286 lines
11 KiB
Diff
286 lines
11 KiB
Diff
From 5249cad8b435d162584f010f492568d6f4526662 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Wed, 30 Oct 2019 15:59:16 +0100
|
|
Subject: [PATCH 7/9] CVE-2019-14870: heimdal: add S4U test for
|
|
delegation_not_allowed
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
|
---
|
|
selftest/knownfail.d/heimdal_not_delegated | 1 +
|
|
source4/selftest/tests.py | 1 +
|
|
testprogs/blackbox/test_s4u_heimdal.sh | 73 ++++++++++++++++++++++
|
|
3 files changed, 75 insertions(+)
|
|
create mode 100644 selftest/knownfail.d/heimdal_not_delegated
|
|
create mode 100755 testprogs/blackbox/test_s4u_heimdal.sh
|
|
|
|
diff --git a/selftest/knownfail.d/heimdal_not_delegated b/selftest/knownfail.d/heimdal_not_delegated
|
|
new file mode 100644
|
|
index 00000000000..bfc382a3fc2
|
|
--- /dev/null
|
|
+++ b/selftest/knownfail.d/heimdal_not_delegated
|
|
@@ -0,0 +1 @@
|
|
+^samba4.blackbox.krb5.s4u
|
|
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
|
|
index 9c3c77f1c56..2ec0bee923b 100755
|
|
--- a/source4/selftest/tests.py
|
|
+++ b/source4/selftest/tests.py
|
|
@@ -425,6 +425,7 @@ if have_heimdal_support:
|
|
plantestsuite("samba4.blackbox.kinit_trust(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"])
|
|
plantestsuite("samba4.blackbox.export.keytab(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
|
|
plantestsuite("samba4.blackbox.kpasswd(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
|
|
+ plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration])
|
|
else:
|
|
plantestsuite("samba4.blackbox.kinit(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration])
|
|
plantestsuite("samba4.blackbox.kinit(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration])
|
|
diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh
|
|
new file mode 100755
|
|
index 00000000000..0e12c7ec096
|
|
--- /dev/null
|
|
+++ b/testprogs/blackbox/test_s4u_heimdal.sh
|
|
@@ -0,0 +1,73 @@
|
|
+#!/bin/sh
|
|
+
|
|
+if [ $# -lt 5 ]; then
|
|
+cat <<EOF
|
|
+Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
|
|
+EOF
|
|
+exit 1;
|
|
+fi
|
|
+
|
|
+SERVER=$1
|
|
+USERNAME=$2
|
|
+PASSWORD=$3
|
|
+REALM=$4
|
|
+DOMAIN=$5
|
|
+PREFIX=$6
|
|
+shift 6
|
|
+failed=0
|
|
+
|
|
+
|
|
+samba_tool="$VALGRIND $PYTHON $BINDIR/samba-tool"
|
|
+
|
|
+samba4kinit=kinit
|
|
+if test -x $BINDIR/samba4kinit; then
|
|
+ samba4kinit=$BINDIR/samba4kinit
|
|
+fi
|
|
+
|
|
+samba4kgetcred=kgetcred
|
|
+if test -x $BINDIR/samba4kgetcred; then
|
|
+ samba4kgetcred=$BINDIR/samba4kgetcred
|
|
+fi
|
|
+
|
|
+. `dirname $0`/subunit.sh
|
|
+. `dirname $0`/common_test_fns.inc
|
|
+
|
|
+ocache="$PREFIX/tmpoutcache"
|
|
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
|
|
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
|
|
+export KRB5CCNAME
|
|
+rm -rf $KRB5CCNAME_PATH
|
|
+
|
|
+princ=test_impersonate_princ
|
|
+impersonator=test_impersonator
|
|
+target="CIFS/$SERVER.$REALM"
|
|
+
|
|
+
|
|
+testit "add impersonator principal" $samba_tool user add $impersonator $PASSWORD || failed=`expr $failed + 1`
|
|
+testit "become a service" $samba_tool spn add "HOST/$impersonator" $impersonator || failed=`expr $failed + 1`
|
|
+
|
|
+testit "set TrustedToAuthForDelegation" $samba_tool delegation for-any-protocol $impersonator on || failed=`expr $failed + 1`
|
|
+testit "add msDS-AllowedToDelegateTo" $samba_tool delegation add-service $impersonator $target || failed=`expr $failed + 1`
|
|
+
|
|
+testit "add a new principal" $samba_tool user add $princ --random-password || failed=`expr $failed + 1`
