[SCM] Samba Shared Repository - branch master updated -
f53578daf4f5591f47fbe0e3effc50c5bdaffd3b
Jeremy Allison
jra at samba.org
Wed Oct 22 20:22:13 GMT 2008
The branch, master has been updated
via f53578daf4f5591f47fbe0e3effc50c5bdaffd3b (commit)
from 9994cbffa70464331dd7248c3a7e93e24acb0b62 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f53578daf4f5591f47fbe0e3effc50c5bdaffd3b
Author: Jeremy Allison <jra at samba.org>
Date: Wed Oct 22 13:21:23 2008 -0700
Fix net rpc vampire, based on an *amazing* piece of debugging work by "Cooper S. Blake" <the_analogkid at yahoo.com>.
"I believe I have found two bugs in the 3.2 code and one bug that
carried on to the 3.3 branch. In the 3.2 code, everything is
located in the utils/net_rpc_samsync.c file. What I believe is the
first problem is that fetch_database() is calling
samsync_fix_delta_array() with rid_crypt set to true, which means
the password hashes are unencrypted from the RID encryption.
However, I believe this call is redundant, and the corresponding
call for samdump has rid_crypt set to false. So I think the
rid_crypt param should be false in fetch_database().
If you follow the code, it makes its way to sam_account_from_delta()
where the password hashes are decrypted a second time by calling
sam_pwd_hash(). I believe this is what is scrambling my passwords.
These methods were refactored somewhere in the 3.3 branch. Now the
net_rpc_samsync.c class calls rpc_vampire_internals, which calls
libnet/libnet_samsync.c, which calls samsync_fix_delta_array() with
rid_crypt always set to false. I think that's correct. But the
second bug has carried through in the sam_account_from_delta()
function:
208 if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
209 sam_pwd_hash(r->rid, r->ntpassword.hash, lm_passwd, 0);
210 pdb_set_lanman_passwd(account, lm_passwd, PDB_CHANGED);
211 }
212
213 if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
214 sam_pwd_hash(r->rid, r->lmpassword.hash, nt_passwd, 0);
215 pdb_set_nt_passwd(account, nt_passwd, PDB_CHANGED);
If you look closely you'll see that the nt hash is going into the
lm_passwd variable and the decrypted value is being set in the lanman
hash, and the lanman hash is being decrypted and put into the nt hash
field. So the LanMan and NT hashes look like they're being put in
the opposite fields."
Fix this by removing the rid_crypt parameter.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source3/libnet/libnet_samsync.c | 53 ++++++++++++++++++------------
source3/libnet/libnet_samsync_display.c | 11 +++---
source3/libnet/libnet_samsync_keytab.c | 5 +--
source3/libnet/libnet_samsync_ldif.c | 11 +++---
source3/libnet/libnet_samsync_passdb.c | 15 ++++-----
5 files changed, 50 insertions(+), 45 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
index 64dcf6d..00caf2b 100644
--- a/source3/libnet/libnet_samsync.c
+++ b/source3/libnet/libnet_samsync.c
@@ -33,7 +33,6 @@
static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key,
- bool rid_crypt,
enum netr_SamDatabaseID database_id,
struct netr_DELTA_ENUM *delta)
{
@@ -42,17 +41,29 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
struct netr_DELTA_USER *user = delta->delta_union.user;
struct samr_Password lm_hash;
struct samr_Password nt_hash;
+ unsigned char zero_buf[16];
- if (rid_crypt) {
- if (user->lm_password_present) {
+ memset(zero_buf, '\0', sizeof(zero_buf));
+
+ /* Note that win2000 may send us all zeros
+ * for the hashes if it doesn't
+ * think this channel is secure enough. */
+ if (user->lm_password_present) {
+ if (memcmp(user->lmpassword.hash, zero_buf, 16) != 0) {
sam_pwd_hash(rid, user->lmpassword.hash, lm_hash.hash, 0);
- user->lmpassword = lm_hash;
+ } else {
+ memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
}
+ user->lmpassword = lm_hash;
+ }
