1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/source3/rpc_client/cli_samr.c
Jeremy Allison bde2bcc8ef Fix bug 8088 - rpccli_samr_chng_pswd_auth_crap segfaults if any input blobs are null.
Correct fix - ensure we have enough length, and correctly null out
passed in structs if not.

Jeremy.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Apr 19 00:17:08 CEST 2011 on sn-devel-104
2011-04-19 00:17:08 +02:00

493 lines
13 KiB
C

/*
Unix SMB/CIFS implementation.
RPC pipe client
Copyright (C) Tim Potter 2000-2001,
Copyright (C) Andrew Tridgell 1992-1997,2000,
Copyright (C) Rafal Szczesniak 2002.
Copyright (C) Jeremy Allison 2005.
Copyright (C) Guenther Deschner 2008.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "rpc_client/rpc_client.h"
#include "../libcli/auth/libcli_auth.h"
#include "../librpc/gen_ndr/ndr_samr_c.h"
#include "rpc_client/cli_samr.h"
#include "../lib/crypto/arcfour.h"
#include "rpc_client/init_lsa.h"
/* User change password */
NTSTATUS dcerpc_samr_chgpasswd_user(struct dcerpc_binding_handle *h,
TALLOC_CTX *mem_ctx,
struct policy_handle *user_handle,
const char *newpassword,
const char *oldpassword,
NTSTATUS *presult)
{
NTSTATUS status;
struct samr_Password hash1, hash2, hash3, hash4, hash5, hash6;
uchar old_nt_hash[16];
uchar old_lm_hash[16];
uchar new_nt_hash[16];
uchar new_lm_hash[16];
ZERO_STRUCT(old_nt_hash);
ZERO_STRUCT(old_lm_hash);
ZERO_STRUCT(new_nt_hash);
ZERO_STRUCT(new_lm_hash);
DEBUG(10,("rpccli_samr_chgpasswd_user\n"));
E_md4hash(oldpassword, old_nt_hash);
E_md4hash(newpassword, new_nt_hash);
E_deshash(oldpassword, old_lm_hash);
E_deshash(newpassword, new_lm_hash);
E_old_pw_hash(new_lm_hash, old_lm_hash, hash1.hash);
E_old_pw_hash(old_lm_hash, new_lm_hash, hash2.hash);
E_old_pw_hash(new_nt_hash, old_nt_hash, hash3.hash);
E_old_pw_hash(old_nt_hash, new_nt_hash, hash4.hash);
E_old_pw_hash(old_lm_hash, new_nt_hash, hash5.hash);
E_old_pw_hash(old_nt_hash, new_lm_hash, hash6.hash);
status = dcerpc_samr_ChangePasswordUser(h,
mem_ctx,
user_handle,
true,
&hash1,
&hash2,
true,
&hash3,
&hash4,
true,
&hash5,
true,
&hash6,
presult);
return status;
}
NTSTATUS rpccli_samr_chgpasswd_user(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
struct policy_handle *user_handle,
const char *newpassword,
const char *oldpassword)
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
status = dcerpc_samr_chgpasswd_user(cli->binding_handle,
mem_ctx,
user_handle,
newpassword,
oldpassword,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return result;
}
/* User change password */
NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
TALLOC_CTX *mem_ctx,
const char *srv_name_slash,
const char *username,
const char *newpassword,
const char *oldpassword,
NTSTATUS *presult)
{
NTSTATUS status;
struct samr_CryptPassword new_nt_password;
struct samr_CryptPassword new_lm_password;
struct samr_Password old_nt_hash_enc;
struct samr_Password old_lanman_hash_enc;
uint8_t old_nt_hash[16];
uint8_t old_lanman_hash[16];
uint8_t new_nt_hash[16];
uint8_t new_lanman_hash[16];
struct lsa_String server, account;
DEBUG(10,("rpccli_samr_chgpasswd_user2\n"));
init_lsa_String(&server, srv_name_slash);
init_lsa_String(&account, username);
/* Calculate the MD4 hash (NT compatible) of the password */
E_md4hash(oldpassword, old_nt_hash);
E_md4hash(newpassword, new_nt_hash);
if (lp_client_lanman_auth() &&
E_deshash(newpassword, new_lanman_hash) &&
E_deshash(oldpassword, old_lanman_hash)) {
/* E_deshash returns false for 'long' passwords (> 14
DOS chars). This allows us to match Win2k, which
does not store a LM hash for these passwords (which
