Bug 4637 - The security fix for CVE-2007-2446 has broken my Samba domain
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.24
Hardware: x86 Linux
Importance: P3 major
Target Milestone: 3.0.25
Assigned To: Gerald (Jerry) Carter
QA Contact: Samba QA Contact
URL: http://us1.samba.org/samba/ftp/patche...
Reported: 2007-05-18 04:32 UTC by SpOeK@DistroBit.Net
Modified: 2007-07-17 06:22 UTC

Attachments
serverlog (530.61 KB, application/x-gzip), 2007-05-19 10:32 UTC, Marc Dietrich
server's nmbd log (1.16 KB, application/x-gzip), 2007-05-19 10:33 UTC, Marc Dietrich
configuration of the local server (711 bytes, text/plain), 2007-05-21 10:28 UTC, Marc Dietrich
smb.conf of the pdc (2.55 KB, text/plain), 2007-05-21 10:29 UTC, Marc Dietrich
smb.conf for the PDC (875 bytes, text/plain), 2007-05-21 10:47 UTC, SpOeK@DistroBit.Net
smb.conf for the sharing server (718 bytes, text/plain), 2007-05-21 10:48 UTC, SpOeK@DistroBit.Net
Patch (15.91 KB, patch), 2007-05-22 15:00 UTC, Jeremy Allison
parse_prs.c patch for 3.0.24 (2.37 KB, patch), 2007-05-23 11:26 UTC, Gerald (Jerry) Carter
Patch for 3.0.25 backported to 3.0.24 (15.93 KB, patch), 2007-05-23 12:16 UTC, SpOeK@DistroBit.Net

Description SpOeK@DistroBit.Net 2007-05-18 04:32:15 UTC
I'm using Gentoo (the stable tree) and Debian Etch. The recent update that fixes three security bugs has broken my Samba domain. I'm able to log in to the domain, but when accessing the share of a machine which is not the PDC, the sharing machine denies my access.

"smbclient -L with my user" against that sharing machine returns me NT_STATUS_NO_LOGON_SERVERS. If I try smbclient against the PDC, the PDC returns me the list of shares. The problem seems to be the fix for CVE-2007-2446. If I recompile the samba package without that fix on my Gentoo boxes, the whole domain works perfectly. The same goes for the Debian machines if I downgrade to the non-fixed version.

Gentoo: Samba 3.0.24-r2
Debian: 3.0.24-6etch1

The log on the sharing machine:
[2007/05/18 11:29:36, 0] auth/auth_domain.c:domain_client_validate(246)
  domain_client_validate: unable to validate password for user rafa in domain CRIPTODOMINIO to Domain controller DILMUN. Error was NT_STATUS_UNSUCCESSFUL.
Comment 1 Marc Dietrich 2007-05-18 06:44:09 UTC
I am also seeing this problem. The PDC and the local server both have openSUSE 10.2. w2k and winxp workstations are not able to connect to the local server, but are able to connect to the PDC. I also found:

# net rpc share -U marc
Password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_NO_LOGON_SERVERS

# net rpc share -U marc/JLU13IAPKRYO
Password:
print$
mnt
IPC$
LaserJet6P
LaserJet2100
HP4050N

Somehow the domain is no longer added to the username?
Comment 2 Gerald (Jerry) Carter 2007-05-18 11:04:36 UTC
Please attach a full level 10 debug log (gzipped) from the server.  
Thanks.
Comment 3 SpOeK@DistroBit.Net 2007-05-19 10:28:12 UTC
May the log contain sensitive data? If the answer is yes, could I e-mail it to someone?
Comment 4 Marc Dietrich 2007-05-19 10:31:30 UTC
(In reply to comment #2)

ok. w2k machine (pc13messknecht1) tries to connect to server mostly-harmless, which authenticates with pdc fb07-iapwap1.

I also find it irritating that mostly-harmless seems not to be able to find a master browser. So I also attached log.nmbd.

Hope this helps.
Comment 5 Marc Dietrich 2007-05-19 10:32:46 UTC
Created attachment 2706
serverlog
Comment 6 Marc Dietrich 2007-05-19 10:33:22 UTC
Created attachment 2707
server's nmbd log
Comment 7 Lars Müller 2007-05-21 10:19:47 UTC
Is the local or non PDC server a member of the same domain?

Is a force user or group parameter used for the non working share?
Comment 8 Marc Dietrich 2007-05-21 10:27:12 UTC
(In reply to comment #7)
> Is the local or non PDC server a member of the same domain?

yes

> Is a force user or group parameter used for the non working share?

no

attached are the local server's smb.conf and the pdc smb.conf
Comment 9 Marc Dietrich 2007-05-21 10:28:15 UTC
Created attachment 2710
configuration of the local server
Comment 10 Marc Dietrich 2007-05-21 10:29:33 UTC
Created attachment 2711
smb.conf of the pdc
Comment 11 SpOeK@DistroBit.Net 2007-05-21 10:45:25 UTC
(In reply to comment #7)
> Is the local or non PDC server a member of the same domain?
The sharing server and the PDC are on the same domain.

> Is a force user or group parameter used for the non working share?
Neither "force user" nor "force group" parameters used.
Comment 12 SpOeK@DistroBit.Net 2007-05-21 10:47:40 UTC
Created attachment 2712
smb.conf for the PDC
Comment 13 SpOeK@DistroBit.Net 2007-05-21 10:48:19 UTC
Created attachment 2713
smb.conf for the sharing server
Comment 14 Marc Dietrich 2007-05-21 15:30:19 UTC
I debugged this problem a little bit further and found out that this hunk causes the problem:

--- source/rpc_parse/parse_prs.c        2007-05-10 09:47:19.000000000 -0500
+++ source/rpc_parse/parse_prs.c        2007-05-10 09:48:03.000000000 -0500
@@ -156,7 +156,7 @@
 {
        char *ret = NULL;

-       if (size) {
+       if (size && count) {
                /* We can't call the type-safe version here. */
                ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs");
        }
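
Review bot: With the "if (size && count)" guard, a zero count skips the allocation and leaves ret at its initial NULL, the same value a failed _talloc_zero_array call would give, so a caller cannot tell an empty array from an out-of-memory condition. Add a comment at this condition stating that NULL is the expected result for a zero-length request, and make sure each caller checks its own count before treating a NULL result as an error.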

I don't know what this code is doing, but it may help ...

Comment 15 Jeremy Allison 2007-05-21 18:36:02 UTC
This code is part of the security fix. You must not remove it.

What I need to know is the call stack above this - ie. what call is being
made that triggers this code ?

Jeremy.
Comment 16 Marc Dietrich 2007-05-22 06:42:46 UTC
(In reply to comment #15)
> This code is part of the security fix. You must not remove it.
> 
> What I need to know is the call stack above this - ie. what call is being
> made that triggers this code ?

something like this?

Breakpoint 1, prs_alloc_mem (ps=0xbfce6fd4, size=2, count=4) at rpc_parse/parse_prs.c:156
156     {
(gdb) bt
#0  prs_alloc_mem (ps=0xbfce6fd4, size=2, count=4) at rpc_parse/parse_prs.c:156
#1  0x800e8fb7 in prs_unistr2 (charmode=1, name=0x802df59f "buffer     ", ps=0xbfce6fd4, depth=3, str=0xbfce71cc)
    at rpc_parse/parse_prs.c:1130
#2  0x800eb390 in smb_io_unistr2 (desc=0x80301212 "uni_user_name", uni2=0xbfce71cc, buffer=1, ps=0xbfce6fd4, depth=3)
    at rpc_parse/parse_misc.c:1040
#3  0x80176675 in net_io_user_info3 (desc=0x802fceb8 "", usr=0xbfce70f0, ps=0xbfce6fd4, depth=2, validation_level=3,
    kerb_validation_level=0) at rpc_parse/parse_net.c:1782
#4  0x80176e4e in net_io_r_sam_logon (desc=0x802fceb8 "", r_l=0xbfce7024, ps=0xbfce6fd4, depth=1)
    at rpc_parse/parse_net.c:1934
#5  0x8027663a in rpccli_netlogon_sam_network_logon (cli=0x8040f0e0, mem_ctx=0x80369348, logon_parameters=2080,
    server=0xbfce7308 "FB07-IAPWAP1", username=0x80380ff8 "marc", domain=0x8036a058 "JLU13IAPKRYO",
    workstation=0x80369780 "FEM1", chal=0x803893a0 "��<ʪnQ�@", lm_response={data = 0x0, length = 0, free = 0},
    nt_response=
      {data = 0x80381248 "\231\035�\220\223\226��AS����\034\223ɻ;a\214��8 ", length = 24, free = 0x80213e20 <free_data_blob>}, info3=0xbfce70f0) at rpc_client/cli_netlogon.c:906
#6  0x8025946a in domain_client_validate (mem_ctx=0x80369348, user_info=0x8040d978, domain=0x803698d8 "JLU13IAPKRYO",
    chal=0x803893a0 "��<ʪnQ�@", server_info=0x803c5b70, dc_name=0xbfce7308 "FB07-IAPWAP1", dc_ip={s_addr = 2031333510})
    at auth/auth_domain.c:224
#7  0x80259c13 in check_ntdomain_security (auth_context=0x80369738, my_private_data=0x0, mem_ctx=0x80369348,
    user_info=0x8040d978, server_info=0x803c5b70) at auth/auth_domain.c:319
#8  0x802579bc in check_winbind_security (auth_context=0x80369738, my_private_data=0x80399660, mem_ctx=0x80369348,
    user_info=0x8040d978, server_info=0x803c5b70) at auth/auth_winbind.c:118
#9  0x802546ab in check_ntlm_password (auth_context=0x80369738, user_info=0x8040d978, server_info=0x803c5b70)
    at auth/auth.c:257
#10 0x8025fa10 in auth_ntlmssp_check_password (ntlmssp_state=0x80466850, user_session_key=0xbfce8ce4,
    lm_session_key=0xbfce8cd8) at auth/auth_ntlmssp.c:111
#11 0x800f407f in ntlmssp_server_auth (ntlmssp_state=0x80466850, request=
      {data = 0x803b22f8 "NTLMSSP", length = 176, free = 0x80213e20 <free_data_blob>}, reply=0xbfce9ca0)
    at libsmb/ntlmssp.c:790
#12 0x800f2672 in ntlmssp_update (ntlmssp_state=0x80466850, in=
      {data = 0x803b22f8 "NTLMSSP", length = 176, free = 0x80213e20 <free_data_blob>}, out=0xbfce9ca0)
    at libsmb/ntlmssp.c:341
#13 0x8025f6eb in auth_ntlmssp_update (auth_ntlmssp_state=0x803c5b68, request=
      {data = 0x803b22f8 "NTLMSSP", length = 176, free = 0x80213e20 <free_data_blob>}, reply=0xbfce9ca0)
    at auth/auth_ntlmssp.c:204
#14 0x8008734c in reply_sesssetup_and_X (conn=0x0, inbuf=0x804120b8 "", outbuf=0x80432500 "", length=324, bufsize=131072)
    at smbd/sesssetup.c:625
#15 0x800b3d40 in switch_message (type=115, inbuf=0x804120b8 "", outbuf=0x80432500 "", size=324, bufsize=131072)
    at smbd/process.c:991
#16 0x800b4e3b in smbd_process () at smbd/process.c:1018
#17 0x802bf020 in main (argc=Cannot access memory at address 0x1
) at smbd/server.c:1024

in this case the client is FEM1.

Comment 17 Marc Dietrich 2007-05-22 08:13:02 UTC
ohh - I guess you wanted a trace with count=0. Sorry.

(gdb) set follow-fork-mode child
(gdb) break prs_alloc_mem if count=0
Breakpoint 1 at 0x800e89e7: file rpc_parse/parse_prs.c, line 159.
(gdb) cont
Continuing.

Program received signal SIGABRT, Aborted.
[Switching to process 6456]
0xb7f85410 in ?? ()
(gdb) bt
#0  0xb7f85410 in ?? ()
#1  0xbfeea5d0 in ?? ()
#2  0x00000006 in ?? ()
#3  0x00001938 in ?? ()
#4  0xb7ae0060 in raise () from /lib/libc.so.6
#5  0xb7ae1801 in abort () from /lib/libc.so.6
#6  0xb7b15abb in __libc_message () from /lib/libc.so.6
#7  0xb7b1b6e1 in malloc_printerr () from /lib/libc.so.6
#8  0xb7b1d671 in _int_malloc () from /lib/libc.so.6
#9  0xb7b1f0c5 in malloc () from /lib/libc.so.6
#10 0x8021de53 in _talloc (context=0xb7be2140, size=0) at lib/talloc.c:183
#11 0x8021e119 in talloc_named_const (context=0x80411ce0, size=0, name=0x802def13 "parse_prs") at lib/talloc.c:425
#12 0x8021e2f3 in _talloc_zero (ctx=0x80411ce0, size=0, name=0x802def13 "parse_prs") at lib/talloc.c:1002
#13 0x8021e355 in _talloc_zero_array (ctx=0x80411ce0, el_size=6456, count=0, name=0x802def13 "parse_prs")
    at lib/talloc.c:1213
#14 0x800e8a0e in prs_alloc_mem (ps=0xbfeeb124, size=6, count=0) at rpc_parse/parse_prs.c:161
#15 0x800e8fb7 in prs_unistr2 (charmode=1, name=0x802df59f "buffer     ", ps=0xbfeeb124, depth=3, str=0xbfeeb34c)
    at rpc_parse/parse_prs.c:1130
#16 0x800eb390 in smb_io_unistr2 (desc=0x80301220 "uni_profile_path", uni2=0xbfeeb34c, buffer=1, ps=0xbfeeb124, depth=3)
    at rpc_parse/parse_misc.c:1040
#17 0x8017670e in net_io_user_info3 (desc=0x802fceb8 "", usr=0xbfeeb240, ps=0xbfeeb124, depth=2, validation_level=3,
    kerb_validation_level=0) at rpc_parse/parse_net.c:1788
#18 0x80176e4e in net_io_r_sam_logon (desc=0x802fceb8 "", r_l=0xbfeeb174, ps=0xbfeeb124, depth=1)
    at rpc_parse/parse_net.c:1934
#19 0x8027663a in rpccli_netlogon_sam_network_logon (cli=0x8040e3f8, mem_ctx=0x80411ce0, logon_parameters=2080,
    server=0xbfeeb458 "FB07-IAPWAP1", username=0x80369778 "marc", domain=0x803b3c10 "JLU13IAPKRYO",
    workstation=0x80380fe0 "FB07-FEM4", chal=0x803dd380 "�2��\022��\202@", lm_response={data = 0x0, length = 0, free = 0},
    nt_response=
      {data = 0x804116b8 "�J\022�\030��\205bz\025��\b��\231\217�\227�6\006\207 ", length = 24, free = 0x80213e20 <free_data_blob>}, info3=0xbfeeb240) at rpc_client/cli_netlogon.c:906
#20 0x8025946a in domain_client_validate (mem_ctx=0x80411ce0, user_info=0x8040d2a8, domain=0x803693a0 "JLU13IAPKRYO",
    chal=0x803dd380 "�2��\022��\202@", server_info=0x803c5920, dc_name=0xbfeeb458 "FB07-IAPWAP1", dc_ip=
      {s_addr = 2031333510}) at auth/auth_domain.c:224
#21 0x80259c13 in check_ntdomain_security (auth_context=0x8040f0c8, my_private_data=0x0, mem_ctx=0x80411ce0,
    user_info=0x8040d2a8, server_info=0x803c5920) at auth/auth_domain.c:319
#22 0x802579bc in check_winbind_security (auth_context=0x8040f0c8, my_private_data=0x80399648, mem_ctx=0x80411ce0,
    user_info=0x8040d2a8, server_info=0x803c5920) at auth/auth_winbind.c:118
#23 0x802546ab in check_ntlm_password (auth_context=0x8040f0c8, user_info=0x8040d2a8, server_info=0x803c5920)
    at auth/auth.c:257
#24 0x8025fa10 in auth_ntlmssp_check_password (ntlmssp_state=0x8040dfb0, user_session_key=0xbfeece34,
    lm_session_key=0xbfeece28) at auth/auth_ntlmssp.c:111
#25 0x800f407f in ntlmssp_server_auth (ntlmssp_state=0x8040dfb0, request=
      {data = 0x8040f7a8 "NTLMSSP", length = 170, free = 0x80213e20 <free_data_blob>}, reply=0xbfeeddf0)
    at libsmb/ntlmssp.c:790
#26 0x800f2672 in ntlmssp_update (ntlmssp_state=0x8040dfb0, in=
      {data = 0x8040f7a8 "NTLMSSP", length = 170, free = 0x80213e20 <free_data_blob>}, out=0xbfeeddf0)
    at libsmb/ntlmssp.c:341
#27 0x8025f6eb in auth_ntlmssp_update (auth_ntlmssp_state=0x803c5918, request=
      {data = 0x8040f7a8 "NTLMSSP", length = 170, free = 0x80213e20 <free_data_blob>}, reply=0xbfeeddf0)
    at auth/auth_ntlmssp.c:204
#28 0x8008734c in reply_sesssetup_and_X (conn=0x0, inbuf=0x80412040 "", outbuf=0x80432488 "", length=348, bufsize=131072)
    at smbd/sesssetup.c:625
#29 0x800b3d40 in switch_message (type=115, inbuf=0x80412040 "", outbuf=0x80432488 "", size=348, bufsize=131072)
    at smbd/process.c:991
#30 0x800b4e3b in smbd_process () at smbd/process.c:1018
#31 0x802bf020 in main (argc=0, argv=0xbfeee274) at smbd/server.c:1024
(gdb) 
Comment 18 Jeremy Allison 2007-05-22 13:49:13 UTC
I would like to see the content of this frame :

#2  0x800eb390 in smb_io_unistr2 (desc=0x80301212 "uni_user_name",
uni2=0xbfce71cc, buffer=1, ps=0xbfce6fd4, depth=3)

- specifically the content of the uni2 variable.

Also a debug level 10 would really help also.

Thanks,

Jeremy.
Comment 19 Jeremy Allison 2007-05-22 15:00:17 UTC
Created attachment 2722
Patch

We missed some cases of requesting a zero-malloc. Here is the fix (will be in 3.0.25a).
Jeremy.
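
The failure mode discussed in this thread, as an added C example that is not Samba's code and not part of the original report: an allocator with the same zero-size guard as the quoted hunk, and a caller that must not treat the resulting NULL as an error when the count is zero. The names alloc_array and parse_counted_string, the wire format and the sample buffers are constructed for illustration; that the regressed caller treated every NULL as a failure is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample inputs: the 2-character string "ma" and an empty string. */
static const uint8_t SAMPLE_NAME[]  = { 2, 0, 0, 0, 'm', 0, 'a', 0 };
static const uint8_t SAMPLE_EMPTY[] = { 0, 0, 0, 0 };

/* Hypothetical allocator with the same guard as the hunk quoted in the
 * thread: a zero size or count yields NULL without calling the allocator. */
static void *alloc_array(size_t el_size, size_t count)
{
    if (el_size == 0 || count == 0)
        return NULL;                      /* empty request, not an error */
    if (count > SIZE_MAX / el_size)
        return NULL;                      /* el_size * count would overflow */
    return calloc(count, el_size);
}

/* Constructed wire format: 32-bit little-endian count of 16-bit characters,
 * followed by that many characters. Returns 0 on success, -1 on error. */
static int parse_counted_string(const uint8_t *buf, size_t len,
                                uint16_t **out, uint32_t *out_count,
                                int null_means_error)
{
    uint32_t count;

    *out = NULL;
    *out_count = 0;
    if (len < 4)
        return -1;
    count = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
            (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (count > (len - 4) / 2)
        return -1;                        /* count exceeds the data present */

    *out = alloc_array(sizeof(uint16_t), count);
    if (*out == NULL) {
        /* Regressed caller: every NULL is treated as allocation failure.
         * Corrected caller: NULL is only an error when count is non-zero. */
        if (null_means_error || count != 0)
            return -1;
        return 0;                         /* valid empty string */
    }
    memcpy(*out, buf + 4, (size_t)count * 2);
    *out_count = count;
    return 0;
}
```

With null_means_error set, the empty sample is rejected even though it is well-formed, which is how an empty optional field can turn into a failed parse of the whole reply.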
Comment 20 Gerald (Jerry) Carter 2007-05-22 16:26:55 UTC
Please reopen if the patch does not fix the problem for you.
Comment 21 Marc Dietrich 2007-05-23 06:45:50 UTC
I can confirm that this patch fixes the problem.

thanks!
Comment 22 SpOeK@DistroBit.Net 2007-05-23 11:02:19 UTC
The patch doesn't work for me because I'm using Samba 3.0.24 with security fixes. Are you going to fix this in the 3.0.24 branch?
Comment 23 Gerald (Jerry) Carter 2007-05-23 11:26:23 UTC
Created attachment 2724
parse_prs.c patch for 3.0.24

Backport of rpc_parse/parse_prs.c patch for 3.0.24.
Comment 24 Gerald (Jerry) Carter 2007-05-23 11:27:22 UTC
Rafael, please test the backported patch for 3.0.24. This is not a complete
backport but only the changes to parse_prs.c, which should be enough.
Comment 25 SpOeK@DistroBit.Net 2007-05-23 12:16:41 UTC
Created attachment 2725
Patch for 3.0.25 backported to 3.0.24

I've tried to backport the first patch published because the needed changes to make it work seemed too obvious. I've patched my Samba 3.0.24 with the security fixes and then with this patch. Now, the problem seems solved.
Comment 26 Gerald (Jerry) Carter 2007-05-25 12:51:37 UTC
Patches have been updated and posted to samba.org/samba/security/ 
Comment 27 Mark Pröhl 2007-07-17 06:22:49 UTC
(In reply to comment #26)
> Patches have been updated and posted to samba.org/samba/security/ 
> 

Hi,

I can't find that patch on samba.org/samba/security/ 

- Mark