Attachment 16939 Details for Bug 12444 – backport for 3.6

[patch] backport for 3.6

CVE-2016-2124-3.6.patch (text/plain), 2.89 KB, created by Noel Power on 2021-11-03 16:47:33 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Noel Power

Created: 2021-11-03 16:47:33 UTC

Size: 2.89 KB

patch

obsolete

>From 4b3a8e4514305e5d58a3b24ac4a0cc7aa1812ff1 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 27 Oct 2016 10:40:28 +0200
>Subject: [PATCH] CVE-2016-2124: s3:libsmb: don't fallback to non spnego
> authentication if we require kerberos
>
>We should not send NTLM[v2] nor plaintext data on the wire if the user
>asked for kerberos only.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/libsmb/cliconnect.c | 31 ++++++++++++++++++++++++++++---
> 1 file changed, 28 insertions(+), 3 deletions(-)
>
>diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
>index 8653ba7d085..7e6e3b8a19a 100644
>--- a/source3/libsmb/cliconnect.c
>+++ b/source3/libsmb/cliconnect.c
>@@ -2012,6 +2012,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
> 				cli->server_type == NULL) {
> 			return NT_STATUS_NO_MEMORY;
> 		}
>+		if (cli->use_kerberos) {
>+			DEBUG(1,("Kerberos authentication requested, but "
>+				 "the server does not support SPNEGO "
>+				 "authentication\n"));
>+			return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
>+		}
> 		return NT_STATUS_OK;
> 	}
> 
>@@ -2035,6 +2041,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
> 			return NT_STATUS_ACCESS_DENIED;
> 		}
> 
>+		if (cli->use_kerberos) {
>+			DEBUG(1,("Kerberos authentication requested, but "
>+				 "the server does not support SPNEGO "
>+				 "authentication\n"));
>+			return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
>+		}
> 		return cli_session_setup_lanman2(cli, user, pass, passlen,
> 						 workgroup);
> 	}
>@@ -2042,16 +2054,23 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
> 	/* if no user is supplied then we have to do an anonymous connection.
> 	   passwords are ignored */
> 
>-	if (!user || !*user)
>+	if (!user || !*user) {
> 		return cli_session_setup_guest(cli);
>+	}
> 
> 	/* if the server is share level then send a plaintext null
>            password at this point. The password is sent in the tree
>            connect */
> 
>-	if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) 
>+	if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0)  {
>+		if (cli->use_kerberos) {
>+			DEBUG(1,("Kerberos authentication requested, but "
>+				 "the server does not support SPNEGO "
>+				 "authentication\n"));
>+			return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
>+		}
> 		return cli_session_setup_plain(cli, user, "", workgroup);
>-
>+	}
> 	/* if the server doesn't support encryption then we have to use 
> 	   plaintext. The second password is ignored */
> 
>@@ -2061,6 +2080,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
> 				  " or 'client ntlmv2 auth = yes'\n"));
> 			return NT_STATUS_ACCESS_DENIED;
> 		}
>+		if (cli->use_kerberos) {
>+			DEBUG(1,("Kerberos authentication requested, but "
>+				 "the server does not support SPNEGO "
>+				 "authentication\n"));
>+			return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
>+		}
> 		return cli_session_setup_plain(cli, user, pass, workgroup);
> 	}
> 
>-- 
>2.31.1
>

Actions: View

Attachments on bug 12444: 16890 | 16891 | 16892 | 16893 | 16898 | 16902 | 16935 | 16937 | 16938 | 16939 | 16972 | 16976 | 16981