From 4b61092459b403b2945daa9082052366f3508b69 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 10 Jun 2022 19:18:07 +1200 Subject: CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info This field may be used to convey whether we were provided with a TGT or a non-TGT. We ensure both structures are zeroed out to avoid incorrect results being produced by an uninitialised field. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider --- auth/auth_sam_reply.c | 2 +- auth/auth_util.c | 2 +- librpc/idl/auth.idl | 23 +++++++++++++++++++++++ source4/auth/ntlm/auth_developer.c | 2 +- source4/auth/sam.c | 2 +- source4/auth/session.c | 2 ++ source4/auth/system_session.c | 6 +++--- 7 files changed, 32 insertions(+), 7 deletions(-) diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index b5b6362dc93..2e27e5715d1 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -416,7 +416,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_LEVEL; } - user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); NT_STATUS_HAVE_NO_MEMORY(user_info_dc); /* diff --git a/auth/auth_util.c b/auth/auth_util.c index fe01babd107..ec9094d0f15 100644 --- a/auth/auth_util.c +++ b/auth/auth_util.c @@ -44,7 +44,7 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, return NULL; } - dst = talloc(mem_ctx, struct auth_session_info); + dst = talloc_zero(mem_ctx, struct auth_session_info); if (dst == NULL) { DBG_ERR("talloc failed\n"); TALLOC_FREE(frame); diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl index 1092935b971..f7658cdde28 100644 --- a/librpc/idl/auth.idl +++ b/librpc/idl/auth.idl @@ -75,6 +75,26 @@ interface auth [unique,charset(UTF8),string] char *sanitized_username; } auth_user_info_unix; + /* + * If the user was authenticated with a Kerberos ticket, this indicates + * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If + * unset, the type is unknown. This indicator is useful for the KDC and + * the kpasswd service, which share the same account and keys. By + * ensuring it is provided with the appopriate ticket type, each service + * avoids accepting a ticket meant for the other. + * + * The heuristic used to determine the type is the presence or absence + * of a REQUESTER_SID buffer in the PAC; we use its presence to assume + * we have a TGT. This heuristic will fail for older Samba versions and + * Windows prior to Nov. 2021 updates, which lack support for this + * buffer. + */ + typedef enum { + TICKET_TYPE_UNKNOWN = 0, + TICKET_TYPE_TGT = 1, + TICKET_TYPE_NON_TGT = 2 + } ticket_type; + /* This is the interim product of the auth subsystem, before * privileges and local groups are handled */ typedef [public] struct { @@ -83,6 +103,7 @@ interface auth auth_user_info *info; [noprint] DATA_BLOB user_session_key; [noprint] DATA_BLOB lm_session_key; + ticket_type ticket_type; } auth_user_info_dc; typedef [public] struct { @@ -112,6 +133,8 @@ interface auth * We generate this in auth_generate_session_info() */ GUID unique_session_token; + + ticket_type ticket_type; } auth_session_info; typedef [public] struct { diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c index 1823989c68d..6e92252d5c5 100644 --- a/source4/auth/ntlm/auth_developer.c +++ b/source4/auth/ntlm/auth_developer.c @@ -76,7 +76,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, } NT_STATUS_NOT_OK_RETURN(nt_status); - user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); NT_STATUS_HAVE_NO_MEMORY(user_info_dc); /* This returns a pointer to a struct dom_sid, which is the diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 8b233bab3ad..7c609655fcb 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -363,7 +363,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, TALLOC_CTX *tmp_ctx; struct ldb_message_element *el; - user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); NT_STATUS_HAVE_NO_MEMORY(user_info_dc); tmp_ctx = talloc_new(user_info_dc); diff --git a/source4/auth/session.c b/source4/auth/session.c index 8e44dcd24f1..d6e936dd1f1 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -222,6 +222,8 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, session_info->credentials = NULL; + session_info->ticket_type = user_info_dc->ticket_type; + talloc_steal(mem_ctx, session_info); *_session_info = session_info; talloc_free(tmp_ctx); diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 85b8f1c4edb..2518d654e8b 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -115,7 +115,7 @@ NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name, struct auth_user_info_dc *user_info_dc; struct auth_user_info *info; - user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); NT_STATUS_HAVE_NO_MEMORY(user_info_dc); /* This returns a pointer to a struct dom_sid, which is the @@ -191,7 +191,7 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx, struct auth_user_info_dc *user_info_dc; struct auth_user_info *info; - user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); NT_STATUS_HAVE_NO_MEMORY(user_info_dc); user_info_dc->num_sids = 7; @@ -356,7 +356,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx, { struct auth_user_info_dc *user_info_dc; struct auth_user_info *info; - user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); NT_STATUS_HAVE_NO_MEMORY(user_info_dc); /* This returns a pointer to a struct dom_sid, which is the -- cgit v1.2.1