samba/0015-CVE-2022-32743-s4-rpc_server-netlogon-Reconnect-to-s.patch

From 15c86028a861139cee4560fe093c965ffc30eb13 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 9 Jun 2022 19:46:07 +1200
Subject: [PATCH 15/15] CVE-2022-32743 s4:rpc_server/netlogon: Reconnect to
 samdb as workstation account

This ensures that the database update can be attributed to the
workstation account, rather than to the anonymous SID, in the audit
logs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 28 23:41:27 UTC 2022 on sn-devel-184
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 +++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 15cd27b..12ad780 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2422,6 +2422,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 	struct ldb_dn *workstation_dn;
 	struct netr_DomainInformation *domain_info;
 	struct netr_LsaPolicyInformation *lsa_policy_info;
+	struct auth_session_info *workstation_session_info = NULL;
 	uint32_t default_supported_enc_types = 0xFFFFFFFF;
 	bool update_dns_hostname = true;
 	int ret, i;
@@ -2468,6 +2469,33 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 						dom_sid_string(mem_ctx, creds->sid));
 		NT_STATUS_HAVE_NO_MEMORY(workstation_dn);
 
+		/* Get the workstation's session info from the database. */
+		status = authsam_get_session_info_principal(mem_ctx,
+							    dce_call->conn->dce_ctx->lp_ctx,
+							    sam_ctx,
+							    NULL, /* principal */
+							    workstation_dn,
+							    0, /* session_info_flags */
+							    &workstation_session_info);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+
+		/*
+		 * Reconnect to samdb as the workstation, now that we have its
+		 * session info. We do this so the database update can be
+		 * attributed to the workstation account in the audit logs --
+		 * otherwise it might be incorrectly attributed to
+		 * SID_NT_ANONYMOUS.
+		 */
+		sam_ctx = dcesrv_samdb_connect_session_info(mem_ctx,
+							    dce_call,
+							    workstation_session_info,
+							    workstation_session_info);
+		if (sam_ctx == NULL) {
+			return NT_STATUS_INVALID_SYSTEM_SERVICE;
+		}
+
 		/* Lookup for attributes in workstation object */
 		ret = gendb_search_dn(sam_ctx, mem_ctx, workstation_dn, &res1,
 				      attrs2);
-- 
1.8.3.1
fix CVE-2022-32743 (cherry picked from commit 19b3bebe9779312107668174e345d9844f5dc75f) 2022-08-26 16:27:39 +08:00			`From 15c86028a861139cee4560fe093c965ffc30eb13 Mon Sep 17 00:00:00 2001`
			`From: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Date: Thu, 9 Jun 2022 19:46:07 +1200`
			`Subject: [PATCH 15/15] CVE-2022-32743 s4:rpc_server/netlogon: Reconnect to`
			`samdb as workstation account`

			`This ensures that the database update can be attributed to the`
			`workstation account, rather than to the anonymous SID, in the audit`
			`logs.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833`

			`Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>`

			`Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>`
			`Autobuild-Date(master): Thu Jul 28 23:41:27 UTC 2022 on sn-devel-184`
			`---`
			`source4/rpc_server/netlogon/dcerpc_netlogon.c \| 28 +++++++++++++++++++++++++++`
			`1 file changed, 28 insertions(+)`

			`diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c`
			`index 15cd27b..12ad780 100644`
			`--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c`
			`+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c`
			`@@ -2422,6 +2422,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal`
			`struct ldb_dn *workstation_dn;`
			`struct netr_DomainInformation *domain_info;`
			`struct netr_LsaPolicyInformation *lsa_policy_info;`
			`+ struct auth_session_info *workstation_session_info = NULL;`
			`uint32_t default_supported_enc_types = 0xFFFFFFFF;`
			`bool update_dns_hostname = true;`
			`int ret, i;`
			`@@ -2468,6 +2469,33 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal`
			`dom_sid_string(mem_ctx, creds->sid));`
			`NT_STATUS_HAVE_NO_MEMORY(workstation_dn);`

			`+ /* Get the workstation's session info from the database. */`
			`+ status = authsam_get_session_info_principal(mem_ctx,`
			`+ dce_call->conn->dce_ctx->lp_ctx,`
			`+ sam_ctx,`
			`+ NULL, /* principal */`
			`+ workstation_dn,`
			`+ 0, /* session_info_flags */`
			`+ &workstation_session_info);`
			`+ if (!NT_STATUS_IS_OK(status)) {`
			`+ return status;`
			`+ }`
			`+`
			`+ /*`
			`+ * Reconnect to samdb as the workstation, now that we have its`
			`+ * session info. We do this so the database update can be`
			`+ * attributed to the workstation account in the audit logs --`
			`+ * otherwise it might be incorrectly attributed to`
			`+ * SID_NT_ANONYMOUS.`
			`+ */`
			`+ sam_ctx = dcesrv_samdb_connect_session_info(mem_ctx,`
			`+ dce_call,`
			`+ workstation_session_info,`
			`+ workstation_session_info);`
			`+ if (sam_ctx == NULL) {`
			`+ return NT_STATUS_INVALID_SYSTEM_SERVICE;`
			`+ }`
			`+`
			`/* Lookup for attributes in workstation object */`
			`ret = gendb_search_dn(sam_ctx, mem_ctx, workstation_dn, &res1,`
			`attrs2);`
			`--`
			`1.8.3.1`