- if (user->nt_password_present) {
+ if (user->nt_password_present) {
+ if (memcmp(user->ntpassword.hash, zero_buf, 16) != 0) {
sam_pwd_hash(rid, user->ntpassword.hash, nt_hash.hash, 0);
- user->ntpassword = nt_hash;
+ } else {
+ memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
}
+ user->ntpassword = nt_hash;
}
if (user->user_private_info.SensitiveData) {
@@ -72,26 +83,31 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
return ndr_map_error2ntstatus(ndr_err);
}
+ /* Note that win2000 may send us all zeros
+ * for the hashes if it doesn't
+ * think this channel is secure enough. */
if (keys.keys.keys2.lmpassword.length == 16) {
- if (rid_crypt) {
+ if (memcmp(keys.keys.keys2.lmpassword.pwd.hash,
+ zero_buf, 16) != 0) {
sam_pwd_hash(rid,
- keys.keys.keys2.lmpassword.pwd.hash,
- lm_hash.hash, 0);
- user->lmpassword = lm_hash;
+ keys.keys.keys2.lmpassword.pwd.hash,
+ lm_hash.hash, 0);
} else {
- user->lmpassword = keys.keys.keys2.lmpassword.pwd;
+ memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
}
+ user->lmpassword = lm_hash;
user->lm_password_present = true;
}
if (keys.keys.keys2.ntpassword.length == 16) {
- if (rid_crypt) {
+ if (memcmp(keys.keys.keys2.ntpassword.pwd.hash,
+ zero_buf, 16) != 0) {
sam_pwd_hash(rid,
- keys.keys.keys2.ntpassword.pwd.hash,
- nt_hash.hash, 0);
- user->ntpassword = nt_hash;
+ keys.keys.keys2.ntpassword.pwd.hash,
+ nt_hash.hash, 0);
} else {
- user->ntpassword = keys.keys.keys2.ntpassword.pwd;
+ memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
}
+ user->ntpassword = nt_hash;
user->nt_password_present = true;
}
/* TODO: rid decrypt history fields */
@@ -129,7 +145,6 @@ static NTSTATUS fix_secret(TALLOC_CTX *mem_ctx,
static NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key,
- bool rid_crypt,
enum netr_SamDatabaseID database_id,
struct netr_DELTA_ENUM *delta)
{
@@ -140,7 +155,6 @@ static NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
status = fix_user(mem_ctx,
session_key,
- rid_crypt,
database_id,
delta);
break;
@@ -165,7 +179,6 @@ static NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key,
- bool rid_crypt,
enum netr_SamDatabaseID database_id,
struct netr_DELTA_ENUM_ARRAY *r)
{
@@ -176,7 +189,6 @@ static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx,
status = samsync_fix_delta(mem_ctx,
session_key,
- rid_crypt,
database_id,
&r->delta_enum[i]);
if (!NT_STATUS_IS_OK(status)) {
@@ -330,7 +342,6 @@ NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
samsync_fix_delta_array(mem_ctx,
&session_key,
- false,
database_id,
delta_enum_array);
diff --git a/source3/libnet/libnet_samsync_display.c b/source3/libnet/libnet_samsync_display.c
index 6f7ae4e..47c032a 100644
--- a/source3/libnet/libnet_samsync_display.c
+++ b/source3/libnet/libnet_samsync_display.c
@@ -59,21 +59,20 @@ static void display_account_info(uint32_t rid,
struct netr_DELTA_USER *r)
{
fstring hex_nt_passwd, hex_lm_passwd;
- uchar lm_passwd[16], nt_passwd[16];
- static uchar zero_buf[16];
+ uchar zero_buf[16];
+
+ memset(zero_buf, '\0', sizeof(zero_buf));
/* Decode hashes from password hash (if they are not NULL) */
if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
- sam_pwd_hash(r->rid, r->lmpassword.hash, lm_passwd, 0);
- pdb_sethexpwd(hex_lm_passwd, lm_passwd, r->acct_flags);
+ pdb_sethexpwd(hex_lm_passwd, r->lmpassword.hash, r->acct_flags);
} else {
pdb_sethexpwd(hex_lm_passwd, NULL, 0);
}
if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
- sam_pwd_hash(r->rid, r->ntpassword.hash, nt_passwd, 0);
- pdb_sethexpwd(hex_nt_passwd, nt_passwd, r->acct_flags);
+ pdb_sethexpwd(hex_nt_passwd, r->ntpassword.hash, r->acct_flags);
} else {
pdb_sethexpwd(hex_nt_passwd, NULL, 0);
}
diff --git a/source3/libnet/libnet_samsync_keytab.c b/source3/libnet/libnet_samsync_keytab.c
index 9e666ce..4b0cc06 100644
