From 340181bc1100fa31c63af88214a3d8328b944fe9 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 30 May 2022 19:16:02 +1200
Subject: [PATCH 92/99] CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd
server principal into krb5_rd_req_ctx()
To ensure that, when decrypting the kpasswd ticket, we look up the
correct principal and don't trust the sname from the ticket, we should
pass the principal name of the kpasswd service into krb5_rd_req_ctx().
However, gensec_krb5_update_internal() will pass in NULL unless the
principal in our credentials is CRED_SPECIFIED.
At present, our principal will be considered obtained as CRED_SMB_CONF
(from the cli_credentials_set_conf() a few lines up), so we explicitly
set the realm again, but this time as CRED_SPECIFIED. Now the value of
server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not
be NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Removed knownfail as KDC no longer panics]
Conflict: remove selftest/knownfail_heimdal_kdc selftest/knownfail_mit_kdc
---
source4/kdc/kpasswd-service.c | 30 ++++++++++++++++++++++++++++++
3 files changed, 30 insertions(+), 6 deletions(-)
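diff --git a/source4/kdc/kpasswd-service.c b/source4/kdc/kpasswd-service.c
index 0d2acd8d9e8..b6400be0c49 100644
--- a/source4/kdc/kpasswd-service.c
+++ b/source4/kdc/kpasswd-service.c
@@ -29,6 +29,7 @@
 #include "kdc/kdc-server.h"
 #include "kdc/kpasswd-service.h"
 #include "kdc/kpasswd-helper.h"
+#include "param/param.h"
 
 #define HEADER_LEN 6
 #ifndef RFC3244_VERSION
@@ -158,6 +159,20 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
 
 cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
 
+ /*
+ * After calling cli_credentials_set_conf(), explicitly set the realm
+ * with CRED_SPECIFIED. We need to do this so the result of
+ * principal_from_credentials() called from the gensec layer is
+ * CRED_SPECIFIED rather than CRED_SMB_CONF, avoiding a fallback to
+ * match-by-key (very undesirable in this case).
+ */
+ ok = cli_credentials_set_realm(server_credentials,
+ lpcfg_realm(kdc->task->lp_ctx),
+ CRED_SPECIFIED);
+ if (!ok) {
+ goto done;
+ }
+
 ok = cli_credentials_set_username(server_credentials,
 "kadmin/changepw",
 CRED_SPECIFIED);
@@ -165,6 +180,21 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
 goto done;
 }
 
+ /* Check that the server principal is indeed CRED_SPECIFIED. */
+ {
+ char *principal = NULL;
+ enum credentials_obtained obtained;
+
+ principal = cli_credentials_get_principal_and_obtained(server_credentials,
+ tmp_ctx,
+ &obtained);
+ if (obtained < CRED_SPECIFIED) {
+ goto done;
+ }
+
+ TALLOC_FREE(principal);
+ }
+
 rv = cli_credentials_set_keytab_name(server_credentials,
 kdc->task->lp_ctx,
 kdc->kpasswd_keytab_name,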
--
2.25.1