The Samba-Bugzilla – Attachment 16228 Details for Bug 14497: [CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogon"
[patch] Work in progress patches for master
tmp.diff.txt (text/plain), 23.85 KB, created by Stefan Metzmacher on 2020-09-16 19:10:01 UTC

Description: Work in progress patches for master
Filename: tmp.diff.txt
MIME Type: text/plain
Creator: Stefan Metzmacher
Created: 2020-09-16 19:10:01 UTC
Size: 23.85 KB
Flags: patch, obsolete
>From d4c57c8b6ef8071c5a201d2419428338be7a8d4b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:04:57 +0200 >Subject: [PATCH 01/10] CVE-2020-1472(ZeroLogon): libcli/auth: add > netlogon_creds_random_challenge() > >It's good to have just a single isolated function that will generate >random challenges, in future we can add some logic in order to >avoid weak values, which are likely to be rejected by a server. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > libcli/auth/credentials.c | 6 ++++++ > libcli/auth/proto.h | 2 ++ > 2 files changed, 8 insertions(+) > >diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c >index c541eeff4703..46259f39306c 100644 >--- a/libcli/auth/credentials.c >+++ b/libcli/auth/credentials.c >@@ -33,6 +33,12 @@ > #include <gnutls/gnutls.h> > #include <gnutls/crypto.h> > >+void netlogon_creds_random_challenge(struct netr_Credential *challenge) >+{ >+ ZERO_STRUCTP(challenge); >+ generate_random_buffer(challenge->data, sizeof(challenge->data)); >+} >+ > static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds, > const struct netr_Credential *in, > struct netr_Credential *out) >diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h >index 88f4a7c6c505..396484a54370 100644 >--- a/libcli/auth/proto.h >+++ b/libcli/auth/proto.h >@@ -13,6 +13,8 @@ > > /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */ > >+void netlogon_creds_random_challenge(struct netr_Credential *challenge); >+ > NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, > struct netr_LMSessionKey *key); > NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, >-- >2.17.1 > > >From 82c378d131efdd415710ee799b6c9808a54f2026 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:07:30 +0200 >Subject: [PATCH 02/10] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of > netlogon_creds_random_challenge() > >This will avoid getting flakey tests once our server starts to >reject weak challenges. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/torture/rpc/lsa.c | 2 +- > source4/torture/rpc/netlogon.c | 34 ++++++++++++---------------------- > 2 files changed, 13 insertions(+), 23 deletions(-) > >diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c >index c342b4e67e66..908ea08019c5 100644 >--- a/source4/torture/rpc/lsa.c >+++ b/source4/torture/rpc/lsa.c >@@ -2872,7 +2872,7 @@ static bool check_pw_with_ServerAuthenticate3(struct dcerpc_pipe *p, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); >diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c >index c508ecacd50f..138e214a7628 100644 >--- a/source4/torture/rpc/netlogon.c >+++ b/source4/torture/rpc/netlogon.c >@@ -162,7 +162,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); 
>@@ -231,7 +231,7 @@ bool test_SetupCredentials2ex(struct dcerpc_pipe *p, struct torture_context *tct > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); >@@ -326,7 +326,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); >@@ -398,7 +398,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); >@@ -1285,7 +1285,7 @@ static bool test_ServerReqChallengeGlobal(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); 
>@@ -1374,7 +1374,7 @@ static bool test_ServerReqChallengeReuseGlobal(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1463,7 +1463,7 @@ static bool test_ServerReqChallengeReuseGlobal2(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1553,7 +1553,7 @@ static bool test_ServerReqChallengeReuseGlobal3(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1645,8 +1645,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx, > r.in.credentials = &credentials1_random; > r.out.return_credentials = &credentials_discard; > >- generate_random_buffer(credentials1_random.data, >- sizeof(credentials1_random.data)); >+ netlogon_creds_random_challenge(&credentials1_random); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); 
>@@ -1658,7 +1657,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1669,16 +1668,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx, > r.in.credentials = &credentials1_random; > r.out.return_credentials = &credentials_discard; > >- generate_random_buffer(credentials1_random.data, >- sizeof(credentials1_random.data)); >- >- r.in.server_name = NULL; >- r.in.computer_name = "CHALTEST3"; >- r.in.credentials = &credentials1_random; >- r.out.return_credentials = &credentials_discard; >- >- generate_random_buffer(credentials1_random.data, >- sizeof(credentials1_random.data)); >+ netlogon_creds_random_challenge(&credentials1_random); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1754,7 +1744,7 @@ static bool test_ServerReqChallengeReuse(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge"); >-- >2.17.1 > > >From db14aa23f0ae8e8b2f162cf1242c5f92a89edd2e Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:08:38 +0200 >Subject: [PATCH 03/10] CVE-2020-1472(ZeroLogon): libcli/auth: make use of > netlogon_creds_random_challenge() in netlogon_creds_cli.c > >This will avoid getting rejected by the server if we generate >a weak challenge. 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > libcli/auth/netlogon_creds_cli.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > >diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c >index 407cb471cbcc..12cb3149ff60 100644 >--- a/libcli/auth/netlogon_creds_cli.c >+++ b/libcli/auth/netlogon_creds_cli.c >@@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req) > > TALLOC_FREE(state->creds); > >- generate_random_buffer(state->client_challenge.data, >- sizeof(state->client_challenge.data)); >+ netlogon_creds_random_challenge(&state->client_challenge); > > subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, > state->binding_handle, >-- >2.17.1 > > >From b5a91f6f49a0ff08489fa6de40a0800554403198 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:10:53 +0200 >Subject: [PATCH 04/10] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make > use of netlogon_creds_random_challenge() > >This is not strictly needed, but makes things more clear. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 2a2e2d0ac6eb..548efb44ad28 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -841,8 +841,7 @@ NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p, > > pipe_state->client_challenge = *r->in.credentials; > >- generate_random_buffer(pipe_state->server_challenge.data, >- sizeof(pipe_state->server_challenge.data)); >+ netlogon_creds_random_challenge(&pipe_state->server_challenge); > > *r->out.return_credentials = pipe_state->server_challenge; > >-- >2.17.1 > > >From e40b8daecd3fad42c224f8202405e0df075d4d50 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:10:53 +0200 >Subject: [PATCH 05/10] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make > use of netlogon_creds_random_challenge() > >This is not strictly needed, but makes things more clear. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 0351e2d286ce..2d2f7d37c195 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -92,8 +92,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal > > pipe_state->client_challenge = *r->in.credentials; > >- generate_random_buffer(pipe_state->server_challenge.data, >- sizeof(pipe_state->server_challenge.data)); >+ netlogon_creds_random_challenge(&pipe_state->server_challenge); > > *r->out.return_credentials = pipe_state->server_challenge; > >-- >2.17.1 > > >From 33e96322403ea022d6144782b7dab937b4b0ce27 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:15:26 +0200 >Subject: [PATCH 06/10] TODO CVE-2020-1472(ZeroLogon): libcli/auth: add > netlogon_creds_is_random_challenge() to avoid weak values > >TODO: we should try to match the Microsoft implementation as much as >possible in order to avoid generating values, which will be rejected by >them. > >I've already asked that via dochelp, waiting for an answer >--- > libcli/auth/credentials.c | 25 ++++++++++++++++++++++++- > libcli/auth/proto.h | 1 + > 2 files changed, 25 insertions(+), 1 deletion(-) > >diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c >index 46259f39306c..61c9e5b2c714 100644 >--- a/libcli/auth/credentials.c >+++ b/libcli/auth/credentials.c 
>@@ -33,10 +33,33 @@ > #include <gnutls/gnutls.h> > #include <gnutls/crypto.h> > >+bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge) >+{ >+ /* >+ * If none of the first 5 bytes of the client challenge is unique, the >+ * server MUST fail session-key negotiation without further processing >+ * of the following steps. >+ * >+ * TODO: what is meant here exactly? >+ */ >+ >+ if (challenge->data[1] == challenge->data[0] && >+ challenge->data[2] == challenge->data[0] && >+ challenge->data[3] == challenge->data[0] && >+ challenge->data[4] == challenge->data[0]) >+ { >+ return false; >+ } >+ >+ return true; >+} >+ > void netlogon_creds_random_challenge(struct netr_Credential *challenge) > { > ZERO_STRUCTP(challenge); >- generate_random_buffer(challenge->data, sizeof(challenge->data)); >+ while (!netlogon_creds_is_random_challenge(challenge)) { >+ generate_random_buffer(challenge->data, sizeof(challenge->data)); >+ } > } > > static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds, >diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h >index 396484a54370..a62668f088fd 100644 >--- a/libcli/auth/proto.h >+++ b/libcli/auth/proto.h >@@ -13,6 +13,7 @@ > > /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */ > >+bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge); > void netlogon_creds_random_challenge(struct netr_Credential *challenge); > > NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, >-- >2.17.1 > > >From 0c510278758e35d56976029d9090717babaeef4c Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:17:29 +0200 >Subject: [PATCH 07/10] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak > client challenges in netlogon_creds_server_init() > >This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: > > 7. If none of the first 5 bytes of the client challenge is unique, the > server MUST fail session-key negotiation without further processing of > the following steps. > >It lets ./zerologon_tester.py from >https://github.com/SecuraBV/CVE-2020-1472.git >report: "Attack failed. Target is probably patched." > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > libcli/auth/credentials.c | 17 ++++++++++++++++- > libcli/auth/wscript_build | 2 +- > 2 files changed, 17 insertions(+), 2 deletions(-) > >diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c >index 61c9e5b2c714..d19ece462e15 100644 >--- a/libcli/auth/credentials.c >+++ b/libcli/auth/credentials.c >@@ -24,6 +24,7 @@ > #include "system/time.h" > #include "libcli/auth/libcli_auth.h" > #include "../libcli/security/dom_sid.h" >+#include "lib/util/util_str_escape.h" > > #ifndef HAVE_GNUTLS_AES_CFB8 > #include "lib/crypto/aes.h" >@@ -706,7 +707,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me > > struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); > NTSTATUS status; >- >+ bool ok; > > if (!creds) { > return NULL; 
>@@ -719,6 +720,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me > dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data)); > dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash)); > >+ ok = netlogon_creds_is_random_challenge(client_challenge); >+ if (!ok) { >+ DBG_WARNING("CVE-2020-1472(ZeroLogin): " >+ "non-random client challenge rejected for " >+ "client_account[%s] client_computer_name[%s]\n", >+ log_escape(mem_ctx, client_account), >+ log_escape(mem_ctx, client_computer_name)); >+ dump_data(DBGLVL_WARNING, >+ client_challenge->data, >+ sizeof(client_challenge->data)); >+ talloc_free(creds); >+ return NULL; >+ } >+ > creds->computer_name = talloc_strdup(creds, client_computer_name); > if (!creds->computer_name) { > talloc_free(creds); >diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build >index 41937623630f..2a6a7468e457 100644 >--- a/libcli/auth/wscript_build >+++ b/libcli/auth/wscript_build >@@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK', > > bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH', > source='credentials.c session.c smbencrypt.c smbdes.c', >- public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS', >+ public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS util_str_escape', > public_headers='credentials.h:domain_credentials.h' > ) > >-- >2.17.1 > > >From 10c795ee2b2e13d554beb8f8db6cadfc21189607 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 19:20:25 +0200 >Subject: [PATCH 08/10] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: > protect netr_ServerPasswordSet2 against unencrypted passwords > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 55 ++++++++++++++++++- > 1 file changed, 54 insertions(+), 1 deletion(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 2d2f7d37c195..dfc54edf0f15 100644 
>--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -726,7 +726,9 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal > struct NL_PASSWORD_VERSION version = {}; > const uint32_t *new_version = NULL; > NTSTATUS nt_status; >- DATA_BLOB new_password; >+ DATA_BLOB new_password = data_blob_null; >+ DATA_BLOB dec_blob = data_blob_null; >+ DATA_BLOB enc_blob = data_blob_null; > int ret; > struct samr_CryptPassword password_buf; 
> >@@ -792,6 +794,57 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal > return NT_STATUS_WRONG_PASSWORD; > } > >+ /* >+ * Make sure the length field was encrypted, >+ * otherwise we are under attack. >+ */ >+ if (new_password.length == r->in.new_password->length) { >+ DBG_WARNING("Length[%zu] field not encrypted\n", >+ new_password.length); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * Make sure the CryptPassword buffer was encrypted, >+ * otherwise we are under attack. >+ */ >+ enc_blob = data_blob_const(r->in.new_password->data, 512); >+ dec_blob = data_blob_const(password_buf.data, 512); >+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { >+ DBG_WARNING("CryptPassword buffer not encrypted Length[%zu]\n", >+ new_password.length); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * We don't allow empty passwords for machine accounts. >+ */ >+ if (new_password.length < 2) { >+ DBG_WARNING("Empty password Length[%zu]\n", >+ new_password.length); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * Check that the password part was actually encrypted, >+ * otherwise we are under attack. >+ */ >+ >+ memcpy(password_buf.data, r->in.new_password->data, 512); >+ SIVAL(password_buf.data, 512, new_password.length); >+ >+ if (!extract_pw_from_buffer(mem_ctx, password_buf.data, &enc_blob)) { >+ DBG_WARNING("Failed extract encrypted password Length[%zu]\n", >+ new_password.length); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ if (data_blob_cmp(&new_password, &enc_blob) == 0) { >+ DBG_WARNING("Password buffer not encrypted Length[%zu]\n", >+ new_password.length); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ > /* fetch the old password hashes (at least one of both has to exist) */ > > ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, >-- >2.17.1 > > >From 0e45b6bfd4433ddb397a88e58072f08dd2ee1af5 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 10:18:45 +0200 >Subject: [PATCH 09/10] CVE-2020-1472(ZeroLogon): s4:rpc_server: refactor > dcesrv_netr_creds_server_step_check() > >We should debug more details about the failing request. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 44 +++++++++++++------ > 1 file changed, 31 insertions(+), 13 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index dfc54edf0f15..61c4a4b91eda 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c 
>@@ -625,27 +625,45 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > { > NTSTATUS nt_status; > int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); >- bool schannel_global_required = (schannel == true); >- >- if (schannel_global_required) { >- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >- >- dcesrv_call_auth_info(dce_call, &auth_type, NULL); >+ bool schannel_required = (schannel == true); >+ struct netlogon_creds_CredentialState *creds = NULL; >+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >+ uint16_t opnum = dce_call->pkt.u.request.opnum; >+ const char *opname = "<unknown>"; > >- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { >- DBG_ERR("[%s] is not using schannel\n", >- computer_name); >- return NT_STATUS_ACCESS_DENIED; >- } >+ if (opnum < ndr_table_netlogon.num_calls) { >+ opname = ndr_table_netlogon.calls[opnum].name; > } > >+ dcesrv_call_auth_info(dce_call, &auth_type, NULL); >+ > nt_status = schannel_check_creds_state(mem_ctx, > dce_call->conn->dce_ctx->lp_ctx, > computer_name, > received_authenticator, > return_authenticator, >- creds_out); >- return nt_status; >+ &creds); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ ZERO_STRUCTP(return_authenticator); >+ return nt_status; >+ } >+ >+ if (schannel_required) { >+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { >+ DBG_ERR("CVE-2020-1472(ZeroLogin): " >+ "%s request (opnum[%u]) without schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(mem_ctx, creds->account_name), >+ log_escape(mem_ctx, creds->computer_name)); >+ TALLOC_FREE(creds); >+ ZERO_STRUCTP(return_authenticator); >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ } >+ >+ *creds_out = creds; >+ return NT_STATUS_OK; > } > > /* >-- >2.17.1 > > >From 556ee527590243a9f7a362b3bfddfda284e8931c Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 10:56:53 +0200 >Subject: [PATCH 10/10] CVE-2020-1472(ZeroLogon): s4:rpc_server: support > "server require schannel:WORKSTATION$ = no" > >This allows to add expections for individual workstations, when using "server schannel = yes". >"server schannel = auto" is very insecure and will be removed soon. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 61c4a4b91eda..becf10952403 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -648,6 +648,21 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > return nt_status; > } > >+ schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, >+ NULL, >+ "server require schannel", >+ creds->account_name, >+ schannel_required); >+ if (schannel_required && schannel != true) { >+ /* >+ * We want admins to notice there misconfiguration! >+ */ >+ DBG_ERR("CVE-2020-1472(ZeroLogin): " >+ "Please configure 'server schannel = yes' when " >+ "using 'server require schannel:%s = yes'\n", >+ log_escape(mem_ctx, creds->account_name)); >+ } >+ > if (schannel_required) { > if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { > DBG_ERR("CVE-2020-1472(ZeroLogin): " >-- >2.17.1 >
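Review bot: the hunk at @@ -1669,16 +1668,7 @@ in source4/torture/rpc/netlogon.c (PATCH 02) removes more than the generate_random_buffer() call the subject describes: it also drops the re-assignment block `r.in.server_name = NULL; r.in.computer_name = "CHALTEST3"; r.in.credentials = &credentials1_random;`, so this step of test_ServerReqChallengeReuseGlobal4() now runs with whatever computer_name was set above the hunk. If that block was a pure duplicate of the lines just before it, say so in the commit message; if it changed the computer name for this step, keep the assignment so the test still covers the CHALTEST3 case.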
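Review bot: netlogon_creds_is_random_challenge() in PATCH 06 (libcli/auth/credentials.c, @@ -33,10 +33,33 @@) implements the narrowest reading of "none of the first 5 bytes of the client challenge is unique": it rejects only a challenge whose bytes 1..4 all equal byte 0, and the TODO above it should be resolved by stating that interpretation in the comment and the commit message instead of leaving the question open. Two smaller points on the same hunk: netlogon_creds_random_challenge() depends on the freshly ZERO_STRUCTP()ed challenge failing the check in order to enter the `while` loop at all, which reads more clearly as `do { generate_random_buffer(challenge->data, sizeof(challenge->data)); } while (!netlogon_creds_is_random_challenge(challenge));`; and a unit test that runs an all-identical challenge (the zeroed struct included) and a challenge with a single differing byte through netlogon_creds_is_random_challenge() would pin the accept/reject boundary down before PATCH 07 starts enforcing it on the server side.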
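Review bot: the DBG_WARNING string in PATCH 07's netlogon_creds_server_init() hunk (libcli/auth/credentials.c, @@ -719,6 +720,20 @@) spells the name "ZeroLogin" while the subject lines and the rest of the series use "ZeroLogon"; the same misspelling appears in the new DBG_ERR strings of PATCH 09 and PATCH 10. Please use one spelling, "CVE-2020-1472(ZeroLogon): ", in all three messages, since these lines are what administrators and log-search rules will match on once the fix ships. One more remark on the hunk: `dump_data(DBGLVL_WARNING, client_challenge->data, sizeof(client_challenge->data));` writes the rejected challenge to the log, which is acceptable because the client challenge is not secret material, unlike the values passed to the dump_data_pw() calls a few lines above it.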
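Review bot: in PATCH 08's dcesrv_netr_ServerPasswordSet2() hunk (source4/rpc_server/netlogon/dcerpc_netlogon.c, @@ -792,6 +794,57 @@), the third check does `memcpy(password_buf.data, r->in.new_password->data, 512);` and thereby overwrites `password_buf`, which up to that point holds the decrypted buffer (the hunk itself compares `dec_blob = data_blob_const(password_buf.data, 512)` against the encrypted input). Anything below the hunk that still reads password_buf now sees ciphertext; please use a separate local `struct samr_CryptPassword` for the "was the password part actually encrypted" probe so the decrypted copy survives. Two style points: "Failed extract encrypted password" should read "Failed to extract encrypted password", and the four new warnings would be easier to correlate with PATCH 07's message if they also carried the account name, as that warning does.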
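Review bot: PATCH 09's hunk in dcesrv_netr_creds_server_step_check() (@@ -625,27 +625,45 @@) reorders the two checks: schannel_check_creds_state() now runs before the schannel requirement is evaluated, whereas previously a non-schannel request was refused with NT_STATUS_ACCESS_DENIED before the credential state was touched. The motivation is visible (the new DBG_ERR wants creds->account_name and creds->computer_name), but the consequence is that a request rejected for missing schannel has already stepped the stored credential chain; the commit message should state whether that side effect is intended. On the positive side, zeroing return_authenticator on both failure paths and TALLOC_FREE()ing creds before returning means a rejected caller no longer gets a usable return authenticator back.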
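Review bot: in PATCH 10's hunk (@@ -648,6 +648,21 @@), the comment `/* We want admins to notice there misconfiguration! */` should read "their misconfiguration", and "expections" in the commit message should be "exceptions". On the logic: the DBG_ERR for the `schannel_required && schannel != true` case fires on every request from that account, which matches the comment's intent but will be noisy on a busy domain controller; consider emitting it once per connection instead. It is also worth spelling out in the commit message that the per-account "server require schannel:ACCOUNT$" lookup reads creds->account_name only after schannel_check_creds_state() has succeeded, so a client that never passes the credential check cannot reach the exception at all; that ordering is the right one and deserves to be stated explicitly.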