The Samba-Bugzilla – Attachment 16237 Details for
Bug 14497
[CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogon"
[patch]
WIP initial tests
tests.patch (text/plain), 15.18 KB, created by
Gary Lockyer
on 2020-09-18 04:15:44 UTC
Description:
WIP initial tests
Filename:
MIME Type:
Creator:
Gary Lockyer
Created:
2020-09-18 04:15:44 UTC
Size:
15.18 KB
>From 937b1ee9f46e77b32c2a571309adb4b582cd3c91 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Fri, 18 Sep 2020 12:39:54 +1200
>Subject: [PATCH 1/2] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
> machine acct pwd
>
>Ensure that an empty machine account password can't be set by
>netr_ServerPasswordSet2
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>---
> source4/torture/rpc/netlogon.c | 64 +++++++++++++++-------------------
> 1 file changed, 29 insertions(+), 35 deletions(-)
>
>diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
>index 138e214a762..08b1b1db176 100644
>--- a/source4/torture/rpc/netlogon.c
>+++ b/source4/torture/rpc/netlogon.c
>@@ -727,45 +727,39 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
>
> cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
>
>- if (!torture_setting_bool(tctx, "dangerous", false)) {
>- torture_comment(tctx,
>- "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
>+ /*
>+ * As a consequence of CVE-2020-1472(ZeroLogon)
>+ * Samba explicitly disallows the setting of an empty machine account
>+ * password.
>+ *
>+ * Note that this may fail against Windows, and leave a machine account
>+ * with an empty password.
>+ */
>+ password = "";
>+ encode_pw_buffer(password_buf.data, password, STR_UNICODE);
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
> } else {
>- /* by changing the machine password to ""
>- * we check if the server uses password restrictions
>- * for ServerPasswordSet2
>- * (win2k3 accepts "")
>- */
>- password = "";
>- encode_pw_buffer(password_buf.data, password, STR_UNICODE);
>- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>- netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
>- } else {
>- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>- }
>- memcpy(new_password.data, password_buf.data, 512);
>- new_password.length = IVAL(password_buf.data, 512);
>-
>- torture_comment(tctx,
>- "Testing ServerPasswordSet2 on machine account\n");
>- torture_comment(tctx,
>- "Changing machine account password to '%s'\n", password);
>-
>- netlogon_creds_client_authenticator(creds, &credential);
>-
>- torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
>- "ServerPasswordSet2 failed");
>- torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
>+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ }
>+ memcpy(new_password.data, password_buf.data, 512);
>+ new_password.length = IVAL(password_buf.data, 512);
>
>- if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
>- torture_comment(tctx, "Credential chaining failed\n");
>- }
>+ torture_comment(tctx,
>+ "Testing ServerPasswordSet2 on machine account\n");
>+ torture_comment(tctx,
>+ "Changing machine account password to '%s'\n", password);
>
>- cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
>- }
>+ netlogon_creds_client_authenticator(creds, &credential);
>
>- torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
>- "ServerPasswordSet failed to actually change the password");
>+ torture_assert_ntstatus_ok(
>+ tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
>+ "ServerPasswordSet2 failed");
>+ torture_assert_ntstatus_equal(
>+ tctx,
>+ r.out.result,
>+ NT_STATUS_WRONG_PASSWORD,
>+ "ServerPasswordSet2 did not return NT_STATUS_WRONG_PASSWORD");
>
> /* now try a random password */
> password = generate_random_password(tctx, 8, 255);
>--
>2.25.1
>
>
>From 52ebc054aa808ca4f24e2767e5493df7b4e47751 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Fri, 18 Sep 2020 15:57:34 +1200
>Subject: [PATCH 2/2] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes
> in client challenge
>
>Ensure that client challenges with the first 5 bytes identical are
>rejected.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>---
> source4/torture/rpc/netlogon.c | 334 ++++++++++++++++++++++++++++++++-
> 1 file changed, 333 insertions(+), 1 deletion(-)
>
>diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
>index 08b1b1db176..911babfb4be 100644
>--- a/source4/torture/rpc/netlogon.c
>+++ b/source4/torture/rpc/netlogon.c
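Review bot: The empty-password `ServerPasswordSet2` attempt in the first hunk (`@@ -727`) is no longer behind `torture_setting_bool(tctx, "dangerous", false)`, so it now runs against every target, and the added comment itself says a server that accepts it is left with an empty machine-account password. When that happens `torture_assert_ntstatus_equal` fails and the function returns at that point with `machine_credentials` still holding the previous password, so nothing in the visible lines records or repairs the account's new state. I would record the accepted password before asserting, `if (NT_STATUS_IS_OK(r.out.result)) cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);`, so later steps and cleanup can still authenticate and reset it, or keep the gate for targets that are not expected to reject the request. The hunk also drops the `netlogon_creds_client_check` on the return authenticator; whether the credential chain is still in step for the random-password call that follows depends on code outside the hunk, as does the rest of `test_SetPassword2_with_flags`.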
>@@ -488,6 +488,323 @@ bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
> return true;
> }
>
>+static bool test_ServerReqChallenge(
>+ struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *credentials)
>+{
>+ struct netr_ServerReqChallenge r;
>+ struct netr_Credential credentials1, credentials2, credentials3;
>+ const char *machine_name;
>+ struct dcerpc_binding_handle *b = p->binding_handle;
>+ struct netr_ServerAuthenticate2 a;
>+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
>+ uint32_t out_negotiate_flags = 0;
>+ const struct samr_Password *mach_password = NULL;
>+ enum netr_SchannelType sec_chan_type = 0;
>+ struct netlogon_creds_CredentialState *creds = NULL;
>+ const char *account_name = NULL;
>+
>+ machine_name = cli_credentials_get_workstation(credentials);
>+ mach_password = cli_credentials_get_nt_hash(credentials, tctx);
>+ account_name = cli_credentials_get_username(credentials);
>+ sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
>+
>+ torture_comment(tctx, "Testing ServerReqChallenge\n");
>+
>+ r.in.server_name = NULL;
>+ r.in.computer_name = machine_name;
>+ r.in.credentials = &credentials1;
>+ r.out.return_credentials = &credentials2;
>+
>+ netlogon_creds_random_challenge(&credentials1);
>+
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
>+ "ServerReqChallenge failed");
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ r.out.result,
>+ "ServerReqChallenge failed");
>+ a.in.server_name = NULL;
>+ a.in.account_name = account_name;
>+ a.in.secure_channel_type = sec_chan_type;
>+ a.in.computer_name = machine_name;
>+ a.in.negotiate_flags = &in_negotiate_flags;
>+ a.out.negotiate_flags = &out_negotiate_flags;
>+ a.in.credentials = &credentials3;
>+ a.out.return_credentials = &credentials3;
>+
>+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
>+ a.in.computer_name,
>+ a.in.secure_channel_type,
>+ &credentials1, &credentials2,
>+ mach_password, &credentials3,
>+ in_negotiate_flags);
>+
>+ torture_assert(tctx, creds != NULL, "memory allocation");
>+
>+ torture_comment(tctx, "Testing ServerAuthenticate2\n");
>+
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
>+ "ServerAuthenticate2 failed");
>+ torture_assert_ntstatus_equal(
>+ tctx,
>+ a.out.result,
>+ NT_STATUS_OK,
>+ "ServerAuthenticate2 unexpected");
>+
>+ return true;
>+}
>+
>+static bool test_ServerReqChallenge_zero_challenge(
>+ struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *credentials)
>+{
>+ struct netr_ServerReqChallenge r;
>+ struct netr_Credential credentials1, credentials2, credentials3;
>+ const char *machine_name;
>+ struct dcerpc_binding_handle *b = p->binding_handle;
>+ struct netr_ServerAuthenticate2 a;
>+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
>+ uint32_t out_negotiate_flags = 0;
>+ const struct samr_Password *mach_password = NULL;
>+ enum netr_SchannelType sec_chan_type = 0;
>+ struct netlogon_creds_CredentialState *creds = NULL;
>+ const char *account_name = NULL;
>+
>+ machine_name = cli_credentials_get_workstation(credentials);
>+ mach_password = cli_credentials_get_nt_hash(credentials, tctx);
>+ account_name = cli_credentials_get_username(credentials);
>+ sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
>+
>+ torture_comment(tctx, "Testing ServerReqChallenge\n");
>+
>+ r.in.server_name = NULL;
>+ r.in.computer_name = machine_name;
>+ r.in.credentials = &credentials1;
>+ r.out.return_credentials = &credentials2;
>+
>+ /*
>+ * Set the client challenge to zero, this should fail
>+ * CVE-2020-1472(ZeroLogon)
>+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
>+ */
>+ ZERO_STRUCT(credentials1);
>+
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
>+ "ServerReqChallenge failed");
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ r.out.result,
>+ "ServerReqChallenge failed");
>+ a.in.server_name = NULL;
>+ a.in.account_name = account_name;
>+ a.in.secure_channel_type = sec_chan_type;
>+ a.in.computer_name = machine_name;
>+ a.in.negotiate_flags = &in_negotiate_flags;
>+ a.out.negotiate_flags = &out_negotiate_flags;
>+ a.in.credentials = &credentials3;
>+ a.out.return_credentials = &credentials3;
>+
>+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
>+ a.in.computer_name,
>+ a.in.secure_channel_type,
>+ &credentials1, &credentials2,
>+ mach_password, &credentials3,
>+ in_negotiate_flags);
>+
>+ torture_assert(tctx, creds != NULL, "memory allocation");
>+
>+ torture_comment(tctx, "Testing ServerAuthenticate2\n");
>+
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
>+ "ServerAuthenticate2 failed");
>+ torture_assert_ntstatus_equal(
>+ tctx,
>+ a.out.result,
>+ NT_STATUS_ACCESS_DENIED,
>+ "ServerAuthenticate2 unexpected");
>+
>+ return true;
>+}
>+
>+static bool test_ServerReqChallenge_5_repeats(
>+ struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *credentials)
>+{
>+ struct netr_ServerReqChallenge r;
>+ struct netr_Credential credentials1, credentials2, credentials3;
>+ const char *machine_name;
>+ struct dcerpc_binding_handle *b = p->binding_handle;
>+ struct netr_ServerAuthenticate2 a;
>+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
>+ uint32_t out_negotiate_flags = 0;
>+ const struct samr_Password *mach_password = NULL;
>+ enum netr_SchannelType sec_chan_type = 0;
>+ struct netlogon_creds_CredentialState *creds = NULL;
>+ const char *account_name = NULL;
>+
>+ machine_name = cli_credentials_get_workstation(credentials);
>+ mach_password = cli_credentials_get_nt_hash(credentials, tctx);
>+ account_name = cli_credentials_get_username(credentials);
>+ sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
>+
>+ torture_comment(tctx, "Testing ServerReqChallenge\n");
>+
>+ r.in.server_name = NULL;
>+ r.in.computer_name = machine_name;
>+ r.in.credentials = &credentials1;
>+ r.out.return_credentials = &credentials2;
>+
>+ /*
>+ * Set the first 5 bytes of the client challenge to the same value,
>+ * this should fail CVE-2020-1472(ZeroLogon)
>+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
>+ */
>+ credentials1.data[0] = 'A';
>+ credentials1.data[1] = 'A';
>+ credentials1.data[2] = 'A';
>+ credentials1.data[3] = 'A';
>+ credentials1.data[4] = 'A';
>+ credentials1.data[5] = 'B';
>+ credentials1.data[6] = 'C';
>+ credentials1.data[7] = 'D';
>+
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
>+ "ServerReqChallenge failed");
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ r.out.result,
>+ "ServerReqChallenge failed");
>+ a.in.server_name = NULL;
>+ a.in.account_name = account_name;
>+ a.in.secure_channel_type = sec_chan_type;
>+ a.in.computer_name = machine_name;
>+ a.in.negotiate_flags = &in_negotiate_flags;
>+ a.out.negotiate_flags = &out_negotiate_flags;
>+ a.in.credentials = &credentials3;
>+ a.out.return_credentials = &credentials3;
>+
>+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
>+ a.in.computer_name,
>+ a.in.secure_channel_type,
>+ &credentials1, &credentials2,
>+ mach_password, &credentials3,
>+ in_negotiate_flags);
>+
>+ torture_assert(tctx, creds != NULL, "memory allocation");
>+
>+ torture_comment(tctx, "Testing ServerAuthenticate2\n");
>+
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
>+ "ServerAuthenticate2 failed");
>+ torture_assert_ntstatus_equal(
>+ tctx,
>+ a.out.result,
>+ NT_STATUS_ACCESS_DENIED,
>+ "ServerAuthenticate2 unexpected");
>+
>+ return true;
>+}
>+
>+static bool test_ServerReqChallenge_4_repeats(
>+ struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *credentials)
>+{
>+ struct netr_ServerReqChallenge r;
>+ struct netr_Credential credentials1, credentials2, credentials3;
>+ const char *machine_name;
>+ struct dcerpc_binding_handle *b = p->binding_handle;
>+ struct netr_ServerAuthenticate2 a;
>+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
>+ uint32_t out_negotiate_flags = 0;
>+ const struct samr_Password *mach_password = NULL;
>+ enum netr_SchannelType sec_chan_type = 0;
>+ struct netlogon_creds_CredentialState *creds = NULL;
>+ const char *account_name = NULL;
>+
>+ machine_name = cli_credentials_get_workstation(credentials);
>+ mach_password = cli_credentials_get_nt_hash(credentials, tctx);
>+ account_name = cli_credentials_get_username(credentials);
>+ sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
>+
>+ torture_comment(tctx, "Testing ServerReqChallenge\n");
>+
>+ r.in.server_name = NULL;
>+ r.in.computer_name = machine_name;
>+ r.in.credentials = &credentials1;
>+ r.out.return_credentials = &credentials2;
>+
>+ /*
>+ * Set the first 4 bytes of the client challenge to the same value,
>+ * this should fail pass, CVE-2020-1472(ZeroLogon)
>+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
>+ */
>+ credentials1.data[0] = 'A';
>+ credentials1.data[1] = 'A';
>+ credentials1.data[2] = 'A';
>+ credentials1.data[3] = 'A';
>+ credentials1.data[4] = 'B';
>+ credentials1.data[5] = 'C';
>+ credentials1.data[6] = 'D';
>+ credentials1.data[7] = 'E';
>+
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
>+ "ServerReqChallenge failed");
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ r.out.result,
>+ "ServerReqChallenge failed");
>+ a.in.server_name = NULL;
>+ a.in.account_name = account_name;
>+ a.in.secure_channel_type = sec_chan_type;
>+ a.in.computer_name = machine_name;
>+ a.in.negotiate_flags = &in_negotiate_flags;
>+ a.out.negotiate_flags = &out_negotiate_flags;
>+ a.in.credentials = &credentials3;
>+ a.out.return_credentials = &credentials3;
>+
>+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
>+ a.in.computer_name,
>+ a.in.secure_channel_type,
>+ &credentials1, &credentials2,
>+ mach_password, &credentials3,
>+ in_negotiate_flags);
>+
>+ torture_assert(tctx, creds != NULL, "memory allocation");
>+
>+ torture_comment(tctx, "Testing ServerAuthenticate2\n");
>+
>+ torture_assert_ntstatus_ok(
>+ tctx,
>+ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
>+ "ServerAuthenticate2 failed");
>+ torture_assert_ntstatus_equal(
>+ tctx,
>+ a.out.result,
>+ NT_STATUS_OK,
>+ "ServerAuthenticate2 unexpected");
>+
>+ return true;
>+}
>+
> /*
> try a change password for our machine account
> */
>@@ -4955,7 +5272,22 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
>
> torture_rpc_tcase_add_test(tcase, "Broken RPC binding handle",
> test_netr_broken_binding_handle);
>-
>+ torture_rpc_tcase_add_test_creds(
>+ tcase,
>+ "ServerReqChallenge",
>+ test_ServerReqChallenge);
>+ torture_rpc_tcase_add_test_creds(
>+ tcase,
>+ "ServerReqChallenge_zero_challenge",
>+ test_ServerReqChallenge_zero_challenge);
>+ torture_rpc_tcase_add_test_creds(
>+ tcase,
>+ "ServerReqChallenge_5_repeats",
>+ test_ServerReqChallenge_5_repeats);
>+ torture_rpc_tcase_add_test_creds(
>+ tcase,
>+ "ServerReqChallenge_4_repeats",
>+ test_ServerReqChallenge_4_repeats);
> return suite;
> }
>
>--
>2.25.1
>
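Review bot: The four functions added in the `@@ -488` hunk (`test_ServerReqChallenge` and its `_zero_challenge`, `_5_repeats` and `_4_repeats` variants) are one body copied four times, differing only in how `credentials1` is filled and in the status expected from `a.out.result`, so any later change to the handshake has to be repeated in each copy. A shared helper that takes the client challenge and the expected status would keep the boundary the fix relies on (five identical leading bytes rejected, four accepted) visible in one place; a sketch follows. The comment in `test_ServerReqChallenge_4_repeats` reads `this should fail pass` and should say `this should pass`. The two success cases also stop at `NT_STATUS_OK` without validating the returned `credentials3`, which a `torture_assert` on `netlogon_creds_client_check(creds, &credentials3)` would cover.

```c
static bool test_ServerReqChallenge_with_challenge(
	struct torture_context *tctx,
	struct dcerpc_pipe *p,
	struct cli_credentials *credentials,
	const struct netr_Credential *challenge,
	NTSTATUS expected_status)
{
	/* Client challenge under test, supplied by the caller. */
	struct netr_Credential credentials1 = *challenge;
	struct netr_Credential credentials2, credentials3;
	/* … unchanged: remaining declarations, ServerReqChallenge call, netlogon_creds_client_init, ServerAuthenticate2 call … */

	torture_assert_ntstatus_equal(
		tctx,
		a.out.result,
		expected_status,
		"ServerAuthenticate2 unexpected");

	return true;
}

static bool test_ServerReqChallenge_5_repeats(
	struct torture_context *tctx,
	struct dcerpc_pipe *p,
	struct cli_credentials *credentials)
{
	/* First five bytes identical: the server must refuse (CVE-2020-1472). */
	const struct netr_Credential challenge = {
		.data = { 'A', 'A', 'A', 'A', 'A', 'B', 'C', 'D' }
	};

	return test_ServerReqChallenge_with_challenge(
		tctx, p, credentials, &challenge, NT_STATUS_ACCESS_DENIED);
}
```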