULL; >diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c >index 1411b0f5f66..2981f180333 100644 >--- a/source4/kdc/sdb_to_kdb.c >+++ b/source4/kdc/sdb_to_kdb.c >@@ -36,18 +36,13 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s, > if (s->initial) { > *k |= KRB5_KDB_DISALLOW_TGT_BASED; > } >- /* >- * Do not set any disallow rules for forwardable, proxiable, >- * renewable, postdate and server. >- * >- * The KDC will take care setting the flags based on the incoming >- * ticket. >- */ >- if (s->forwardable) { >- ; >+ /* The forwardable and proxiable flags are set according to client and >+ * server attributes. */ >+ if (!s->forwardable) { >+ *k |= KRB5_KDB_DISALLOW_FORWARDABLE; > } >- if (s->proxiable) { >- ; >+ if (!s->proxiable) { >+ *k |= KRB5_KDB_DISALLOW_PROXIABLE; > } > if (s->renewable) { > ; >-- >2.21.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=15630">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
abartlet
:
review+
iboukris
:
review+
iboukris
:
ci-passed+
Actions:
View
Attachments on
bug 14187
:
15606
|
15611
| 15630 |
15631
|
15632
|
15635
|
15636
|
15637
|
15638
|
15639
|
15648
|
15662