From ec42fe46d4c126d9c2ebc20c1cb168ad5e06a21e Mon Sep 17 00:00:00 2001 |
From: Stefan Metzmacher <metze@samba.org> |
Date: Wed, 20 Apr 2016 11:26:57 +0200 |
Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if |
we require signing |
|
Note real anonymous sessions (with "" as username) don't hit this |
as we don't even call smb2cli_session_set_session_key() in that case. |
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 |
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
--- |
libcli/smb/smbXcli_base.c | 19 +++++++++++++++++-- |
1 file changed, 17 insertions(+), 2 deletions(-) |
|
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c |
18 |
index b07fdad..6797207 100644 |
19 |
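--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4952,6 +4952,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
 return false;
 }
 
+ if (session->conn->mandatory_signing) {
+ return false;
+ }
+
 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
 if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
 return true;
@@ -5177,7 +5181,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 const struct iovec *recv_iov)
 {
 struct smbXcli_conn *conn = session->conn;
- uint16_t no_sign_flags;
+ uint16_t no_sign_flags = 0;
 uint8_t session_key[16];
 bool check_signature = true;
 uint32_t hdr_flags;
@@ -5191,7 +5195,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 return NT_STATUS_INVALID_PARAMETER_MIX;
 }
 
- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
+ if (!conn->mandatory_signing) {
+ /*
+ * only allow guest sessions without
+ * mandatory signing.
+ *
+ * If we try an authentication with username != ""
+ * and the server let us in without verifying the
+ * password we don't have a negotiated session key
+ * for signing.
+ */
+ no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
+ }
 
 if (session->smb2->session_flags & no_sign_flags) {
 session->smb2->should_sign = false;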
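Review bot: The comment added in the last hunk of smb2cli_session_set_session_key() explains the guest case but not why `SMB2_SESSION_FLAG_IS_NULL` is no longer part of `no_sign_flags`; that reasoning lives only in the commit message. I would add `* SMB2_SESSION_FLAG_IS_NULL is not honoured: real anonymous sessions (username "") never reach this function.` so a later cleanup does not restore the flag. The same comment should say that a server-supplied guest flag still switches signing off whenever `mandatory_signing` is false, so the protection holds only for callers that require signing. In the first hunk smbXcli_session_is_guest() now reports "guest and acceptable" rather than "server set the guest flag", which deserves `/* a guest session is never accepted when signing is mandatory */` above the new check. Both function bodies continue outside the hunks.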
-- |
1.9.1 |
|
|
From c303bd4bdf6e3f89e6821abb13e3ef40164944f5 Mon Sep 17 00:00:00 2001 |
From: Stefan Metzmacher <metze@samba.org> |
Date: Thu, 28 Apr 2016 02:36:35 +0200 |
Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding |
smbXcli_session_is_guest() with mandatory signing |
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 |
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
--- |
source3/libsmb/cliconnect.c | 3 +++ |
1 file changed, 3 insertions(+) |
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c |
79 |
index 420fe3c..3de3796 100644 |
80 |
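--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1606,6 +1606,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
 * have a negotiated session key.
 *
 * So just pretend we are completely done.
+ *
+ * Note that smbXcli_session_is_guest()
+ * always returns false if we require signing.
 */
 state->blob_in = data_blob_null;
 state->local_ready = true;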
-- |
1.9.1 |
|
|
From fd0750e860b18b1182126dcf7ccc1f7dd38560ce Mon Sep 17 00:00:00 2001 |
From: Stefan Metzmacher <metze@samba.org> |
Date: Thu, 28 Apr 2016 02:24:52 +0200 |
Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for |
guest logins and mandatory signing |
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 |
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
--- |
source3/script/tests/test_smbclient_ntlm.sh | 4 ++++ |
1 file changed, 4 insertions(+) |
|
diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh |
110 |
index b8fc564..33a927f 100755 |
111 |
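--- a/source3/script/tests/test_smbclient_ntlm.sh
+++ b/source3/script/tests/test_smbclient_ntlm.sh
@@ -37,4 +37,8 @@ else
 
 testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
 testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
+
+ testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
+ testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
+ testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
 fi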
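Review bot: The three added `testit_expect_failure` cases pass on any non-zero exit, so a mistyped option or an unreachable server would satisfy them just as well as the signing rejection they are meant to pin (assuming the helper checks only the exit status; its definition is not in this hunk). A paired positive control with the same `--signing=required` options and valid credentials would make the failure attributable to the refused guest fallback. An `-mSMB2` variant would also cover the SMB 2.x dialects alongside NT1 and SMB3. The enclosing `if`/`else` starts outside the hunk, so the server configuration these cases run against cannot be confirmed from here.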
-- |
1.9.1 |
|