From 0bc08daf4c191c370cb218e9a0ecac51b8c36468 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 28 Apr 2022 20:34:36 +1200
Subject: [PATCH 1/4] CVE-2023-0225 CVE-2020-25720 s4/dsdb/util: Add functions
for dsHeuristics 28, 29
These are the newly-added AttributeAuthorizationOnLDAPAdd and
BlockOwnerImplicitRights.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0af5706b559e89c77123ed174b41fd3d01705aa5)
[abartlet@samba.org This patch is needed for a clean backport of
CVE-2023-0225 as these constants are used in the acl_modify test
even when this behaviour is not itself used.]
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17833
---
libds/common/flags.h | 2 ++
source4/dsdb/samdb/ldb_modules/util.c | 40 +++++++++++++++++++++++++++
2 files changed, 42 insertions(+)
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 75e04b0c488..bee1016b294 100644
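--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -258,6 +258,8 @@
 #define DS_HR_KVNOEMUW2K 0x00000011
 
 #define DS_HR_TWENTIETH_CHAR 0x00000014
+#define DS_HR_ATTR_AUTHZ_ON_LDAP_ADD 0x0000001C
+#define DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS 0x0000001D
 #define DS_HR_THIRTIETH_CHAR 0x0000001E
 #define DS_HR_FOURTIETH_CHAR 0x00000028
 #define DS_HR_FIFTIETH_CHAR 0x00000032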
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 9e00aedd09e..c2949f0734d 100644
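--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1433,6 +1433,46 @@ bool dsdb_do_list_object(struct ldb_module *module,
 return result;
 }
 
+bool dsdb_attribute_authz_on_ldap_add(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_request *parent)
+{
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ bool result = false;
+ const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+ tmp_ctx,
+ parent);
+ if (hr_val != NULL && hr_val->length >= DS_HR_ATTR_AUTHZ_ON_LDAP_ADD) {
+ uint8_t val = hr_val->data[DS_HR_ATTR_AUTHZ_ON_LDAP_ADD - 1];
+ if (val != '0' && val != '2') {
+ result = true;
+ }
+ }
+
+ talloc_free(tmp_ctx);
+ return result;
+}
+
+bool dsdb_block_owner_implicit_rights(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_request *parent)
+{
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ bool result = false;
+ const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+ tmp_ctx,
+ parent);
+ if (hr_val != NULL && hr_val->length >= DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS) {
+ uint8_t val = hr_val->data[DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS - 1];
+ if (val != '0' && val != '2') {
+ result = true;
+ }
+ }
+
+ talloc_free(tmp_ctx);
+ return result;
+}
+
 /*
 show the chain of requests, useful for debugging async requests
 */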
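Review bot: Both new helpers in util.c return `false` whenever `dsdb_module_find_dsheuristics()` yields NULL or a value that is too short, so a failed lookup is indistinguishable from the heuristic being unset, and the result of `talloc_new(mem_ctx)` is passed on without a NULL check. Judging by the names AttributeAuthorizationOnLDAPAdd and BlockOwnerImplicitRights, `true` looks like the stricter setting, so an allocation or search error would quietly select the more permissive access-control path; whether the lookup can actually fail that way is not visible in this hunk. At minimum I would document the contract above each function, e.g. `/* Returns false if dSHeuristics is absent, too short or cannot be read, i.e. the check is treated as disabled. */`, and consider logging the failure case. The two bodies differ only in the DS_HR_* constant, so one static helper taking the 1-based character position would keep the `'0'`/`'2'` test in a single place.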
--
2.25.1