[cifs-protocol] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397

Jo Sutton jsutton at samba.org
Fri Jul 19 04:31:58 UTC 2024


Hi Sreekanth,

Thank you for your helpful response! It seems I still haven’t got it 
quite right, as Windows responds with RPC_NT_BAD_STUB_DATA when I send 
the NetlogonTicketLogonInformation message. May I upload more traces 
next week so I can find out where I’ve gone wrong?

Cheers,
Jo (she/her)

On 19/07/24 6:40 am, Sreekanth Nadendla wrote:
> Hello Jo, please review the latest copy of [MS-NRPC].  It has the 
> updated IDL definitions as well. As of now,  [MS-APDS] is still being 
> updated. The following information should be helpful in the meantime.
> 
> MS-APDS Section 3.2.5.1 shows  messagetype field should be set to 
> 0x00000026. The actual design did not introduce such message type. We 
> are using a new  logonlevel i.e. NETLOGON_LEVEL of 
> NetlogonTicketLogonInformation and a new validationLevel i.e. 
> NETLOGON_VALIDATION of NetlogonValidationTicketLogon.
> 
>  1. From MS-APDS Section 3.2.5.1, we see the
>     NETLOGON_TICKET_LOGON_INFO is layered on top of generic pass
>     through structure however MS-NRPC section 2.2.1.4.6 defines
>     TicketLogon as a new NETLOGON_LEVEL struct which refers
>     to NETLOGON_TICKET_LOGON_INFO.
>     The NETLOGON_TICKET_LOGON_INFO message does not utilize
>     Generic Passthrough as described in MS-APDS 3.2.5.1. Instead, you
>     will be using /LogonLevel/ parameter 8
>     (NetlogonTicketLogonInformation
>     <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/8c7808e5-4e5c-420e-9c90-47286da2218f>).
> 
>  2. Generic Passthrough returns
>     NETLOGON_VALIDATION_GENERIC_INFO2. But the new TicketLogon will
>     return NETLOGON_VALIDATION_TICKET_LOGON.
>     As NETLOGON_TICKET_LOGON_INFO message does not actually utilize
>     Generic Passthrough, you will use /ValidationLevel/ parameter
>     7 (NetLogonValidationTicketLogon
>     <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/95154ae4-d305-43e5-82e4-d5353e0f117c>).
> 
> You can find a list of applicable Windows OS versions that have this 
> security update from the following link (click the “More…” link below 
> the title)
> 
>     https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1
> 
>     This list does not include Server 2025, but it also contains this
>     update.
> 
> 
> Please let me know if you have additional questions.
> 
> Regards,
> 
> Sreekanth Nadendla
> 
> Microsoft Windows Open Specifications
> 
> 
> ------------------------------------------------------------------------
> *From:* Jo Sutton <jsutton at samba.org>
> *Sent:* Tuesday, July 16, 2024 12:33 AM
> *To:* Sreekanth Nadendla <srenaden at microsoft.com>; 
> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>
> *Subject:* Re: [cifs-protocol] [EXTERNAL] Re: [MS-APDS] 
> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
> For completeness’ sake, I ran the same procedure against a Windows
> Server 2022 host, and got exactly the same STATUS_INVALID_PARAMETER
> error. For MessageType I tried both 0x00000003 and 0x00000026 (and many
> other values, for good measure).
> 
> Cheers,
> Jo (she/her)
> 
> On 10/07/24 2:08 pm, Jo Sutton via cifs-protocol wrote:
>  > Hi Sreekanth,
>  >
>  > I’m afraid that using 0x03 for the message type still gets me
>  > STATUS_INVALID_PARAMETER codes.
>  >
>  > 0x03 is the message type corresponding to KERB_VERIFY_PAC_REQUEST, which
>  > is used for the older method of PAC verification. But the message I’m
>  > attempting to send is NETLOGON_TICKET_LOGON_INFO ([MS-APDS] 2.2.2.1),
>  > which includes the entire Kerberos ticket and is used in the newer
>  > method of PAC verification.
>  >
>  > What do I need to do to get Windows Server 2019 to accept a
>  > NETLOGON_TICKET_LOGON_INFO message? I don’t see any information
>  > indicating that Windows Server 2019 doesn’t support such messages.
>  >
>  > Cheers,
>  > Jo (she/her)
>  >
>  > On 10/07/24 7:12 am, Sreekanth Nadendla wrote:
>  >> Hello Jo, can you change the message type from 0x00000026  ( byte
>  >> sequence seen as 26 00 00 00 below)  to 0x00000003 (to indicate
>  >> message type of KerbVerifyPacMessage) and try this again ?
>  >>
>  >> 0:002> db ProtocolSubmitBuffer L0x5e0
>  >>
>  >> 00000218`69819c80  26 00 00 00 00 00 11 00-21 00 31 00 c0 05 00 00  &.......!.1.....
>  >> 00000218`69819c90  00 00 02 00 00 00 00 00-00 00 00 00 c0 05 00 00  ................
>  >> 00000218`69819ca0  61 82 05 bc 30 82 05 b8-a0 03 02 01 05 a1 0d 1b  a...0...........
>  >> .. ..... .. ..... .. .....
>  >> .. ..... .. ..... .. .....
>  >> .. ..... .. ..... .. .....
>  >> 00000218`6981a250  85 1d 35 87 38 7d b1 5b-52 c0 c3 e4 30 c8 77 7d  ..5.8}.[R...0.w}
>  >>
>  >> Regards,
>  >>
>  >> Sreekanth Nadendla
>  >>
>  >> Microsoft Windows Open Specifications
>  >>
>  >>
>  >> ------------------------------------------------------------------------
>  >> *From:* Jo Sutton <jsutton at samba.org>
>  >> *Sent:* Tuesday, July 2, 2024 6:23 PM
>  >> *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
>  >> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>  >> *Cc:* Microsoft Support <supportmail at microsoft.com>
>  >> *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>  >> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>  >> Thank you, Sreekanth. I’ve uploaded a trace and network capture of a
>  >> call to NetrLogonSamLogonEx() attempting to validate a service ticket.
>  >>
>  >> Cheers,
>  >> Jo (she/her)
>  >>
>  >> On 3/07/24 2:02 am, Sreekanth Nadendla wrote:
>  >>  > Hello Jo,  you may have gotten an invitation to upload files by now.
>  >>  > Please check your e-mail folders and let me know otherwise.
>  >>  >
>  >>  > Regards,
>  >>  >
>  >>  > Sreekanth Nadendla
>  >>  >
>  >>  > Microsoft Windows Open Specifications
>  >>  >
>  >>  >
>  >> ------------------------------------------------------------------------
>  >>  > *From:* Jo Sutton <jsutton at samba.org>
>  >>  > *Sent:* Monday, July 1, 2024 10:01 PM
>  >>  > *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
>  >>  > cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>  >>  > *Cc:* Microsoft Support <supportmail at microsoft.com>
>  >>  > *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>  >>  > NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>  >>  > On second thoughts, I’d rather not send traces via unencrypted email.
>  >>  > Can you provide somewhere for me to upload them?
>  >>  >
>  >>  > Cheers,
>  >>  > Jo (she/her)
>  >>  >
>  >>  > On 2/07/24 1:57 pm, Jo Sutton via cifs-protocol wrote:
>  >>  >> [moving back to cifs-protocol]
>  >>  >>
>  >>  >> Hi Sreekanth,
>  >>  >>
>  >>  >> Call me Jo :)
>  >>  >>
>  >>  >> As I can’t seem to upload the traces via the link you sent me, I’ll try
>  >>  >> to email them to you directly.
>  >>  >>
>  >>  >> The reason for asking about NETLOGON_TICKET_LOGON_INFO is that we’re
>  >>  >> looking to address https://bugzilla.samba.org/show_bug.cgi?id=15249.
>  >>  >>
>  >>  >> Cheers,
>  >>  >> Jo (she/her)
>  >>  >>
>  >>  >> On 14/06/24 3:39 am, Sreekanth Nadendla wrote:
>  >>  >>> Hello Joseph, I've sent you instructions to download time travel trace
>  >>  >>> tool to collect traces for lsass process earlier. But we were informed
>  >>  >>> by Andrew Bartlett that the reason why you've raised the login issue
>  >>  >>> with [MS-APDS] NETLOGON_TICKET_LOGON_INFO is that you are looking to
>  >>  >>> resolve a privilege escalation problem via enforcement of PAC
>  >>  >>> verification.  I could not see how these two issues are connected
>  >>  >>> hence I'm unable to continue the investigation on my own (while you
>  >>  >>> are away dealing with a personal issue).
>  >>  >>> Please let us know whenever you are ready and we will gather the
>  >>  >>> details, data to investigate the issue you are experiencing.
>  >>  >>>
>  >>  >>> Regards,
>  >>  >>>
>  >>  >>> Sreekanth Nadendla
>  >>  >>>
>  >>  >>> Microsoft Windows Open Specifications
>  >>  >>>
>  >>  >>>
>  >>  >>>
>  >>  >>>
>  >>  >>>
>  >>  >>>
>  >>  >>> From: Jo Sutton <jsutton at samba.org>
>  >>  >>>
>  >>  >>> Sent: Monday, May 20, 2024 9:49 PM
>  >>  >>> To: cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>;
>  >>  >>> Interoperability Documentation Help <dochelp at microsoft.com>
>  >>  >>> Subject: [EXTERNAL] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message
>  >>  >>>
>  >>  >>> Hi dochelp,
>  >>  >>>
>  >>  >>> I’m trying to follow [MS-APDS] 2.2.2.1, “NETLOGON_TICKET_LOGON_INFO
>  >>  >>> Message”, in order to create a NETLOGON_TICKET_LOGON_INFO message that
>  >>  >>> will be accepted by Windows Server 2019. However, in my attempts so far,
>  >>  >>> all I’ve got is STATUS_INVALID_PARAMETER codes from NetrLogonSamLogonEx.
>  >>  >>>
>  >>  >>> Although [MS-APDS] doesn’t mention it, I assume
>  >>  >>> NETLOGON_TICKET_LOGON_INFO should contain an unsigned 32‐bit MessageType
>  >>  >>> field, set to 0x00000026, that indicates the message is a
>  >>  >>> NETLOGON_TICKET_LOGON_INFO message. Other than that, I’m not sure what
>  >>  >>> I’m doing wrong. Are the ticket fields arrays, as depicted in the
>  >>  >>> diagram, or pointers, as claimed in the documentation?
>  >>  >>>
>  >>  >>> I can provide traces showing the problem if you would like.
>  >>  >>>
>  >>  >>> Cheers,
>  >>  >>> Jo (she/her)
>  >>  >>
>  >>  >>
>  >>  >> _______________________________________________
>  >>  >> cifs-protocol mailing list
>  >>  >> cifs-protocol at lists.samba.org
>  >>  >> https://lists.samba.org/mailman/listinfo/cifs-protocol


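An added example, not part of the thread and not Samba or Microsoft code: it reads the three WinDbg dump rows quoted above and checks how the 32-bit header words relate to the DER-encoded Kerberos ticket that follows them. The function names are hypothetical, and the thread names no header field other than the message type, so the code only reports which words equal the ticket length.

```python
import re
import struct

# First three rows of the `db ProtocolSubmitBuffer L0x5e0` output quoted in
# the thread (hex columns only; the remaining rows are elided there).
DUMP = """\
00000218`69819c80  26 00 00 00 00 00 11 00-21 00 31 00 c0 05 00 00
00000218`69819c90  00 00 02 00 00 00 00 00-00 00 00 00 c0 05 00 00
00000218`69819ca0  61 82 05 bc 30 82 05 b8-a0 03 02 01 05 a1 0d 1b
"""
DUMP_LENGTH = 0x5E0  # the L0x5e0 argument passed to `db`


def dump_to_bytes(text):
    """Convert WinDbg `db` rows (address, two spaces, 16 hex bytes) to bytes."""
    out = bytearray()
    for row in text.splitlines():
        hexpart = row.partition("  ")[2][:47]  # 16 bytes take 47 characters
        out += bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hexpart))
    return bytes(out)


def der_total_length(buf, off):
    """Encoded size (identifier + length octets + content) of a DER element."""
    first = buf[off + 1]
    if first < 0x80:  # short form: the octet is the content length
        return 2 + first
    n = first & 0x7F  # long form: n big-endian length octets follow
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def inspect(buf, dump_length):
    """Summarise the header words and the embedded Kerberos ticket."""
    # A Kerberos Ticket is [APPLICATION 1] (0x61) wrapping a SEQUENCE (0x30).
    # Assumes a two-octet long-form length on the outer tag, as in this dump.
    ticket_off = next(o for o in range(0, len(buf) - 4, 4)
                      if buf[o] == 0x61 and buf[o + 4] == 0x30)
    ticket_len = der_total_length(buf, ticket_off)
    words = struct.unpack_from("<%dI" % (ticket_off // 4), buf, 0)
    return {
        "message_type": words[0],
        "ticket_offset": ticket_off,
        "ticket_length": ticket_len,
        # Header words equal to the ticket size; the thread does not name them.
        "length_word_offsets": [4 * i for i, w in enumerate(words) if w == ticket_len],
        "fills_buffer": ticket_off + ticket_len == dump_length,
    }


RESULT = inspect(dump_to_bytes(DUMP), DUMP_LENGTH)
```

For this dump the first word is 0x26, and the ticket starts at offset 0x20 and ends exactly at the 0x5e0-byte boundary given to `db`.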