CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2015-11-20 09:29:11 +0100
committer: Stefan Metzmacher <metze@samba.org> 2016-04-12 19:25:23 +0200
commit: bbaba64329f21bb89fd83f2fff8bdfe8f97b15eb (patch)
tree: d7c53a2aa15350a3fb93681216d485a7e45b3931
parent: 8a647ae1e1c355f48b0d2a5a6c8bb0105e3d2318 (diff)
download: samba-bbaba64329f21bb89fd83f2fff8bdfe8f97b15eb.tar.gz
9 files changed, 17 insertions, 5 deletions
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index fdedd630048..78dd59d0158 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -80,7 +80,9 @@ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALL
 					      const char **domain);
 NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
 					   int *flags,
-					   DATA_BLOB challenge, DATA_BLOB target_info, 
+					   DATA_BLOB challenge,
+					   const NTTIME *server_timestamp,
+					   DATA_BLOB target_info,
 					   DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, 
 					   DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
 const char *cli_credentials_get_realm(struct cli_credentials *cred);
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 3711b1eda41..a69add02f53 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -30,7 +30,9 @@
 
 _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
 					   int *flags,
-					   DATA_BLOB challenge, DATA_BLOB target_info, 
+					   DATA_BLOB challenge,
+					   const NTTIME *server_timestamp,
+					   DATA_BLOB target_info,
 					   DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, 
 					   DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key) 
 {
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index e91692bb0cd..af4d2498e18 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -228,6 +228,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	const char *user = NULL, *domain = NULL, *workstation = NULL;
 	bool is_anonymous = false;
 	const DATA_BLOB version_blob = ntlmssp_version_blob();
+	const NTTIME *server_timestamp = NULL;
 
 	TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
 	if (!mem_ctx) {
@@ -454,10 +455,10 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	}
 
 	nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
-						      &flags, challenge_blob, target_info,
+						      &flags, challenge_blob,
+						      server_timestamp, target_info,
 						      &lm_response, &nt_response,
 						      &lm_session_key, &session_key);
-
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
index e4964c19b5d..903055f1eda 100644
--- a/source4/libcli/smb_composite/sesssetup.c
+++ b/source4/libcli/smb_composite/sesssetup.c
@@ -332,6 +332,7 @@ static NTSTATUS session_setup_nt1(struct composite_context *c,
 		nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
 							      &flags, 
 							      session->transport->negotiate.secblob, 
+							      NULL, /* server_timestamp */
 							      names_blob,
 							      &state->setup.nt1.in.password1,
 							      &state->setup.nt1.in.password2,
@@ -426,6 +427,7 @@ static NTSTATUS session_setup_old(struct composite_context *c,
 		nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
 							      &flags, 
 							      session->transport->negotiate.secblob, 
+							      NULL, /* server_timestamp */
 							      names_blob,
 							      &state->setup.old.in.password,
 							      NULL,
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 01bba978430..c8e864d00a7 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -882,6 +882,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context
 	status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
 						   &flags,
 						   chal,
+						   NULL, /* server_timestamp */
 						   names_blob,
 						   &lm_resp, &nt_resp,
 						   NULL, NULL);
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index dd44796f0d1..2b72f38ab3b 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -735,6 +735,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
 	status = cli_credentials_get_ntlm_response(client_creds, tctx,
 						   &flags,
 						   chal,
+						   NULL, /* server_timestamp */
 						   names_blob,
 						   &lm_resp, &nt_resp,
 						   NULL, NULL);
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 5f3f3d5a1f5..c454257874a 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -1192,7 +1192,7 @@ static bool schan(struct torture_context *tctx,
 			cli_credentials_get_workstation(user_creds),
 			cli_credentials_get_domain(user_creds));
 		status = cli_credentials_get_ntlm_response(
-			user_creds, mem_ctx, &flags, chal, names_blob,
+			user_creds, mem_ctx, &flags, chal, NULL, names_blob,
 			&lm_resp, &nt_resp, NULL, NULL);
 		if (!NT_STATUS_IS_OK(status)) {
 			torture_comment(tctx, "cli_credentials_get_ntlm_response failed:"
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 0c786c1efe1..dcdbb8ad550 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -3096,6 +3096,7 @@ static bool test_SamLogon(struct torture_context *tctx,
 		status = cli_credentials_get_ntlm_response(test_credentials, tctx,
 							   &flags,
 							   chal,
+							   NULL, /* server_timestamp */
 							   names_blob,
 							   &lm_resp, &nt_resp,
 							   NULL, NULL);
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index 57a97f3e1b2..829c969ecf5 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -87,6 +87,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
 	status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
 						   &flags,
 						   chal,
+						   NULL, /* server_timestamp */
 						   names_blob,
 						   &lm_resp, &nt_resp,
 						   NULL, NULL);
@@ -853,6 +854,7 @@ static bool torture_schannel_bench_start(struct torture_schannel_bench_conn *con
 	status = cli_credentials_get_ntlm_response(user_creds, conn->tmp,
 						   &flags,
 						   chal,
+						   NULL, /* server_timestamp */
 						   names_blob,
 						   &lm_resp, &nt_resp,
 						   NULL, NULL);
author	Stefan Metzmacher <metze@samba.org>	2015-11-20 09:29:11 +0100
committer	Stefan Metzmacher <metze@samba.org>	2016-04-12 19:25:23 +0200
commit	bbaba64329f21bb89fd83f2fff8bdfe8f97b15eb (patch)
tree	d7c53a2aa15350a3fb93681216d485a7e45b3931
parent	8a647ae1e1c355f48b0d2a5a6c8bb0105e3d2318 (diff)
download	samba-bbaba64329f21bb89fd83f2fff8bdfe8f97b15eb.tar.gz