sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-07 17:18:11 +03:00
Code

CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2021-10-01 12:01:12 +13:00 committed by Jule Anger
parent 91415e7b52
commit 0619d4eb4f
3 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
source4/rpc_server/common/sid_helper.c
View File

@ -141,6 +141,7 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ct
struct dom_sid *never_reveal_sids, *reveal_sids; struct dom_sid *never_reveal_sids, *reveal_sids;
TALLOC_CTX *frame = talloc_stackframe(); TALLOC_CTX *frame = talloc_stackframe();
WERROR werr; WERROR werr;
uint32_t rodc_uac;
/* /*
* We are not allowed to get anyone elses krbtgt secrets (and * We are not allowed to get anyone elses krbtgt secrets (and
@ -160,6 +161,18 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ct
return WERR_DS_DRA_SECRETS_DENIED; return WERR_DS_DRA_SECRETS_DENIED;
} }
/* Be very sure the RODC is really an RODC */
rodc_uac = ldb_msg_find_attr_as_uint(rodc_msg,
"userAccountControl",
0);
if ((rodc_uac & UF_PARTIAL_SECRETS_ACCOUNT)
!= UF_PARTIAL_SECRETS_ACCOUNT) {
TALLOC_FREE(frame);
DBG_ERR("Attempt to use an RODC account that is not an RODC: %s\n",
ldb_dn_get_linearized(rodc_msg->dn));
return WERR_DS_DRA_SECRETS_DENIED;
}
werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg, werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
frame, "msDS-NeverRevealGroup", frame, "msDS-NeverRevealGroup",
&num_never_reveal_sids, &num_never_reveal_sids,

7
source4/rpc_server/drsuapi/getncchanges.c
View File

@ -1168,7 +1168,12 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
struct ldb_dn *ntds_dn = NULL, *server_dn = NULL; struct ldb_dn *ntds_dn = NULL, *server_dn = NULL;
struct ldb_dn *rodc_dn, *krbtgt_link_dn; struct ldb_dn *rodc_dn, *krbtgt_link_dn;
int ret; int ret;
const char *rodc_attrs[] = { "msDS-KrbTgtLink", "msDS-NeverRevealGroup", "msDS-RevealOnDemandGroup", "objectGUID", NULL }; const char *rodc_attrs[] = { "msDS-KrbTgtLink",
"msDS-NeverRevealGroup",
"msDS-RevealOnDemandGroup",
"objectGUID",
"userAccountControl",
NULL };
const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL }; const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
struct ldb_result *rodc_res = NULL, *obj_res = NULL; struct ldb_result *rodc_res = NULL, *obj_res = NULL;
uint32_t num_token_sids; uint32_t num_token_sids;

7
source4/rpc_server/netlogon/dcerpc_netlogon.c
View File

@ -2847,7 +2847,12 @@ static bool sam_rodc_access_check(struct ldb_context *sam_ctx,
struct dom_sid *user_sid, struct dom_sid *user_sid,
struct ldb_dn *obj_dn) struct ldb_dn *obj_dn)
{ {
const char *rodc_attrs[] = { "msDS-KrbTgtLink", "msDS-NeverRevealGroup", "msDS-RevealOnDemandGroup", "objectGUID", NULL }; const char *rodc_attrs[] = { "msDS-KrbTgtLink",
"msDS-NeverRevealGroup",
"msDS-RevealOnDemandGroup",
"objectGUID",
"userAccountControl",
NULL };
const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL }; const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
struct ldb_dn *rodc_dn; struct ldb_dn *rodc_dn;
int ret; int ret;