diff options
| author | Samuel Cabrero <scabrero@suse.de> | 2022-12-22 09:29:04 +0100 |
|---|---|---|
| committer | Jule Anger <janger@samba.org> | 2023-01-23 09:27:12 +0000 |
| commit | 03a65b246b57645993887a087d6d8349aec7a4e1 (patch) | |
| tree | d0b7f99525c9c0895bac3e16d53dd2b6062f7c17 | |
| parent | de2e2045bbbd8f2fdddfa4471f6c4b0b4b01368a (diff) | |
| download | samba-03a65b246b57645993887a087d6d8349aec7a4e1.tar.gz | |
CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
Some checks are also required for _netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ca07f4340ce58a7e940a1123888b7409176412f7)
| -rw-r--r-- | source3/rpc_server/netlogon/srv_netlog_nt.c | 45 |
1 files changed, 28 insertions, 17 deletions
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index f5038a9525a..304a42d9af9 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1632,6 +1632,11 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, struct auth_serversupplied_info *server_info = NULL; struct auth_context *auth_context = NULL; const char *fn; + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; + uint16_t opnum = dce_call->pkt.u.request.opnum; + + dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); #ifdef DEBUG_PASSWORD logon = netlogon_creds_shallow_copy_logon(p->mem_ctx, @@ -1642,15 +1647,37 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, } #endif - switch (dce_call->pkt.u.request.opnum) { + switch (opnum) { case NDR_NETR_LOGONSAMLOGON: fn = "_netr_LogonSamLogon"; + /* + * Already called netr_check_schannel() via + * netr_creds_server_step_check() + */ break; case NDR_NETR_LOGONSAMLOGONWITHFLAGS: fn = "_netr_LogonSamLogonWithFlags"; + /* + * Already called netr_check_schannel() via + * netr_creds_server_step_check() + */ break; case NDR_NETR_LOGONSAMLOGONEX: fn = "_netr_LogonSamLogonEx"; + + if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { + return NT_STATUS_ACCESS_DENIED; + } + + status = dcesrv_netr_check_schannel(p->dce_call, + creds, + auth_type, + auth_level, + opnum); + if (NT_STATUS_IS_ERR(status)) { + return status; + } + break; default: return NT_STATUS_INTERNAL_ERROR; @@ -1881,10 +1908,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, r->out.validation->sam3); break; case 6: { - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; - - dcesrv_call_auth_info(dce_call, NULL, &auth_level); - /* Only allow this if the pipe is protected. */ if (auth_level < DCERPC_AUTH_LEVEL_PRIVACY) { DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n", @@ -1997,8 +2020,6 @@ NTSTATUS _netr_LogonSamLogon(struct pipes_struct *p, NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, struct netr_LogonSamLogonEx *r) { - struct dcesrv_call_state *dce_call = p->dce_call; - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; NTSTATUS status; struct netlogon_creds_CredentialState *creds = NULL; struct loadparm_context *lp_ctx; @@ -2010,16 +2031,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, return status; } - /* Only allow this if the pipe is protected. */ - - dcesrv_call_auth_info(dce_call, &auth_type, NULL); - - if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { - DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n", - get_remote_machine_name() )); - return NT_STATUS_INVALID_PARAMETER; - } - lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); if (lp_ctx == NULL) { DEBUG(0, ("loadparm_init_s3 failed\n")); |