samba/0011-CVE-2022-32743-s4-rpc_server-netlogon-Connect-to-sam.patch

From f545142380151a626848dbae9ee746167f3299fa Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 7 Jun 2022 17:29:02 +1200
Subject: [PATCH 11/15] CVE-2022-32743 s4:rpc_server/netlogon: Connect to samdb
 as a user, rather than as system

This allows us to perform validation on a client-specified dNSHostName
value, to ensure that it matches the sAMAccountName.

We might not have any rights to modify the account, so pass the control
FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE which allows us to perform
a validated write to dNSHostName and servicePrincipalName (and
unvalidated writes to other attributes, such as operatingSystem).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---
 selftest/knownfail.d/netlogon-dns-host-name   | 17 ++---------------
 source4/rpc_server/netlogon/dcerpc_netlogon.c |  5 +++--
 2 files changed, 5 insertions(+), 17 deletions(-)

diff --git a/selftest/knownfail.d/netlogon-dns-host-name b/selftest/knownfail.d/netlogon-dns-host-name
index 30c157f..3eca0cd 100644
--- a/selftest/knownfail.d/netlogon-dns-host-name
+++ b/selftest/knownfail.d/netlogon-dns-host-name
@@ -1,15 +1,2 @@
-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_suffix\(
-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_validated_write\(
-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_write_property\(
-^samba4.rpc.netlogon on ncacn_ip_tcp with bigendian.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_ip_tcp with seal,padcheck.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_ip_tcp with validate.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_np with bigendian.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_np with seal,padcheck.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncacn_np with validate.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncalrpc with bigendian.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncalrpc with seal,padcheck.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon on ncalrpc with validate.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon with bigendian.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon with seal,padcheck.netlogon.GetDomainInfo\(
-^samba4.rpc.netlogon with validate.netlogon.GetDomainInfo\(
+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_valid\(
+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_valid_denied\(
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index efba013..15cd27b 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2450,7 +2450,8 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 	}
 	NT_STATUS_NOT_OK_RETURN(status);
 
-	sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
+	/* We want to avoid connecting as system. */
+	sam_ctx = dcesrv_samdb_connect_as_user(mem_ctx, dce_call);
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -2607,7 +2608,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 			}
 		}
 
-		if (dsdb_replace(sam_ctx, new_msg, 0) != LDB_SUCCESS) {
+		if (dsdb_replace(sam_ctx, new_msg, DSDB_FLAG_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE) != LDB_SUCCESS) {
 			DEBUG(3,("Impossible to update samdb: %s\n",
 				ldb_errstring(sam_ctx)));
 		}
-- 
1.8.3.1
fix CVE-2022-32743 (cherry picked from commit 19b3bebe9779312107668174e345d9844f5dc75f) 2022-08-26 16:27:39 +08:00			`From f545142380151a626848dbae9ee746167f3299fa Mon Sep 17 00:00:00 2001`
			`From: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Date: Tue, 7 Jun 2022 17:29:02 +1200`
			`Subject: [PATCH 11/15] CVE-2022-32743 s4:rpc_server/netlogon: Connect to samdb`
			`as a user, rather than as system`

			`This allows us to perform validation on a client-specified dNSHostName`
			`value, to ensure that it matches the sAMAccountName.`

			`We might not have any rights to modify the account, so pass the control`
			`FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE which allows us to perform`
			`a validated write to dNSHostName and servicePrincipalName (and`
			`unvalidated writes to other attributes, such as operatingSystem).`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833`

			`Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>`
			`---`
			`selftest/knownfail.d/netlogon-dns-host-name \| 17 ++---------------`
			`source4/rpc_server/netlogon/dcerpc_netlogon.c \| 5 +++--`
			`2 files changed, 5 insertions(+), 17 deletions(-)`

			`diff --git a/selftest/knownfail.d/netlogon-dns-host-name b/selftest/knownfail.d/netlogon-dns-host-name`
			`index 30c157f..3eca0cd 100644`
			`--- a/selftest/knownfail.d/netlogon-dns-host-name`
			`+++ b/selftest/knownfail.d/netlogon-dns-host-name`
			`@@ -1,15 +1,2 @@`
			`-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_suffix\(`
			`-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_validated_write\(`
			`-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_write_property\(`
			`-^samba4.rpc.netlogon on ncacn_ip_tcp with bigendian.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon on ncacn_ip_tcp with seal,padcheck.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon on ncacn_ip_tcp with validate.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon on ncacn_np with bigendian.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon on ncacn_np with seal,padcheck.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon on ncacn_np with validate.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon on ncalrpc with bigendian.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon on ncalrpc with seal,padcheck.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon on ncalrpc with validate.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon with bigendian.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon with seal,padcheck.netlogon.GetDomainInfo\(`
			`-^samba4.rpc.netlogon with validate.netlogon.GetDomainInfo\(`
			`+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_valid\(`
			`+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_valid_denied\(`
			`diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c`
			`index efba013..15cd27b 100644`
			`--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c`
			`+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c`
			`@@ -2450,7 +2450,8 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal`
			`}`
			`NT_STATUS_NOT_OK_RETURN(status);`

			`- sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);`
			`+ /* We want to avoid connecting as system. */`
			`+ sam_ctx = dcesrv_samdb_connect_as_user(mem_ctx, dce_call);`
			`if (sam_ctx == NULL) {`
			`return NT_STATUS_INVALID_SYSTEM_SERVICE;`
			`}`
			`@@ -2607,7 +2608,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal`
			`}`
			`}`

			`- if (dsdb_replace(sam_ctx, new_msg, 0) != LDB_SUCCESS) {`
			`+ if (dsdb_replace(sam_ctx, new_msg, DSDB_FLAG_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE) != LDB_SUCCESS) {`
			`DEBUG(3,("Impossible to update samdb: %s\n",`
			`ldb_errstring(sam_ctx)));`
			`}`
			`--`
			`1.8.3.1`