|
|
+testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=`expr $failed + 1`
|
|
+
|
|
+
|
|
+echo $PASSWORD > $PREFIX/tmppassfile
|
|
+testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1`
|
|
+
|
|
+testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1`
|
|
+testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
|
|
+
|
|
+testit "test S4U2Self with sensitive user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1`
|
|
+testit_expect_failure "test S4U2Proxy with sensitive user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
|
|
+
|
|
+rm -f $ocache
|
|
+testit "unset not-delegated flag" $samba_tool user sensitive $princ off || failed=`expr $failed + 1`
|
|
+
|
|
+testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1`
|
|
+testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
|
|
+
|
|
+
|
|
+rm -f $ocache $PREFIX/tmpccache tmppassfile
|
|
+exit $failed
|
|
--
|
|
2.17.1
|
|
|
|
|
|
From d0d4954b9b4643678b6f465959dd69de0faafd07 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Mon, 28 Oct 2019 02:54:09 +0200
|
|
Subject: [PATCH 8/9] CVE-2019-14870: heimdal: enforce delegation_not_allowed
|
|
in S4U2Self
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
|
---
|
|
selftest/knownfail.d/heimdal_not_delegated | 1 -
|
|
source4/heimdal/kdc/krb5tgs.c | 58 ++++++++++++++--------
|
|
2 files changed, 36 insertions(+), 23 deletions(-)
|
|
delete mode 100644 selftest/knownfail.d/heimdal_not_delegated
|
|
|
|
diff --git a/selftest/knownfail.d/heimdal_not_delegated b/selftest/knownfail.d/heimdal_not_delegated
|
|
deleted file mode 100644
|
|
index bfc382a3fc2..00000000000
|
|
--- a/selftest/knownfail.d/heimdal_not_delegated
|
|
+++ /dev/null
|
|
@@ -1 +0,0 @@
|
|
-^samba4.blackbox.krb5.s4u
|
|
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
|
|
index ff7d93138c0..ee3ac3d8f53 100644
|
|
--- a/source4/heimdal/kdc/krb5tgs.c
|
|
+++ b/source4/heimdal/kdc/krb5tgs.c
|
|
@@ -1975,30 +1975,42 @@ server_lookup:
|
|
if (ret)
|
|
goto out;
|
|
|
|
+ ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
|
|
+ NULL, &s4u2self_impersonated_clientdb,
|
|
+ &s4u2self_impersonated_client);
|
|
+ if (ret) {
|
|
+ const char *msg;
|
|
+
|
|
+ /*
|
|
+ * If the client belongs to the same realm as our krbtgt, it
|
|
+ * should exist in the local database.
|
|
+ *
|
|
+ */
|
|
+
|
|
+ if (ret == HDB_ERR_NOENTRY)
|
|
+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
|
+ msg = krb5_get_error_message(context, ret);
|
|
+ kdc_log(context, config, 1,
|
|
+ "S2U4Self principal to impersonate %s not found in database: %s",
|
|
+ tpn, msg);
|
|
+ krb5_free_error_message(context, msg);
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+ /* Ignore pw_end attributes (as Windows does),
|
|
+ * since S4U2Self is not password authentication. */
|
|
+ free(s4u2self_impersonated_client->entry.pw_end);
|
|
+ s4u2self_impersonated_client->entry.pw_end = NULL;
|
|
+
|
|
+ ret = kdc_check_flags(context, config, s4u2self_impersonated_client, tpn,
|
|
+ NULL, NULL, FALSE);
|
|
+ if (ret)
|
|
+ goto out;
|
|
+
|
|
/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
|
|
if(rspac.data) {
|
|
krb5_pac p = NULL;
|
|
krb5_data_free(&rspac);
|
|
- ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
|
|
- NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
|
|
- if (ret) {
|
|
- const char *msg;
|
|
-
|
|
- /*
|
|
- * If the client belongs to the same realm as our krbtgt, it
|
|
- * should exist in the local database.
