diff options
-rw-r--r-- | WHATSNEW.txt | 57 | ||||
-rw-r--r-- | python/samba/tests/dcerpc/dnsserver.py | 51 | ||||
-rw-r--r-- | source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 14 |
3 files changed, 118 insertions, 4 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b0191a14442..a053735f6e9 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,57 @@ ============================= + Release Notes for Samba 4.9.9 + June 19, 2019 + ============================= + + +This is a security release in order to address the following defect: + +o CVE-2019-12435 (Samba AD DC Denial of Service in DNS management server + (dnsserver)) + +======= +Details +======= + +o CVE-2019-12435: + An authenticated user can crash the Samba AD DC's RPC server process via a + NULL pointer dereference. + +For more details and workarounds, please refer to the security advisory. + + +Changes since 4.9.8: +-------------------- + +o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> + * BUG 13922: CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found + in DnssrvOperation2. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.9.8 May 14, 2019 ============================= @@ -49,8 +102,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.9.7 diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py index 53e1abde042..7264a290ef2 100644 --- a/python/samba/tests/dcerpc/dnsserver.py +++ b/python/samba/tests/dcerpc/dnsserver.py @@ -28,6 +28,7 @@ from samba.dcerpc import dnsp, dnsserver, security from samba.tests import RpcInterfaceTestCase, env_get_var_value from samba.netcmd.dns import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SRVRecord, TXTRecord from samba import sd_utils, descriptor +from samba import WERRORError, werror class DnsserverTests(RpcInterfaceTestCase): @@ -707,6 +708,56 @@ class DnsserverTests(RpcInterfaceTestCase): 'ServerInfo') self.assertEquals(dnsserver.DNSSRV_TYPEID_SERVER_INFO, typeid) + + # This test is to confirm that we do not support multizone operations, + # which are designated by a non-zero dwContext value (the 3rd argument + # to DnssrvOperation). + def test_operation_invalid(self): + non_zone = 'a-zone-that-does-not-exist' + typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM + name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM() + name_and_param.pszNodeName = 'AllowUpdate' + name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE + try: + res = self.conn.DnssrvOperation(self.server, + non_zone, + 1, + 'ResetDwordProperty', + typeid, + name_and_param) + except WERRORError as e: + if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: + return + + # We should always encounter a DOES_NOT_EXIST error. + self.fail() + + # This test is to confirm that we do not support multizone operations, + # which are designated by a non-zero dwContext value (the 5th argument + # to DnssrvOperation2). + def test_operation2_invalid(self): + client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN + non_zone = 'a-zone-that-does-not-exist' + typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM + name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM() + name_and_param.pszNodeName = 'AllowUpdate' + name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE + try: + res = self.conn.DnssrvOperation2(client_version, + 0, + self.server, + non_zone, + 1, + 'ResetDwordProperty', + typeid, + name_and_param) + except WERRORError as e: + if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: + return + + # We should always encounter a DOES_NOT_EXIST error. + self.fail() + def test_operation2(self): client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN rev_zone = '1.168.192.in-addr.arpa' diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c index b42d7c549d1..353754f9261 100644 --- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c @@ -1955,7 +1955,12 @@ static WERROR dcesrv_DnssrvOperation(struct dcesrv_call_state *dce_call, TALLOC_ &r->in.pData); } else { z = dnsserver_find_zone(dsstate->zones, r->in.pszZone); - if (z == NULL && request_filter == 0) { + /* + * In the case that request_filter is not 0 and z is NULL, + * the request is for a multizone operation, which we do not + * yet support, so just error on NULL zone name. + */ + if (z == NULL) { return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST; } @@ -2162,7 +2167,12 @@ static WERROR dcesrv_DnssrvOperation2(struct dcesrv_call_state *dce_call, TALLOC &r->in.pData); } else { z = dnsserver_find_zone(dsstate->zones, r->in.pszZone); - if (z == NULL && request_filter == 0) { + /* + * In the case that request_filter is not 0 and z is NULL, + * the request is for a multizone operation, which we do not + * yet support, so just error on NULL zone name. + */ + if (z == NULL) { return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST; } |