sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-24 02:04:21 +03:00
Code

CVE-2022-32743 s4:rpc_server/netlogon: Connect to samdb as a user, rather than as system

Browse Source 
This allows us to perform validation on a client-specified dNSHostName
value, to ensure that it matches the sAMAccountName.

We might not have any rights to modify the account, so pass the control
FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE which allows us to perform
a validated write to dNSHostName and servicePrincipalName (and
unvalidated writes to other attributes, such as operatingSystem).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Joseph Sutton 2022-06-07 17:29:02 +12:00 committed by Douglas Bagnall
parent 02c2a8c7b0
commit f545142380
2 changed files with 5 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
selftest/knownfail.d/netlogon-dns-host-name
View File

@ -1,15 +1,2 @@
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_suffix\(
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_validated_write\(
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_write_property\(
^samba4.rpc.netlogon on ncacn_ip_tcp with bigendian.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncacn_ip_tcp with seal,padcheck.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncacn_ip_tcp with validate.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncacn_np with bigendian.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncacn_np with seal,padcheck.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncacn_np with validate.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncalrpc with bigendian.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncalrpc with seal,padcheck.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncalrpc with validate.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon with bigendian.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon with seal,padcheck.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon with validate.netlogon.GetDomainInfo\(
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_valid\(
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_valid_denied\(

5
source4/rpc_server/netlogon/dcerpc_netlogon.c
View File

@ -2450,7 +2450,8 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
}
NT_STATUS_NOT_OK_RETURN(status);
sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
/* We want to avoid connecting as system. */
sam_ctx = dcesrv_samdb_connect_as_user(mem_ctx, dce_call);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
@ -2607,7 +2608,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
}
}
if (dsdb_replace(sam_ctx, new_msg, 0) != LDB_SUCCESS) {
if (dsdb_replace(sam_ctx, new_msg, DSDB_FLAG_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE) != LDB_SUCCESS) {
DEBUG(3,("Impossible to update samdb: %s\n",
ldb_errstring(sam_ctx)));
}