From 0bc08daf4c191c370cb218e9a0ecac51b8c36468 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 28 Apr 2022 20:34:36 +1200
Subject: [PATCH 1/4] CVE-2023-0225 CVE-2020-25720 s4/dsdb/util: Add functions
 for dsHeuristics 28, 29

These are the newly-added AttributeAuthorizationOnLDAPAdd and
BlockOwnerImplicitRights.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0af5706b559e89c77123ed174b41fd3d01705aa5)

[abartlet@samba.org This patch is needed for a clean backport of
 CVE-2023-0225 as these constants are used in the acl_modify test
 even when this behaviour is not itself used.]

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17833
---
 libds/common/flags.h                  |  2 ++
 source4/dsdb/samdb/ldb_modules/util.c | 40 +++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/libds/common/flags.h b/libds/common/flags.h
index 75e04b0c488..bee1016b294 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -258,6 +258,8 @@
 #define DS_HR_KVNOEMUW2K                          0x00000011
 
 #define DS_HR_TWENTIETH_CHAR                      0x00000014
+#define DS_HR_ATTR_AUTHZ_ON_LDAP_ADD              0x0000001C
+#define DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS         0x0000001D
 #define DS_HR_THIRTIETH_CHAR                      0x0000001E
 #define DS_HR_FOURTIETH_CHAR                      0x00000028
 #define DS_HR_FIFTIETH_CHAR                       0x00000032
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 9e00aedd09e..c2949f0734d 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1433,6 +1433,46 @@ bool dsdb_do_list_object(struct ldb_module *module,
 	return result;
 }
 
+bool dsdb_attribute_authz_on_ldap_add(struct ldb_module *module,
+				      TALLOC_CTX *mem_ctx,
+				      struct ldb_request *parent)
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	bool result = false;
+	const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+								     tmp_ctx,
+								     parent);
+	if (hr_val != NULL && hr_val->length >= DS_HR_ATTR_AUTHZ_ON_LDAP_ADD) {
+		uint8_t val = hr_val->data[DS_HR_ATTR_AUTHZ_ON_LDAP_ADD - 1];
+		if (val != '0' && val != '2') {
+			result = true;
+		}
+	}
+
+	talloc_free(tmp_ctx);
+	return result;
+}
+
+bool dsdb_block_owner_implicit_rights(struct ldb_module *module,
+				      TALLOC_CTX *mem_ctx,
+				      struct ldb_request *parent)
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	bool result = false;
+	const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+								     tmp_ctx,
+								     parent);
+	if (hr_val != NULL && hr_val->length >= DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS) {
+		uint8_t val = hr_val->data[DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS - 1];
+		if (val != '0' && val != '2') {
+			result = true;
+		}
+	}
+
+	talloc_free(tmp_ctx);
+	return result;
+}
+
 /*
   show the chain of requests, useful for debugging async requests
  */
-- 
2.25.1