Bug 14385 - Make spoofing of the workstaiton name more difficult to improve userWorkstations attribute access verification
Summary: Make spoofing of the workstaiton name more difficult to improve userWorkstati...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P5 enhancement (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-16 22:05 UTC by Sysadmin HTL-Leonding
Modified: 2020-12-21 21:16 UTC (History)
1 user (show)

See Also:


Attachments
Patch for ntlmssp_server.c (14.22 KB, patch)
2020-05-16 22:08 UTC, Sysadmin HTL-Leonding
no flags Details
Patch to add config options to make things configurable (7.29 KB, patch)
2020-05-16 22:09 UTC, Sysadmin HTL-Leonding
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sysadmin HTL-Leonding 2020-05-16 22:05:51 UTC
According to the docs the userWorkstations attribute defines DNS/NETBIOS names from which a user is allowed to log on from
https://docs.microsoft.com/en-us/windows/win32/adschema/a-userworkstations

Although this attribute is regarded as being deprecated, it seems to be the only way to restrict specific users to be forced to use specific workstations via AD user attributes (while the other suggestion prevents users from using a specific workstation but not from using other unconfigured ones (and that workstation has to verify GPOs, otherwise it doesn't prevent access)).

When a user connects to a file share the file server is responsible to verify whether the connection is initiated from an allowed workstation. Unfortunately with the current implementation the verification of the connecting workstation only depends on a client supplied value to match the userWorkstations attribute with no protection against spoofed values.

This verification could be enhanced by verifying whether the connection comes from an allowed IPv4 address (by encoding it into the workstation name) or whether the workstation name matches the reverse lookup address of the workstations IP address. While this still depends on a secured network (clients must not be able to spoof their IP addresses), it would prevent access from BYOD devices which allow users to enter an arbitrary workstation name.
Comment 1 Sysadmin HTL-Leonding 2020-05-16 22:08:19 UTC
Created attachment 15985 [details]
Patch for ntlmssp_server.c

Draft implementation of verification of encoded IPv4 addresses in workstation names and for comparision of client supplied workstation names with the reverse lookup names of the connecting IPv4 address.
Comment 2 Sysadmin HTL-Leonding 2020-05-16 22:09:29 UTC
Created attachment 15986 [details]
Patch to add config options to make things configurable
Comment 3 Sysadmin HTL-Leonding 2020-05-16 22:18:46 UTC
Sorry for not using format_intend.sh, but it messed up the original ntlmssp_server.c file causing too much noise in the patch file.

This is rather a draft and not an acceptable implementation. It probably contains operations on unverified variables (which could be NULL) and might cause random segmentation faults.

This code probably would probably have to be moved to another .c file to enable this verifications for all authentication methods to be effective.

It also would need improvements to dynamically find out which users have an userWorkstations attribute set (if this is possible) or to have the workstation authenticate itself (if this is possible without making incompatible changes in the protocol). 

And it would need to allow groups and make the user prefix option unnecessary, but I didn't find out how to create the necessary tokens to copy the code from the "valid users" parameter.
Comment 4 Sysadmin HTL-Leonding 2020-05-16 22:27:53 UTC
If you are using mount.cifs (or mount -t cifs) instead of smbclient you might need to install a patch for cifs.ko to be able to mount shares at all (as new clients newer send the workstation name causing the userWorkstation name verification on the AD side to fail every time)

https://bugzilla.kernel.org/show_bug.cgi?id=207675

The patch unfortunately also allows easy spoofing of the workstation name, but this could also be useful if you want to test the samba patch with different workstation names.