Bug 11849 - CVE-2016-2110/NTLMSSP regression meta bug
Summary: CVE-2016-2110/NTLMSSP regression meta bug
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: 4.4.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 11870
Depends on:
Blocks: 11841 11847 11850 11858 11870 11872 12061
Reported: 2016-04-18 14:39 UTC by Stefan Metzmacher
Modified: 2016-09-06 13:29 UTC
CC: 15 users

See Also:

Attachments
Possible patches for master (51.24 KB, patch)
2016-04-28 03:05 UTC, Stefan Metzmacher
no flags
Possible patches for v4-4-test (51.24 KB, patch)
2016-04-28 03:05 UTC, Stefan Metzmacher
no flags
Possible patches for v4-3-test (51.22 KB, patch)
2016-04-28 03:06 UTC, Stefan Metzmacher
no flags
Possible patches for v4-2-test (51.29 KB, patch)
2016-04-28 03:06 UTC, Stefan Metzmacher
no flags
Patches for v4-4-test (61.65 KB, patch)
2016-04-28 22:51 UTC, Stefan Metzmacher
asn: review+
gd: review+
metze: review? (jra)
Patches for v4-3-test (61.63 KB, patch)
2016-04-28 22:52 UTC, Stefan Metzmacher
asn: review+
gd: review+
metze: review? (jra)
Patches for v4-2-test (61.68 KB, patch)
2016-04-28 22:53 UTC, Stefan Metzmacher
asn: review+
gd: review+
metze: review? (jra)

Description Stefan Metzmacher 2016-04-18 14:39:52 UTC
There seem to be a few regressions regarding the NTLMSSP hardening
of CVE-2016-2110.
Comment 1 Stefan Metzmacher 2016-04-19 05:35:06 UTC
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-4-ntlmssp
has some work in progress patches
Comment 2 Stefan Metzmacher 2016-04-28 03:05:18 UTC
Created attachment 12034 [details]
Possible patches for master
Comment 3 Stefan Metzmacher 2016-04-28 03:05:46 UTC
Created attachment 12035 [details]
Possible patches for v4-4-test
Comment 4 Stefan Metzmacher 2016-04-28 03:06:13 UTC
Created attachment 12036 [details]
Possible patches for v4-3-test
Comment 5 Stefan Metzmacher 2016-04-28 03:06:48 UTC
Created attachment 12037 [details]
Possible patches for v4-2-test
Comment 6 Tom Schulz 2016-04-28 20:08:22 UTC
The problem reported in Bug 11870 is fixed by these patches.

The output of gpatch included the following while patching both 4.4.2 and 4.3.8:

patching file source3/libads/sasl.c
Hunk #1 succeeded at 319 (offset -9 lines).
Hunk #2 succeeded at 977 (offset -9 lines).
Comment 7 Stefan Metzmacher 2016-04-28 22:51:53 UTC
Created attachment 12043 [details]
Patches for v4-4-test
Comment 8 Stefan Metzmacher 2016-04-28 22:52:37 UTC
Created attachment 12044 [details]
Patches for v4-3-test
Comment 9 Stefan Metzmacher 2016-04-28 22:53:15 UTC
Created attachment 12045 [details]
Patches for v4-2-test
Comment 10 Andreas Schneider 2016-04-29 12:55:38 UTC
Comment on attachment 12045 [details]
Patches for v4-2-test

LGTM
Comment 11 Björn Jacke 2016-05-03 15:19:57 UTC
*** Bug 11870 has been marked as a duplicate of this bug. ***
Comment 12 Alexander Sack 2016-05-27 18:38:32 UTC
Will these patches be backported to Samba 3 releases? I believe I am seeing similar issues with the 'net' command and our internal NetApps (all OnTap versions).
Comment 13 Jeremy Allison 2016-05-27 22:58:01 UTC
(In reply to Alexander Sack from comment #12)

No, Samba 3.6.x is out of Samba Team support, sorry. If you need this you'll have to contract with a vendor to request this.
Comment 14 Florent V 2016-07-27 13:37:13 UTC
Hi,
I'm not sure, but I think that the version of the patch that is currently checked in broke something.

I usually do discovery of local devices like this:
smbclient -N -L localhost

Then look for the master of the workgroup (let's say BIGMASTER) and do:
smbclient -N -L BIGMASTER

Then I have the list of devices on the local network.

This broke for me between samba 4.2.11 and 4.2.12.

Now, everything looks fine without new error, but nothing is shown in "Server" or "Workgroup" output lists.

For what it's worth, in my case the "master" has the following specs (and is probably not up to date):
Domain=[WORKGROUP] OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
but I had reports of the same issue at some other places where it was working before.

After regression testing the different changes, I finally found that it is the following change that broke it for me (reverting it fixes it):
 https://git.samba.org/?p=samba.git;a=commitdiff;h=e72ad193a53e20b769f798d02c0610f91859bd38
(The second part, the changes to the two blocks starting around lines 2095 and 2143.)


I did try to debug the issue but without success.
What I noticed was that before, the connection was set up with "cli_session_setup_guest_send"
and later list_server returned the correct "list of servers".

Now, because of the change, everything goes through "cli_session_setup_spnego_send". First the parent code tries to do this with my computer credentials, but logically it fails; then it tries again with "" "" for login and password, for an "anonymous" connection, and then it seems to go through to the end of the connection code and succeed.
So I can even see the following log: "Anonymous login successful".
Everything goes well, but when list_server is issued, the request succeeds and no error is encountered, but the "list of servers" (and workgroups) is empty.

(Additional note: it looks like in cli_session_setup_spnego_send the code uses the "ntlmssp" auth code path.)

One final point: it looks like everything works well for listing servers when using "smbtree".
Comment 15 Stefan Metzmacher 2016-07-28 08:04:12 UTC
(In reply to Florent V from comment #14)

Can you upload captures of the following 3 combinations
all against the exact same server:

- The broken one, where we use cli_session_setup_spnego_send()

- The working one, where we use cli_session_setup_guest_send()

- The unmodified code with smbtree.

Please run each command with -d10 and 2>&1 | tee output
to get the level 10 output. At the same time
take a capture on ports 139 and 445, see
https://wiki.samba.org/index.php/Capture_Packets

Thanks!
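The following script is an added example, not code from this bug report or from Samba. It collects the three diagnostics requested in comment 15 (level-10 log plus a port 139/445 capture for the broken smbclient, the working smbclient, and smbtree, all against one server) and then classifies each log by the session-setup markers Florent names in comment 14. Assumptions, not facts from the page: tcpdump is installed and runs as root (the `-i any` pseudo-interface is Linux only), the two smbclient builds live under the hypothetical paths `/usr/local/samba-4.2.12` and `/usr/local/samba-4.2.11`, and the level-10 output actually contains the function names quoted in comment 14; adjust the grep patterns to what your log really prints.

```shell
#!/bin/sh
# Added example (not from the bug or Samba): gather the three diagnostics from
# comment 15 and summarise which session-setup path each run took (comment 14).
set -eu

SERVER="${1:-BIGMASTER}"                 # master browser name from comment 14
OUTDIR="${2:-./ntlmssp-regression}"
# Hypothetical install paths for the two smbclient builds (assumption).
BROKEN_SMBCLIENT=/usr/local/samba-4.2.12/bin/smbclient
WORKING_SMBCLIENT=/usr/local/samba-4.2.11/bin/smbclient

# run_case LABEL CMD...: run CMD with -d10 while tcpdump records ports 139/445.
# Produces $OUTDIR/LABEL.log (level-10 output, stderr merged) and $OUTDIR/LABEL.pcap.
run_case() {
    label=$1; shift
    tcpdump -i any -s 0 -w "$OUTDIR/$label.pcap" 'port 139 or port 445' &
    tcpdump_pid=$!
    sleep 1                               # let tcpdump attach before the first packet
    "$@" -d10 2>&1 | tee "$OUTDIR/$label.log" || true
    kill "$tcpdump_pid" 2>/dev/null || true
    wait "$tcpdump_pid" 2>/dev/null || true
}

# session_setup_path LOGFILE: print spnego, guest or unknown, based on the
# function names quoted in comment 14.  That these names appear verbatim in
# the -d10 output is an assumption; adjust the patterns to the real log.
session_setup_path() {
    if grep -q 'cli_session_setup_spnego_send' "$1"; then
        echo spnego
    elif grep -q 'cli_session_setup_guest_send' "$1"; then
        echo guest
    else
        echo unknown
    fi
}

# anonymous_login_seen LOGFILE: succeed if the log shows the anonymous
# fallback succeeding (the line Florent quotes in comment 14).
anonymous_login_seen() {
    grep -q 'Anonymous login successful' "$1"
}

main() {
    mkdir -p "$OUTDIR"
    run_case broken  "$BROKEN_SMBCLIENT"  -N -L "$SERVER"
    run_case working "$WORKING_SMBCLIENT" -N -L "$SERVER"
    run_case smbtree smbtree -N
    for c in broken working smbtree; do
        path=$(session_setup_path "$OUTDIR/$c.log")
        if anonymous_login_seen "$OUTDIR/$c.log"; then anon=yes; else anon=no; fi
        printf '%s: session setup via %s, anonymous login seen: %s\n' "$c" "$path" "$anon"
    done
    echo "logs and captures are in $OUTDIR"
}

# Only collect when explicitly asked, so the functions can be sourced safely.
if [ "${SMB_COLLECT:-0}" = 1 ]; then
    main
fi
```

Run it as `SMB_COLLECT=1 sudo sh collect.sh BIGMASTER` and attach the three `.log` and `.pcap` files; the summary line for the broken run should read `spnego` with the anonymous login seen, the working run `guest`, which is exactly the contrast comment 15 asks to compare against the same server.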
Comment 16 Stefan Metzmacher 2016-08-01 07:41:46 UTC
Fixed with 4.4.3, 4.3.9, 4.2.12.
Comment 17 Florent V 2016-08-02 09:50:24 UTC
(In reply to Stefan Metzmacher from comment #15)
Thank you for your reply.

I will try to provide that to you as soon as possible in the coming days.
Comment 18 Stefan Metzmacher 2016-08-02 10:00:26 UTC
(In reply to Florent V from comment #17)

Lets track that as https://bugzilla.samba.org/show_bug.cgi?id=12061
Comment 19 Stefan Metzmacher 2016-09-06 13:29:55 UTC
Please note the patches on
https://bugzilla.samba.org/show_bug.cgi?id=11994