would reduce the effective password length to 14) */
encode_pw_buffer(new_lm_password.data, newpassword, STR_UNICODE);
arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
}
encode_pw_buffer(new_nt_password.data, newpassword, STR_UNICODE);
arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
status = dcerpc_samr_ChangePasswordUser2(h,
mem_ctx,
&server,
&account,
&new_nt_password,
&old_nt_hash_enc,
true,
&new_lm_password,
&old_lanman_hash_enc,
presult);
return status;
}
NTSTATUS rpccli_samr_chgpasswd_user2(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
const char *username,
const char *newpassword,
const char *oldpassword)
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
status = dcerpc_samr_chgpasswd_user2(cli->binding_handle,
mem_ctx,
cli->srv_name_slash,
username,
newpassword,
oldpassword,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return result;
}
/* User change password given blobs */
NTSTATUS dcerpc_samr_chng_pswd_auth_crap(struct dcerpc_binding_handle *h,
TALLOC_CTX *mem_ctx,
const char *srv_name_slash,
const char *username,
DATA_BLOB new_nt_password_blob,
DATA_BLOB old_nt_hash_enc_blob,
DATA_BLOB new_lm_password_blob,
DATA_BLOB old_lm_hash_enc_blob,
NTSTATUS *presult)
{
NTSTATUS status;
struct samr_CryptPassword new_nt_password;
struct samr_CryptPassword new_lm_password;
struct samr_Password old_nt_hash_enc;
struct samr_Password old_lm_hash_enc;
struct lsa_String server, account;
DEBUG(10,("rpccli_samr_chng_pswd_auth_crap\n"));
ZERO_STRUCT(new_nt_password);
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_nt_hash_enc);
ZERO_STRUCT(old_lm_hash_enc);
init_lsa_String(&server, srv_name_slash);
init_lsa_String(&account, username);
if (new_nt_password_blob.data && new_nt_password_blob.length >= 516) {
memcpy(&new_nt_password.data, new_nt_password_blob.data, 516);
}
if (new_lm_password_blob.data && new_lm_password_blob.length >= 516) {
memcpy(&new_lm_password.data, new_lm_password_blob.data, 516);
}
if (old_nt_hash_enc_blob.data && old_nt_hash_enc_blob.length >= 16) {
memcpy(&old_nt_hash_enc.hash, old_nt_hash_enc_blob.data, 16);
}
if (old_lm_hash_enc_blob.data && old_lm_hash_enc_blob.length >= 16) {
memcpy(&old_lm_hash_enc.hash, old_lm_hash_enc_blob.data, 16);
}
status = dcerpc_samr_ChangePasswordUser2(h,
mem_ctx,
&server,
&account,
&new_nt_password,
&old_nt_hash_enc,
true,
&new_lm_password,
&old_lm_hash_enc,
presult);
return status;
}
NTSTATUS rpccli_samr_chng_pswd_auth_crap(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
const char *username,
DATA_BLOB new_nt_password_blob,
DATA_BLOB old_nt_hash_enc_blob,
DATA_BLOB new_lm_password_blob,
DATA_BLOB old_lm_hash_enc_blob)
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
status = dcerpc_samr_chng_pswd_auth_crap(cli->binding_handle,
mem_ctx,
cli->srv_name_slash,
username,
new_nt_password_blob,
old_nt_hash_enc_blob,
new_lm_password_blob,
old_lm_hash_enc_blob,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return result;
}
/* change password 3 */
NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
TALLOC_CTX *mem_ctx,
const char *srv_name_slash,
const char *username,
const char *newpassword,
const char *oldpassword,
struct samr_DomInfo1 **dominfo1,
struct userPwdChangeFailureInformation **reject,
NTSTATUS *presult)
{
NTSTATUS status;
struct samr_CryptPassword new_nt_password;
struct samr_CryptPassword new_lm_password;
struct samr_Password old_nt_hash_enc;
struct samr_Password old_lanman_hash_enc;
uint8_t old_nt_hash[16];
uint8_t old_lanman_hash[16];
uint8_t new_nt_hash[16];
uint8_t new_lanman_hash[16];
struct lsa_String server, account;
