diff options
author | Gary Lockyer <gary@catalyst.net.nz> | 2020-09-28 10:01:34 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2020-10-16 04:45:40 +0000 |
commit | 61f216dc89669be2641bba678cf6e1c69788364d (patch) | |
tree | b4399abe5fe7be0724b201c8abb33a357b6c6518 /source4/torture | |
parent | 56297c70890287d800e30cf057e4702314261d0b (diff) | |
download | samba-61f216dc89669be2641bba678cf6e1c69788364d.tar.gz |
CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 max len password
Ensure that a maximum length password (512) is still accepted
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/torture')
-rw-r--r-- | source4/torture/rpc/netlogon.c | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index b0b0f5317ab..10eba7e430f 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -1586,6 +1586,86 @@ static bool test_SetPassword2_all_zeros( return true; } +/* + try a change password for our machine account, using a maximum length + password +*/ +static bool test_SetPassword2_maximum_length_password( + struct torture_context *tctx, + struct dcerpc_pipe *p1, + struct cli_credentials *machine_credentials) +{ + struct netr_ServerPasswordSet2 r; + struct netlogon_creds_CredentialState *creds; + struct samr_CryptPassword password_buf; + struct netr_Authenticator credential, return_authenticator; + struct netr_CryptPassword new_password; + struct dcerpc_pipe *p = NULL; + struct dcerpc_binding_handle *b = NULL; + uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + DATA_BLOB new_random_pass = data_blob_null; + + if (!test_SetupCredentials2( + p1, + tctx, + flags, + machine_credentials, + cli_credentials_get_secure_channel_type(machine_credentials), + &creds)) + { + return false; + } + if (!test_SetupCredentialsPipe( + p1, + tctx, + machine_credentials, + creds, + DCERPC_SIGN | DCERPC_SEAL, + &p)) + { + return false; + } + b = p->binding_handle; + + r.in.server_name = talloc_asprintf( + tctx, + "\\\\%s", dcerpc_server_name(p)); + r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); + r.in.secure_channel_type = + cli_credentials_get_secure_channel_type(machine_credentials); + r.in.computer_name = TEST_MACHINE_NAME; + r.in.credential = &credential; + r.in.new_password = &new_password; + r.out.return_authenticator = &return_authenticator; + + new_random_pass = netlogon_very_rand_pass(tctx, 256); + set_pw_in_buffer(password_buf.data, &new_random_pass); + SIVAL(password_buf.data, 512, 512); + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, password_buf.data, 516); + } else { + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + } + + memcpy(new_password.data, password_buf.data, 512); + new_password.length = IVAL(password_buf.data, 512); + + torture_comment( + tctx, + "Testing ServerPasswordSet2 on machine account\n"); + + netlogon_creds_client_authenticator(creds, &credential); + + torture_assert_ntstatus_ok( + tctx, + dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r), + "ServerPasswordSet2 zero length check failed"); + torture_assert_ntstatus_equal( + tctx, r.out.result, NT_STATUS_OK, ""); + + return true; +} + static bool test_SetPassword2(struct torture_context *tctx, struct dcerpc_pipe *p, @@ -5761,6 +5841,10 @@ struct torture_suite *torture_rpc_netlogon_zerologon(TALLOC_CTX *mem_ctx) tcase, "test_SetPassword2_all_zeros", test_SetPassword2_all_zeros); + torture_rpc_tcase_add_test_creds( + tcase, + "test_SetPassword2_maximum_length_password", + test_SetPassword2_maximum_length_password); return suite; } |