CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets

If TGTs can be used as kpasswd tickets, the two-minute lifetime of a
authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
are not supposed to be cached, but using this flaw, a stolen credentials
cache containing a TGT may be used to change that account's password,
and thus is made more valuable to an attacker.

Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
service tickets without it, we assert the absence of this buffer to
ensure we're not accepting a TGT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

1 files changed, 13 insertions, 0 deletions

diff --git a/source4/kdc/kpasswd-service-heimdal.c b/source4/kdc/kpasswd-service-heimdal.c
index 00470af7cf2..c92b13def93 100644
--- a/source4/kdc/kpasswd-service-heimdal.c
+++ b/source4/kdc/kpasswd-service-heimdal.c
@@ -252,6 +252,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
 {
 	struct auth_session_info *session_info;
 	NTSTATUS status;
+	krb5_error_code code;
 
 	status = gensec_session_info(gensec_security,
 				     mem_ctx,
@@ -263,6 +264,18 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
 		return KRB5_KPASSWD_HARDERROR;
 	}
 
+	/*
+	 * Since the kpasswd service shares its keys with the krbtgt, we might
+	 * have received a TGT rather than a kpasswd ticket. We need to check
+	 * the ticket type to ensure that TGTs cannot be misused in this manner.
+	 */
+	code = kpasswd_check_non_tgt(session_info,
+				     error_string);
+	if (code != 0) {
+		DBG_WARNING("%s\n", *error_string);
+		return code;
+	}
+
 	switch(verno) {
 	case KRB5_KPASSWD_VERS_CHANGEPW: {
 		DATA_BLOB password = data_blob_null;