82 lines
2.7 KiB
Diff
82 lines
2.7 KiB
Diff
From ec1962e20deb4cbe95e861eb57107f08cb3a6de9 Mon Sep 17 00:00:00 2001
|
|
From: Samuel Cabrero <scabrero@suse.de>
|
|
Date: Thu, 22 Dec 2022 09:29:04 +0100
|
|
Subject: [PATCH 36/40] CVE-2022-38023 s3:rpc_server/netlogon: make sure all
|
|
dcesrv_netr_LogonSamLogon*() calls go through netr_check_schannel()
|
|
|
|
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
|
|
which are also required for dcesrv_netr_LogonSamLogonEx().
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
|
|
|
Conflict: NA
|
|
Reference: https://attachments.samba.org/attachment.cgi?id=17736
|
|
---
|
|
source3/rpc_server/netlogon/srv_netlog_nt.c | 30 ++++++++++++++++-----
|
|
1 file changed, 23 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
index b254ca72a48..a66b929b479 100644
|
|
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
@@ -1771,6 +1771,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
|
struct auth_serversupplied_info *server_info = NULL;
|
|
struct auth_context *auth_context = NULL;
|
|
const char *fn;
|
|
+ enum dcerpc_AuthType auth_type = p->auth.auth_type;
|
|
+ enum dcerpc_AuthLevel auth_level = p->auth.auth_level;
|
|
|
|
#ifdef DEBUG_PASSWORD
|
|
logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
|
|
@@ -1784,11 +1786,32 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
|
switch (p->opnum) {
|
|
case NDR_NETR_LOGONSAMLOGON:
|
|
fn = "_netr_LogonSamLogon";
|
|
+ /*
|
|
+ * Already called netr_check_schannel() via
|
|
+ * netr_creds_server_step_check()
|
|
+ */
|
|
break;
|
|
case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
|
|
fn = "_netr_LogonSamLogonWithFlags";
|
|
+ /*
|
|
+ * Already called netr_check_schannel() via
|
|
+ * netr_creds_server_step_check()
|
|
+ */
|
|
break;
|
|
case NDR_NETR_LOGONSAMLOGONEX:
|
|
+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
+ return NT_STATUS_ACCESS_DENIED;
|
|
+ }
|
|
+
|
|
+ status = netr_check_schannel(p,
|
|
+ creds,
|
|
+ auth_type,
|
|
+ auth_level,
|
|
+ p->opnum);
|
|
+ if (NT_STATUS_IS_ERR(status)) {
|
|
+ return status;
|
|
+ }
|
|
+
|
|
fn = "_netr_LogonSamLogonEx";
|
|
break;
|
|
default:
|
|
@@ -2130,13 +2153,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
|
|
return status;
|
|
}
|
|
|
|
- /* Only allow this if the pipe is protected. */
|
|
- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
- DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
|
|
- get_remote_machine_name() ));
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
- }
|
|
-
|
|
lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
|
|
if (lp_ctx == NULL) {
|
|
DEBUG(0, ("loadparm_init_s3 failed\n"));
|
|
--
|
|
2.39.0
|