diff options
| author | Stefan Metzmacher <metze@samba.org> | 2020-09-16 16:17:29 +0200 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2020-09-18 12:48:38 +0000 |
| commit | d3123858fb59046e826cf2c7ec2a3839e6508624 (patch) | |
| tree | d5c3ba41c1b0636677f429c399827ff87e41bdb7 | |
| parent | 53528c71ffdb3377c4e73ac596c8507bc3898e83 (diff) | |
| download | samba-d3123858fb59046e826cf2c7ec2a3839e6508624.tar.gz | |
CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init()
This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
7. If none of the first 5 bytes of the client challenge is unique, the
server MUST fail session-key negotiation without further processing of
the following steps.
It lets ./zerologon_tester.py from
https://github.com/SecuraBV/CVE-2020-1472.git
report: "Attack failed. Target is probably patched."
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
| -rw-r--r-- | libcli/auth/credentials.c | 17 | ||||
| -rw-r--r-- | libcli/auth/wscript_build | 2 |
2 files changed, 17 insertions, 2 deletions
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index 54a20100b51..23339d98bfa 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -24,6 +24,7 @@ #include "system/time.h" #include "libcli/auth/libcli_auth.h" #include "../libcli/security/dom_sid.h" +#include "lib/util/util_str_escape.h" #ifndef HAVE_GNUTLS_AES_CFB8 #include "lib/crypto/aes.h" @@ -704,7 +705,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); NTSTATUS status; - + bool ok; if (!creds) { return NULL; @@ -717,6 +718,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data)); dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash)); + ok = netlogon_creds_is_random_challenge(client_challenge); + if (!ok) { + DBG_WARNING("CVE-2020-1472(ZeroLogon): " + "non-random client challenge rejected for " + "client_account[%s] client_computer_name[%s]\n", + log_escape(mem_ctx, client_account), + log_escape(mem_ctx, client_computer_name)); + dump_data(DBGLVL_WARNING, + client_challenge->data, + sizeof(client_challenge->data)); + talloc_free(creds); + return NULL; + } + creds->computer_name = talloc_strdup(creds, client_computer_name); if (!creds->computer_name) { talloc_free(creds); diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build index 41937623630..2a6a7468e45 100644 --- a/libcli/auth/wscript_build +++ b/libcli/auth/wscript_build @@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK', bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH', source='credentials.c session.c smbencrypt.c smbdes.c', - public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS', + public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS util_str_escape', public_headers='credentials.h:domain_credentials.h' ) |