mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
Some checks are also required for _netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ca07f4340c
)
This commit is contained in:
parent
080ff2cd28
commit
7f4f9a3277
@ -1632,6 +1632,11 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
struct auth_context *auth_context = NULL;
|
||||
const char *fn;
|
||||
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
||||
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
||||
uint16_t opnum = dce_call->pkt.u.request.opnum;
|
||||
|
||||
dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
|
||||
|
||||
#ifdef DEBUG_PASSWORD
|
||||
logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
|
||||
@ -1642,15 +1647,37 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
||||
}
|
||||
#endif
|
||||
|
||||
switch (dce_call->pkt.u.request.opnum) {
|
||||
switch (opnum) {
|
||||
case NDR_NETR_LOGONSAMLOGON:
|
||||
fn = "_netr_LogonSamLogon";
|
||||
/*
|
||||
* Already called netr_check_schannel() via
|
||||
* netr_creds_server_step_check()
|
||||
*/
|
||||
break;
|
||||
case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
|
||||
fn = "_netr_LogonSamLogonWithFlags";
|
||||
/*
|
||||
* Already called netr_check_schannel() via
|
||||
* netr_creds_server_step_check()
|
||||
*/
|
||||
break;
|
||||
case NDR_NETR_LOGONSAMLOGONEX:
|
||||
fn = "_netr_LogonSamLogonEx";
|
||||
|
||||
if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
status = dcesrv_netr_check_schannel(p->dce_call,
|
||||
creds,
|
||||
auth_type,
|
||||
auth_level,
|
||||
opnum);
|
||||
if (NT_STATUS_IS_ERR(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
break;
|
||||
default:
|
||||
return NT_STATUS_INTERNAL_ERROR;
|
||||
@ -1881,10 +1908,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
||||
r->out.validation->sam3);
|
||||
break;
|
||||
case 6: {
|
||||
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
||||
|
||||
dcesrv_call_auth_info(dce_call, NULL, &auth_level);
|
||||
|
||||
/* Only allow this if the pipe is protected. */
|
||||
if (auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
|
||||
DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
|
||||
@ -1997,8 +2020,6 @@ NTSTATUS _netr_LogonSamLogon(struct pipes_struct *p,
|
||||
NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
|
||||
struct netr_LogonSamLogonEx *r)
|
||||
{
|
||||
struct dcesrv_call_state *dce_call = p->dce_call;
|
||||
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
||||
NTSTATUS status;
|
||||
struct netlogon_creds_CredentialState *creds = NULL;
|
||||
struct loadparm_context *lp_ctx;
|
||||
@ -2010,16 +2031,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
|
||||
return status;
|
||||
}
|
||||
|
||||
/* Only allow this if the pipe is protected. */
|
||||
|
||||
dcesrv_call_auth_info(dce_call, &auth_type, NULL);
|
||||
|
||||
if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
|
||||
DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
|
||||
get_remote_machine_name() ));
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
|
||||
if (lp_ctx == NULL) {
|
||||
DEBUG(0, ("loadparm_init_s3 failed\n"));
|
||||
|
Loading…
Reference in New Issue
Block a user