CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password

Check that an all zero password is rejected, Note this test user ARC4
encryption so that it passes the self encryption test.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

1 files changed, 82 insertions, 0 deletions

diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 6ac550c7012..b0b0f5317ab 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -1431,6 +1431,7 @@ static bool test_SetPassword2_password_encrypts_to_zero(
 
 	return true;
 }
+
 /*
  * Check that an all zero confounder, that encrypts to all zeros is
  * rejected.
@@ -1507,6 +1508,83 @@ static bool test_SetPassword2_confounder(
 
 	return true;
 }
+/*
+ * try a change password for our machine account, using an all zero
+ *  request. This should fail on the zero length check.
+ *
+ * Note: This test uses ARC4 encryption to exercise the desired check.
+ */
+static bool test_SetPassword2_all_zeros(
+	struct torture_context *tctx,
+	struct dcerpc_pipe *p1,
+	struct cli_credentials *machine_credentials)
+{
+	struct netr_ServerPasswordSet2 r;
+	struct netlogon_creds_CredentialState *creds;
+	struct samr_CryptPassword password_buf;
+	struct netr_Authenticator credential, return_authenticator;
+	struct netr_CryptPassword new_password;
+	struct dcerpc_pipe *p = NULL;
+	struct dcerpc_binding_handle *b = NULL;
+	uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+
+	if (!test_SetupCredentials2(
+		p1,
+		tctx,
+		flags,
+		machine_credentials,
+		cli_credentials_get_secure_channel_type(machine_credentials),
+		&creds))
+	{
+		return false;
+	}
+	if (!test_SetupCredentialsPipe(
+		p1,
+		tctx,
+		machine_credentials,
+		creds,
+		DCERPC_SIGN | DCERPC_SEAL,
+		&p))
+	{
+		return false;
+	}
+	b = p->binding_handle;
+
+	r.in.server_name = talloc_asprintf(
+		tctx,
+		"\\\\%s", dcerpc_server_name(p));
+	r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
+	r.in.secure_channel_type =
+		cli_credentials_get_secure_channel_type(machine_credentials);
+	r.in.computer_name = TEST_MACHINE_NAME;
+	r.in.credential = &credential;
+	r.in.new_password = &new_password;
+	r.out.return_authenticator = &return_authenticator;
+
+	ZERO_STRUCT(password_buf.data);
+	if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES enabled\n");
+	}
+	netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+
+	memcpy(new_password.data, password_buf.data, 512);
+	new_password.length = IVAL(password_buf.data, 512);
+
+	torture_comment(
+		tctx,
+		"Testing ServerPasswordSet2 on machine account\n");
+
+	netlogon_creds_client_authenticator(creds, &credential);
+
+	torture_assert_ntstatus_ok(
+		tctx,
+		dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
+		"ServerPasswordSet2 zero length check failed");
+	torture_assert_ntstatus_equal(
+		tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, "");
+
+	return true;
+}
 
 
 static bool test_SetPassword2(struct torture_context *tctx,
@@ -5679,6 +5757,10 @@ struct torture_suite *torture_rpc_netlogon_zerologon(TALLOC_CTX *mem_ctx)
 		tcase,
 		"test_SetPassword2_confounder",
 		test_SetPassword2_confounder);
+	torture_rpc_tcase_add_test_creds(
+		tcase,
+		"test_SetPassword2_all_zeros",
+		test_SetPassword2_all_zeros);
 
 	return suite;
 }