mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
If TGTs can be used as kpasswd tickets, the two-minute lifetime of a authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets are not supposed to be cached, but using this flaw, a stolen credentials cache containing a TGT may be used to change that account's password, and thus is made more valuable to an attacker. Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and service tickets without it, we assert the absence of this buffer to ensure we're not accepting a TGT. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
parent
0d8995910f
commit
958f2bce69
@ -54,7 +54,3 @@
|
||||
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected.ad_dc
|
||||
#
|
||||
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
|
||||
#
|
||||
# Kpasswd tests
|
||||
#
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc
|
||||
|
@ -439,7 +439,3 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
|
||||
#
|
||||
# Kpasswd tests
|
||||
#
|
||||
samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc
|
||||
|
@ -239,3 +239,23 @@ NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx,
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
krb5_error_code kpasswd_check_non_tgt(struct auth_session_info *session_info,
|
||||
const char **error_string)
|
||||
{
|
||||
switch(session_info->ticket_type) {
|
||||
case TICKET_TYPE_TGT:
|
||||
/* TGTs are disallowed here. */
|
||||
*error_string = "A TGT may not be used as a ticket to kpasswd";
|
||||
return KRB5_KPASSWD_AUTHERROR;
|
||||
case TICKET_TYPE_NON_TGT:
|
||||
/* Non-TGTs are permitted, and expected. */
|
||||
break;
|
||||
default:
|
||||
/* In case we forgot to set the type. */
|
||||
*error_string = "Failed to ascertain that ticket to kpasswd is not a TGT";
|
||||
return KRB5_KPASSWD_HARDERROR;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -43,4 +43,6 @@ NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx,
|
||||
enum samPwdChangeReason *reject_reason,
|
||||
struct samr_DomInfo1 **dominfo);
|
||||
|
||||
krb5_error_code kpasswd_check_non_tgt(struct auth_session_info *session_info,
|
||||
const char **error_string);
|
||||
#endif /* _KPASSWD_HELPER_H */
|
||||
|
@ -252,6 +252,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
|
||||
{
|
||||
struct auth_session_info *session_info;
|
||||
NTSTATUS status;
|
||||
krb5_error_code code;
|
||||
|
||||
status = gensec_session_info(gensec_security,
|
||||
mem_ctx,
|
||||
@ -263,6 +264,18 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
|
||||
return KRB5_KPASSWD_HARDERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* Since the kpasswd service shares its keys with the krbtgt, we might
|
||||
* have received a TGT rather than a kpasswd ticket. We need to check
|
||||
* the ticket type to ensure that TGTs cannot be misused in this manner.
|
||||
*/
|
||||
code = kpasswd_check_non_tgt(session_info,
|
||||
error_string);
|
||||
if (code != 0) {
|
||||
DBG_WARNING("%s\n", *error_string);
|
||||
return code;
|
||||
}
|
||||
|
||||
switch(verno) {
|
||||
case KRB5_KPASSWD_VERS_CHANGEPW: {
|
||||
DATA_BLOB password = data_blob_null;
|
||||
|
@ -331,6 +331,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
|
||||
{
|
||||
struct auth_session_info *session_info;
|
||||
NTSTATUS status;
|
||||
krb5_error_code code;
|
||||
|
||||
status = gensec_session_info(gensec_security,
|
||||
mem_ctx,
|
||||
@ -343,6 +344,18 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
|
||||
return KRB5_KPASSWD_HARDERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* Since the kpasswd service shares its keys with the krbtgt, we might
|
||||
* have received a TGT rather than a kpasswd ticket. We need to check
|
||||
* the ticket type to ensure that TGTs cannot be misused in this manner.
|
||||
*/
|
||||
code = kpasswd_check_non_tgt(session_info,
|
||||
error_string);
|
||||
if (code != 0) {
|
||||
DBG_WARNING("%s\n", *error_string);
|
||||
return code;
|
||||
}
|
||||
|
||||
switch(verno) {
|
||||
case 1: {
|
||||
DATA_BLOB password;
|
||||
|
Loading…
Reference in New Issue
Block a user