The Samba-Bugzilla – Attachment 16963 Details for
Bug 14556
CVE-2020-25717 [SECURITY] A user on the domain can become root on domain members
[patch]
Patches for v3-6-test (wip)
CVE-2020-25717-only-3.6-wip.patch (text/plain), 3.89 KB, created by
Samuel Cabrero
on 2021-11-05 17:46:13 UTC
>From b0ebabd95886892a7f1bca6f5a71fa29fb520dc9 Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@suse.de> >Date: Fri, 5 Nov 2021 13:51:33 +0100 >Subject: [PATCH] CVE-2020-25717: s3:auth: Always require a PAC in domain mode > >AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set >on the service account, which can only be explicitly configured, >but that's an invalid configuration! > >We still try to support standalone servers in an MIT realm, as legacy setup. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >--- > source3/auth/user_krb5.c | 17 ++++++++++++----- > source3/smbd/sesssetup.c | 8 ++++++++ > source3/smbd/smb2_sesssetup.c | 7 +++++++ > source3/utils/ntlm_auth.c | 9 +++++++++ > 4 files changed, 36 insertions(+), 5 deletions(-) > >diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c >index e52149afd7e..06ee8628e0c 100644 >--- a/source3/auth/user_krb5.c >+++ b/source3/auth/user_krb5.c >@@ -213,16 +213,23 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, > } > > } else { >- /* >- * We didn't get a PAC, we have to make up the user >- * ourselves. Try to ask the pdb backend to provide >- * SID consistency with ntlmssp session setup >- */ > struct samu *sampass; > /* The stupid make_server_info_XX functions here > don't take a talloc context. */ > struct auth_serversupplied_info *tmp = NULL; > >+ if (lp_server_role() != ROLE_STANDALONE) { >+ status = NT_STATUS_ACCESS_DENIED; >+ DEBUG(2, ("make_server_info_krb5: Kerberos ticket " >+ "has no PAC: %s\n", nt_errstr(status))); >+ return status; >+ } >+ >+ /* >+ * We didn't get a PAC, we have to make up the user >+ * ourselves. Try to ask the pdb backend to provide >+ * SID consistency with ntlmssp session setup >+ */ > sampass = samu_new(talloc_tos()); > if (sampass == NULL) { > return NT_STATUS_NO_MEMORY; 
>diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c >index 75c2a1551d1..9e4370539df 100644 >--- a/source3/smbd/sesssetup.c >+++ b/source3/smbd/sesssetup.c >@@ -345,6 +345,14 @@ static void reply_spnego_kerberos(struct smb_request *req, > return; > } > >+ if (lp_server_role() != ROLE_STANDALONE && logon_info == NULL) { >+ DEBUG(2, ("Unable to find PAC in ticket from %s, failing " >+ "to allow access\n", principal)); >+ ret = NT_STATUS_NO_IMPERSONATION_TOKEN; >+ reply_nterror(req, nt_status_squash(ret)); >+ return; >+ } >+ > ret = get_user_from_kerberos_info(talloc_tos(), > sconn->client_id.name, > principal, logon_info, >diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c >index 1f48e332e85..0673e498867 100644 >--- a/source3/smbd/smb2_sesssetup.c >+++ b/source3/smbd/smb2_sesssetup.c >@@ -207,6 +207,13 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, > goto fail; > } > >+ if (lp_server_role() != ROLE_STANDALONE && logon_info == NULL) { >+ DEBUG(2, ("Unable to find PAC in ticket from %s, failing " >+ "to allow access\n", principal)); >+ status = NT_STATUS_NO_IMPERSONATION_TOKEN; >+ goto fail; >+ } >+ > status = get_user_from_kerberos_info(talloc_tos(), > smb2req->sconn->client_id.name, > principal, logon_info, >diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c >index 73f41a7fe66..84119afbc12 100644 >--- a/source3/utils/ntlm_auth.c >+++ b/source3/utils/ntlm_auth.c >@@ -1530,6 +1530,15 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state, > > if (NT_STATUS_IS_OK(status)) { > >+ if (lp_server_role() != ROLE_STANDALONE && logon_info == NULL) { >+ DEBUG(2, ("Unable to find PAC in ticket from %s, failing " >+ "to allow access\n", principal)); >+ x_fprintf(x_stdout, "BH Unable to find PAC " >+ "in ticket from %s, failing " >+ "to allow access\n", principal); >+ return; >+ } >+ > domain = strchr_m(principal, '@'); > > if (domain == NULL) { >-- >2.33.1 >
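Review bot: In source3/auth/user_krb5.c, the new non-standalone branch of make_server_info_krb5() returns NT_STATUS_ACCESS_DENIED, while the checks this patch adds in sesssetup.c and smb2_sesssetup.c for the same condition use NT_STATUS_NO_IMPERSONATION_TOKEN. Pick one status so a ticket without a PAC produces the same result on every path. The DEBUG line here also says only "Kerberos ticket has no PAC" without naming the account, unlike the other three call sites, which print principal; if a user or principal name is in scope at this point, include it so the denial can be traced to a client.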
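Review bot: In source3/smbd/sesssetup.c, the added block in reply_spnego_kerberos() leaves the function with only reply_nterror() and a bare return, with no cleanup. The rest of the function is not visible in this hunk, so please confirm that nothing allocated before this point (buffers, a talloc context) needs releasing here; if the function's other failure paths free anything, this one should do the same. The smb2_sesssetup.c version of the check avoids the question by using goto fail.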
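Review bot: In source3/smbd/smb2_sesssetup.c, the test lp_server_role() != ROLE_STANDALONE && logon_info == NULL and its DEBUG text are a verbatim copy of what is added in sesssetup.c and ntlm_auth.c, so the "PAC required unless standalone" policy now lives in three places plus a fourth variant in user_krb5.c. A small shared helper that takes logon_info and principal and returns the NTSTATUS would keep the policy and the log message in one place. Also note that DEBUG(2, ...) means the reason for the rejection is only logged at log level 2 or higher; since this turns previously accepted logins into failures, a more visible level would help administrators diagnose it.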
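Review bot: In source3/utils/ntlm_auth.c, the new block in manage_gss_spnego_request() reports a missing PAC to the caller with a line starting "BH" and then returns from inside the NT_STATUS_IS_OK(status) branch. Please check two things: whether "BH" is the right reply for what is an authentication denial rather than a helper malfunction, and whether the bare return skips cleanup that the code after this block would otherwise perform, which is not visible in this hunk. A short comment above the check stating that standalone servers are exempt for the legacy MIT realm case, as the commit message explains, would also help the next reader.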