
CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal

Since this principal goes through the samba_kdc_fetch_server() path,
setting the canonicalisation flag would cause the principal to be
replaced with the sAMAccountName; this meant requests to
kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we
properly handle canonicalisation for the kadmin/changepw principal.

View with 'git show -b'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton 2022-05-18 16:56:01 +12:00 committed by Jule Anger
parent 186f0c6e48
commit c0282bbbc1
4 changed files with 46 additions and 63 deletions


@ -1 +0,0 @@
^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password


@ -57,8 +57,6 @@
#
# Kpasswd tests
#
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc


@ -7,25 +7,3 @@
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self\(
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_none\(
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_true\(
#
# Kpasswd tests
#
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_lifetime_tgs.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_tgs.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc


@ -931,6 +931,7 @@ static krb5_error_code samba_kdc_get_entry_principal(
const char *samAccountName,
enum samba_kdc_ent_type ent_type,
unsigned flags,
bool is_kadmin_changepw,
krb5_const_principal in_princ,
krb5_principal *out_princ)
{
@ -950,46 +951,52 @@ static krb5_error_code samba_kdc_get_entry_principal(
* fixed UPPER case realm, but the as-sent username
*/
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {
/*
* When requested to do so, ensure that the
* both realm values in the principal are set
* to the upper case, canonical realm
*/
code = smb_krb5_make_principal(context,
out_princ,
lpcfg_realm(lp_ctx),
"krbtgt",
lpcfg_realm(lp_ctx),
NULL);
if (code != 0) {
/*
* We need to ensure that the kadmin/changepw principal isn't able to
* issue krbtgt tickets, even if canonicalization is turned on.
*/
if (!is_kadmin_changepw) {
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {
/*
* When requested to do so, ensure that the
* both realm values in the principal are set
* to the upper case, canonical realm
*/
code = smb_krb5_make_principal(context,
out_princ,
lpcfg_realm(lp_ctx),
"krbtgt",
lpcfg_realm(lp_ctx),
NULL);
if (code != 0) {
return code;
}
smb_krb5_principal_set_type(context,
*out_princ,
KRB5_NT_SRV_INST);
return 0;
}
if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) ||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) {
/*
* SDB_F_CANON maps from the canonicalize flag in the
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the
* AS-REQ case.
*
* The SDB_F_FORCE_CANON if for new MIT KDC code that
* wants the canonical name in all lookups, and takes
* care to canonicalize only when appropriate.
*/
code = smb_krb5_make_principal(context,
out_princ,
lpcfg_realm(lp_ctx),
samAccountName,
NULL);
return code;
}
smb_krb5_principal_set_type(context,
*out_princ,
KRB5_NT_SRV_INST);
return 0;
}
if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) ||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) {
/*
* SDB_F_CANON maps from the canonicalize flag in the
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the
* AS-REQ case.
*
* The SDB_F_FORCE_CANON if for new MIT KDC code that
* wants the canonical name in all lookups, and takes
* care to canonicalize only when appropriate.
*/
code = smb_krb5_make_principal(context,
out_princ,
lpcfg_realm(lp_ctx),
samAccountName,
NULL);
return code;
}
/*
@ -1305,6 +1312,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
samAccountName,
ent_type,
flags,
entry->flags.change_pw,
principal,
&entry->principal);
if (ret != 0) {
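Review bot: Wrapping the two canonicalisation branches in a new `if (!is_kadmin_changepw) {` block in the -950 hunk re-indents roughly forty otherwise unchanged lines (hence the "View with 'git show -b'" hint in the description), where folding the flag into each condition would keep the diff to the lines that actually change: `if (!is_kadmin_changepw && ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {` and `if (!is_kadmin_changepw && ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) || (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL))) {`. The two forms are equivalent because each branch ends in a return, so this is purely a matter of how the guard reads. The new comment explains why the krbtgt rewrite is skipped but not that the sAMAccountName rewrite is skipped as well, and what the kadmin/changepw principal then becomes is decided by code after the hunk that is outside this view, so a sentence such as `Both rewrites are skipped, so a kadmin/changepw entry falls through with the principal as sent.` would make the intent explicit. The `is_kadmin_changepw` parameter added in the -931 hunk is undocumented at the signature (the function's header comment, if any, is outside the hunk); a trailing comment like `/* entry->flags.change_pw from the caller: never rewrite to krbtgt */` would tie it to the call site in the -1305 hunk. samba_kdc_get_entry_principal begins before and ends after these hunks.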