The Samba-Bugzilla – Attachment 16234 Details for Bug 14497
[CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogon"
[patch] Possible patches for master (v2)
Filename: tmp.diff.txt
MIME Type: text/plain
Creator: Stefan Metzmacher
Created: 2020-09-17 17:32:08 UTC
Size: 47.92 KB
Flags: patch, obsolete
>From 9d87b614798b4d0c583be44ebf7fd647e82fb82c Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:04:57 +0200 >Subject: [PATCH 01/17] CVE-2020-1472(ZeroLogon): libcli/auth: add > netlogon_creds_random_challenge() > >It's good to have just a single isolated function that will generate >random challenges, in future we can add some logic in order to >avoid weak values, which are likely to be rejected by a server. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > libcli/auth/credentials.c | 6 ++++++ > libcli/auth/proto.h | 2 ++ > 2 files changed, 8 insertions(+) > >diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c >index c541eeff4703..46259f39306c 100644 >--- a/libcli/auth/credentials.c >+++ b/libcli/auth/credentials.c >@@ -33,6 +33,12 @@ > #include <gnutls/gnutls.h> > #include <gnutls/crypto.h> > >+void netlogon_creds_random_challenge(struct netr_Credential *challenge) >+{ >+ ZERO_STRUCTP(challenge); >+ generate_random_buffer(challenge->data, sizeof(challenge->data)); >+} >+ > static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds, > const struct netr_Credential *in, > struct netr_Credential *out) >diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h >index 88f4a7c6c505..396484a54370 100644 >--- a/libcli/auth/proto.h >+++ b/libcli/auth/proto.h >@@ -13,6 +13,8 @@ > > /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */ > >+void netlogon_creds_random_challenge(struct netr_Credential *challenge); >+ > NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, > struct netr_LMSessionKey *key); > NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, >-- >2.17.1 > > >From fb06e38b1390d5029f25762650c5b7f70b882561 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:07:30 +0200 >Subject: [PATCH 02/17] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of > netlogon_creds_random_challenge() > >This will avoid getting flakey tests once our server starts to >reject weak challenges. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/torture/rpc/lsa.c | 2 +- > source4/torture/rpc/netlogon.c | 34 ++++++++++++---------------------- > 2 files changed, 13 insertions(+), 23 deletions(-) > >diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c >index c342b4e67e66..908ea08019c5 100644 >--- a/source4/torture/rpc/lsa.c >+++ b/source4/torture/rpc/lsa.c >@@ -2872,7 +2872,7 @@ static bool check_pw_with_ServerAuthenticate3(struct dcerpc_pipe *p, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); >diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c >index c508ecacd50f..138e214a7628 100644 >--- a/source4/torture/rpc/netlogon.c >+++ b/source4/torture/rpc/netlogon.c >@@ -162,7 +162,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); 
>@@ -231,7 +231,7 @@ bool test_SetupCredentials2ex(struct dcerpc_pipe *p, struct torture_context *tct > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); >@@ -326,7 +326,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); >@@ -398,7 +398,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); >@@ -1285,7 +1285,7 @@ static bool test_ServerReqChallengeGlobal(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); 
>@@ -1374,7 +1374,7 @@ static bool test_ServerReqChallengeReuseGlobal(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1463,7 +1463,7 @@ static bool test_ServerReqChallengeReuseGlobal2(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1553,7 +1553,7 @@ static bool test_ServerReqChallengeReuseGlobal3(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1645,8 +1645,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx, > r.in.credentials = &credentials1_random; > r.out.return_credentials = &credentials_discard; > >- generate_random_buffer(credentials1_random.data, >- sizeof(credentials1_random.data)); >+ netlogon_creds_random_challenge(&credentials1_random); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); 
>@@ -1658,7 +1657,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1669,16 +1668,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx, > r.in.credentials = &credentials1_random; > r.out.return_credentials = &credentials_discard; > >- generate_random_buffer(credentials1_random.data, >- sizeof(credentials1_random.data)); >- >- r.in.server_name = NULL; >- r.in.computer_name = "CHALTEST3"; >- r.in.credentials = &credentials1_random; >- r.out.return_credentials = &credentials_discard; >- >- generate_random_buffer(credentials1_random.data, >- sizeof(credentials1_random.data)); >+ netlogon_creds_random_challenge(&credentials1_random); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), > "ServerReqChallenge failed on b1"); >@@ -1754,7 +1744,7 @@ static bool test_ServerReqChallengeReuse(struct torture_context *tctx, > r.in.credentials = &credentials1; > r.out.return_credentials = &credentials2; > >- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); >+ netlogon_creds_random_challenge(&credentials1); > > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge"); >-- >2.17.1 > > >From b18289160dc4570de4e389edd4a6d95cacb86ffb Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:08:38 +0200 >Subject: [PATCH 03/17] CVE-2020-1472(ZeroLogon): libcli/auth: make use of > netlogon_creds_random_challenge() in netlogon_creds_cli.c > >This will avoid getting rejected by the server if we generate >a weak challenge. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > libcli/auth/netlogon_creds_cli.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > >diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c >index 407cb471cbcc..12cb3149ff60 100644 >--- a/libcli/auth/netlogon_creds_cli.c >+++ b/libcli/auth/netlogon_creds_cli.c >@@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req) > > TALLOC_FREE(state->creds); > >- generate_random_buffer(state->client_challenge.data, >- sizeof(state->client_challenge.data)); >+ netlogon_creds_random_challenge(&state->client_challenge); > > subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, > state->binding_handle, >-- >2.17.1 > > >From a5fbd805dfd4eb8171a3b7cb388a43174de7edab Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:10:53 +0200 >Subject: [PATCH 04/17] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make > use of netlogon_creds_random_challenge() > >This is not strictly needed, but makes things more clear. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 2a2e2d0ac6eb..548efb44ad28 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c 
>@@ -841,8 +841,7 @@ NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p, > > pipe_state->client_challenge = *r->in.credentials; > >- generate_random_buffer(pipe_state->server_challenge.data, >- sizeof(pipe_state->server_challenge.data)); >+ netlogon_creds_random_challenge(&pipe_state->server_challenge); > > *r->out.return_credentials = pipe_state->server_challenge; > >-- >2.17.1 > > >From e8bf1635e9aa2eab30fe1744cd47c5c821a2b59a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:10:53 +0200 >Subject: [PATCH 05/17] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make > use of netlogon_creds_random_challenge() > >This is not strictly needed, but makes things more clear. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 0351e2d286ce..2d2f7d37c195 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -92,8 +92,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal > > pipe_state->client_challenge = *r->in.credentials; > >- generate_random_buffer(pipe_state->server_challenge.data, >- sizeof(pipe_state->server_challenge.data)); >+ netlogon_creds_random_challenge(&pipe_state->server_challenge); > > *r->out.return_credentials = pipe_state->server_challenge; > >-- >2.17.1 > > >From 4b9091d812268d98d986433178f31e5f612dc3f5 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:15:26 +0200 >Subject: [PATCH 06/17] CVE-2020-1472(ZeroLogon): libcli/auth: add > netlogon_creds_is_random_challenge() to avoid weak values > >This is the check Windows is using, so we won't generate challenges, >which are rejected by Windows DCs (and future Samba DCs). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > libcli/auth/credentials.c | 23 ++++++++++++++++++++++- > libcli/auth/proto.h | 1 + > 2 files changed, 23 insertions(+), 1 deletion(-) > >diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c >index 46259f39306c..54a20100b511 100644 >--- a/libcli/auth/credentials.c >+++ b/libcli/auth/credentials.c >@@ -33,10 +33,31 @@ > #include <gnutls/gnutls.h> > #include <gnutls/crypto.h> > >+bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge) >+{ >+ /* >+ * If none of the first 5 bytes of the client challenge is unique, the >+ * server MUST fail session-key negotiation without further processing >+ * of the following steps. >+ */ >+ >+ if (challenge->data[1] == challenge->data[0] && >+ challenge->data[2] == challenge->data[0] && >+ challenge->data[3] == challenge->data[0] && >+ challenge->data[4] == challenge->data[0]) >+ { >+ return false; >+ } >+ >+ return true; >+} >+ > void netlogon_creds_random_challenge(struct netr_Credential *challenge) > { > ZERO_STRUCTP(challenge); >- generate_random_buffer(challenge->data, sizeof(challenge->data)); >+ while (!netlogon_creds_is_random_challenge(challenge)) { >+ generate_random_buffer(challenge->data, sizeof(challenge->data)); >+ } > } > > static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds, >diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h >index 396484a54370..a62668f088fd 100644 >--- a/libcli/auth/proto.h >+++ b/libcli/auth/proto.h 
>@@ -13,6 +13,7 @@ > > /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */ > >+bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge); > void netlogon_creds_random_challenge(struct netr_Credential *challenge); > > NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, >-- >2.17.1 > > >From aade2063356f4bfb98980165d27820b94c15f08e Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 16:17:29 +0200 >Subject: [PATCH 07/17] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak > client challenges in netlogon_creds_server_init() > >This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: > > 7. If none of the first 5 bytes of the client challenge is unique, the > server MUST fail session-key negotiation without further processing of > the following steps. > >It lets ./zerologon_tester.py from >https://github.com/SecuraBV/CVE-2020-1472.git >report: "Attack failed. Target is probably patched." > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > libcli/auth/credentials.c | 17 ++++++++++++++++- > libcli/auth/wscript_build | 2 +- > 2 files changed, 17 insertions(+), 2 deletions(-) > >diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c >index 54a20100b511..23339d98bfab 100644 >--- a/libcli/auth/credentials.c >+++ b/libcli/auth/credentials.c >@@ -24,6 +24,7 @@ > #include "system/time.h" > #include "libcli/auth/libcli_auth.h" > #include "../libcli/security/dom_sid.h" >+#include "lib/util/util_str_escape.h" > > #ifndef HAVE_GNUTLS_AES_CFB8 > #include "lib/crypto/aes.h" 
>@@ -704,7 +705,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me > > struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); > NTSTATUS status; >- >+ bool ok; > > if (!creds) { > return NULL; >@@ -717,6 +718,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me > dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data)); > dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash)); > >+ ok = netlogon_creds_is_random_challenge(client_challenge); >+ if (!ok) { >+ DBG_WARNING("CVE-2020-1472(ZeroLogon): " >+ "non-random client challenge rejected for " >+ "client_account[%s] client_computer_name[%s]\n", >+ log_escape(mem_ctx, client_account), >+ log_escape(mem_ctx, client_computer_name)); >+ dump_data(DBGLVL_WARNING, >+ client_challenge->data, >+ sizeof(client_challenge->data)); >+ talloc_free(creds); >+ return NULL; >+ } >+ > creds->computer_name = talloc_strdup(creds, client_computer_name); > if (!creds->computer_name) { > talloc_free(creds); >diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build >index 41937623630f..2a6a7468e457 100644 >--- a/libcli/auth/wscript_build >+++ b/libcli/auth/wscript_build >@@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK', > > bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH', > source='credentials.c session.c smbencrypt.c smbdes.c', >- public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS', >+ public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS util_str_escape', > public_headers='credentials.h:domain_credentials.h' > ) > >-- >2.17.1 > > >From e949a6c82076f226ae428ab2c60577362ce14886 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 19:20:25 +0200 >Subject: [PATCH 08/17] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: > protect netr_ServerPasswordSet2 against unencrypted passwords > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 60 ++++++++++++++++++- > 1 file changed, 59 insertions(+), 1 deletion(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 2d2f7d37c195..f5b6ae265cf0 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -726,7 +726,10 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal > struct NL_PASSWORD_VERSION version = {}; > const uint32_t *new_version = NULL; > NTSTATUS nt_status; >- DATA_BLOB new_password; >+ DATA_BLOB new_password = data_blob_null; >+ size_t confounder_len; >+ DATA_BLOB dec_blob = data_blob_null; >+ DATA_BLOB enc_blob = data_blob_null; > int ret; > struct samr_CryptPassword password_buf; 
> >@@ -792,6 +795,61 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal > return NT_STATUS_WRONG_PASSWORD; > } > >+ /* >+ * Make sure the length field was encrypted, >+ * otherwise we are under attack. >+ */ >+ if (new_password.length == r->in.new_password->length) { >+ DBG_WARNING("Length[%zu] field not encrypted\n", >+ new_password.length); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * We don't allow empty passwords for machine accounts. >+ */ >+ if (new_password.length < 2) { >+ DBG_WARNING("Empty password Length[%zu]\n", >+ new_password.length); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * Make sure the confounder part of CryptPassword >+ * buffer was encrypted, otherwise we are under attack. >+ */ >+ confounder_len = 512 - new_password.length; >+ enc_blob = data_blob_const(r->in.new_password->data, confounder_len); >+ dec_blob = data_blob_const(password_buf.data, confounder_len); >+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { >+ DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n", >+ confounder_len); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * Check that the password part was actually encrypted, >+ * otherwise we are under attack. >+ */ >+ enc_blob = data_blob_const(r->in.new_password->data + confounder_len, >+ new_password.length); >+ dec_blob = data_blob_const(password_buf.data + confounder_len, >+ new_password.length); >+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { >+ DBG_WARNING("Password buffer not encrypted Length[%zu]\n", >+ new_password.length); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * don't allow zero buffers >+ */ >+ if (all_zero(new_password.data, new_password.length)) { >+ DBG_WARNING("Password zero buffer Length[%zu]\n", >+ new_password.length); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ > /* fetch the old password hashes (at least one of both has to exist) */ > > ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, >-- >2.17.1 
> > >From 3cf503796d55759f2c54cfd63aa336f33bbb522c Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 16 Sep 2020 12:48:21 -0700 >Subject: [PATCH 09/17] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Fix > mem leak onto p->mem_ctx in error path of _netr_ServerPasswordSet2(). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 548efb44ad28..2b68a2db15ab 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -1386,6 +1386,7 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, > 516); > } > if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(creds); > return status; > } > >-- >2.17.1 > > >From aed4644ecf53c1ae1bb126adc4d9b4662d88ad7c Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 16 Sep 2020 12:53:50 -0700 >Subject: [PATCH 10/17] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: > protect netr_ServerPasswordSet2 against unencrypted passwords > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Jeremy Allison <jra@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 98 +++++++++++++++++++-- > 1 file changed, 92 insertions(+), 6 deletions(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 2b68a2db15ab..6f52b4a10cca 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c 
>@@ -1344,9 +1344,14 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, > { > NTSTATUS status; > struct netlogon_creds_CredentialState *creds = NULL; >- DATA_BLOB plaintext; >+ DATA_BLOB plaintext = data_blob_null; >+ DATA_BLOB new_password = data_blob_null; >+ size_t confounder_len; >+ DATA_BLOB dec_blob = data_blob_null; >+ DATA_BLOB enc_blob = data_blob_null; > struct samr_CryptPassword password_buf; > struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}}; >+ bool ok; > > become_root(); > status = netr_creds_server_step_check(p, p->mem_ctx, 
>@@ -1390,18 +1395,99 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, > return status; > } > >- if (!decode_pw_buffer(p->mem_ctx, >- password_buf.data, >- (char**) &plaintext.data, >- &plaintext.length, >- CH_UTF16)) { >+ if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &new_password)) { > DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password " > "from a buffer. Rejecting auth request as a wrong password\n")); > TALLOC_FREE(creds); > return NT_STATUS_WRONG_PASSWORD; > } > >+ /* >+ * Make sure the length field was encrypted, >+ * otherwise we are under attack. >+ */ >+ if (new_password.length == r->in.new_password->length) { >+ DBG_WARNING("Length[%zu] field not encrypted\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * We don't allow empty passwords for machine accounts. >+ */ >+ if (new_password.length < 2) { >+ DBG_WARNING("Empty password Length[%zu]\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * Make sure the confounder part of CryptPassword >+ * buffer was encrypted, otherwise we are under attack. >+ */ >+ confounder_len = 512 - new_password.length; >+ enc_blob = data_blob_const(r->in.new_password->data, confounder_len); >+ dec_blob = data_blob_const(password_buf.data, confounder_len); >+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { >+ DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n", >+ confounder_len); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * Check that the password part was actually encrypted, >+ * otherwise we are under attack. 
>+ */ >+ enc_blob = data_blob_const(r->in.new_password->data + confounder_len, >+ new_password.length); >+ dec_blob = data_blob_const(password_buf.data + confounder_len, >+ new_password.length); >+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { >+ DBG_WARNING("Password buffer not encrypted Length[%zu]\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * don't allow zero buffers >+ */ >+ if (all_zero(new_password.data, new_password.length)) { >+ DBG_WARNING("Password zero buffer Length[%zu]\n", >+ new_password.length); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* Convert from UTF16 -> plaintext. */ >+ ok = convert_string_talloc(p->mem_ctx, >+ CH_UTF16, >+ CH_UNIX, >+ new_password.data, >+ new_password.length, >+ (void *)&plaintext.data, >+ &plaintext.length); >+ if (!ok) { >+ DBG_WARNING("unable to extract password from a buffer. " >+ "Rejecting auth request as a wrong password\n"); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ >+ /* >+ * We don't allow empty passwords for machine accounts. >+ */ >+ > cr.creds.password = (const char*) plaintext.data; >+ if (strlen(cr.creds.password) == 0) { >+ DBG_WARNING("Empty plaintext password\n"); >+ TALLOC_FREE(creds); >+ return NT_STATUS_WRONG_PASSWORD; >+ } >+ > status = netr_set_machine_account_password(p->mem_ctx, > p->session_info, > p->msg_ctx, >-- >2.17.1 > > >From 7685f826e209db5236345b241f3ca8d9ee6092a7 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 10:18:45 +0200 >Subject: [PATCH 11/17] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: > refactor dcesrv_netr_creds_server_step_check() > >We should debug more details about the failing request. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 45 ++++++++++++++----- > 1 file changed, 33 insertions(+), 12 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index f5b6ae265cf0..66f68ea7f95a 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c 
>@@ -626,26 +626,47 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > NTSTATUS nt_status; > int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); > bool schannel_global_required = (schannel == true); >+ struct netlogon_creds_CredentialState *creds = NULL; >+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >+ uint16_t opnum = dce_call->pkt.u.request.opnum; >+ const char *opname = "<unknown>"; > >- if (schannel_global_required) { >- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >- >- dcesrv_call_auth_info(dce_call, &auth_type, NULL); >- >- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { >- DBG_ERR("[%s] is not using schannel\n", >- computer_name); >- return NT_STATUS_ACCESS_DENIED; >- } >+ if (opnum < ndr_table_netlogon.num_calls) { >+ opname = ndr_table_netlogon.calls[opnum].name; > } > >+ dcesrv_call_auth_info(dce_call, &auth_type, NULL); >+ > nt_status = schannel_check_creds_state(mem_ctx, > dce_call->conn->dce_ctx->lp_ctx, > computer_name, > received_authenticator, > return_authenticator, >- creds_out); >- return nt_status; >+ &creds); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ ZERO_STRUCTP(return_authenticator); >+ return nt_status; >+ } >+ >+ if (schannel_global_required) { >+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >+ *creds_out = creds; >+ return NT_STATUS_OK; >+ } >+ >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) without schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(mem_ctx, creds->account_name), >+ log_escape(mem_ctx, creds->computer_name)); >+ TALLOC_FREE(creds); >+ ZERO_STRUCTP(return_authenticator); >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ >+ *creds_out = creds; >+ return NT_STATUS_OK; > } > > /* >-- >2.17.1 > > >From 8534d6c07c414c1ccbd20466ad22c3d02bf3a0a1 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 16 Sep 2020 10:56:53 +0200 >Subject: [PATCH 12/17] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: > support "server require schannel:WORKSTATION$ = no" > >This allows to add expections for individual workstations, when using "server schannel = yes". >"server schannel = auto" is very insecure and will be removed soon. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 66f68ea7f95a..87ef13ba8074 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -626,6 +626,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > NTSTATUS nt_status; > int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); > bool schannel_global_required = (schannel == true); >+ bool schannel_required = schannel_global_required; > struct netlogon_creds_CredentialState *creds = NULL; > enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; > uint16_t opnum = dce_call->pkt.u.request.opnum; >@@ -648,7 +649,13 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > return nt_status; > } > >- if (schannel_global_required) { >+ schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, >+ NULL, >+ "server require schannel", >+ creds->account_name, >+ schannel_global_required); >+ >+ if (schannel_required) { > if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { > *creds_out = creds; > return NT_STATUS_OK; >-- >2.17.1 > > >From 25e5eeb3a0c8fef61428d5e026e128ee4efd7e03 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 17 Sep 2020 13:37:26 +0200 >Subject: [PATCH 13/17] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log > warnings about unsecure configurations >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >This should give admins wawrnings until they have a secure >configuration. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Günther Deschner <gd@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 66 ++++++++++++++++++- > 1 file changed, 63 insertions(+), 3 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 87ef13ba8074..0c5ed1f06650 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -627,10 +627,12 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); > bool schannel_global_required = (schannel == true); > bool schannel_required = schannel_global_required; >+ const char *explicit_opt = NULL; > struct netlogon_creds_CredentialState *creds = NULL; > enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; > uint16_t opnum = dce_call->pkt.u.request.opnum; > const char *opname = "<unknown>"; >+ static bool warned_global_once = false; > > if (opnum < ndr_table_netlogon.num_calls) { > opname = ndr_table_netlogon.calls[opnum].name; 
>@@ -649,11 +651,18 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > return nt_status; > } > >- schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, >+ /* >+ * We don't use lpcfg_parm_bool(), as we >+ * need the explicit_opt pointer in order to >+ * adjust the debug messages. >+ */ >+ explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx, > NULL, > "server require schannel", >- creds->account_name, >- schannel_global_required); >+ creds->account_name); >+ if (explicit_opt != NULL) { >+ schannel_required = lp_bool(explicit_opt); >+ } > > if (schannel_required) { > if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { 
>@@ -667,11 +676,62 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > opname, opnum, > log_escape(mem_ctx, creds->account_name), > log_escape(mem_ctx, creds->computer_name)); >+ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " >+ "'server require schannel:%s = no' is needed! \n", >+ log_escape(mem_ctx, creds->account_name)); > TALLOC_FREE(creds); > ZERO_STRUCTP(return_authenticator); > return NT_STATUS_ACCESS_DENIED; > } > >+ if (!schannel_global_required && !warned_global_once) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "Please configure 'server schannel = yes', " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); >+ warned_global_once = true; >+ } >+ >+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) WITH schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(mem_ctx, creds->account_name), >+ log_escape(mem_ctx, creds->computer_name)); >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "Option 'server require schannel:%s = no' not needed!?\n", >+ log_escape(mem_ctx, creds->account_name)); >+ >+ *creds_out = creds; >+ return NT_STATUS_OK; >+ } >+ >+ >+ if (explicit_opt != NULL) { >+ DBG_INFO("CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) without schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(mem_ctx, creds->account_name), >+ log_escape(mem_ctx, creds->computer_name)); >+ DBG_INFO("CVE-2020-1472(ZeroLogon): " >+ "Option 'server require schannel:%s = no' still needed!\n", >+ log_escape(mem_ctx, creds->account_name)); >+ } else { >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) without schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(mem_ctx, creds->account_name), >+ log_escape(mem_ctx, creds->computer_name)); >+ 
DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " >+ "'server require schannel:%s = no' might be needed!\n", >+ log_escape(mem_ctx, creds->account_name)); >+ } >+ > *creds_out = creds; > return NT_STATUS_OK; > } >-- >2.17.1 > > >From 3f9c2da5bb85d7cdef27717edba1fd03720ee7ee Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Thu, 17 Sep 2020 14:57:22 +0200 >Subject: [PATCH 14/17] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: > refactor dcesrv_netr_creds_server_step_check() >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >We should debug more details about the failing request. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Günther Deschner <gd@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 43 +++++++++++++++++---- > 1 file changed, 35 insertions(+), 8 deletions(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 6f52b4a10cca..edd397bc8338 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -48,6 +48,7 @@ > #include "../lib/tsocket/tsocket.h" > #include "lib/param/param.h" > #include "libsmb/dsgetdcname.h" >+#include "lib/util/util_str_escape.h" > > extern userdom_struct current_user_info; 
> >@@ -1074,19 +1075,21 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, > NTSTATUS status; > bool schannel_global_required = (lp_server_schannel() == true) ? true:false; > struct loadparm_context *lp_ctx; >+ struct netlogon_creds_CredentialState *creds = NULL; >+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >+ uint16_t opnum = p->opnum; >+ const char *opname = "<unknown>"; > > if (creds_out != NULL) { > *creds_out = NULL; > } > >- if (schannel_global_required) { >- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { >- DBG_ERR("[%s] is not using schannel\n", >- computer_name); >- return NT_STATUS_ACCESS_DENIED; >- } >+ if (opnum < ndr_table_netlogon.num_calls) { >+ opname = ndr_table_netlogon.calls[opnum].name; > } > >+ auth_type = p->auth.auth_type; >+ > lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); > if (lp_ctx == NULL) { > DEBUG(0, ("loadparm_init_s3 failed\n")); >@@ -1095,9 +1098,33 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, > > status = schannel_check_creds_state(mem_ctx, lp_ctx, > computer_name, received_authenticator, >- return_authenticator, creds_out); >+ return_authenticator, &creds); > talloc_unlink(mem_ctx, lp_ctx); >- return status; >+ >+ if (!NT_STATUS_IS_OK(status)) { >+ ZERO_STRUCTP(return_authenticator); >+ return status; >+ } >+ >+ if (schannel_global_required) { >+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >+ *creds_out = creds; >+ return NT_STATUS_OK; >+ } >+ >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) without schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(mem_ctx, creds->account_name), >+ log_escape(mem_ctx, creds->computer_name)); >+ TALLOC_FREE(creds); >+ ZERO_STRUCTP(return_authenticator); >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ >+ *creds_out = creds; >+ return NT_STATUS_OK; > } > > >-- >2.17.1 > > >From 1c0cc62fd067832b4f560a44d0552b781e7ff0d3 Mon Sep 17 00:00:00 2001 
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Thu, 17 Sep 2020 14:23:16 +0200 >Subject: [PATCH 15/17] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: > support "server require schannel:WORKSTATION$ = no" >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >This allows to add expections for individual workstations, when using "server schannel = yes". >"server schannel = auto" is very insecure and will be removed soon. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Günther Deschner <gd@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index edd397bc8338..dc1bfa0c4da8 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -1074,6 +1074,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, > { > NTSTATUS status; > bool schannel_global_required = (lp_server_schannel() == true) ? true:false; >+ bool schannel_required = schannel_global_required; > struct loadparm_context *lp_ctx; > struct netlogon_creds_CredentialState *creds = NULL; > enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >@@ -1106,7 +1107,11 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, > return status; > } > >- if (schannel_global_required) { >+ schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM, >+ "server require schannel", >+ creds->account_name, >+ schannel_global_required); >+ if (schannel_required) { > if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { > *creds_out = creds; > return NT_STATUS_OK; >-- >2.17.1 > > >From ca91af8e1dd8f21194d017d521f11fd84c2d1e8b Mon Sep 17 00:00:00 2001 
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Thu, 17 Sep 2020 14:42:52 +0200 >Subject: [PATCH 16/17] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log > warnings about unsecure configurations >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Günther Deschner <gd@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 70 +++++++++++++++++++-- > 1 file changed, 66 insertions(+), 4 deletions(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index dc1bfa0c4da8..c217fee9c43c 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -1075,11 +1075,13 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, > NTSTATUS status; > bool schannel_global_required = (lp_server_schannel() == true) ? true:false; > bool schannel_required = schannel_global_required; >+ const char *explicit_opt = NULL; > struct loadparm_context *lp_ctx; > struct netlogon_creds_CredentialState *creds = NULL; > enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; > uint16_t opnum = p->opnum; > const char *opname = "<unknown>"; >+ static bool warned_global_once = false; > > if (creds_out != NULL) { > *creds_out = NULL; 
>@@ -1107,10 +1109,20 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, > return status; > } > >- schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM, >- "server require schannel", >- creds->account_name, >- schannel_global_required); >+ /* >+ * We don't use lp_parm_bool(), as we >+ * need the explicit_opt pointer in order to >+ * adjust the debug messages. >+ */ >+ >+ explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM, >+ "server require schannel", >+ creds->account_name, >+ NULL); >+ if (explicit_opt != NULL) { >+ schannel_required = lp_bool(explicit_opt); >+ } >+ > if (schannel_required) { > if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { > *creds_out = creds; 
>@@ -1123,11 +1135,61 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, > opname, opnum, > log_escape(mem_ctx, creds->account_name), > log_escape(mem_ctx, creds->computer_name)); >+ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " >+ "'server require schannel:%s = no' is needed! \n", >+ log_escape(mem_ctx, creds->account_name)); > TALLOC_FREE(creds); > ZERO_STRUCTP(return_authenticator); > return NT_STATUS_ACCESS_DENIED; > } > >+ if (!schannel_global_required && !warned_global_once) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "Please configure 'server schannel = yes', " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); >+ warned_global_once = true; >+ } >+ >+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) WITH schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(mem_ctx, creds->account_name), >+ log_escape(mem_ctx, creds->computer_name)); >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "Option 'server require schannel:%s = no' not needed!?\n", >+ log_escape(mem_ctx, creds->account_name)); >+ >+ *creds_out = creds; >+ return NT_STATUS_OK; >+ } >+ >+ if (explicit_opt != NULL) { >+ DBG_INFO("CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) without schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(mem_ctx, creds->account_name), >+ log_escape(mem_ctx, creds->computer_name)); >+ DBG_INFO("CVE-2020-1472(ZeroLogon): " >+ "Option 'server require schannel:%s = no' still needed!\n", >+ log_escape(mem_ctx, creds->account_name)); >+ } else { >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) without schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(mem_ctx, creds->account_name), >+ log_escape(mem_ctx, creds->computer_name)); >+ 
DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " >+ "'server require schannel:%s = no' might be needed!\n", >+ log_escape(mem_ctx, creds->account_name)); >+ } >+ > *creds_out = creds; > return NT_STATUS_OK; > } >-- >2.17.1 > > >From 16bfe6c22a5bb07b6bfbe791950143f6650bf229 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 17 Sep 2020 17:27:54 +0200 >Subject: [PATCH 17/17] CVE-2020-1472(ZeroLogon): docs-xml: document 'server > require schannel:COMPUTERACCOUNT' > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > .../smbdotconf/security/serverschannel.xml | 69 +++++++++++++++---- > 1 file changed, 54 insertions(+), 15 deletions(-) > >diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml >index 489492d79b1d..b682d086f76b 100644 >--- a/docs-xml/smbdotconf/security/serverschannel.xml >+++ b/docs-xml/smbdotconf/security/serverschannel.xml 
>@@ -7,26 +7,65 @@ > <description> > > <para> >- This option is deprecated with Samba 4.8 and will be removed in future. >- At the same time the default changed to yes, which will be the >- hardcoded behavior in future. If you have the need for the behavior of "auto" >- to be kept, please file a bug at https://bugzilla.samba.org. >+ This option is deprecated and will be removed in future, >+ as it is a security problem if not set to "yes" (which will be >+ the hardcoded behavior in future). > </para> > > <para> >- This controls whether the server offers or even demands the use of the netlogon schannel. >- <smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption >- name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption >- name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel. >- This is only the case for Windows NT4 before SP4. >- </para> >- >+ Samba will complain in the log files at log level 0, >+ about the security problem if the option is not set to "yes". >+ </para> > <para> >- Please note that with this set to <literal>no</literal>, you will have to apply the WindowsXP >- <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball. >- </para> >+ See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 >+ </para> >+ >+ <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option. 
>+ </para> >+ >+ <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> >+ > </description> > > <value type="default">yes</value> >-<value type="example">auto</value> >+</samba:parameter> >+ >+<samba:parameter name="server require schannel:COMPUTERACCOUNT" >+ context="G" >+ type="string" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ >+ <para>If you still have legacy domain members, which required "server schannel = auto" before, >+ it is possible to specify explicit expection per computer account >+ by using 'server require schannel:COMPUTERACCOUNT = no' as option. >+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of >+ the computer account (including the trailing '$' sign). >+ </para> >+ >+ <para> >+ Samba will complain in the log files at log level 0, >+ about the security problem if the option is not set to "no", >+ but the related computer is actually using the netlogon >+ secure channel (schannel) feature. >+ </para> >+ >+ <para> >+ Samba will warn in the log files at log level 5, >+ if a setting is still needed for the specified computer account. >+ </para> >+ >+ <para> >+ See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 >+ </para> >+ >+ <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para> >+ >+ <programlisting> >+ server require schannel:LEGACYCOMPUTER1$ = no >+ server require schannel:NASBOX$ = no >+ server require schannel:LEGACYCOMPUTER2$ = no >+ </programlisting> >+</description> >+ > </samba:parameter> >-- >2.17.1 >
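Review bot: in PATCH 12/17 (source4 dcerpc_netlogon.c, hunk @@ -648,7), the lpcfg_parm_bool() lookup is keyed by creds->account_name, the account established in the verified credential state rather than anything the client supplies in this request, which is the right identity to key on. Note that a key which does not match the sAMAccountName exactly (for example one missing the trailing '$') is silently treated as absent and schannel_global_required applies, so the deny path should tell the admin which account name was looked up, and the smb.conf documentation should spell out the exact key form.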
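Review bot: in PATCH 13/17 (source4 dcerpc_netlogon.c, hunk @@ -627,10), "static bool warned_global_once = false;" is a function-local static, so the "Please configure 'server schannel = yes'" message is emitted once per process and is not re-emitted after smb.conf is reloaded; that is acceptable for a one-time nag, but a short comment at the declaration saying so would help the next reader, and where the netlogon pipe is served by several worker processes the message will appear once per worker.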
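Review bot: in PATCH 13/17 (source4 dcerpc_netlogon.c, hunk @@ -649,11), replacing lpcfg_parm_bool() with lpcfg_get_parametric() plus lp_bool() drops the default that lpcfg_parm_bool() applied. When an explicit value is present but is not a recognised boolean, lp_bool() logs the parse error and returns false, so schannel_required becomes false and the account silently receives an exception that was never intended. Suggest parsing with set_boolean() and, on failure, keeping schannel_global_required (or denying the request) so a malformed value fails closed.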
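Review bot: in PATCH 13/17 (source4 dcerpc_netlogon.c, hunk @@ -667,11), the new "WITH schannel" / "Option 'server require schannel:%s = no' not needed!?" DBG_ERR() pair is reached whenever schannel_required is false and auth_type is DCERPC_AUTH_TYPE_SCHANNEL, including the explicit_opt == NULL case (global "server schannel = auto" with no per-account option), where it tells the admin that an option they never set is not needed, and it does so at log level 0 on every request. Suggest gating the "not needed" message on explicit_opt != NULL and leaving the global case to the one-shot warned_global_once message; for the explicit case consider a per-account rate limit, since a legacy exception for a machine that later starts using schannel would otherwise flood the log. Two nits in the same hunk: the "is needed! \n" format string has a stray space before the newline, and there is a double blank line before "if (explicit_opt != NULL) {".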
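Review bot: in PATCH 14/17 (source3 srv_netlog_nt.c, hunk @@ -1095,9), the function still begins with "if (creds_out != NULL) { *creds_out = NULL; }", so a NULL creds_out is evidently a supported call, yet both new success paths do "*creds_out = creds;" unconditionally and would dereference NULL. Either drop the guard and document that creds_out is required, or TALLOC_FREE(creds) and return NT_STATUS_OK when creds_out is NULL. Also worth a comment: the schannel check now runs after schannel_check_creds_state(), so the stored credential chain is stepped even for a request that is then denied with NT_STATUS_ACCESS_DENIED; that matches the source4 implementation but changes the ordering of the code being removed.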
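Review bot: in PATCH 16/17 (source3 srv_netlog_nt.c, hunk @@ -1075,11), "static bool warned_global_once" is a per-process static; when the netlogon pipe is handled inside the per-client smbd child process, "once" means once per client process rather than once per server, so the warning repeats for every new connection while "server schannel = auto" is in effect. That is probably intended, since the commit message wants admins to notice, but a comment at the declaration should say so.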
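Review bot: in PATCH 16/17 (source3 srv_netlog_nt.c, hunk @@ -1107,10), lp_parm_const_string() returns the raw string and lp_bool() is then applied without checking that it parsed, so an unrecognised value makes schannel_required false instead of keeping schannel_global_required, which the removed lp_parm_bool() call used as its default. Suggest set_boolean() with an explicit fallback to schannel_global_required (or a denied request) on parse failure, so a typo in the value cannot weaken the check. Nit: there is an extra blank line between the comment block and the lp_parm_const_string() call.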
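Review bot: in PATCH 16/17 (source3 srv_netlog_nt.c, hunk @@ -1123,11), the "Option 'server require schannel:%s = no' not needed!?" DBG_ERR() fires for every schannel-authenticated request whenever schannel_required is false, also when explicit_opt == NULL (global "auto" and no per-account option), so it refers to an option that does not exist; gate it on explicit_opt != NULL and consider rate-limiting it per account. Nit: "is needed! \n" has a stray space before the newline.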
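Review bot: in PATCH 17/17 (docs-xml serverschannel.xml, hunk @@ -7,26), the second paragraph of the new "server require schannel:COMPUTERACCOUNT" description has its condition inverted relative to the code: the level-0 message ("not needed!?") is logged when the option is set to "no" but the computer is in fact using schannel, so the paragraph should read "if the option is set to "no", but the related computer is actually using the netlogon secure channel (schannel) feature". Wording nits in the same hunk: "explicit expection per computer account" should be "explicit exceptions per computer account", and "takes precedence to" should be "takes precedence over".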
Flags: gary: review+