1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-28 07:21:54 +03:00
samba-mirror/libcli/auth
Günther Deschner c25460ee1f CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
This fixes a regression that came in via 00db3aba6c.

Found by Vivek Das <vdas@redhat.com> (Red Hat QE).

In order to demonstrate simply run:

smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no

against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-14 13:57:15 +02:00
..
tests CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check() 2018-08-14 13:57:15 +02:00
credentials.c libcli: Apply some const 2017-09-16 08:36:18 +02:00
credentials.h
libcli_auth.h
msrpc_parse.c libcli/auth: remove unused variable in msrpc_parse() 2016-07-06 19:07:16 +02:00
msrpc_parse.h
netlogon_creds_cli.c dbwrap: Remove calls to loadparm 2018-04-24 01:53:19 +02:00
netlogon_creds_cli.h netlogon_creds_cli: Pass "capabilities" up from creds_cli_check 2017-09-25 09:43:13 +02:00
ntlm_check.c CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth". 2018-08-14 13:57:15 +02:00
ntlm_check.h param: Add new "disabled" value to "ntlm auth" to disable NTLM totally 2017-07-04 06:57:20 +02:00
pam_errors.c pam: map more NT password errors to PAM errors 2016-12-13 14:12:06 +01:00
pam_errors.h
proto.h libcli: Apply some const 2017-09-16 08:36:18 +02:00
schannel_proto.h auth/gensec: move libcli/auth/schannel_sign.c into schannel.c 2014-01-07 00:27:11 +01:00
schannel_state_tdb.c dbwrap: Remove calls to loadparm 2018-04-24 01:53:19 +02:00
schannel_state.h rpc_server:netlogon Move from memcache to a tdb cache 2016-12-14 20:12:13 +01:00
schannel.h libcli/auth/schannel: make struct schannel_state private 2013-08-10 09:19:02 +02:00
session.c
smbdes.c
smbencrypt.c libcli/auth: add const to set_pw_in_buffer() 2017-06-27 16:57:46 +02:00
spnego_parse.c CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t 2016-04-12 19:25:22 +02:00
spnego_proto.h libcli/auth: add more const to spnego_negTokenInit->mechTypes 2013-08-10 11:11:53 +02:00
spnego.h CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult 2016-04-12 19:25:22 +02:00
wscript_build CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check() 2018-08-14 13:57:15 +02:00