1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00

CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Douglas Bagnall 2021-10-20 17:19:42 +13:00 committed by Jule Anger
parent ed9ec0b081
commit 59201d5424

View File

@ -204,6 +204,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r
struct ldb_message_element *nthe;
struct ldb_message_element *lmhe;
struct ldb_message_element *sce;
int ret;
switch (request->operation) {
case LDB_ADD:
@ -217,17 +218,26 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r
}
/* nobody must touch password histories and 'supplementalCredentials' */
nte = dsdb_get_single_valued_attr(msg, "unicodePwd",
request->operation);
lme = dsdb_get_single_valued_attr(msg, "dBCSPwd",
request->operation);
nthe = dsdb_get_single_valued_attr(msg, "ntPwdHistory",
request->operation);
lmhe = dsdb_get_single_valued_attr(msg, "lmPwdHistory",
request->operation);
sce = dsdb_get_single_valued_attr(msg, "supplementalCredentials",
request->operation);
#define GET_VALUES(el, attr) do { \
ret = dsdb_get_expected_new_values(request, \
msg, \
attr, \
&el, \
request->operation); \
\
if (ret != LDB_SUCCESS) { \
return ret; \
} \
} while(0)
GET_VALUES(nte, "unicodePwd");
GET_VALUES(lme, "dBCSPwd");
GET_VALUES(nthe, "ntPwdHistory");
GET_VALUES(lmhe, "lmPwdHistory");
GET_VALUES(sce, "supplementalCredentials");
#undef GET_VALUES
#define CHECK_HASH_ELEMENT(e, min, max) do {\
if (e && e->num_values) { \
unsigned int _count; \