[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Thu Mar 13 08:07:04 MDT 2014
The branch, master has been updated
via 48ffca0 CVE-2013-4496:Revert remainder of ce895609b04380bfc41e4f8fddc84bd2f9324340
via 9f53b61 CVE-2013-4496:samr: Remove ChangePasswordUser
via 76e5ea3 CVE-2013-4496:s3:auth: fix memory leak in the ACCOUNT_LOCKED_OUT case.
via 824add8 CVE-2013-4496:s3-samr: Block attempts to crack passwords via repeated password changes
from 29d779c smbreadline: switch to new-style readline typedef
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 48ffca0acac83bb31266390361ee77e1eaa2f2be
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Nov 28 06:50:01 2013 +1300
CVE-2013-4496:Revert remainder of ce895609b04380bfc41e4f8fddc84bd2f9324340
Part of this was removed when ChangePasswordUser was unimplemented,
but remove the remainder of this flawed commit. Fully check the
password first, as extract_pw_from_buffer() already does a partial
check of the password because it needs a correct old password to
correctly decrypt the length.
Andrew Bartlett
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
Change-Id: Ibccc4ada400b5f89a942d79c1a269b493e0adda6
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-on: https://gerrit.samba.org/38
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Mar 13 15:06:35 CET 2014 on sn-devel-104
commit 9f53b61f0674f7855a42b8e0de66f343f4592589
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Nov 7 16:23:12 2013 +1300
CVE-2013-4496:samr: Remove ChangePasswordUser
This old password change mechanism does not provide the plaintext to
validate against password complexity, and it is not used by modern
clients. It also has quite difficult semantics to handle regarding
password lockout.
The missing features in both implementations (by design) were:
- the password complexity checks (no plaintext)
- the minimum password length (no plaintext)
Additionally, the source3 version did not check:
- the minimum password age
- pdb_get_pass_can_change() which checks the security
descriptor for the 'user cannot change password' setting.
- the password history
- the output of the 'passwd program' if 'unix passwd sync = yes'.
Finally, the mechanism was almost useless, as it was incorrectly
only made available to administrative users with permission
to reset the password. It is removed here so that it is not
mistakenly reinstated in the future.
Andrew Bartlett
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
Change-Id: If2edd3183c177e5ff37c9511b0d0ad0dd9038c66
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-on: https://gerrit.samba.org/37
commit 76e5ea3a2c5f49cfc1026bd7c6b8baddb1e7dc16
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 5 14:04:20 2013 +0100
CVE-2013-4496:s3:auth: fix memory leak in the ACCOUNT_LOCKED_OUT case.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
Change-Id: Iabf22753effd80086d7956619a3dae830e487da8
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-on: https://gerrit.samba.org/161
commit 824add8aaffca4adfec652fb1f6565d038387f9d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Nov 1 14:55:44 2013 +1300
CVE-2013-4496:s3-samr: Block attempts to crack passwords via repeated password changes
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
Change-Id: Ic31774275f07e003e7c2682a856ccb2d5a7939de
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-on: https://gerrit.samba.org/162
-----------------------------------------------------------------------
Summary of changes:
source3/auth/check_samsec.c | 1 +
source3/rpc_server/samr/srv_samr_chgpasswd.c | 55 ++++++
source3/rpc_server/samr/srv_samr_nt.c | 111 +-----------
source3/smbd/lanman.c | 254 --------------------------
source4/rpc_server/samr/samr_password.c | 214 ++++-----------------
source4/torture/rpc/samr.c | 6 +
6 files changed, 111 insertions(+), 530 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index b6cac60..7c97170 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -408,6 +408,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
/* Quit if the account was locked out. */
if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username));
+ TALLOC_FREE(sampass);
return NT_STATUS_ACCOUNT_LOCKED_OUT;
}
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index db1f459..1c9c33a 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -1106,6 +1106,8 @@ NTSTATUS pass_oem_change(char *user, const char *rhost,
struct samu *sampass = NULL;
NTSTATUS nt_status;
bool ret = false;
+ bool updated_badpw = false;
+ NTSTATUS update_login_attempts_status;
if (!(sampass = samu_new(NULL))) {
return NT_STATUS_NO_MEMORY;
@@ -1121,6 +1123,13 @@ NTSTATUS pass_oem_change(char *user, const char *rhost,
return NT_STATUS_NO_SUCH_USER;
}
+ /* Quit if the account was locked out. */
+ if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
+ DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", user));
+ TALLOC_FREE(sampass);
+ return NT_STATUS_ACCOUNT_LOCKED_OUT;
+ }
+
nt_status = check_oem_password(user,
password_encrypted_with_lm_hash,
old_lm_hash_encrypted,
@@ -1129,6 +1138,52 @@ NTSTATUS pass_oem_change(char *user, const char *rhost,