DEBUG(10,("rpccli_samr_chgpasswd_user3\n"));
init_lsa_String(&server, srv_name_slash);
init_lsa_String(&account, username);
/* Calculate the MD4 hash (NT compatible) of the password */
E_md4hash(oldpassword, old_nt_hash);
E_md4hash(newpassword, new_nt_hash);
if (lp_client_lanman_auth() &&
E_deshash(newpassword, new_lanman_hash) &&
E_deshash(oldpassword, old_lanman_hash)) {
/* E_deshash returns false for 'long' passwords (> 14
DOS chars). This allows us to match Win2k, which
does not store a LM hash for these passwords (which
would reduce the effective password length to 14) */
encode_pw_buffer(new_lm_password.data, newpassword, STR_UNICODE);
arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
}
encode_pw_buffer(new_nt_password.data, newpassword, STR_UNICODE);
arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
status = dcerpc_samr_ChangePasswordUser3(h,
mem_ctx,
&server,
&account,
&new_nt_password,
&old_nt_hash_enc,
true,
&new_lm_password,
&old_lanman_hash_enc,
NULL,
dominfo1,
reject,
presult);
return status;
}
NTSTATUS rpccli_samr_chgpasswd_user3(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
const char *username,
const char *newpassword,
const char *oldpassword,
struct samr_DomInfo1 **dominfo1,
struct userPwdChangeFailureInformation **reject)
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
status = dcerpc_samr_chgpasswd_user3(cli->binding_handle,
mem_ctx,
cli->srv_name_slash,
username,
newpassword,
oldpassword,
dominfo1,
reject,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return result;
}
/* This function returns the bizzare set of (max_entries, max_size) required
for the QueryDisplayInfo RPC to actually work against a domain controller
with large (10k and higher) numbers of users. These values were
obtained by inspection using ethereal and NT4 running User Manager. */
void dcerpc_get_query_dispinfo_params(int loop_count,
uint32_t *max_entries,
uint32_t *max_size)
{
switch(loop_count) {
case 0:
*max_entries = 512;
*max_size = 16383;
break;
case 1:
*max_entries = 1024;
*max_size = 32766;
break;
case 2:
*max_entries = 2048;
*max_size = 65532;
break;
case 3:
*max_entries = 4096;
*max_size = 131064;
break;
default: /* loop_count >= 4 */
*max_entries = 4096;
*max_size = 131071;
break;
}
}
NTSTATUS dcerpc_try_samr_connects(struct dcerpc_binding_handle *h,
TALLOC_CTX *mem_ctx,
const char *srv_name_slash,
uint32_t access_mask,
struct policy_handle *connect_pol,
NTSTATUS *presult)
{
NTSTATUS status;
union samr_ConnectInfo info_in, info_out;
struct samr_ConnectInfo1 info1;
uint32_t lvl_out = 0;
ZERO_STRUCT(info1);
info1.client_version = SAMR_CONNECT_W2K;
info_in.info1 = info1;
status = dcerpc_samr_Connect5(h,
mem_ctx,
srv_name_slash,
access_mask,
1,
&info_in,
&lvl_out,
&info_out,
connect_pol,
presult);
if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(*presult)) {
return status;
}
status = dcerpc_samr_Connect4(h,
mem_ctx,
srv_name_slash,
SAMR_CONNECT_W2K,
access_mask,
connect_pol,
presult);
if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(*presult)) {
return status;
}
status = dcerpc_samr_Connect2(h,
mem_ctx,
srv_name_slash,
access_mask,
connect_pol,
presult);
return status;
}
NTSTATUS rpccli_try_samr_connects(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
uint32_t access_mask,
struct policy_handle *connect_pol)
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
status = dcerpc_try_samr_connects(cli->binding_handle,
mem_ctx,
cli->srv_name_slash,
access_mask,
connect_pol,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return result;
}
/* vim: set ts=8 sw=8 noet cindent: */