diff options
author | Samuel Cabrero <scabrero@suse.de> | 2022-12-22 09:29:04 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2023-01-09 14:23:36 +0000 |
commit | ca07f4340ce58a7e940a1123888b7409176412f7 (patch) | |
tree | e5800bbdf74853646cb44b9fd92bf8a07bbf16ea /source3 | |
parent | 25300d354c80995997d552581cd91dddaf4bbf48 (diff) | |
download | samba-ca07f4340ce58a7e940a1123888b7409176412f7.tar.gz |
CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
Some checks are also required for _netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/rpc_server/netlogon/srv_netlog_nt.c | 45 |
1 files changed, 28 insertions, 17 deletions
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index c00cdce8ffb..42e0eb2cea2 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1630,6 +1630,11 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, struct auth_serversupplied_info *server_info = NULL; struct auth_context *auth_context = NULL; const char *fn; + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; + uint16_t opnum = dce_call->pkt.u.request.opnum; + + dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); #ifdef DEBUG_PASSWORD logon = netlogon_creds_shallow_copy_logon(p->mem_ctx, @@ -1640,15 +1645,37 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, } #endif - switch (dce_call->pkt.u.request.opnum) { + switch (opnum) { case NDR_NETR_LOGONSAMLOGON: fn = "_netr_LogonSamLogon"; + /* + * Already called netr_check_schannel() via + * netr_creds_server_step_check() + */ break; case NDR_NETR_LOGONSAMLOGONWITHFLAGS: fn = "_netr_LogonSamLogonWithFlags"; + /* + * Already called netr_check_schannel() via + * netr_creds_server_step_check() + */ break; case NDR_NETR_LOGONSAMLOGONEX: fn = "_netr_LogonSamLogonEx"; + + if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { + return NT_STATUS_ACCESS_DENIED; + } + + status = dcesrv_netr_check_schannel(p->dce_call, + creds, + auth_type, + auth_level, + opnum); + if (NT_STATUS_IS_ERR(status)) { + return status; + } + break; default: return NT_STATUS_INTERNAL_ERROR; @@ -1879,10 +1906,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, r->out.validation->sam3); break; case 6: { - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; - - dcesrv_call_auth_info(dce_call, NULL, &auth_level); - /* Only allow this if the pipe is protected. */ if (auth_level < DCERPC_AUTH_LEVEL_PRIVACY) { DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n", @@ -1995,8 +2018,6 @@ NTSTATUS _netr_LogonSamLogon(struct pipes_struct *p, NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, struct netr_LogonSamLogonEx *r) { - struct dcesrv_call_state *dce_call = p->dce_call; - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; NTSTATUS status; struct netlogon_creds_CredentialState *creds = NULL; struct loadparm_context *lp_ctx; @@ -2008,16 +2029,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, return status; } - /* Only allow this if the pipe is protected. */ - - dcesrv_call_auth_info(dce_call, &auth_type, NULL); - - if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { - DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n", - get_remote_machine_name() )); - return NT_STATUS_INVALID_PARAMETER; - } - lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); if (lp_ctx == NULL) { DEBUG(0, ("loadparm_init_s3 failed\n")); |