The Samba-Bugzilla – Attachment 17299 Details for
Bug 15047
[SECURITY] CVE-2022-2031 kadmin/changew gets a krbtgt key as AS-REP
[patch]
patch for canonicalisation issue
kadmin-canon.patch (text/plain), 6.51 KB, created by
Jo Sutton
on 2022-05-24 04:25:47 UTC
Description:
patch for canonicalisation issue
Filename:
MIME Type:
Creator:
Jo Sutton
Created:
2022-05-24 04:25:47 UTC
Size:
6.51 KB
patch
obsolete
>From 56cc2ac144f90c1e2e27cfe908ca609341516d63 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Wed, 18 May 2022 16:56:01 +1200
>Subject: [PATCH] s4:kdc: Fix canonicalisation of kadmin/changepw principal
>
>Since this principal goes through the samba_kdc_fetch_server() path,
>setting the canonicalisation flag would cause the principal to be
>replaced with the sAMAccountName; this meant requests to
>kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we
>properly handle canonicalisation for the kadmin/changepw principal.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>---
> source4/kdc/db-glue.c | 155 ++++++++++++++++++++++-------------------
> 1 file changed, 82 insertions(+), 73 deletions(-)
>
>diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
>index ea329b7edab..390205c02d5 100644
>--- a/source4/kdc/db-glue.c
>+++ b/source4/kdc/db-glue.c
>@@ -917,6 +917,75 @@ static int principal_comp_strcmp(krb5_context context,
> component, string, false);
> }
>
>+static krb5_error_code samba_kdc_get_entry_principal(krb5_context context,
>+ struct samba_kdc_db_context *kdc_db_ctx,
>+ const char *samAccountName,
>+ enum samba_kdc_ent_type ent_type,
>+ unsigned flags,
>+ bool change_pw,
>+ krb5_const_principal in_princ,
>+ krb5_principal *out_princ)
>+{
>+ struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
>+ krb5_error_code ret = 0;
>+
>+ if (!change_pw && ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL) {
>+ ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx),
>+ samAccountName, NULL);
>+ return ret;
>+ }
>+
>+ if (!change_pw && flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
>+ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
>+ /*
>+ * When requested to do so, ensure that the
>+ * both realm values in the principal are set
>+ * to the upper case, canonical realm
>+ */
>+ ret = smb_krb5_make_principal(context, out_princ,
>+ lpcfg_realm(lp_ctx), "krbtgt",
>+ lpcfg_realm(lp_ctx), NULL);
>+ if (ret) {
>+ return ret;
>+ }
>+ smb_krb5_principal_set_type(context, *out_princ, KRB5_NT_SRV_INST);
>+ return 0;
>+ }
>+ if (flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) {
>+ /*
>+ * SDB_F_CANON maps from the canonicalize flag in the
>+ * packet, and has a different meaning between AS-REQ
>+ * and TGS-REQ. We only change the principal in the AS-REQ case
>+ *
>+ * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
>+ * the canonical name in all lookups, and takes care to
>+ * canonicalize only when appropriate.
>+ */
>+ ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx),
>+ samAccountName, NULL);
>+ return ret;
>+ }
>+ }
>+
>+ /*
>+ * for a krbtgt entry, this appears to be
>+ * required regardless of the canonicalize
>+ * flag from the client
>+ */
>+ ret = krb5_copy_principal(context, in_princ, out_princ);
>+ if (ret) {
>+ return ret;
>+ }
>+
>+ /* While we have copied the client principal, tests
>+ * show that Win2k3 returns the 'corrected' realm, not
>+ * the client-specified realm. This code attempts to
>+ * replace the client principal's realm with the one
>+ * we determine from our records */
>+ ret = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx));
>+ return ret;
>+}
>+
> /*
> * Construct an hdb_entry from a directory entry.
> */
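Review bot: The `!change_pw` prefix on the first `if` in samba_kdc_get_entry_principal means an entry with `change_pw` set and a NULL `in_princ` (the SAMBA_KDC_ENT_TYPE_ANY lookup case that branch otherwise handles) falls through to `krb5_copy_principal(context, in_princ, out_princ)` with a NULL source. Whether that combination can occur depends on how the caller derives entry->flags.change_pw, which is outside this hunk; an explicit guard before the first branch, `if (change_pw && in_princ == NULL) { return EINVAL; }`, would make the contract visible either way. The function also has no header comment stating why kadmin/changepw is excluded from canonicalisation; a comment along the lines of `/* kadmin/changepw entries are fetched via samba_kdc_fetch_server(), so canonicalising them to the sAMAccountName would yield krbtgt@REALM; for change_pw the requested principal is always kept. */` would carry the commit message's rationale into the code. The moved comment on the SDB_F_FORCE_CANON flag still reads "if for new MIT KDC code" where "is for" is meant.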
>@@ -1023,79 +1092,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
>
> if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
> p->is_krbtgt = true;
>-
>- if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
>- /*
>- * When requested to do so, ensure that the
>- * both realm values in the principal are set
>- * to the upper case, canonical realm
>- */
>- ret = smb_krb5_make_principal(context, &entry->principal,
>- lpcfg_realm(lp_ctx), "krbtgt",
>- lpcfg_realm(lp_ctx), NULL);
>- if (ret) {
>- krb5_clear_error_message(context);
>- goto out;
>- }
>- smb_krb5_principal_set_type(context, entry->principal, KRB5_NT_SRV_INST);
>- } else {
>- ret = krb5_copy_principal(context, principal, &entry->principal);
>- if (ret) {
>- krb5_clear_error_message(context);
>- goto out;
>- }
>- /*
>- * this appears to be required regardless of
>- * the canonicalize flag from the client
>- */
>- ret = smb_krb5_principal_set_realm(context, entry->principal, lpcfg_realm(lp_ctx));
>- if (ret) {
>- krb5_clear_error_message(context);
>- goto out;
>- }
>- }
>-
>- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
>- ret = smb_krb5_make_principal(context, &entry->principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
>- if (ret) {
>- krb5_clear_error_message(context);
>- goto out;
>- }
>- } else if ((flags & SDB_F_FORCE_CANON) ||
>- ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
>- /*
>- * SDB_F_CANON maps from the canonicalize flag in the
>- * packet, and has a different meaning between AS-REQ
>- * and TGS-REQ. We only change the principal in the AS-REQ case
>- *
>- * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
>- * the canonical name in all lookups, and takes care to
>- * canonicalize only when appropriate.
>- */
>- ret = smb_krb5_make_principal(context, &entry->principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
>- if (ret) {
>- krb5_clear_error_message(context);
>- goto out;
>- }
>- } else {
>- ret = krb5_copy_principal(context, principal, &entry->principal);
>- if (ret) {
>- krb5_clear_error_message(context);
>- goto out;
>- }
>-
>- /* While we have copied the client principal, tests
>- * show that Win2k3 returns the 'corrected' realm, not
>- * the client-specified realm. This code attempts to
>- * replace the client principal's realm with the one
>- * we determine from our records */
>-
>- /* this has to be with malloc() */
>- ret = smb_krb5_principal_set_realm(context, entry->principal, lpcfg_realm(lp_ctx));
>- if (ret) {
>- krb5_clear_error_message(context);
>- goto out;
>- }
> }
>
> /* First try and figure out the flags based on the userAccountControl */
>@@ -1290,6 +1286,19 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
> }
> }
>
>+ ret = samba_kdc_get_entry_principal(context,
>+ kdc_db_ctx,
>+ samAccountName,
>+ ent_type,
>+ flags,
>+ entry->flags.change_pw,
>+ principal,
>+ &entry->principal);
>+ if (ret) {
>+ krb5_clear_error_message(context);
>+ goto out;
>+ }
>+
> entry->valid_start = NULL;
>
> entry->max_life = malloc(sizeof(*entry->max_life));
>--
>2.35.0
>
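Review bot: The new samba_kdc_get_entry_principal() call at the -1290 hunk runs roughly 260 lines later in samba_kdc_message2entry than the principal construction it replaces (the block deleted at -1023), so entry->principal is NULL across the intervening userAccountControl and flag derivation; any read of entry->principal in that stretch, which is not visible in this hunk, would now see NULL. If nothing there depends on it, a one-line comment at the new call site such as `/* Built only now: it depends on entry->flags.change_pw, computed above. */` would tell the next reader why the ordering is deliberate. The enclosing function samba_kdc_message2entry starts and ends outside the hunk.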