From 953b8052a1f61fe5cdd81896d0101acf47ead205 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Wed, 30 Nov 2022 17:15:36 +0100
|
|
Subject: [PATCH 25/30] CVE-2022-38023 s4:rpc_server/netlogon: make sure all
|
|
dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
|
|
|
|
We'll soon add some additional constraints in dcesrv_netr_check_schannel(),
|
|
which are also required for dcesrv_netr_LogonSamLogonEx().
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
|
|
|
|
Conflict: NA
|
|
Reference: https://attachments.samba.org/attachment.cgi?id=17692
|
|
---
|
|
source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++++++----
|
|
1 file changed, 29 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
index 64d75c514f32..a9b16e5c42a3 100644
|
|
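--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -1401,6 +1401,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
 struct auth_usersupplied_info *user_info = NULL;
 NTSTATUS nt_status;
 struct tevent_req *subreq = NULL;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+
+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
+
+ switch (dce_call->pkt.u.request.opnum) {
+ case NDR_NETR_LOGONSAMLOGON:
+ case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
+ /*
+ * These already called dcesrv_netr_check_schannel()
+ * via dcesrv_netr_creds_server_step_check()
+ */
+ break;
+ case NDR_NETR_LOGONSAMLOGONEX:
+ default:
+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ nt_status = dcesrv_netr_check_schannel(dce_call,
+ creds,
+ auth_type,
+ auth_level,
+ dce_call->pkt.u.request.opnum);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ break;
+ }
 
 *r->out.authoritative = 1;
 
@@ -1749,7 +1778,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply(
 static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 struct netr_LogonSamLogonEx *r)
 {
- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
 struct dcesrv_netr_LogonSamLogon_base_state *state;
 NTSTATUS nt_status;
 
@@ -1787,12 +1815,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
 return nt_status;
 }
 
- dcesrv_call_auth_info(dce_call, &auth_type, NULL);
-
- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
 nt_status = dcesrv_netr_LogonSamLogon_base_call(state);
 
 if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {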
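Review bot: The `NDR_NETR_LOGONSAMLOGON` / `NDR_NETR_LOGONSAMLOGONWITHFLAGS` arm of the new switch in dcesrv_netr_LogonSamLogon_base_call() skips dcesrv_netr_check_schannel() because of a caller-side invariant that nothing in this function enforces. The `default:` arm fails closed, which is the right shape, but the skip arm would silently become a bypass if either entry point stopped going through dcesrv_netr_creds_server_step_check(). I would extend the comment to say so, e.g. `* Do not list an opnum here unless its handler has already run dcesrv_netr_check_schannel(); everything else must take the default arm.` Separately, the bare `return NT_STATUS_ACCESS_DENIED;` for a non-schannel auth type emits no log line in the visible code, so a rejected LogonSamLogonEx attempt may go unnoticed by whoever monitors the DC; a `DBG_WARNING()` naming the opnum and auth type would help. The function body starts and ends outside the hunk, so where `creds` comes from and how the callers behave were not checked here.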
--
|
|
2.34.1
|