From ebcbbcddafc87d3b433cb904559fb09568242e5f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 12 Sep 2023 18:59:44 +1200
Subject: [PATCH 1/3] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
 default

The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
 lib/param/loadparm.c                                   | 2 +-
 selftest/target/Samba4.pm                              | 2 +-
 source3/param/loadparm.c                               | 2 +-
 source4/rpc_server/wscript_build                       | 3 ++-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
index 8a217cc7f11..c6642b795fd 100644
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
@@ -6,6 +6,6 @@
 	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
 </description>
 
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
 <value type="example">rpcecho</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 447087911b5..02eef6929d0 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
 
-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
 	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
 	/* the winbind method for domain controllers is for both RODC
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 49e3c174b07..5f1f1bfffad 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
 	wins support = yes
 	server role = $ctx->{server_role}
 	server services = +echo $services
-        dcerpc endpoint servers = +winreg +srvsvc
+        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
 	notify:inotify = false
 	ldb:nosync = true
 	ldap server require strong auth = yes
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 238b725e278..366884d845f 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
 
-	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
 
 	Globals.tls_enabled = true;
 	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index 0e44a3c2bae..31ec4f60c9a 100644
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
                  source='echo/rpc_echo.c',
                  subsystem='dcerpc_server',
                  init_function='dcerpc_server_rpcecho_init',
-                 deps='ndr-standard events'
+                 deps='ndr-standard events',
+                 enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
                  )
 
 
-- 
2.25.1


From bc66db51cdeb2226ae3c080eec703ab3bf648b3d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 12 Sep 2023 19:01:03 +1200
Subject: [PATCH 2/3] CVE-2023-42669 s3-rpc_server: Disable rpcecho for
 consistency with the AD DC

The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact.  Hoever equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source3/rpc_server/wscript_build | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build
index 341df41a321..5ed81283395 100644
--- a/source3/rpc_server/wscript_build
+++ b/source3/rpc_server/wscript_build
@@ -38,6 +38,7 @@ bld.SAMBA3_BINARY('rpcd_rpcecho',
                   RPC_WORKER
                   RPC_RPCECHO
                   ''',
+                  for_selftest=True,
                   install_path='${SAMBA_LIBEXECDIR}')
 
 bld.SAMBA3_BINARY('rpcd_classic',
-- 
2.25.1


From a403da98b3dd26cdefc010c88e9bf7bf5af87467 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 12 Sep 2023 19:03:10 +1200
Subject: [PATCH 3/3] s4-echo: Remove the "echo" server (port 7, RFC 862) in
 production builds

This demonstration should never be enabled in production, if
echo service is required other software is far better positioned
to provide it.  Reflection attacks on echo are a known issue.

This is removed for consistency with the removal of rpcecho, but was
never enabled in the default smb.conf so is mostly harmless.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/echo_server/wscript_build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/echo_server/wscript_build b/source4/echo_server/wscript_build
index 8c40ec8c418..3d70f0c397a 100644
--- a/source4/echo_server/wscript_build
+++ b/source4/echo_server/wscript_build
@@ -6,5 +6,5 @@ bld.SAMBA_MODULE('ECHO',
         init_function='server_service_echo_init',
         deps='samba-hostconfig LIBTSOCKET LIBSAMBA_TSOCKET',
         local_include=False,
-        enabled=bld.AD_DC_BUILD_IS_ENABLED()
+        enabled=bld.CONFIG_GET('ENABLE_SELFTEST'),
         )
-- 
2.25.1