--- a/source3/libnet/libnet_samsync_keytab.c
+++ b/source3/libnet/libnet_samsync_keytab.c
@@ -78,20 +78,17 @@ static NTSTATUS fetch_sam_entry_keytab(TALLOC_CTX *mem_ctx,
bool last_query,
struct libnet_keytab_context *ctx)
{
- uchar nt_passwd[16];
struct libnet_keytab_entry entry;
if (memcmp(r->ntpassword.hash, ctx->zero_buf, 16) == 0) {
return NT_STATUS_OK;
}
- sam_pwd_hash(rid, r->ntpassword.hash, nt_passwd, 0);
-
entry.name = talloc_strdup(mem_ctx, r->account_name.string);
entry.principal = talloc_asprintf(mem_ctx, "%s@%s",
r->account_name.string,
ctx->dns_domain_name);
- entry.password = data_blob_talloc(mem_ctx, nt_passwd, 16);
+ entry.password = data_blob_talloc(mem_ctx, r->ntpassword.hash, 16);
entry.kvno = ads_get_kvno(ctx->ads, entry.name);
entry.enctype = ENCTYPE_NULL;
diff --git a/source3/libnet/libnet_samsync_ldif.c b/source3/libnet/libnet_samsync_ldif.c
index cbae22a..dd5380b 100644
--- a/source3/libnet/libnet_samsync_ldif.c
+++ b/source3/libnet/libnet_samsync_ldif.c
@@ -576,15 +576,16 @@ static NTSTATUS fetch_account_info_to_ldif(TALLOC_CTX *mem_ctx,
fstring username, logonscript, homedrive, homepath = "", homedir = "";
fstring hex_nt_passwd, hex_lm_passwd;
fstring description, profilepath, fullname, sambaSID;
- uchar lm_passwd[16], nt_passwd[16];
char *flags, *user_rdn;
const char *ou;
const char* nopasswd = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
- static uchar zero_buf[16];
+ uchar zero_buf[16];
uint32 rid = 0, group_rid = 0, gidNumber = 0;
time_t unix_time;
int i;
+ memset(zero_buf, '\0', sizeof(zero_buf));
+
/* Get the username */
fstrcpy(username, r->account_name.string);
@@ -630,14 +631,12 @@ static NTSTATUS fetch_account_info_to_ldif(TALLOC_CTX *mem_ctx,
/* Get lm and nt password data */
if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
- sam_pwd_hash(r->rid, r->lmpassword.hash, lm_passwd, 0);
- pdb_sethexpwd(hex_lm_passwd, lm_passwd, r->acct_flags);
+ pdb_sethexpwd(hex_lm_passwd, r->lmpassword.hash, r->acct_flags);
} else {
pdb_sethexpwd(hex_lm_passwd, NULL, 0);
}
if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
- sam_pwd_hash(r->rid, r->ntpassword.hash, nt_passwd, 0);
- pdb_sethexpwd(hex_nt_passwd, nt_passwd, r->acct_flags);
+ pdb_sethexpwd(hex_nt_passwd, r->ntpassword.hash, r->acct_flags);
} else {
pdb_sethexpwd(hex_nt_passwd, NULL, 0);
}
diff --git a/source3/libnet/libnet_samsync_passdb.c b/source3/libnet/libnet_samsync_passdb.c
index 7d07bcb..1faef7b 100644
--- a/source3/libnet/libnet_samsync_passdb.c
+++ b/source3/libnet/libnet_samsync_passdb.c
@@ -40,8 +40,9 @@ static NTSTATUS sam_account_from_delta(struct samu *account,
{
const char *old_string, *new_string;
time_t unix_time, stored_time;
- uchar lm_passwd[16], nt_passwd[16];
- static uchar zero_buf[16];
+ uchar zero_buf[16];
+
+ memset(zero_buf, '\0', sizeof(zero_buf));
/* Username, fullname, home dir, dir drive, logon script, acct
desc, workstations, profile. */
@@ -205,14 +206,12 @@ static NTSTATUS sam_account_from_delta(struct samu *account,
think this channel is secure enough - don't set the passwords at all
in that case
*/
- if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
- sam_pwd_hash(r->rid, r->ntpassword.hash, lm_passwd, 0);
- pdb_set_lanman_passwd(account, lm_passwd, PDB_CHANGED);
+ if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
+ pdb_set_lanman_passwd(account, r->lmpassword.hash, PDB_CHANGED);
}
- if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
- sam_pwd_hash(r->rid, r->lmpassword.hash, nt_passwd, 0);
- pdb_set_nt_passwd(account, nt_passwd, PDB_CHANGED);
+ if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
+ pdb_set_nt_passwd(account, r->ntpassword.hash, PDB_CHANGED);
}
/* TODO: account expiry time */
--
Samba Shared Repository
More information about the samba-cvs
mailing list