
CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init()

This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:

 7. If none of the first 5 bytes of the client challenge is unique, the
    server MUST fail session-key negotiation without further processing of
    the following steps.

It lets ./zerologon_tester.py from
https://github.com/SecuraBV/CVE-2020-1472.git
report: "Attack failed. Target is probably patched."

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This commit is contained in:
Stefan Metzmacher 2020-09-16 16:17:29 +02:00
parent 53528c71ff
commit d3123858fb
2 changed files with 17 additions and 2 deletions


@ -24,6 +24,7 @@
#include "system/time.h"
#include "libcli/auth/libcli_auth.h"
#include "../libcli/security/dom_sid.h"
#include "lib/util/util_str_escape.h"
#ifndef HAVE_GNUTLS_AES_CFB8
#include "lib/crypto/aes.h"
@ -704,7 +705,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
NTSTATUS status;
bool ok;
if (!creds) {
return NULL;
@ -717,6 +718,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
ok = netlogon_creds_is_random_challenge(client_challenge);
if (!ok) {
DBG_WARNING("CVE-2020-1472(ZeroLogon): "
"non-random client challenge rejected for "
"client_account[%s] client_computer_name[%s]\n",
log_escape(mem_ctx, client_account),
log_escape(mem_ctx, client_computer_name));
dump_data(DBGLVL_WARNING,
client_challenge->data,
sizeof(client_challenge->data));
talloc_free(creds);
return NULL;
}
creds->computer_name = talloc_strdup(creds, client_computer_name);
if (!creds->computer_name) {
talloc_free(creds);
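Review bot: The two `log_escape(mem_ctx, ...)` results in the rejection path are allocated on the caller's mem_ctx and are never released, so each rejected negotiation leaves two small strings on that context until it is torn down; allocating them on `creds`, which is freed two lines later (`log_escape(creds, client_account)`, `log_escape(creds, client_computer_name)`), or on a temporary talloc frame, would keep the failure path allocation-neutral, assuming log_escape returns a talloc'd string as its mem_ctx argument suggests. A short comment tying the check to its source would help the next reader, e.g. `/* MS-NRPC 3.1.4.1 step 7: a client challenge whose first 5 bytes are not unique must fail negotiation (CVE-2020-1472) */` above the `ok = netlogon_creds_is_random_challenge(client_challenge);` line. netlogon_creds_is_random_challenge() is not defined in either of this commit's two files, so it is presumably introduced by the parent commit; the @ -704,7 +705,7 hunk also shows only the added `bool ok;` without the deleted line, so the rendered view appears to have dropped a blank line there. netlogon_creds_server_init() starts before and ends after this hunk.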


@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK',
bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
source='credentials.c session.c smbencrypt.c smbdes.c',
public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS',
public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS util_str_escape',
public_headers='credentials.h:domain_credentials.h'
)