1 |
jpp |
1.1 |
From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001 |
2 |
|
|
From: Stefan Metzmacher <metze@samba.org> |
3 |
|
|
Date: Tue, 29 Aug 2017 17:06:21 +0200 |
4 |
|
|
Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed |
5 |
|
|
username into a specified one |
6 |
|
|
|
7 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
8 |
|
|
|
9 |
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
10 |
|
|
--- |
11 |
|
|
source3/include/auth_info.h | 1 + |
12 |
|
|
source3/lib/popt_common.c | 6 +----- |
13 |
|
|
source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++ |
14 |
|
|
3 files changed, 31 insertions(+), 5 deletions(-) |
15 |
|
|
|
16 |
|
|
diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h |
17 |
|
|
index c6f71ad..8212c27 100644 |
18 |
|
|
--- a/source3/include/auth_info.h |
19 |
|
|
+++ b/source3/include/auth_info.h |
20 |
|
|
@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info, |
21 |
|
|
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info); |
22 |
|
|
void set_cmdline_auth_info_username(struct user_auth_info *auth_info, |
23 |
|
|
const char *username); |
24 |
|
|
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info); |
25 |
|
|
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info); |
26 |
|
|
void set_cmdline_auth_info_domain(struct user_auth_info *auth_info, |
27 |
|
|
const char *domain); |
28 |
|
|
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c |
29 |
|
|
index 9928c70..36b5e92 100644 |
30 |
|
|
--- a/source3/lib/popt_common.c |
31 |
|
|
+++ b/source3/lib/popt_common.c |
32 |
|
|
@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void) |
33 |
|
|
void popt_common_credentials_post(void) |
34 |
|
|
{ |
35 |
|
|
struct user_auth_info *auth_info = cmdline_auth_info; |
36 |
|
|
- const char *username = NULL; |
37 |
|
|
|
38 |
|
|
if (get_cmdline_auth_info_use_machine_account(auth_info) && |
39 |
|
|
!set_cmdline_auth_info_machine_account_creds(auth_info)) |
40 |
|
|
@@ -259,10 +258,7 @@ void popt_common_credentials_post(void) |
41 |
|
|
* correctly parsed yet. If we have a username we need to set it again |
42 |
|
|
* to run the string parser for the username correctly. |
43 |
|
|
*/ |
44 |
|
|
- username = get_cmdline_auth_info_username(auth_info); |
45 |
|
|
- if (username != NULL && username[0] != '\0') { |
46 |
|
|
- set_cmdline_auth_info_username(auth_info, username); |
47 |
|
|
- } |
48 |
|
|
+ reset_cmdline_auth_info_username(auth_info); |
49 |
|
|
} |
50 |
|
|
|
51 |
|
|
static void popt_common_credentials_callback(poptContext con, |
52 |
|
|
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c |
53 |
|
|
index ad51a4f..80142e2 100644 |
54 |
|
|
--- a/source3/lib/util_cmdline.c |
55 |
|
|
+++ b/source3/lib/util_cmdline.c |
56 |
|
|
@@ -37,6 +37,7 @@ |
57 |
|
|
struct user_auth_info { |
58 |
|
|
struct cli_credentials *creds; |
59 |
|
|
struct loadparm_context *lp_ctx; |
60 |
|
|
+ bool got_username; |
61 |
|
|
bool got_pass; |
62 |
|
|
int signing_state; |
63 |
|
|
bool smb_encrypt; |
64 |
|
|
@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info, |
65 |
|
|
if (!ok) { |
66 |
|
|
exit(EIO); |
67 |
|
|
} |
68 |
|
|
+ auth_info->got_username = true; |
69 |
|
|
} |
70 |
|
|
|
71 |
|
|
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info) |
72 |
|
|
@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info, |
73 |
|
|
exit(ENOMEM); |
74 |
|
|
} |
75 |
|
|
|
76 |
|
|
+ auth_info->got_username = true; |
77 |
|
|
if (strchr_m(username, '%') != NULL) { |
78 |
|
|
auth_info->got_pass = true; |
79 |
|
|
} |
80 |
|
|
} |
81 |
|
|
|
82 |
|
|
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info) |
83 |
|
|
+{ |
84 |
|
|
+ const char *username = NULL; |
85 |
|
|
+ const char *new_val = NULL; |
86 |
|
|
+ |
87 |
|
|
+ if (!auth_info->got_username) { |
88 |
|
|
+ return; |
89 |
|
|
