
CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life

For Heimdal, this now matches the behaviour of Windows. The object of
this requirement is to ensure that kpasswd tickets, which have a lifetime
of no more than two minutes, cannot be passed off as TGTs.

An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer
suffices to prevent kpasswd ticket misuse, so this is just an additional
precaution on top.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Joseph Sutton 2022-05-30 19:18:17 +12:00 committed by Jule Anger
parent 018bdbc29d
commit ffb599050a
2 changed files with 26 additions and 1 deletions


@ -58,7 +58,6 @@
# Kpasswd tests
#
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc


@ -415,6 +415,32 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
krbtgt = &signing_krbtgt_hdb;
}
}
} else if (!krbtgt_skdc_entry->is_trust) {
/*
* We expect to have received a TGT, so check that we haven't
* been given a kpasswd ticket instead. We don't need to do this
* check for an incoming trust, as they use a different secret
* and can't be confused with a normal TGT.
*/
krb5_ticket *tgt = kdc_request_get_ticket(r);
struct timeval now = krb5_kdc_get_time();
/*
* Check if the ticket is in the last two minutes of its
* life.
*/
KerberosTime lifetime = rk_time_sub(tgt->ticket.endtime, now.tv_sec);
if (lifetime <= CHANGEPW_LIFETIME) {
/*
* This ticket has at most two minutes left to live. It
* may be a kpasswd ticket rather than a TGT, so don't
* accept it.
*/
kdc_audit_addreason((kdc_request_t)r,
"Ticket is not a ticket-granting ticket");
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
}
ret = samba_wdc_reget_pac2(r,