diff options
author | Stefan Metzmacher <metze@samba.org> | 2020-09-16 10:18:45 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-09-18 12:45:37 +0200 |
commit | f867164dc57b85c3c69b08be51c64aa430a23b2e (patch) | |
tree | 63e3a0b92ba741d53b8aad645af3a16aeda1c175 | |
parent | 0da2f3e2455999cc30761a40715a1f1a88e1b725 (diff) | |
download | samba-f867164dc57b85c3c69b08be51c64aa430a23b2e.tar.gz |
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
We should debug more details about the failing request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 45 |
1 files changed, 33 insertions, 12 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index a8d8d95130f..afc0687b882 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -622,26 +622,47 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc NTSTATUS nt_status; int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); bool schannel_global_required = (schannel == true); + struct netlogon_creds_CredentialState *creds = NULL; + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + uint16_t opnum = dce_call->pkt.u.request.opnum; + const char *opname = "<unknown>"; - if (schannel_global_required) { - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; - - dcesrv_call_auth_info(dce_call, &auth_type, NULL); - - if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { - DBG_ERR("[%s] is not using schannel\n", - computer_name); - return NT_STATUS_ACCESS_DENIED; - } + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; } + dcesrv_call_auth_info(dce_call, &auth_type, NULL); + nt_status = schannel_check_creds_state(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, computer_name, received_authenticator, return_authenticator, - creds_out); - return nt_status; + &creds); + if (!NT_STATUS_IS_OK(nt_status)) { + ZERO_STRUCTP(return_authenticator); + return nt_status; + } + + if (schannel_global_required) { + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + *creds_out = creds; + return NT_STATUS_OK; + } + + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, + log_escape(mem_ctx, creds->account_name), + log_escape(mem_ctx, creds->computer_name)); + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); + return NT_STATUS_ACCESS_DENIED; + } + + *creds_out = creds; + return NT_STATUS_OK; } /* |