sampass,
&new_passwd);
+ /*
+ * Notify passdb backend of login success/failure. If not
+ * NT_STATUS_OK the backend doesn't like the login
+ */
+ update_login_attempts_status = pdb_update_login_attempts(sampass,
+ NT_STATUS_IS_OK(nt_status));
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ bool increment_bad_pw_count = false;
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) &&
+ (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
+ NT_STATUS_IS_OK(update_login_attempts_status))
+ {
+ increment_bad_pw_count = true;
+ }
+
+ if (increment_bad_pw_count) {
+ pdb_increment_bad_password_count(sampass);
+ updated_badpw = true;
+ } else {
+ pdb_update_bad_password_count(sampass,
+ &updated_badpw);
+ }
+ } else {
+
+ if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
+ (pdb_get_bad_password_count(sampass) > 0)){
+ pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+ pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+ updated_badpw = true;
+ }
+ }
+
+ if (updated_badpw) {
+ NTSTATUS update_status;
+ become_root();
+ update_status = pdb_update_sam_account(sampass);
+ unbecome_root();
+
+ if (!NT_STATUS_IS_OK(update_status)) {
+ DEBUG(1, ("Failed to modify entry: %s\n",
+ nt_errstr(update_status)));
+ }
+ }
+
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(sampass);
return nt_status;
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 0cb680d..48cfc7e 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -1713,114 +1713,19 @@ NTSTATUS _samr_LookupNames(struct pipes_struct *p,
}
/****************************************************************
- _samr_ChangePasswordUser
+ _samr_ChangePasswordUser.
+
+ So old it is just not worth implementing
+ because it does not supply a plaintext and so we can't do password
+ complexity checking and cannot update other services that use a
+ plaintext password via passwd chat/pam password change/ldap password
+ sync.
****************************************************************/
NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
struct samr_ChangePasswordUser *r)
{
- NTSTATUS status;
- bool ret = false;
- struct samr_user_info *uinfo;
- struct samu *pwd;
- struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
- struct samr_Password lm_pwd, nt_pwd;
-
- uinfo = policy_handle_find(p, r->in.user_handle,
- SAMR_USER_ACCESS_SET_PASSWORD, NULL,
- struct samr_user_info, &status);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
- sid_string_dbg(&uinfo->sid)));
-
- if (!(pwd = samu_new(NULL))) {
- return NT_STATUS_NO_MEMORY;
- }
-
- become_root();
- ret = pdb_getsampwsid(pwd, &uinfo->sid);
- unbecome_root();
-
- if (!ret) {
- TALLOC_FREE(pwd);
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- {
- const uint8_t *lm_pass, *nt_pass;
-
- lm_pass = pdb_get_lanman_passwd(pwd);
- nt_pass = pdb_get_nt_passwd(pwd);
-
- if (!lm_pass || !nt_pass) {
- status = NT_STATUS_WRONG_PASSWORD;
- goto out;
- }
-
- memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
- memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
- }
-
- /* basic sanity checking on parameters. Do this before any database ops */
- if (!r->in.lm_present || !r->in.nt_present ||
- !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
- !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
- /* we should really handle a change with lm not
- present */
- status = NT_STATUS_INVALID_PARAMETER_MIX;
- goto out;
- }
-
- /* decrypt and check the new lm hash */
- D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
- D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
- if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
- status = NT_STATUS_WRONG_PASSWORD;
- goto out;
- }
-
- /* decrypt and check the new nt hash */
- D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
- D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
- if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
- status = NT_STATUS_WRONG_PASSWORD;
- goto out;
- }
-
- /* The NT Cross is not required by Win2k3 R2, but if present
- check the nt cross hash */
- if (r->in.cross1_present && r->in.nt_cross) {
- D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
- status = NT_STATUS_WRONG_PASSWORD;
- goto out;
- }
- }
-
- /* The LM Cross is not required by Win2k3 R2, but if present
- check the lm cross hash */
- if (r->in.cross2_present && r->in.lm_cross) {
- D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
- status = NT_STATUS_WRONG_PASSWORD;
- goto out;
- }
- }
-
- if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) ||
- !pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) {
- status = NT_STATUS_ACCESS_DENIED;
- goto out;
- }
-
- status = pdb_update_sam_account(pwd);
- out:
- TALLOC_FREE(pwd);
-
- return status;
+ return NT_STATUS_NOT_IMPLEMENTED;
}
/*******************************************************************
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index f7f7753..63c2ad7 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2948,259 +2948,6 @@ static bool api_NetRemoteTOD(struct smbd_server_connection *sconn,
}
/****************************************************************************
- Set the user password.
