Bug 13089 - smbc_open etc. in libsmbclient doesn't enforce smb signing
smbc_open etc. in libsmbclient doesn't enforce smb signing
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
unspecified
All All
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-17 05:34 UTC by Motohiro Kanda
Modified: 2017-10-17 05:34 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Motohiro Kanda 2017-10-17 05:34:29 UTC
Hi,

I have researched the bug 12997(CVE-2017-12150) and found
there also is a code path which ignores smb signing requirement
and falls back to anonymous.

SMBC_server_internal uses cli_session_setup_anon when login fails.
It sees NO_AUTO_ANONYMOUS_LOGON option flag but ignores for example,
client signing = mandatory in smb.conf. Is this by design?
Don't we need to see smbXcli_conn_signing_mandatory also?

Sample session on Fedora 25 follows.

$ smbd --version
Version 4.5.14

# smbclient does not fall back to anonymous due to fix on do_connect.

$ smbclient -U kanda //kandaw2016/temp
Enter kanda's password:
session setup failed: NT_STATUS_LOGON_FAILURE

# testread uses SMBC_server via smbc_open.

$ pwd
/home/kanda/rpmbuild/BUILD/samba-4.5.14/bin/default/examples/libsmbclient

$ ./testread
Path: smb://kandaw2016/temp/hello
Workgroup: [KANDA]
Username: [kanda]
Password:
smbc_open: File exists
Path: ^C
$

Packet monitor shows that after ntlm session setup error, libsmbclient
attempts anonymous login and succeeds. It then tries tree connect to "temp"
and gets STATUS_ACCESS_DENIED from Windows server 2016.
It has restrictnullsessaccess=1 and maybe that's the cause of the error.

The point is, libsmbclient sometimes falls back to anonymous session
and messages go unsigned on wire, unless the caller sets NO_AUTO_ANONYMOUS_LOGON option.