1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/libcli
Tim Beale ba46578f97 CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.

What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.

Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.

One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-14 13:57:16 +02:00
..
auth CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth". 2018-08-14 13:57:15 +02:00
cldap tevent: Fix callers of tevent_req_set_endtime 2018-04-24 19:41:15 +02:00
dns tevent: Fix callers of tevent_req_set_endtime 2018-04-24 19:41:15 +02:00
drsuapi werror: replace WERR_SEC_E_DECRYPT_FAILURE with HRES_SEC_E_DECRYPT_FAILURE 2016-09-28 00:04:35 +02:00
echo s4: torture: Change torture_register_suite() to add a TALLOC_CTX *. 2017-05-05 15:52:11 +02:00
ldap typo: mplementation => implementation 2016-05-06 05:03:16 +02:00
lsarpc libcli/lsarpc: add struct trustAuthInOutBlob; forward declaration 2014-04-02 09:03:42 +02:00
named_pipe_auth Fix spelling s/conection/connection/ 2018-05-12 02:09:26 +02:00
nbt libcli/nbt: Additionally accept unicode as string param in Py2 2018-04-30 15:43:19 +02:00
netlogon libcli/netlogon: We need to handle a bug in FreeIPA (at least <= 4.1.2). 2015-01-05 17:01:08 +01:00
registry build: Make util_reg subsystem in libcli/registry a library 2011-05-18 16:12:08 +02:00
samsync libcli: Use "all_zero" where appropriate 2017-01-03 16:04:28 +01:00
security CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights 2018-08-14 13:57:16 +02:00
smb libcli: Fix coverity warning in smb2cli_notify_send() 2018-05-16 21:30:23 +02:00
smbreadline lib/smbreadline: detect picky compile issue with readline.h 2017-11-24 01:13:15 +01:00
util python: Make generated modules samba.ntstatus and samba.werror Python 3 compatible. 2017-08-22 17:38:17 +02:00