The Samba-Bugzilla – Attachment 17292 Details for Bug 15072
Bug 15072: CVE-2022-2127 [SECURITY] lm_resp_len not checked properly in winbindd_pam_auth_crap_send()
Attachment 17292: patch
Filename: 15072.txt
MIME Type: text/plain
Size: 3.58 KB
Creator: Volker Lendecke
Created: 2022-05-20 09:00:54 UTC
Flags: patch, obsolete
>From 94efe312521b9fe7ddf2ad1bdf6aece813626e54 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 20 May 2022 10:55:23 +0200 >Subject: [PATCH 1/2] winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks > >With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you >can crash winbind. We don't independently check lm_resp_len >sufficiently. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15072 >Signed-off-by: Volker Lendecke <vl@samba.org> >--- > source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++-------- > 1 file changed, 21 insertions(+), 10 deletions(-) > >diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c >index 6120522ce3c..e6a32c7ed79 100644 >--- a/source3/winbindd/winbindd_pam_auth_crap.c >+++ b/source3/winbindd/winbindd_pam_auth_crap.c >@@ -52,6 +52,9 @@ struct tevent_req *winbindd_pam_auth_crap_send( > DATA_BLOB chal = data_blob_null; > struct wbint_SidArray *require_membership_of_sid = NULL; > NTSTATUS status; >+ bool lmlength_ok = false; >+ bool ntlength_ok = false; >+ bool pwlength_ok = false; > > req = tevent_req_create(mem_ctx, &state, > struct winbindd_pam_auth_crap_state); 
>@@ -115,16 +118,24 @@ struct tevent_req *winbindd_pam_auth_crap_send( > fstrcpy(request->data.auth_crap.workstation, lp_netbios_name()); > } > >- if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp) >- || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) { >- if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) || >- request->extra_len != request->data.auth_crap.nt_resp_len) { >- DBG_ERR("Invalid password length %u/%u\n", >- request->data.auth_crap.lm_resp_len, >- request->data.auth_crap.nt_resp_len); >- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); >- return tevent_req_post(req, ev); >- } >+ lmlength_ok = (request->data.auth_crap.lm_resp_len <= >+ sizeof(request->data.auth_crap.lm_resp)); >+ >+ ntlength_ok = (request->data.auth_crap.nt_resp_len <= >+ sizeof(request->data.auth_crap.nt_resp)); >+ >+ ntlength_ok |= >+ ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) && >+ (request->extra_len == request->data.auth_crap.nt_resp_len)); >+ >+ pwlength_ok = lmlength_ok && ntlength_ok; >+ >+ if (!pwlength_ok) { >+ DBG_ERR("Invalid password length %u/%u\n", >+ request->data.auth_crap.lm_resp_len, >+ request->data.auth_crap.nt_resp_len); >+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return tevent_req_post(req, ev); > } > > state->domain = talloc_strdup(state, request->data.auth_crap.domain); >-- >2.30.2 > > >From 11ae4ee86279b51a777dfc89c679f774d9089bfc Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 20 May 2022 10:59:29 +0200 >Subject: [PATCH 2/2] reproducer for > https://bugzilla.samba.org/show_bug.cgi?id=15072 > >--- > nsswitch/libwbclient/wbc_pam.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c >index b4bb2678ad0..e9622470471 100644 >--- a/nsswitch/libwbclient/wbc_pam.c >+++ b/nsswitch/libwbclient/wbc_pam.c 
>@@ -491,8 +491,9 @@ wbcErr wbcCtxAuthenticateUserEx(struct wbcContext *ctx, > params->password.response.lm_data, > request.data.auth_crap.lm_resp_len); > } >+ request.data.auth_crap.lm_resp_len = 0x1000000; > request.data.auth_crap.nt_resp_len = params->password.response.nt_length; >- if (params->password.response.nt_length > sizeof(request.data.auth_crap.nt_resp)) { >+ if (true) { > request.flags |= WBFLAG_BIG_NTLMV2_BLOB; > request.extra_len = params->password.response.nt_length; > request.extra_data.data = (char *)malloc( >-- >2.30.2 >
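Review bot: the `= false` initializers on `lmlength_ok`, `ntlength_ok` and `pwlength_ok` in the `@@ -52,6 +52,9 @@` hunk are dead stores, since all three are assigned unconditionally in the later hunk before they are read. Harmless, but `pwlength_ok` exists only to hold `lmlength_ok && ntlength_ok` for the `if`; writing `if (!(lmlength_ok && ntlength_ok))` would drop one variable and make the condition read as a single statement.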
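Review bot: the `@@ -115,16 +118,24 @@` hunk finally bounds `lm_resp_len` on every path, but the `WBFLAG_BIG_NTLMV2_BLOB` branch still trusts that `extra_data` really holds `extra_len` bytes, and nothing in this hunk shows where that is enforced; please confirm the request reader guarantees it, otherwise `extra_len == nt_resp_len` only proves two client-controlled numbers agree with each other. In the removed code the bypass was structural: once the flag was set and `extra_len` matched `nt_resp_len`, the whole `if` block was skipped, so `lm_resp_len` was never compared against `sizeof(lm_resp)`, which is exactly what the reproducer exploits. The rewritten form is the right shape (`lmlength_ok` has no escape hatch; only `ntlength_ok` may be rescued by the big-blob case), but the `DBG_ERR("Invalid password length %u/%u\n", ...)` message still logs only the two lengths; adding `extra_len` and whether the flag was set would let an operator tell a plain oversized response from a malformed big-blob request when triaging rejected logons.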
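Review bot: the `@@ -491,8 +491,9 @@` hunk in `wbc_pam.c` is a deliberate client-side corruption (`request.data.auth_crap.lm_resp_len = 0x1000000;` plus `if (true)` to force `WBFLAG_BIG_NTLMV2_BLOB` and a matching `extra_len`) and must not be applied to any branch; the subject line says "reproducer", but nothing in the diff itself marks it as such, so a one-line comment above the override, or keeping it out of the series and attaching it separately, would avoid an accidental merge. The placement is sound: the `memcpy` of `lm_data` in the context above still uses the genuine `lm_resp_len`, so only the value sent to winbindd is bogus, and against the pre-fix server the combination of flag and consistent `extra_len` is what slips the 16 MiB `lm_resp_len` past the old check. If this is meant to stay around, turning it into a test that sends the malformed request and asserts on `NT_STATUS_INVALID_PARAMETER` coming back would be more useful than a hand-edited library.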
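To make the logic difference between the removed and the added check concrete, the following is an added, stand-alone example (not Samba code and not part of this attachment). It transcribes the two conditions onto a constructed, cut-down request struct; the 24-byte buffer sizes, the flag value and the field layout are assumptions, and the reproducer-shaped request reuses the `0x1000000` length from PATCH 2/2.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for WBFLAG_BIG_NTLMV2_BLOB; the real value is not
 * on this page and does not matter for the comparison below. */
#define FLAG_BIG_NTLMV2_BLOB 0x1u

/* Constructed, cut-down request holding only the fields the checks touch.
 * The 24-byte buffers are an assumption, not taken from the page. */
struct auth_crap_req {
	uint32_t flags;
	uint32_t extra_len;
	uint32_t lm_resp_len;
	uint32_t nt_resp_len;
	uint8_t lm_resp[24];
	uint8_t nt_resp[24];
};

/* Pre-patch logic, transcribed from the removed '-' lines. When the big-blob
 * flag is set and extra_len matches nt_resp_len the inner rejection is
 * skipped, so lm_resp_len is never compared against sizeof(lm_resp). */
bool lengths_ok_before(const struct auth_crap_req *r)
{
	if (r->lm_resp_len > sizeof(r->lm_resp) ||
	    r->nt_resp_len > sizeof(r->nt_resp)) {
		if (!(r->flags & FLAG_BIG_NTLMV2_BLOB) ||
		    r->extra_len != r->nt_resp_len) {
			return false;
		}
	}
	return true;
}

/* Post-patch logic, transcribed from the added '+' lines. lm_resp_len is
 * bounded unconditionally; only nt_resp_len may escape into extra_data. */
bool lengths_ok_after(const struct auth_crap_req *r)
{
	bool lmlength_ok = (r->lm_resp_len <= sizeof(r->lm_resp));
	bool ntlength_ok = (r->nt_resp_len <= sizeof(r->nt_resp));

	ntlength_ok |= ((r->flags & FLAG_BIG_NTLMV2_BLOB) &&
			(r->extra_len == r->nt_resp_len));

	return lmlength_ok && ntlength_ok;
}

/* Request shaped like the PATCH 2/2 reproducer: big-blob flag forced on,
 * extra_len consistent with nt_resp_len, lm_resp_len = 0x1000000. */
struct auth_crap_req make_reproducer_request(void)
{
	struct auth_crap_req r;
	memset(&r, 0, sizeof(r));
	r.flags = FLAG_BIG_NTLMV2_BLOB;
	r.nt_resp_len = 64;        /* arbitrary NTLMv2 blob length (constructed) */
	r.extra_len = r.nt_resp_len;
	r.lm_resp_len = 0x1000000; /* the bogus value from the reproducer */
	return r;
}

/* Well-formed request: both responses fit their fixed buffers. */
struct auth_crap_req make_normal_request(void)
{
	struct auth_crap_req r;
	memset(&r, 0, sizeof(r));
	r.lm_resp_len = 24;
	r.nt_resp_len = 24;
	return r;
}

int main(void)
{
	struct auth_crap_req bad = make_reproducer_request();
	struct auth_crap_req good = make_normal_request();

	printf("reproducer: before=%d after=%d\n",
	       lengths_ok_before(&bad), lengths_ok_after(&bad));
	printf("normal:     before=%d after=%d\n",
	       lengths_ok_before(&good), lengths_ok_after(&good));
	return 0;
}
```

The pre-patch condition accepts the reproducer because the outer `if` is entered (the LM length is oversized) and the inner `if` then fails to reject (flag set, `extra_len` consistent); the post-patch condition rejects it because `lmlength_ok` has no second chance. Both versions still agree on the ordinary cases, which is the property a regression test for this fix should pin down.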
Attachments on bug 15072: 17292 | 17293 | 17909 | 17923 | 17924 | 17926 | 17927 | 17939 | 17940 | 17949 | 17954 | 17955 | 17956 | 17957