| 1 |
From 3f8b6a3c56ec188d662767027703999faf14e71f Mon Sep 17 00:00:00 2001 |
| 2 |
From: Stefan Metzmacher <metze@samba.org> |
| 3 |
Date: Wed, 20 Apr 2016 11:26:57 +0200 |
| 4 |
Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if |
| 5 |
we require signing |
| 6 |
|
| 7 |
Note real anonymous sessions (with "" as username) don't hit this |
| 8 |
as we don't even call smb2cli_session_set_session_key() in that case. |
| 9 |
|
| 10 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 |
| 11 |
|
| 12 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
| 13 |
--- |
| 14 |
libcli/smb/smbXcli_base.c | 19 +++++++++++++++++-- |
| 15 |
1 file changed, 17 insertions(+), 2 deletions(-) |
| 16 |
|
| 17 |
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c |
| 18 |
index 4332374..691b8ff 100644 |
| 19 |
--- a/libcli/smb/smbXcli_base.c |
| 20 |
+++ b/libcli/smb/smbXcli_base.c |
| 21 |
@@ -5312,6 +5312,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session) |
| 22 |
return false; |
| 23 |
} |
| 24 |
|
| 25 |
+ if (session->conn->mandatory_signing) { |
| 26 |
+ return false; |
| 27 |
+ } |
| 28 |
+ |
| 29 |
if (session->conn->protocol >= PROTOCOL_SMB2_02) { |
| 30 |
if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) { |
| 31 |
return true; |
| 32 |
@@ -5571,7 +5575,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, |
| 33 |
const struct iovec *recv_iov) |
| 34 |
{ |
| 35 |
struct smbXcli_conn *conn = session->conn; |
| 36 |
- uint16_t no_sign_flags; |
| 37 |
+ uint16_t no_sign_flags = 0; |
| 38 |
uint8_t session_key[16]; |
| 39 |
bool check_signature = true; |
| 40 |
uint32_t hdr_flags; |
| 41 |
@@ -5596,7 +5600,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, |
| 42 |
return NT_STATUS_INVALID_PARAMETER_MIX; |
| 43 |
} |
| 44 |
|
| 45 |
- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL; |
| 46 |
+ if (!conn->mandatory_signing) { |
| 47 |
+ /* |
| 48 |
+ * only allow guest sessions without |
| 49 |
+ * mandatory signing. |
| 50 |
+ * |
| 51 |
+ * If we try an authentication with username != "" |
| 52 |
+ * and the server let us in without verifying the |
| 53 |
+ * password we don't have a negotiated session key |
| 54 |
+ * for signing. |
| 55 |
+ */ |
| 56 |
+ no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST; |
| 57 |
+ } |
| 58 |
|
| 59 |
if (session->smb2->session_flags & no_sign_flags) { |
| 60 |
session->smb2->should_sign = false; |
| 61 |
-- |
| 62 |
1.9.1 |
| 63 |
|
| 64 |
|
| 65 |
From 11db8ea97ddb3cf9fde48dbe5df14a71ebc308db Mon Sep 17 00:00:00 2001 |
| 66 |
From: Stefan Metzmacher <metze@samba.org> |
| 67 |
Date: Thu, 28 Apr 2016 02:36:35 +0200 |
| 68 |
Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding |
| 69 |
smbXcli_session_is_guest() with mandatory signing |
| 70 |
|
| 71 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 |
| 72 |
|
| 73 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
| 74 |
--- |
| 75 |
source3/libsmb/cliconnect.c | 3 +++ |
| 76 |
1 file changed, 3 insertions(+) |
| 77 |
|
| 78 |
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c |
| 79 |
index ea92c8f..ebba8f2 100644 |
| 80 |
--- a/source3/libsmb/cliconnect.c |
| 81 |
+++ b/source3/libsmb/cliconnect.c |
| 82 |
@@ -1588,6 +1588,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq) |
| 83 |
* have a negotiated session key. |
| 84 |
* |
| 85 |
* So just pretend we are completely done. |
| 86 |
+ * |
| 87 |
+ * Note that smbXcli_session_is_guest() |
| 88 |
+ * always returns false if we require signing. |
| 89 |
*/ |
| 90 |
state->blob_in = data_blob_null; |
| 91 |
state->local_ready = true; |
| 92 |
-- |
| 93 |
1.9.1 |
| 94 |
|
| 95 |
|
| 96 |
From 28ed026b9486fb248daf713655ea307c478d2832 Mon Sep 17 00:00:00 2001 |
| 97 |
From: Stefan Metzmacher <metze@samba.org> |
| 98 |
Date: Thu, 28 Apr 2016 02:24:52 +0200 |
| 99 |
Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for |
| 100 |
guest logins and mandatory signing |
| 101 |
|
| 102 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 |
| 103 |
|
| 104 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
| 105 |
--- |
| 106 |
source3/script/tests/test_smbclient_ntlm.sh | 4 ++++ |
| 107 |
1 file changed, 4 insertions(+) |
| 108 |
|
| 109 |
diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh |
| 110 |
index b8fc564..33a927f 100755 |
| 111 |
--- a/source3/script/tests/test_smbclient_ntlm.sh |
| 112 |
+++ b/source3/script/tests/test_smbclient_ntlm.sh |
| 113 |
@@ -37,4 +37,8 @@ else |
| 114 |
|
| 115 |
testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS |
| 116 |
testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS |
| 117 |
+ |
| 118 |
+ testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS |
| 119 |
+ testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS |
| 120 |
+ testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS |
| 121 |
fi |
| 122 |
-- |
| 123 |
1.9.1 |
| 124 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
