author | Stefan Metzmacher <metze@samba.org> | 2015-11-20 09:29:11 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:23 +0200 |
commit | bbaba64329f21bb89fd83f2fff8bdfe8f97b15eb (patch) | |
tree | d7c53a2aa15350a3fb93681216d485a7e45b3931 | |
parent | 8a647ae1e1c355f48b0d2a5a6c8bb0105e3d2318 (diff) | |
download | samba-bbaba64329f21bb89fd83f2fff8bdfe8f97b15eb.tar.gz |
CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
-rw-r--r-- | auth/credentials/credentials.h | 4 | ||||
-rw-r--r-- | auth/credentials/credentials_ntlm.c | 4 | ||||
-rw-r--r-- | auth/ntlmssp/ntlmssp_client.c | 5 | ||||
-rw-r--r-- | source4/libcli/smb_composite/sesssetup.c | 2 | ||||
-rw-r--r-- | source4/torture/rpc/netlogon.c | 1 | ||||
-rw-r--r-- | source4/torture/rpc/remote_pac.c | 1 | ||||
-rw-r--r-- | source4/torture/rpc/samba3rpc.c | 2 | ||||
-rw-r--r-- | source4/torture/rpc/samr.c | 1 | ||||
-rw-r--r-- | source4/torture/rpc/schannel.c | 2 |
9 files changed, 17 insertions, 5 deletions
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index fdedd630048..78dd59d0158 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -80,7 +80,9 @@ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALL const char **domain); NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, int *flags, - DATA_BLOB challenge, DATA_BLOB target_info, + DATA_BLOB challenge, + const NTTIME *server_timestamp, + DATA_BLOB target_info, DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key); const char *cli_credentials_get_realm(struct cli_credentials *cred); diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c index 3711b1eda41..a69add02f53 100644 --- a/auth/credentials/credentials_ntlm.c +++ b/auth/credentials/credentials_ntlm.c @@ -30,7 +30,9 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, int *flags, - DATA_BLOB challenge, DATA_BLOB target_info, + DATA_BLOB challenge, + const NTTIME *server_timestamp, + DATA_BLOB target_info, DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key) { diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index e91692bb0cd..af4d2498e18 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -228,6 +228,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, const char *user = NULL, *domain = NULL, *workstation = NULL; bool is_anonymous = false; const DATA_BLOB version_blob = ntlmssp_version_blob(); + const NTTIME *server_timestamp = NULL; TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx); if (!mem_ctx) { 
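Review bot: The new `const NTTIME *server_timestamp` parameter in the `cli_credentials_get_ntlm_response()` prototype in auth/credentials/credentials.h has no comment saying what NULL means, although every caller outside auth/ntlmssp in this commit passes NULL. The value is an input to building an NTLM authentication response in a CVE-2016-2110 change, so the contract belongs at the declaration, for example `/* server_timestamp: optional, NULL when no server timestamp is available; not modified */` (meaning inferred from the name and the call sites, to be confirmed by the author). The same applies to the definition in auth/credentials/credentials_ntlm.c, whose body lies outside its hunk, so whether the parameter is read there yet cannot be seen from this page.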
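Review bot: `server_timestamp` is initialised to NULL at the top of `ntlmssp_client_challenge()` and passed to `cli_credentials_get_ntlm_response()` in the later hunk at new line 455, and neither hunk assigns it, so as far as the visible lines show the NTLMSSP client still always passes NULL. The function body between the two hunks is not shown, so this is hedged. If nothing sets the pointer yet, a comment at the declaration would keep a reader from assuming the CVE-2016-2110 hardening is already active on this path, e.g. `/* remains NULL in this commit; no timestamp is taken from the server yet */`. The later hunk also drops a whitespace-only line, which is unrelated cleanup and fine.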
@@ -454,10 +455,10 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx, - &flags, challenge_blob, target_info, + &flags, challenge_blob, + server_timestamp, target_info, &lm_response, &nt_response, &lm_session_key, &session_key); - if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c index e4964c19b5d..903055f1eda 100644 --- a/source4/libcli/smb_composite/sesssetup.c +++ b/source4/libcli/smb_composite/sesssetup.c @@ -332,6 +332,7 @@ static NTSTATUS session_setup_nt1(struct composite_context *c, nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, &flags, session->transport->negotiate.secblob, + NULL, /* server_timestamp */ names_blob, &state->setup.nt1.in.password1, &state->setup.nt1.in.password2, @@ -426,6 +427,7 @@ static NTSTATUS session_setup_old(struct composite_context *c, nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, &flags, session->transport->negotiate.secblob, + NULL, /* server_timestamp */ names_blob, &state->setup.old.in.password, NULL, diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 01bba978430..c8e864d00a7 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -882,6 +882,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx, &flags, chal, + NULL, /* server_timestamp */ names_blob, &lm_resp, &nt_resp, NULL, NULL); diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index dd44796f0d1..2b72f38ab3b 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c 
@@ -735,6 +735,7 @@ static bool test_S2U4Self(struct torture_context *tctx, status = cli_credentials_get_ntlm_response(client_creds, tctx, &flags, chal, + NULL, /* server_timestamp */ names_blob, &lm_resp, &nt_resp, NULL, NULL); diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index 5f3f3d5a1f5..c454257874a 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c @@ -1192,7 +1192,7 @@ static bool schan(struct torture_context *tctx, cli_credentials_get_workstation(user_creds), cli_credentials_get_domain(user_creds)); status = cli_credentials_get_ntlm_response( - user_creds, mem_ctx, &flags, chal, names_blob, + user_creds, mem_ctx, &flags, chal, NULL, names_blob, &lm_resp, &nt_resp, NULL, NULL); if (!NT_STATUS_IS_OK(status)) { torture_comment(tctx, "cli_credentials_get_ntlm_response failed:" diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 0c786c1efe1..dcdbb8ad550 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -3096,6 +3096,7 @@ static bool test_SamLogon(struct torture_context *tctx, status = cli_credentials_get_ntlm_response(test_credentials, tctx, &flags, chal, + NULL, /* server_timestamp */ names_blob, &lm_resp, &nt_resp, NULL, NULL); diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index 57a97f3e1b2..829c969ecf5 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -87,6 +87,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx, &flags, chal, + NULL, /* server_timestamp */ names_blob, &lm_resp, &nt_resp, NULL, NULL); @@ -853,6 +854,7 @@ static bool torture_schannel_bench_start(struct torture_schannel_bench_conn *con status = cli_credentials_get_ntlm_response(user_creds, conn->tmp, &flags, chal, + NULL, /* server_timestamp */ names_blob, &lm_resp, &nt_resp, NULL, NULL); |
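Review bot: In source4/torture/rpc/samba3rpc.c the new argument is passed as a bare `NULL`, while every other call site touched by this commit writes `NULL, /* server_timestamp */`. The call has ten arguments and already ends in `NULL, NULL`, so an unlabelled NULL in the middle does not tell a reader which slot it fills. The line would read better as `user_creds, mem_ctx, &flags, chal, NULL /* server_timestamp */, names_blob,`. `schan()` begins and ends outside the hunk.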