mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info

This field may be used to convey whether we were provided with a TGT or
a non-TGT. We ensure both structures are zeroed out to avoid incorrect
results being produced by an uninitialised field.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton 2022-06-10 19:18:07 +12:00 committed by Jule Anger
parent fc03cf9f45
commit 6a10e890a0
7 changed files with 32 additions and 7 deletions


@ -416,7 +416,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_LEVEL;
}
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
/*
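Review bot: Nothing at this call site records that the switch to `talloc_zero` is what makes the new `ticket_type` field start out as `TICKET_TYPE_UNKNOWN`, so a later revert to plain `talloc` would compile cleanly and leave the field uninitialised. A short comment above the allocation, such as `/* Zeroed so that ticket_type defaults to TICKET_TYPE_UNKNOWN. */`, would record the dependency. The same applies to the identical change in `name_to_ntstatus_check_password`, `authsam_make_user_info_dc`, `auth_system_user_info_dc`, `auth_domain_admin_user_info_dc` and `auth_anonymous_user_info_dc`. The page shows only these allocation sites, so it is worth confirming that no other code allocates `struct auth_user_info_dc` or `struct auth_session_info` with plain `talloc`, since a stray non-zero value there could be read as a ticket type. The enclosing function starts and ends outside the hunk.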


@ -44,7 +44,7 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
return NULL;
}
dst = talloc(mem_ctx, struct auth_session_info);
dst = talloc_zero(mem_ctx, struct auth_session_info);
if (dst == NULL) {
DBG_ERR("talloc failed\n");
TALLOC_FREE(frame);
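Review bot: Whether `ticket_type` is carried from `src` to `dst` cannot be seen from this hunk, because the rest of `copy_session_info` lies outside it. With `dst` now zeroed, a field that is not copied reads as `TICKET_TYPE_UNKNOWN` in the copy, so a session established with a known ticket type would lose that marking. If the copy is not done through marshalling generated from the IDL struct, an explicit `dst->ticket_type = src->ticket_type;` is needed here.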


@ -75,6 +75,26 @@ interface auth
[unique,charset(UTF8),string] char *sanitized_username;
} auth_user_info_unix;
/*
* If the user was authenticated with a Kerberos ticket, this indicates
* the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
* unset, the type is unknown. This indicator is useful for the KDC and
* the kpasswd service, which share the same account and keys. By
* ensuring it is provided with the appopriate ticket type, each service
* avoids accepting a ticket meant for the other.
*
* The heuristic used to determine the type is the presence or absence
* of a REQUESTER_SID buffer in the PAC; we use its presence to assume
* we have a TGT. This heuristic will fail for older Samba versions and
* Windows prior to Nov. 2021 updates, which lack support for this
* buffer.
*/
typedef enum {
TICKET_TYPE_UNKNOWN = 0,
TICKET_TYPE_TGT = 1,
TICKET_TYPE_NON_TGT = 2
} ticket_type;
/* This is the interim product of the auth subsystem, before
* privileges and local groups are handled */
typedef [public] struct {
@ -83,6 +103,7 @@ interface auth
auth_user_info *info;
[noprint] DATA_BLOB user_session_key;
[noprint] DATA_BLOB lm_session_key;
ticket_type ticket_type;
} auth_user_info_dc;
typedef [public] struct {
@ -112,6 +133,8 @@ interface auth
* We generate this in auth_generate_session_info()
*/
GUID unique_session_token;
ticket_type ticket_type;
} auth_session_info;
typedef [public] struct {
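Review bot: The comment above the `ticket_type` enum does not say how a consumer must treat `TICKET_TYPE_UNKNOWN`, nor what it should do with a ticket from a peer that lacks the REQUESTER_SID buffer. Since the field exists to stop the KDC and kpasswd from accepting each other's tickets, the expected handling (reject or accept) should be spelled out here rather than left to each caller. The allocation sites in this commit rely on zero-initialisation to produce the unknown state, so the enum deserves a line such as `/* TICKET_TYPE_UNKNOWN must remain 0; allocators rely on zeroed memory. */`, and "appopriate" in the comment should read "appropriate". Both structs are `[public]`, so adding a member presumably changes their marshalled layout; confirm that every process exchanging them is built from the same tree.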


@ -76,7 +76,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
}
NT_STATUS_NOT_OK_RETURN(nt_status);
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
/* This returns a pointer to a struct dom_sid, which is the


@ -363,7 +363,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
TALLOC_CTX *tmp_ctx;
struct ldb_message_element *el;
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
tmp_ctx = talloc_new(user_info_dc);


@ -222,6 +222,8 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
session_info->credentials = NULL;
session_info->ticket_type = user_info_dc->ticket_type;
talloc_steal(mem_ctx, session_info);
*_session_info = session_info;
talloc_free(tmp_ctx);


@ -119,7 +119,7 @@ NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
struct auth_user_info_dc *user_info_dc;
struct auth_user_info *info;
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
/* This returns a pointer to a struct dom_sid, which is the
@ -195,7 +195,7 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
struct auth_user_info_dc *user_info_dc;
struct auth_user_info *info;
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
user_info_dc->num_sids = 7;
@ -364,7 +364,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
{
struct auth_user_info_dc *user_info_dc;
struct auth_user_info *info;
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
/* This returns a pointer to a struct dom_sid, which is the