+ } |
90 |
|
|
+ |
91 |
|
|
+ username = cli_credentials_get_username(auth_info->creds); |
92 |
|
|
+ if (username == NULL) { |
93 |
|
|
+ return; |
94 |
|
|
+ } |
95 |
|
|
+ if (username[0] == '\0') { |
96 |
|
|
+ return; |
97 |
|
|
+ } |
98 |
|
|
+ |
99 |
|
|
+ cli_credentials_parse_string(auth_info->creds, |
100 |
|
|
+ username, |
101 |
|
|
+ CRED_SPECIFIED); |
102 |
|
|
+ new_val = cli_credentials_get_username(auth_info->creds); |
103 |
|
|
+ if (new_val == NULL) { |
104 |
|
|
+ exit(ENOMEM); |
105 |
|
|
+ } |
106 |
|
|
+} |
107 |
|
|
+ |
108 |
|
|
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info) |
109 |
|
|
{ |
110 |
|
|
const char *domain = NULL; |
111 |
|
|
-- |
112 |
|
|
1.9.1 |
113 |
|
|
|
114 |
|
|
|
115 |
|
|
From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001 |
116 |
|
|
From: Stefan Metzmacher <metze@samba.org> |
117 |
|
|
Date: Thu, 3 Nov 2016 17:16:43 +0100 |
118 |
|
|
Subject: [PATCH 2/7] CVE-2017-12150: s3:lib: |
119 |
|
|
get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED |
120 |
|
|
|
121 |
|
|
This is an addition to the fixes for CVE-2015-5296. |
122 |
|
|
|
123 |
|
|
It applies to smb2mount -e, smbcacls -e and smbcquotas -e. |
124 |
|
|
|
125 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
126 |
|
|
|
127 |
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
128 |
|
|
--- |
129 |
|
|
source3/lib/util_cmdline.c | 3 +++ |
130 |
|
|
1 file changed, 3 insertions(+) |
131 |
|
|
|
132 |
|
|
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c |
133 |
|
|
index 80142e2..90ee67c 100644 |
134 |
|
|
--- a/source3/lib/util_cmdline.c |
135 |
|
|
+++ b/source3/lib/util_cmdline.c |
136 |
|
|
@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info, |
137 |
|
|
|
138 |
|
|
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info) |
139 |
|
|
{ |
140 |
|
|
+ if (auth_info->smb_encrypt) { |
141 |
|
|
+ return SMB_SIGNING_REQUIRED; |
142 |
|
|
+ } |
143 |
|
|
return auth_info->signing_state; |
144 |
|
|
} |
145 |
|
|
|
146 |
|
|
-- |
147 |
|
|
1.9.1 |
148 |
|
|
|
149 |
|
|
|
150 |
|
|
From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001 |
151 |
|
|
From: Stefan Metzmacher <metze@samba.org> |
152 |
|
|
Date: Fri, 9 Dec 2016 09:26:32 +0100 |
153 |
|
|
Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of |
154 |
|
|
SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' |
155 |
|
|
|
156 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
157 |
|
|
|
158 |
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
159 |
|
|
--- |
160 |
|
|
source3/libsmb/pylibsmb.c | 2 +- |
161 |
|
|
1 file changed, 1 insertion(+), 1 deletion(-) |
162 |
|
|
|
163 |
|
|
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c |
164 |
|
|
index 59c0998..350c6d4 100644 |
165 |
|
|
--- a/source3/libsmb/pylibsmb.c |
166 |
|
|
+++ b/source3/libsmb/pylibsmb.c |
167 |
|
|
@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args, |
168 |
|
|
|
169 |
|
|
req = cli_full_connection_creds_send( |
170 |
|
|
NULL, self->ev, "myname", host, NULL, 0, share, "?????", |
171 |
|
|
- cli_creds, 0, 0); |
172 |
|
|
+ cli_creds, 0, SMB_SIGNING_DEFAULT); |
173 |
|
|
if (!py_tevent_req_wait_exc(self->ev, req)) { |
174 |
|
|
return -1; |
175 |
|
|
} |
176 |
|
|
-- |
177 |
|
|
1.9.1 |
178 |
|
|
|
179 |
|
|
|
180 |
|
|
From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001 |
181 |
|
|
From: Stefan Metzmacher <metze@samba.org> |
182 |
|
|
Date: Mon, 12 Dec 2016 05:49:46 +0100 |
183 |
|
|
Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED |
184 |
|
|
in gpo_connect_server() |
185 |
|
|
|
186 |
|
|
It's important that we use a signed connection to get the GPOs! |
187 |
|
|
|
188 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
189 |
|
|
|
190 |
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
191 |
|
|
--- |
192 |
|
|
libgpo/gpo_fetch.c | 2 +- |
