author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-06-10 19:18:53 +1200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-27 10:52:36 +0000 |
commit | 958f2bce695c3721a23cd7e81575da181be83828 (patch) | |
tree | d8ed874c61405c0773c73c541ce47873df8c5c6d /source4/kdc/kpasswd-service-heimdal.c | |
parent | 0d8995910f9846d38f705abcaa19dede98294f58 (diff) | |
download | samba-958f2bce695c3721a23cd7e81575da181be83828.tar.gz |
CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
If TGTs can be used as kpasswd tickets, the two-minute lifetime of an
authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
are not supposed to be cached, but using this flaw, a stolen credentials
cache containing a TGT may be used to change that account's password,
and thus is made more valuable to an attacker.
Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
service tickets without it, we assert the absence of this buffer to
ensure we're not accepting a TGT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source4/kdc/kpasswd-service-heimdal.c')
-rw-r--r-- | source4/kdc/kpasswd-service-heimdal.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/source4/kdc/kpasswd-service-heimdal.c b/source4/kdc/kpasswd-service-heimdal.c index 00470af7cf2..c92b13def93 100644 --- a/source4/kdc/kpasswd-service-heimdal.c +++ b/source4/kdc/kpasswd-service-heimdal.c @@ -252,6 +252,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, { struct auth_session_info *session_info; NTSTATUS status; + krb5_error_code code; status = gensec_session_info(gensec_security, mem_ctx, @@ -263,6 +264,18 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, return KRB5_KPASSWD_HARDERROR; } + /* + * Since the kpasswd service shares its keys with the krbtgt, we might + * have received a TGT rather than a kpasswd ticket. We need to check + * the ticket type to ensure that TGTs cannot be misused in this manner. + */ + code = kpasswd_check_non_tgt(session_info, + error_string); + if (code != 0) { + DBG_WARNING("%s\n", *error_string); + return code; + } + switch(verno) { case KRB5_KPASSWD_VERS_CHANGEPW: { DATA_BLOB password = data_blob_null; |
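Review bot: in the second hunk the value returned by kpasswd_check_non_tgt() is passed straight back as the return value of kpasswd_handle_request(), which the surrounding code treats as a kpasswd result code (the line just above returns KRB5_KPASSWD_HARDERROR on a gensec_session_info() failure), so kpasswd_check_non_tgt() must return one of the KRB5_KPASSWD_* result codes rather than an arbitrary krb5_error_code, or the client will see a misleading reply. Its definition is outside this file's diff; confirm that, and confirm it sets *error_string on every non-zero return, since `DBG_WARNING("%s\n", *error_string);` dereferences it unconditionally on that path. It would also help to add a comment here stating which buffer is being checked (REQUESTER_SID, as the commit message explains), so the reason this distinguishes a TGT is visible at the call site.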