From ec42fe46d4c126d9c2ebc20c1cb168ad5e06a21e Mon Sep 17 00:00:00 2001 |
From: Stefan Metzmacher <metze@samba.org> |
Date: Wed, 20 Apr 2016 11:26:57 +0200 |
Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if |
we require signing |
|
Note real anonymous sessions (with "" as username) don't hit this |
as we don't even call smb2cli_session_set_session_key() in that case. |
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 |
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
--- |
libcli/smb/smbXcli_base.c | 19 +++++++++++++++++-- |
1 file changed, 17 insertions(+), 2 deletions(-) |
|
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c |
index b07fdad..6797207 100644 |
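--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4952,6 +4952,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
 return false;
 }
 
+ if (session->conn->mandatory_signing) {
+ return false;
+ }
+
 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
 if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
 return true;
@@ -5177,7 +5181,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 const struct iovec *recv_iov)
 {
 struct smbXcli_conn *conn = session->conn;
- uint16_t no_sign_flags;
+ uint16_t no_sign_flags = 0;
 uint8_t session_key[16];
 bool check_signature = true;
 uint32_t hdr_flags;
@@ -5191,7 +5195,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 return NT_STATUS_INVALID_PARAMETER_MIX;
 }
 
- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
+ if (!conn->mandatory_signing) {
+ /*
+ * only allow guest sessions without
+ * mandatory signing.
+ *
+ * If we try an authentication with username != ""
+ * and the server let us in without verifying the
+ * password we don't have a negotiated session key
+ * for signing.
+ */
+ no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
+ }
 
 if (session->smb2->session_flags & no_sign_flags) {
 session->smb2->should_sign = false;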
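Review bot: The last hunk drops `SMB2_SESSION_FLAG_IS_NULL` from `no_sign_flags` on every path, including when `conn->mandatory_signing` is false, but the new in-code comment explains only the guest case. The reason is given in the commit message alone (anonymous sessions with an empty username never reach `smb2cli_session_set_session_key()`), so it should sit next to the assignment, e.g. `/* IS_NULL is intentionally not listed: anonymous sessions (username "") never call this function. */`. That comment also records an invariant: if a caller ever passes a session flagged IS_NULL, it would presumably no longer skip signing here, though the code after `should_sign = false` is outside the hunk. The early return added to `smbXcli_session_is_guest()` in the first hunk deserves a one-line comment as well, because a real guest session is now reported as non-guest whenever signing is mandatory, and only one caller (patch 2/3) documents that.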
-- |
1.9.1 |
|
|
From c303bd4bdf6e3f89e6821abb13e3ef40164944f5 Mon Sep 17 00:00:00 2001 |
From: Stefan Metzmacher <metze@samba.org> |
Date: Thu, 28 Apr 2016 02:36:35 +0200 |
Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding |
smbXcli_session_is_guest() with mandatory signing |
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 |
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
--- |
source3/libsmb/cliconnect.c | 3 +++ |
1 file changed, 3 insertions(+) |
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c |
index 420fe3c..3de3796 100644 |
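--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1606,6 +1606,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
 * have a negotiated session key.
 *
 * So just pretend we are completely done.
+ *
+ * Note that smbXcli_session_is_guest()
+ * always returns false if we require signing.
 */
 state->blob_in = data_blob_null;
 state->local_ready = true;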
-- |
1.9.1 |
|
|
From fd0750e860b18b1182126dcf7ccc1f7dd38560ce Mon Sep 17 00:00:00 2001 |
From: Stefan Metzmacher <metze@samba.org> |
Date: Thu, 28 Apr 2016 02:24:52 +0200 |
Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for |
guest logins and mandatory signing |
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 |
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
--- |
source3/script/tests/test_smbclient_ntlm.sh | 4 ++++ |
1 file changed, 4 insertions(+) |
|
diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh |
index b8fc564..33a927f 100755 |
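--- a/source3/script/tests/test_smbclient_ntlm.sh
+++ b/source3/script/tests/test_smbclient_ntlm.sh
@@ -37,4 +37,8 @@ else
 
 testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
 testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
+
+ testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
+ testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
+ testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
 fi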
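Review bot: The three new `testit_expect_failure` cases pass on any failure, so they cannot tell "guest fallback refused because signing is required" apart from "`--signing=required` breaks every login against this server". A positive control in the same branch, a login with valid credentials and `--signing=required` that is expected to succeed, would make the `signfail` results meaningful. A case for the anonymous login (empty username) with `--signing=required` would also pin whichever outcome is intended, since patch 1/3 relies on that path never reaching `smb2cli_session_set_session_key()`. The condition guarding this `else` branch is outside the hunk.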
-- |
1.9.1 |
|