193 |
|
|
1 file changed, 1 insertion(+), 1 deletion(-) |
194 |
|
|
|
195 |
|
|
diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c |
196 |
|
|
index 836bc23..3740d4e 100644 |
197 |
|
|
--- a/libgpo/gpo_fetch.c |
198 |
|
|
+++ b/libgpo/gpo_fetch.c |
199 |
|
|
@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads, |
200 |
|
|
ads->auth.password, |
201 |
|
|
CLI_FULL_CONNECTION_USE_KERBEROS | |
202 |
|
|
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS, |
203 |
|
|
- Undefined); |
204 |
|
|
+ SMB_SIGNING_REQUIRED); |
205 |
|
|
if (!NT_STATUS_IS_OK(result)) { |
206 |
|
|
DEBUG(10,("check_refresh_gpo: " |
207 |
|
|
"failed to connect: %s\n", |
208 |
|
|
-- |
209 |
|
|
1.9.1 |
210 |
|
|
|
211 |
|
|
|
212 |
|
|
From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001 |
213 |
|
|
From: Stefan Metzmacher <metze@samba.org> |
214 |
|
|
Date: Tue, 29 Aug 2017 15:24:14 +0200 |
215 |
|
|
Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials: |
216 |
|
|
cli_credentials_authentication_requested() should check for |
217 |
|
|
NTLM_CCACHE/SIGN/SEAL |
218 |
|
|
|
219 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
220 |
|
|
|
221 |
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
222 |
|
|
--- |
223 |
|
|
auth/credentials/credentials.c | 16 ++++++++++++++++ |
224 |
|
|
1 file changed, 16 insertions(+) |
225 |
|
|
|
226 |
|
|
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c |
227 |
|
|
index 06648c7..5e3b5e8 100644 |
228 |
|
|
--- a/auth/credentials/credentials.c |
229 |
|
|
+++ b/auth/credentials/credentials.c |
230 |
|
|
@@ -25,6 +25,7 @@ |
231 |
|
|
#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ |
232 |
|
|
#include "auth/credentials/credentials.h" |
233 |
|
|
#include "auth/credentials/credentials_internal.h" |
234 |
|
|
+#include "auth/gensec/gensec.h" |
235 |
|
|
#include "libcli/auth/libcli_auth.h" |
236 |
|
|
#include "tevent.h" |
237 |
|
|
#include "param/param.h" |
238 |
|
|
@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre |
239 |
|
|
|
240 |
|
|
_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred) |
241 |
|
|
{ |
242 |
|
|
+ uint32_t gensec_features = 0; |
243 |
|
|
+ |
244 |
|
|
if (cred->bind_dn) { |
245 |
|
|
return true; |
246 |
|
|
} |
247 |
|
|
@@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c |
248 |
|
|
return true; |
249 |
|
|
} |
250 |
|
|
|
251 |
|
|
+ gensec_features = cli_credentials_get_gensec_features(cred); |
252 |
|
|
+ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) { |
253 |
|
|
+ return true; |
254 |
|
|
+ } |
255 |
|
|
+ |
256 |
|
|
+ if (gensec_features & GENSEC_FEATURE_SIGN) { |
257 |
|
|
+ return true; |
258 |
|
|
+ } |
259 |
|
|
+ |
260 |
|
|
+ if (gensec_features & GENSEC_FEATURE_SEAL) { |
261 |
|
|
+ return true; |
262 |
|
|
+ } |
263 |
|
|
+ |
264 |
|
|
return false; |
265 |
|
|
} |
266 |
|
|
|
267 |
|
|
-- |
268 |
|
|
1.9.1 |
269 |
|
|
|
270 |
|
|
|
271 |
|
|
From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001 |
272 |
|
|
From: Stefan Metzmacher <metze@samba.org> |
273 |
|
|
Date: Tue, 29 Aug 2017 15:35:49 +0200 |
274 |
|
|
Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add |
275 |
|
|
smbXcli_conn_signing_mandatory() |
276 |
|
|
|
277 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
278 |
|
|
|
279 |
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
280 |
|
|
--- |
281 |
|
|
libcli/smb/smbXcli_base.c | 5 +++++ |
282 |
|
|
libcli/smb/smbXcli_base.h | 1 + |
283 |
|
|
2 files changed, 6 insertions(+) |
284 |
|
|
|
285 |
|
|
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c |
286 |
|
|
index b21d796..239e5eb 100644 |
287 |
|
|
--- a/libcli/smb/smbXcli_base.c |
288 |
|
|
+++ b/libcli/smb/smbXcli_base.c |
289 |
|
|
@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn) |
290 |
|
|
return false; |
291 |
|
|
} |
292 |
|
|
|
293 |
|
|
