CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user

This regression was introduced in Samba 4.7 by bug 12842 and in master git commit eb2e77970e41c1cb62c041877565e939c78ff52d. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13552 CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
author: Andrew Bartlett <abartlet@samba.org> 2018-07-30 14:00:18 +1200
committer: Karolin Seeger <kseeger@samba.org> 2018-08-11 08:16:01 +0200
commit: 87aa836153e6fb48ea05d3fd98b8e05c527daf72 (patch)
tree: 237e6e037e4ad9dc0a7f6ff84d7706bbee8ec9ef /source4/torture
parent: 5923c3ccfc11462b841db9e015a33e5f96459e47 (diff)
download: samba-87aa836153e6fb48ea05d3fd98b8e05c527daf72.tar.gz
1 files changed, 38 insertions, 0 deletions
diff --git a/source4/torture/drs/python/cracknames.py b/source4/torture/drs/python/cracknames.py
index d8c8ae53d60..9bf90f9c997 100644
--- a/source4/torture/drs/python/cracknames.py
+++ b/source4/torture/drs/python/cracknames.py
@@ -149,6 +149,44 @@ class DrsCracknamesTestCase(drs_base.DrsBaseTestCase):
 
         self.ldb_dc1.delete(user)
 
+    def test_NoSPNAttribute(self):
+        """
+        Verifies that, if we try and cracknames with the desired output
+        being an SPN, it returns
+        DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE.
+        """
+        username = "Cracknames_no_SPN"
+        user = "cn=%s,%s" % (username, self.ou)
+
+        user_record = {
+            "dn": user,
+            "objectclass": "user",
+            "sAMAccountName" : username,
+            "userPrincipalName" : "test4@test.com",
+            "displayName" : "test4"}
+
+        self.ldb_dc1.add(user_record)
+
+        (result, ctr) = self._do_cracknames(user,
+                                            drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
+                                            drsuapi.DRSUAPI_DS_NAME_FORMAT_GUID)
+
+        self.assertEquals(ctr.count, 1)
+        self.assertEquals(ctr.array[0].status,
+                          drsuapi.DRSUAPI_DS_NAME_STATUS_OK)
+
+        user_guid = ctr.array[0].result_name
+
+        (result, ctr) = self._do_cracknames(user_guid,
+                                            drsuapi.DRSUAPI_DS_NAME_FORMAT_GUID,
+                                            drsuapi.DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL)
+
+        self.assertEquals(ctr.count, 1)
+        self.assertEquals(ctr.array[0].status,
+                          drsuapi.DRSUAPI_DS_NAME_STATUS_NOT_FOUND)
+
+        self.ldb_dc1.delete(user)
+
     def _do_cracknames(self, name, format_offered, format_desired):
         req = drsuapi.DsNameRequest1()
         names = drsuapi.DsNameString()
author	Andrew Bartlett <abartlet@samba.org>	2018-07-30 14:00:18 +1200
committer	Karolin Seeger <kseeger@samba.org>	2018-08-11 08:16:01 +0200
commit	87aa836153e6fb48ea05d3fd98b8e05c527daf72 (patch)
tree	237e6e037e4ad9dc0a7f6ff84d7706bbee8ec9ef /source4/torture
parent	5923c3ccfc11462b841db9e015a33e5f96459e47 (diff)
download	samba-87aa836153e6fb48ea05d3fd98b8e05c527daf72.tar.gz