diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-06-10 19:17:11 +1200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-24 09:23:56 +0200 |
commit | ff66f68a11c87531648c907ae2a7a6753868bc03 (patch) | |
tree | dfe00a012422bb22adb960528f09d41141a96adc | |
parent | 7ee246ef9ca9c057779466bc9d0319606de46eff (diff) | |
download | samba-ff66f68a11c87531648c907ae2a7a6753868bc03.tar.gz |
CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
The kpasswd service should require a kpasswd service ticket, and
disallow TGTs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed knownfail conflicts]
-rwxr-xr-x | python/samba/tests/krb5/kpasswd_tests.py | 28 | ||||
-rw-r--r-- | selftest/knownfail_heimdal_kdc | 3 | ||||
-rw-r--r-- | selftest/knownfail_mit_kdc | 4 |
3 files changed, 35 insertions, 0 deletions
diff --git a/python/samba/tests/krb5/kpasswd_tests.py b/python/samba/tests/krb5/kpasswd_tests.py index 3a6c7d818dc..0db857f7bbd 100755 --- a/python/samba/tests/krb5/kpasswd_tests.py +++ b/python/samba/tests/krb5/kpasswd_tests.py @@ -31,6 +31,7 @@ from samba.tests.krb5.rfc4120_constants import ( KDC_ERR_TGT_REVOKED, KDC_ERR_TKT_EXPIRED, KPASSWD_ACCESSDENIED, + KPASSWD_AUTHERROR, KPASSWD_HARDERROR, KPASSWD_INITIAL_FLAG_NEEDED, KPASSWD_MALFORMED, @@ -779,6 +780,33 @@ class KpasswdTests(KDCBaseTest): self._make_tgs_request(creds, service_creds, ticket, expect_error=False) + # Show that we cannot provide a TGT to kpasswd to change the password. + def test_kpasswd_tgt(self): + # Create an account for testing, and get a TGT. + creds = self._get_creds() + tgt = self.get_tgt(creds) + + # Change the sname of the ticket to match that of kadmin/changepw. + tgt.set_sname(self.get_kpasswd_sname()) + + expected_code = KPASSWD_AUTHERROR + expected_msg = b'A TGT may not be used as a ticket to kpasswd' + + # Set the password. + new_password = generate_random_password(32, 32) + self.kpasswd_exchange(tgt, + new_password, + expected_code, + expected_msg, + mode=self.KpasswdMode.SET) + + # Change the password. + self.kpasswd_exchange(tgt, + new_password, + expected_code, + expected_msg, + mode=self.KpasswdMode.CHANGE) + # Test that kpasswd rejects requests with a service ticket. def test_kpasswd_non_initial(self): # Create an account for testing, and get a TGT. diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 0e363f67754..c31ec8e11a1 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -48,3 +48,6 @@ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed # +# Kpasswd tests +# +^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 6d07ca4efb6..db0f3541bf7 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -550,3 +550,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc +# +# Kpasswd tests +# +samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc |