diff options
author | Gary Lockyer <gary@catalyst.net.nz> | 2020-09-28 09:54:41 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2020-10-16 04:45:40 +0000 |
commit | e790f9d20a123859ed687ae1d5af6159c0fed61a (patch) | |
tree | bb12f8586d2050ab77f5dc3ec3df9e3857c7b2f1 /source4 | |
parent | f47e3734158c108f2ea3e875f87085649dc0704e (diff) | |
download | samba-e790f9d20a123859ed687ae1d5af6159c0fed61a.tar.gz |
CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password
Check that a password buffer containing all zeros is rejected.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/torture/rpc/netlogon.c | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index f137d566e33..4f55887c571 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -1353,6 +1353,85 @@ static bool test_SetPassword2_encrypted_to_all_zeros( return true; } +/* + * Choose a session key that encrypts a password of all zeros to all zeros. + * Then try to set the password, using a zeroed buffer, with a non zero + * length. + * + * This exercises the password self encryption check. + * + * Note: The test does use sign and seal, it's purpose is to exercise + * the detection code in dcesrv_netr_ServerPasswordSet2 +*/ +static bool test_SetPassword2_password_encrypts_to_zero( + struct torture_context *tctx, + struct dcerpc_pipe *p1, + struct cli_credentials *machine_credentials) +{ + struct netr_ServerPasswordSet2 r; + struct netlogon_creds_CredentialState *creds; + struct samr_CryptPassword password_buf; + struct netr_Authenticator credential, return_authenticator; + struct netr_CryptPassword new_password; + struct dcerpc_pipe *p = NULL; + struct dcerpc_binding_handle *b = NULL; + + if (!test_ServerAuthenticate2_encrypts_to_zero( + tctx, + p1, + machine_credentials, + 0x00, + &creds)) { + + return false; + } + + if (!test_SetupCredentialsPipe( + p1, + tctx, + machine_credentials, + creds, + DCERPC_SIGN | DCERPC_SEAL, + &p)) + { + return false; + } + b = p->binding_handle; + + r.in.server_name = talloc_asprintf( + tctx, + "\\\\%s", dcerpc_server_name(p)); + r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); + r.in.secure_channel_type = + cli_credentials_get_secure_channel_type(machine_credentials); + r.in.computer_name = TEST_MACHINE_NAME; + r.in.credential = &credential; + r.in.new_password = &new_password; + r.out.return_authenticator = &return_authenticator; + + ZERO_STRUCT(password_buf); + SIVAL(password_buf.data, 512, 512); + + if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) { + torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set"); + } + netlogon_creds_aes_encrypt(creds, password_buf.data, 516); + + memcpy(new_password.data, password_buf.data, 512); + new_password.length = IVAL(password_buf.data, 512); + + netlogon_creds_client_authenticator(creds, &credential); + + torture_assert_ntstatus_ok( + tctx, + dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r), + "ServerPasswordSet2 password encrypts to zero check failed"); + torture_assert_ntstatus_equal( + tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, ""); + + return true; +} + static bool test_SetPassword2(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) @@ -5515,6 +5594,10 @@ struct torture_suite *torture_rpc_netlogon_zerologon(TALLOC_CTX *mem_ctx) tcase, "test_SetPassword2_encrypted_to_all_zeros", test_SetPassword2_encrypted_to_all_zeros); + torture_rpc_tcase_add_test_creds( + tcase, + "test_SetPassword2_password_encrypts_to_zero", + test_SetPassword2_password_encrypts_to_zero); return suite; } |