[SCM] Samba Shared Repository - branch v4-0-stable updated

Karolin Seeger kseeger at samba.org
Tue Jan 15 01:23:25 MST 2013


The branch, v4-0-stable has been updated
       via  d2e9007 VERSION: Bump version number up to 4.0.1. (CVE-2013-0172)
       via  0c02492 WHATSNEW: Update release notes for Samba 4.0.1. (CVE-2013-0172)
       via  8bafe08 dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)
       via  d776fd8 dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug #9554 - CVE-2013-0172)
       via  a758054 libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
      from  df33344 VERSION: Bump version number up to 4.0.0.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-stable


- Log -----------------------------------------------------------------
commit d2e900757d8e8e2a82cb14e79814ed3cbc8d93c1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 10 12:55:51 2013 +0100

    VERSION: Bump version number up to 4.0.1. (CVE-2013-0172)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 0c02492c204eacecf2107ee0dd2060cfb53f4c37
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 10 12:55:14 2013 +0100

    WHATSNEW: Update release notes for Samba 4.0.1. (CVE-2013-0172)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 8bafe0871526cd5d5e7fdbe123ab661379f64cb1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jan 10 09:30:38 2013 +1100

    dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d776fd807e0c9a62f428ce666ff812655f98bc47
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jan 9 16:59:18 2013 +1100

    dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug #9554 - CVE-2013-0172)
    
    This seems inefficient, but is needed for correctness.  The
    alternative might be to have the sec_access_check_ds code confirm that
    *all* of the nodes in the object tree have been cleared to
    node->remaining_bits == 0.
    
    Otherwise, I fear that write access to one attribute will become write
    access to all attributes.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a75805490d96a85786287f5d0522dd7671d6816e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jan 3 20:39:23 2013 +1100

    libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
    
    It is critically important that we initialise this element as otherwise
    all access is permitted.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION                              |    2 +-
 WHATSNEW.txt                         |   56 ++++++++++++++++++++++++++++++++++
 libcli/security/object_tree.c        |    1 +
 source4/dsdb/samdb/ldb_modules/acl.c |   55 ++++++++++++++++-----------------
 source4/dsdb/tests/python/acl.py     |   15 +++++++++
 5 files changed, 100 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 8aa0bfb..d7d5459 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 520075f..5c69ca9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,60 @@
                    =============================
+                   Release Notes for Samba 4.0.1
+                          January 15, 2013
+                   =============================
+
+
+This is a security release in order to address CVE-2013-0172.
+
+o  CVE-2013-0172:
+   Samba 4.0.0 as an AD DC may provide authenticated users with write access
+   to LDAP directory objects.
+
+   In AD, Access Control Entries can be assigned based on the objectClass
+   of the object.  If a user or a group the user is a member of has any
+   access based on the objectClass, then that user has write access to that
+   object.
+
+   Additionally, if a user has write access to any attribute on the object,
+   they may have access to write to all attributes.
+
+   An important mitigation is that anonymous access is totally disabled by
+   default.  The second important mitigation is that normal users are
+   typically only given the problematic per-objectClass right via the
+   "pre-windows 2000 compatible access" group, and Samba 4.0.0 incorrectly
+   does not make "authenticated users" part of this group.
+
+Changes since 4.0.0:
+====================
+
+o   Andrew Bartlett <abartlet at samba.org>
+    * Bug 9554 - CVE-2013-0172 - Samba 4.0 as an AD DC may provide authenticated
+      users with write access to LDAP directory objects.
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.0 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.0.0
                          December 11, 2012
                    =============================
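Review bot: the mitigation paragraph under "o  CVE-2013-0172:" explains that normal users usually obtain the per-objectClass right only through the "pre-windows 2000 compatible access" group, but it does not tell administrators what to check; a sentence stating that sites which have added "authenticated users" (or other broad groups) to that group do not benefit from the second mitigation and should update immediately would make the note actionable. The entry under "Changes since 4.0.0:" could also point at the Bugzilla URL given further down so readers can reach bug 9554 directly.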
diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c
index 6809c8e..dcbd310 100644
--- a/libcli/security/object_tree.c
+++ b/libcli/security/object_tree.c
@@ -53,6 +53,7 @@ bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
 			return false;
 		}
 		(*root)->guid = *guid;
+		(*root)->remaining_access = init_access;
 		*new_node = *root;
 		return true;
 	}
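Review bot: the added `(*root)->remaining_access = init_access;` is the whole fix for the root-node case, and the commit message says an unset field here meant all access was permitted; a short comment at this line stating that `remaining_access` must start equal to `init_access` and is only ever reduced by the access check would keep a future refactor from dropping it. A unit test in libcli/security that builds a one-node tree and asserts `root->remaining_access == init_access` after `insert_in_object_tree` would also catch a regression without going through the dsdb acl module.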
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9bf2612..3f09760 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -977,8 +977,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 	unsigned int i;
 	const struct GUID *guid;
 	uint32_t access_granted;
-	struct object_tree *root = NULL;
-	struct object_tree *new_node = NULL;
 	NTSTATUS status;
 	struct ldb_result *acl_res;
 	struct security_descriptor *sd;
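Review bot: `uint32_t access_granted;` and `NTSTATUS status;` stay at function scope although, after this change, both are used only inside the per-attribute branch where `root` and `new_node` now live; moving them alongside the two relocated declarations would make the per-attribute scope of the check explicit.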
@@ -1043,12 +1041,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 				 "acl_modify: Error retrieving object class GUID.");
 	}
 	sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
-	if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
-				   &root, &new_node)) {
-		talloc_free(tmp_ctx);
-		return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
-				 "acl_modify: Error adding new node in object tree.");
-	}
 	for (i=0; i < req->op.mod.message->num_elements; i++){
 		const struct dsdb_attribute *attr;
 		attr = dsdb_attribute_by_lDAPDisplayName(schema,
@@ -1129,6 +1121,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 				goto fail;
 			}
 		} else {
+			struct object_tree *root = NULL;
+			struct object_tree *new_node = NULL;
 
 		/* This basic attribute existence check with the right errorcode
 		 * is needed since this module is the first one which requests
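Review bot: the new `struct object_tree *root = NULL;` and `new_node` declarations are separated from the pre-existing comment block by a blank line while that comment sits one indentation level shallower than the code around it; re-indenting the comment to match the block it precedes would avoid the visual suggestion that the declarations and the existence check belong to different scopes.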
@@ -1143,6 +1137,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 				ret =  LDB_ERR_NO_SUCH_ATTRIBUTE;
 				goto fail;
 			}
+
+			if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
+						   &root, &new_node)) {
+				talloc_free(tmp_ctx);
+				return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+						 "acl_modify: Error adding new node in object tree.");
+			}
+
 			if (!insert_in_object_tree(tmp_ctx,
 						   &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
 						   &new_node, &new_node)) {
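Review bot: the failure path of the added `insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP, &root, &new_node)` call does `talloc_free(tmp_ctx); return ldb_error(...)` directly, whereas the neighbouring error paths in this function set `ret = LDB_ERR_...;` and `goto fail;`; using the same `goto fail` convention here keeps one exit path and avoids a second place that must remember to free `tmp_ctx`. Note also that a fresh tree is now allocated on `tmp_ctx` for every element of the modify message; that is fine while `tmp_ctx` is freed at the end of the request, but worth a comment so nobody later moves the allocation to a longer-lived context.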
@@ -1159,27 +1161,24 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 				ret = LDB_ERR_OPERATIONS_ERROR;
 				goto fail;
 			}
-		}
-	}
-
-	if (root->num_of_children > 0) {
-		status = sec_access_check_ds(sd, acl_user_token(module),
-					     SEC_ADS_WRITE_PROP,
-					     &access_granted,
-					     root,
-					     sid);
 
-		if (!NT_STATUS_IS_OK(status)) {
-			ldb_asprintf_errstring(ldb_module_get_ctx(module),
-					       "Object %s has no write property access\n",
-					       ldb_dn_get_linearized(req->op.mod.message->dn));
-			dsdb_acl_debug(sd,
-				       acl_user_token(module),
-				       req->op.mod.message->dn,
-				       true,
-				       10);
-			ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
-			goto fail;
+			status = sec_access_check_ds(sd, acl_user_token(module),
+						     SEC_ADS_WRITE_PROP,
+						     &access_granted,
+						     root,
+						     sid);
+			if (!NT_STATUS_IS_OK(status)) {
+				ldb_asprintf_errstring(ldb_module_get_ctx(module),
+						       "Object %s has no write property access\n",
+						       ldb_dn_get_linearized(req->op.mod.message->dn));
+				dsdb_acl_debug(sd,
+					       acl_user_token(module),
+					       req->op.mod.message->dn,
+					       true,
+					       10);
+				ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+				goto fail;
+			}
 		}
 	}
 
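Review bot: the relocated `sec_access_check_ds` block still reports "Object %s has no write property access" with only the DN, although it now runs once per attribute and `attr` is in scope; including `attr->lDAPDisplayName` in the `ldb_asprintf_errstring` message would tell an administrator which attribute was denied rather than leaving them to bisect the modify request. The removed `if (root->num_of_children > 0)` guard is no longer needed because the attribute node is always inserted under `root` immediately before the check, but a one-line comment saying so would stop someone from reintroducing it.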
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index 94bc504..ecda3c5 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -389,6 +389,21 @@ url: www.samba.org"""
         else:
             # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
             self.fail()
+        # Modify on attribute you do not have rights for granted while also modifying something you do have rights for
+        ldif = """
+dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
+changetype: modify
+replace: url
+url: www.samba.org
+replace: displayName
+displayName: test_changed"""
+        try:
+            self.ldb_user.modify_ldif(ldif)
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+        else:
+            # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
+            self.fail()
         # Second test object -- Organizational Unit
         print "Testing modify on OU object"
         self.ldb_admin.create_ou("OU=test_modify_ou1," + self.base_dn)
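Review bot: the added test only covers the order "denied attribute (url) first, permitted attribute (displayName) second"; since the fix runs the access check per element, a second LDIF with the permitted `replace: displayName` before the denied `replace: url` would show that element order cannot bypass the check. The test should also read `CN=test_modify_group1` back as admin after the expected `ERR_INSUFFICIENT_ACCESS_RIGHTS` and assert that `displayName` is still unchanged, so that a partial write of the permitted attribute would be caught as well.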


-- 
Samba Shared Repository
