samba/backport-0009-CVE-2020-25718-Put-msDS-KrbTgtLinkBL.patch
haochenstar 8378df4821 fix CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2016-2124,CVE-2021-3738
(cherry picked from commit aee849c6c0708056f62f6445e3b5274d1cec6408)
2022-01-19 11:41:35 +08:00


From f83e48a60bee40e5a20ed8281aca97906d047639 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 1 Oct 2021 11:55:11 +1300
Subject: [PATCH 235/284] CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL
Conflict: NA
Reference: https://git.samba.org/samba.git/?p=samba.git;a=patch;h=f83e48a60bee40e5a20ed8281aca97906d047639
and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
While these checks were not in the NETLOGON case, there is no sense in which
an RODC should be resetting a bad password count on either a
UF_INTERDOMAIN_TRUST_ACCOUNT or an RODC krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
source4/rpc_server/common/sid_helper.c | 29 ++++++++++++++++---
source4/rpc_server/drsuapi/getncchanges.c | 13 +--------
source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 +
3 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/source4/rpc_server/common/sid_helper.c b/source4/rpc_server/common/sid_helper.c
index eaeab236fc01..ab2b4373b473 100644
--- a/source4/rpc_server/common/sid_helper.c
+++ b/source4/rpc_server/common/sid_helper.c
@@ -133,16 +133,37 @@ WERROR samdb_result_sid_array_dn(struct ldb_context *sam_ctx,
WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ctx,
struct ldb_message *rodc_msg,
+ struct ldb_message *obj_msg,
uint32_t num_token_sids,
struct dom_sid *token_sids)
{
uint32_t num_never_reveal_sids, num_reveal_sids;
struct dom_sid *never_reveal_sids, *reveal_sids;
TALLOC_CTX *frame = talloc_stackframe();
- WERROR werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
- frame, "msDS-NeverRevealGroup",
- &num_never_reveal_sids,
- &never_reveal_sids);
+ WERROR werr;
+
+ /*
+ * We are not allowed to get anyone elses krbtgt secrets (and
+ * in callers that don't shortcut before this, the RODC should
+ * not deal with any krbtgt)
+ */
+ if (samdb_result_dn(sam_ctx, frame,
+ obj_msg, "msDS-KrbTgtLinkBL", NULL)) {
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_SECRETS_DENIED;
+ }
+
+ if (ldb_msg_find_attr_as_uint(obj_msg,
+ "userAccountControl", 0) &
+ UF_INTERDOMAIN_TRUST_ACCOUNT) {
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_SECRETS_DENIED;
+ }
+
+ werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
+ frame, "msDS-NeverRevealGroup",
+ &num_never_reveal_sids,
+ &never_reveal_sids);
if (!W_ERROR_IS_OK(werr)) {
TALLOC_FREE(frame);
return WERR_DS_DRA_SECRETS_DENIED;
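Review bot: The two new denials at the top of samdb_confirm_rodc_allowed_to_repl_to_sid_list() fail open when obj_msg does not carry the attribute. samdb_result_dn() on "msDS-KrbTgtLinkBL" returns NULL for a missing attribute and ldb_msg_find_attr_as_uint() falls back to the default of 0 passed here, so a message fetched without both attributes in its search list goes straight on to the reveal-group checks. The drsuapi caller read both attributes from obj_res->msgs[0] before this change, but the dcerpc_netlogon.c hunk only adds the argument and does not show the attribute list used for obj_res, so that search should be confirmed to request both. I would record the contract above the function with a comment such as `/* obj_msg must have been searched with "msDS-KrbTgtLinkBL" and "userAccountControl" requested; an absent attribute is treated as not-krbtgt / not-trust and is NOT denied */`. The function body continues past the end of this hunk.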
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 3b1d674573ff..a9d305fc9a05 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -1296,20 +1296,9 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
goto denied;
}
- /* but it isn't allowed to get anyone elses krbtgt secrets */
- if (samdb_result_dn(b_state->sam_ctx_system, mem_ctx,
- obj_res->msgs[0], "msDS-KrbTgtLinkBL", NULL)) {
- goto denied;
- }
-
- if (ldb_msg_find_attr_as_uint(obj_res->msgs[0],
- "userAccountControl", 0) &
- UF_INTERDOMAIN_TRUST_ACCOUNT) {
- goto denied;
- }
-
werr = samdb_confirm_rodc_allowed_to_repl_to_sid_list(b_state->sam_ctx_system,
rodc_res->msgs[0],
+ obj_res->msgs[0],
num_token_sids,
token_sids);
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 1aecd65bb618..92dd693ddcc1 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2888,6 +2888,7 @@ static bool sam_rodc_access_check(struct ldb_context *sam_ctx,
werr = samdb_confirm_rodc_allowed_to_repl_to_sid_list(sam_ctx,
rodc_res->msgs[0],
+ obj_res->msgs[0],
num_token_sids,
token_sids);
--
2.25.1