Bug 11847 - [PATCH] only validate MIC if "map to guest" is not being used
[PATCH] only validate MIC if "map to guest" is not being used
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
4.3.8
All Mac OS X
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on: 11849
Blocks:
  Show dependency treegraph
 
Reported: 2016-04-17 23:02 UTC by Derek Schrock
Modified: 2016-08-02 09:59 UTC (History)
3 users (show)

See Also:


Attachments
Only validate MIC if "map to guest" isn't being used (710 bytes, text/plain)
2016-04-17 23:02 UTC, Derek Schrock
no flags Details
tcpdump capture OS X to unpatch 4.3.8 (4.58 KB, application/vnd.tcpdump.pcap)
2016-04-19 02:51 UTC, Derek Schrock
no flags Details
tcpdump capture OS X to patched 4.3.8 (35.19 KB, application/vnd.tcpdump.pcap)
2016-04-19 02:53 UTC, Derek Schrock
no flags Details
tcpdump capture OS X to Windows 10 public share (30.88 KB, text/x-tex)
2016-04-19 02:55 UTC, Derek Schrock
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Derek Schrock 2016-04-17 23:02:34 UTC
Created attachment 12001 [details]
Only validate MIC if "map to guest" isn't being used

With the addition of CVE-2016-2110 (commit c0fc6a6d7) extra values (MIC) are validated by samba 4.3.8:

https://git.samba.org/?p=samba.git;a=blob;f=auth/ntlmssp/ntlmssp_server.c;hb=refs/heads/master#l902

On Mac OS X 10.11.4 (older releases not tested) this breaks 'guest ok' access to shares since memcmp() returns non-zero.

However, based off the commit message:

  ...
  This is still disabled if the "map to guest" feature is used. 
  ...

https://git.samba.org/?p=samba.git;a=commit;h=c0fc6a6d7f7a9d709f35c1a7e4812c0a89285977

It appears the MIC check is performed no matter the setting of 'map to guest':

https://git.samba.org/?p=samba.git;a=blob;f=auth/ntlmssp/ntlmssp_server.c;hb=refs/heads/master#l873

If the code follows the commit message shouldn't this be checking !ntlmssp_state->force_old_spnego to see if 'map to guest' is a non-Never value?

Running a patched samba 4.3.8 running on FreeBSD 10.3-RELEASE with Mac OS X 10.11.3 accessing a guest ok share works as expected.

Accessing unpatched 4.3.8 using smbutil(1) from Mac OS X with guest only access:

  $ smbutil view -g //host/
  smbutil: server connection failed: Invalid argument

log.smbd:
  ...
  [2016/04/17 18:28:54.402217,  5, pid=85059, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:851(ntlmssp_server_postauth)
    server session key is invalid (len == 0), cannot do KEY_EXCH!                      
  [2016/04/17 18:28:54.402267,  1, pid=85059, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:910(ntlmssp_server_postauth)
    ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[GUEST] domain=[] workstation=[MBP]
  [2016/04/17 18:28:54.402288,  1, pid=85059, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
    [0000] E2 4B 85 2B 31 0B 55 45   B8 A3 CC 3C 29 AB 60 47   .K.+1.UE ...<).`G  
  [2016/04/17 18:28:54.402327,  1, pid=85059, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
    [0000] 5D A8 7B 1E CF 24 19 CD   42 74 ED 12 30 05 28 F9   ].{..$.. Bt..0.(.  
  [2016/04/17 18:28:54.402365,  2, pid=85059, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
    SPNEGO login failed: NT_STATUS_INVALID_PARAMETER                                   
  [2016/04/17 18:28:54.402391,  4, pid=85059, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1                                         
  ...

With 4.3.8 patched:

  $ smbutil view -g //host/
  Share                                           Type    Comments
  -------------------------------
  backup                                          Disk   

Windows 10 accessing the same guest ok share works with and without the patch.
It's possible that Mac OS X smb implementation is broken and needs updated to support NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE?
Comment 1 Stefan Metzmacher 2016-04-17 23:47:17 UTC
(In reply to Derek Schrock from comment #0)

Can you please provide some network captures?
See https://wiki.samba.org/index.php/Capture_Packets

1. the failing case
2. with the patch applied
3. configure a public share on windows10
   see https://bugzilla.samba.org/show_bug.cgi?id=11841#c3
   and run the mac client against that, providing
   an invalid password

Thanks!
Comment 2 Derek Schrock 2016-04-19 02:51:43 UTC
Created attachment 12005 [details]
tcpdump capture OS X to unpatch 4.3.8

dump.failing

tcpdump of Mac OS X 10.11.4 smb://host/public via Finder's "Connect to Server" connecting to samba 4.3.8 running on FreeBSD 10.3-RELEASE.

This is the failing state of samba giving an invalid parameter.
Comment 3 Derek Schrock 2016-04-19 02:53:56 UTC
Created attachment 12006 [details]
tcpdump capture OS X to patched 4.3.8

dump.patched

tcpdump of Mac OS X 10.11.4 smb://host/public via Finder's "Connect to Server" connecting to patched samba 4.3.8 running on FreeBSD 10.3-RELEASE.

guest ok share connects as expected.
Comment 4 Derek Schrock 2016-04-19 02:55:01 UTC
Created attachment 12007 [details]
tcpdump capture OS X to Windows 10 public share

dump.windows10

tcpdump of Mac OS X 10.11.4 smb://host/public via Finder's "Connect to Server" connecting to Windows 10 public share.
Comment 5 lgkent 2016-04-23 13:09:00 UTC
I was able to recreate/confirm the problem with Samba version 4.3.8-Ubuntu and OS X 10.11.3
Comment 6 Stefan Metzmacher 2016-04-28 03:30:06 UTC
Please test the patches from bug #11849, thanks!
Comment 7 Derek Schrock 2016-04-28 03:47:21 UTC
Patching net/samba43 on FreeBSD 10.3-RELEASE with the the v4-3-test patch from bug #11849 allowed Mac OS X 10.11.4 to access a 'guest ok' share without getting an invalid parameter.

Windows 10 accessing the same guest share continued to work as well.
Comment 8 Stefan Metzmacher 2016-08-01 07:39:09 UTC
Fixed with 4.4.3, 4.3.9, 4.2.12.