mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
ed9ec0b081
commit
59201d5424
@ -204,6 +204,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r
|
||||
struct ldb_message_element *nthe;
|
||||
struct ldb_message_element *lmhe;
|
||||
struct ldb_message_element *sce;
|
||||
int ret;
|
||||
|
||||
switch (request->operation) {
|
||||
case LDB_ADD:
|
||||
@ -217,17 +218,26 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r
|
||||
}
|
||||
|
||||
/* nobody must touch password histories and 'supplementalCredentials' */
|
||||
nte = dsdb_get_single_valued_attr(msg, "unicodePwd",
|
||||
request->operation);
|
||||
lme = dsdb_get_single_valued_attr(msg, "dBCSPwd",
|
||||
request->operation);
|
||||
nthe = dsdb_get_single_valued_attr(msg, "ntPwdHistory",
|
||||
request->operation);
|
||||
lmhe = dsdb_get_single_valued_attr(msg, "lmPwdHistory",
|
||||
request->operation);
|
||||
sce = dsdb_get_single_valued_attr(msg, "supplementalCredentials",
|
||||
request->operation);
|
||||
|
||||
#define GET_VALUES(el, attr) do { \
|
||||
ret = dsdb_get_expected_new_values(request, \
|
||||
msg, \
|
||||
attr, \
|
||||
&el, \
|
||||
request->operation); \
|
||||
\
|
||||
if (ret != LDB_SUCCESS) { \
|
||||
return ret; \
|
||||
} \
|
||||
} while(0)
|
||||
|
||||
GET_VALUES(nte, "unicodePwd");
|
||||
GET_VALUES(lme, "dBCSPwd");
|
||||
GET_VALUES(nthe, "ntPwdHistory");
|
||||
GET_VALUES(lmhe, "lmPwdHistory");
|
||||
GET_VALUES(sce, "supplementalCredentials");
|
||||
|
||||
#undef GET_VALUES
|
||||
#define CHECK_HASH_ELEMENT(e, min, max) do {\
|
||||
if (e && e->num_values) { \
|
||||
unsigned int _count; \
|
||||
|
Loading…
Reference in New Issue
Block a user