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn) |
294 |
|
|
+{ |
295 |
|
|
+ return conn->mandatory_signing; |
296 |
|
|
+} |
297 |
|
|
+ |
298 |
|
|
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options) |
299 |
|
|
{ |
300 |
|
|
set_socket_options(conn->sock_fd, options); |
301 |
|
|
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h |
302 |
|
|
index e48fc35..2594f07 100644 |
303 |
|
|
--- a/libcli/smb/smbXcli_base.h |
304 |
|
|
+++ b/libcli/smb/smbXcli_base.h |
305 |
|
|
@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn); |
306 |
|
|
|
307 |
|
|
enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn); |
308 |
|
|
bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn); |
309 |
|
|
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn); |
310 |
|
|
|
311 |
|
|
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options); |
312 |
|
|
const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn); |
313 |
|
|
-- |
314 |
|
|
1.9.1 |
315 |
|
|
|
316 |
|
|
|
317 |
|
|
From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001 |
318 |
|
|
From: Stefan Metzmacher <metze@samba.org> |
319 |
|
|
Date: Mon, 12 Dec 2016 06:07:56 +0100 |
320 |
|
|
Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if |
321 |
|
|
authentication was not requested |
322 |
|
|
|
323 |
|
|
With forced encryption or required signing we should also don't fallback. |
324 |
|
|
|
325 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
326 |
|
|
|
327 |
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
328 |
|
|
--- |
329 |
|
|
source3/libsmb/clidfs.c | 16 ++++------------ |
330 |
|
|
1 file changed, 4 insertions(+), 12 deletions(-) |
331 |
|
|
|
332 |
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c |
333 |
|
|
index 75012b2..fdcd665 100644 |
334 |
|
|
--- a/source3/libsmb/clidfs.c |
335 |
|
|
+++ b/source3/libsmb/clidfs.c |
336 |
|
|
@@ -26,6 +26,7 @@ |
337 |
|
|
#include "trans2.h" |
338 |
|
|
#include "libsmb/nmblib.h" |
339 |
|
|
#include "../libcli/smb/smbXcli_base.h" |
340 |
|
|
+#include "auth/credentials/credentials.h" |
341 |
|
|
|
342 |
|
|
/******************************************************************** |
343 |
|
|
Important point. |
344 |
|
|
@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, |
345 |
|
|
char *servicename; |
346 |
|
|
char *sharename; |
347 |
|
|
char *newserver, *newshare; |
348 |
|
|
- const char *username; |
349 |
|
|
- const char *password; |
350 |
|
|
- const char *domain; |
351 |
|
|
NTSTATUS status; |
352 |
|
|
int flags = 0; |
353 |
|
|
int signing_state = get_cmdline_auth_info_signing_state(auth_info); |
354 |
|
|
@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, |
355 |
|
|
smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS); |
356 |
|
|
} |
357 |
|
|
|
358 |
|
|
- username = get_cmdline_auth_info_username(auth_info); |
359 |
|
|
- password = get_cmdline_auth_info_password(auth_info); |
360 |
|
|
- domain = get_cmdline_auth_info_domain(auth_info); |
361 |
|
|
- if ((domain == NULL) || (domain[0] == '\0')) { |
362 |
|
|
- domain = lp_workgroup(); |
363 |
|
|
- } |
364 |
|
|
- |
365 |
|
|
creds = get_cmdline_auth_info_creds(auth_info); |
366 |
|
|
|
367 |
|
|
status = cli_session_setup_creds(c, creds); |
368 |
|
|
if (!NT_STATUS_IS_OK(status)) { |
369 |
|
|
/* If a password was not supplied then |
370 |
|
|
* try again with a null username. */ |
371 |
|
|
- if (password[0] || !username[0] || |
372 |
|
|
- get_cmdline_auth_info_use_kerberos(auth_info) || |
373 |
|
|
+ if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) || |
374 |
|
|
+ cli_credentials_authentication_requested(creds) || |
375 |
|
|
+ cli_credentials_is_anonymous(creds) || |
376 |
|
|
!NT_STATUS_IS_OK(status = cli_session_setup_anon(c))) |
377 |
|
|
{ |
378 |
|
|
d_printf("session setup failed: %s\n", |
379 |
|
|
-- |
380 |
|
|
1.9.1 |
381 |
|
|
|