The Samba-Bugzilla – Attachment 16230 Details for Bug 14497: [CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogon"
[patch] Back-port of Metze's _netr_ServerPasswordSet2 protections to s3 - v2
s3-netr_ServerPasswordSet2.patch (text/plain), 4.76 KB, created by Jeremy Allison on 2020-09-16 20:23:41 UTC
Description: Back-port of Metze's _netr_ServerPasswordSet2 protections to s3 - v2
Filename: s3-netr_ServerPasswordSet2.patch
MIME Type: text/plain
Creator: Jeremy Allison
Created: 2020-09-16 20:23:41 UTC
Size: 4.76 KB
Attachment flags: patch, obsolete
>From 0d1f4ebfc59eebab959a83117ed59f8d4e115067 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 16 Sep 2020 12:48:21 -0700 >Subject: [PATCH 1/2] s3: rpc_server: Fix mem leak onto p->mem_ctx in error > path of _netr_ServerPasswordSet2(). > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 2a2e2d0ac6e..0c068c6ef17 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -1387,6 +1387,7 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, > 516); > } > if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(creds); > return status; > } > >-- >2.25.1 > > >From 876f42075f7ff20910b06736b3a7d29168e4b240 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 16 Sep 2020 12:53:50 -0700 >Subject: [PATCH 2/2] s3: rpc: Netlogon. Back-port of Metze's > netr_ServerPasswordSet2() protection. > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 89 +++++++++++++++++++-- > 1 file changed, 83 insertions(+), 6 deletions(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 0c068c6ef17..e1d93dab5cc 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -1345,7 +1345,10 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, > { > NTSTATUS status; > struct netlogon_creds_CredentialState *creds = NULL; >- DATA_BLOB plaintext; >+ DATA_BLOB plaintext = data_blob_null; >+ DATA_BLOB new_password = data_blob_null; >+ DATA_BLOB dec_blob = data_blob_null; >+ DATA_BLOB enc_blob = data_blob_null; > struct samr_CryptPassword password_buf; > struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}}; 
> >@@ -1391,17 +1394,91 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, > return status; > } > >- if (!decode_pw_buffer(p->mem_ctx, >- password_buf.data, >- (char**) &plaintext.data, >- &plaintext.length, >- CH_UTF16)) { >+ if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &new_password)) { > DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password " > "from a buffer. Rejecting auth request as a wrong password\n")); > TALLOC_FREE(creds); > return NT_STATUS_WRONG_PASSWORD; > } > >+ /* >+ * Make sure the length field was encrypted, >+ * otherwise we are under attack. >+ */ >+ if (new_password.length == r->in.new_password->length) { >+ DBG_WARNING("Length[%zu] field not encrypted\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * Make sure the CryptPassword buffer was encrypted, >+ * otherwise we are under attack. >+ */ >+ enc_blob = data_blob_const(r->in.new_password->data, 512); >+ dec_blob = data_blob_const(password_buf.data, 512); >+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { >+ DBG_WARNING("CryptPassword buffer not encrypted Length[%zu]\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * We don't allow empty passwords for machine accounts. >+ */ >+ if (new_password.length < 2) { >+ DBG_WARNING("Empty password Length[%zu]\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * Check that the password part was actually encrypted, >+ * otherwise we are under attack. 
>+ */ >+ >+ memcpy(password_buf.data, r->in.new_password->data, 512); >+ SIVAL(password_buf.data, 512, new_password.length); >+ >+ if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &enc_blob)) { >+ DBG_WARNING("Failed extract encrypted password Length[%zu]\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ if (data_blob_cmp(&new_password, &enc_blob) == 0) { >+ DBG_WARNING("Password buffer not encrypted Length[%zu]\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* Convert from UTF16 -> plaintext. */ >+ if (!decode_pw_buffer(p->mem_ctx, >+ password_buf.data, >+ (char**) &plaintext.data, >+ &plaintext.length, >+ CH_UTF16)) { >+ DBG_WARNING("unable to extract password from a buffer. " >+ "Rejecting auth request as a wrong password\n"); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * We don't allow empty passwords for machine accounts. >+ */ >+ if (plaintext.length < 2) { >+ DBG_WARNING("Empty password Length[%zu]\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ > cr.creds.password = (const char*) plaintext.data; > status = netr_set_machine_account_password(p->mem_ctx, > p->session_info, >-- >2.25.1 >
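Review bot: the added TALLOC_FREE(creds) on the `!NT_STATUS_IS_OK(status)` path in the first patch is correct and brings this early return in line with the NT_STATUS_WRONG_PASSWORD paths later in _netr_ServerPasswordSet2(), which all free creds before returning. The hunk shows only the closing `516);` of the preceding call, so the commit message would read better if it named the call whose failure previously left creds allocated.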
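Review bot: initialising plaintext, new_password, dec_blob and enc_blob with data_blob_null in the declaration hunk (`@@ -1345,7 +1345,10 @@`) is the right choice for a function with this many early returns, but enc_blob then serves two different purposes in the following hunk: first as a non-owning data_blob_const() view of r->in.new_password->data, later as the talloc-allocated output of extract_pw_from_buffer(). A second variable for the extracted copy would make the lifetime and ownership of each blob obvious instead of silently replacing the earlier view.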
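Review bot: in the main hunk (`@@ -1391,17 +1394,91 @@`) the "Convert from UTF16 -> plaintext" call to decode_pw_buffer() reads password_buf.data after `memcpy(password_buf.data, r->in.new_password->data, 512);` has overwritten the decrypted buffer with the still-encrypted wire bytes, so the plaintext handed to netr_set_machine_account_password() via `cr.creds.password` is derived from the encrypted data rather than from the decrypted password. Either move the decode_pw_buffer() block above the memcpy, or run the "password part was actually encrypted" comparison on a separate `struct samr_CryptPassword` copy so that password_buf keeps its decrypted contents. Two smaller points: the `new_password.length < 2` check and the later `plaintext.length < 2` check duplicate each other, and the second one logs new_password.length in its "Empty password Length[%zu]" message where plaintext.length is the value being tested; and the extract_pw_from_buffer() failure path keeps `DEBUG(2, ...)` while every new rejection uses DBG_WARNING, so the log level for "we are under attack" conditions is inconsistent.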
Flags: metze: review-