|
|
- *
|
|
- */
|
|
-
|
|
- if (ret == HDB_ERR_NOENTRY)
|
|
- ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
|
- msg = krb5_get_error_message(context, ret);
|
|
- kdc_log(context, config, 1,
|
|
- "S2U4Self principal to impersonate %s not found in database: %s",
|
|
- tpn, msg);
|
|
- krb5_free_error_message(context, msg);
|
|
- goto out;
|
|
- }
|
|
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, &p);
|
|
if (ret) {
|
|
kdc_log(context, config, 0, "PAC generation failed for -- %s",
|
|
@@ -2034,10 +2046,12 @@ server_lookup:
|
|
|
|
/*
|
|
* If the service isn't trusted for authentication to
|
|
- * delegation, remove the forward flag.
|
|
+ * delegation or if the impersonate client is disallowed
|
|
+ * forwardable, remove the forwardable flag.
|
|
*/
|
|
|
|
- if (client->entry.flags.trusted_for_delegation) {
|
|
+ if (client->entry.flags.trusted_for_delegation &&
|
|
+ s4u2self_impersonated_client->entry.flags.forwardable) {
|
|
str = "[forwardable]";
|
|
} else {
|
|
b->kdc_options.forwardable = 0;
|
|
--
|
|
2.17.1
|
|
|
|
|
|
From 277ab21fcf31bf60458410994e188d9c236963a3 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 21 Nov 2019 11:12:48 +0100
|
|
Subject: [PATCH 9/9] CVE-2019-14870: mit-kdc: enforce delegation_not_allowed
|
|
flag
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14187
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
---
|
|
source4/kdc/mit_samba.c | 5 +++++
|
|
source4/kdc/sdb_to_kdb.c | 17 ++++++-----------
|
|
2 files changed, 11 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
|
|
index eacca0903ec..06e680b60e2 100644
|
|
--- a/source4/kdc/mit_samba.c
|
|
+++ b/source4/kdc/mit_samba.c
|
|
@@ -304,6 +304,11 @@ fetch_referral_principal:
|
|
|
|
sdb_free_entry(&sentry);
|
|
|
|
+ if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
|
|
+ kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
|
|
+ kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
|
|
+ }
|
|
+
|
|
done:
|
|
krb5_free_principal(ctx->context, referral_principal);
|
|
referral_principal = NULL;
|
|
diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c
|
|
index 74d882738f8..b7253ade122 100644
|
|
--- a/source4/kdc/sdb_to_kdb.c
|
|
+++ b/source4/kdc/sdb_to_kdb.c
|
|
@@ -36,18 +36,13 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s,
|
|
if (s->initial) {
|
|
*k |= KRB5_KDB_DISALLOW_TGT_BASED;
|
|
}
|
|
- /*
|
|
- * Do not set any disallow rules for forwardable, proxiable,
|
|
- * renewable, postdate and server.
|
|
- *
|
|
- * The KDC will take care setting the flags based on the incoming
|
|
- * ticket.
|
|
- */
|
|
- if (s->forwardable) {
|
|
- ;
|
|
+ /* The forwardable and proxiable flags are set according to client and
|
|
+ * server attributes. */
|
|
+ if (!s->forwardable) {
|
|
+ *k |= KRB5_KDB_DISALLOW_FORWARDABLE;
|
|
}
|
|
- if (s->proxiable) {
|
|
- ;
|
|
+ if (!s->proxiable) {
|
|
+ *k |= KRB5_KDB_DISALLOW_PROXIABLE;
|
|
}
|
|
if (s->renewable) {
|
|
;
|
|
--
|
|
2.17.1
|
|
|