-*****************************************************************************/
-
-static bool api_SetUserPassword(struct smbd_server_connection *sconn,
- connection_struct *conn,uint64_t vuid,
- char *param, int tpscnt,
- char *data, int tdscnt,
- int mdrcnt,int mprcnt,
- char **rdata,char **rparam,
- int *rdata_len,int *rparam_len)
-{
- char *np = get_safe_str_ptr(param,tpscnt,param,2);
- char *p = NULL;
- fstring user;
- fstring pass1,pass2;
- TALLOC_CTX *mem_ctx = talloc_tos();
- NTSTATUS status, result;
- struct rpc_pipe_client *cli = NULL;
- struct policy_handle connect_handle, domain_handle, user_handle;
- struct lsa_String domain_name;
- struct dom_sid2 *domain_sid;
- struct lsa_String names;
- struct samr_Ids rids;
- struct samr_Ids types;
- struct samr_Password old_lm_hash;
- struct samr_Password new_lm_hash;
- int errcode = NERR_badpass;
- uint32_t rid;
- int encrypted;
- int min_pwd_length;
- struct dcerpc_binding_handle *b = NULL;
-
- /* Skip 2 strings. */
- p = skip_string(param,tpscnt,np);
- p = skip_string(param,tpscnt,p);
-
- if (!np || !p) {
- return False;
- }
-
- /* Do we have a string ? */
- if (skip_string(param,tpscnt,p) == NULL) {
- return False;
- }
- pull_ascii_fstring(user,p);
-
- p = skip_string(param,tpscnt,p);
- if (!p) {
- return False;
- }
-
- memset(pass1,'\0',sizeof(pass1));
- memset(pass2,'\0',sizeof(pass2));
- /*
- * We use 31 here not 32 as we're checking
- * the last byte we want to access is safe.
- */
- if (!is_offset_safe(param,tpscnt,p,31)) {
- return False;
- }
- memcpy(pass1,p,16);
- memcpy(pass2,p+16,16);
-
- encrypted = get_safe_SVAL(param,tpscnt,p+32,0,-1);
- if (encrypted == -1) {
- errcode = W_ERROR_V(WERR_INVALID_PARAM);
- goto out;
- }
-
- min_pwd_length = get_safe_SVAL(param,tpscnt,p+34,0,-1);
- if (min_pwd_length == -1) {
- errcode = W_ERROR_V(WERR_INVALID_PARAM);
- goto out;
- }
-
- *rparam_len = 4;
- *rparam = smb_realloc_limit(*rparam,*rparam_len);
- if (!*rparam) {
- return False;
- }
-
- *rdata_len = 0;
-
- DEBUG(3,("Set password for <%s> (encrypted: %d, min_pwd_length: %d)\n",
- user, encrypted, min_pwd_length));
-
- ZERO_STRUCT(connect_handle);
- ZERO_STRUCT(domain_handle);
- ZERO_STRUCT(user_handle);
-
- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
- &cli);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("api_SetUserPassword: could not connect to samr: %s\n",
- nt_errstr(status)));
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
-
- b = cli->binding_handle;
-
- status = dcerpc_samr_Connect2(b, mem_ctx,
- lp_netbios_name(),
- SAMR_ACCESS_CONNECT_TO_SERVER |
- SAMR_ACCESS_ENUM_DOMAINS |
- SAMR_ACCESS_LOOKUP_DOMAIN,
- &connect_handle,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
- if (!NT_STATUS_IS_OK(result)) {
- errcode = W_ERROR_V(ntstatus_to_werror(result));
- goto out;
- }
-
- init_lsa_String(&domain_name, get_global_sam_name());
-
- status = dcerpc_samr_LookupDomain(b, mem_ctx,
- &connect_handle,
- &domain_name,
- &domain_sid,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
- if (!NT_STATUS_IS_OK(result)) {
- errcode = W_ERROR_V(ntstatus_to_werror(result));
- goto out;
- }
-
- status = dcerpc_samr_OpenDomain(b, mem_ctx,
- &connect_handle,
- SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
- domain_sid,
- &domain_handle,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
- if (!NT_STATUS_IS_OK(result)) {
- errcode = W_ERROR_V(ntstatus_to_werror(result));
- goto out;
- }
-
- init_lsa_String(&names, user);
-
- status = dcerpc_samr_LookupNames(b, mem_ctx,
- &domain_handle,
- 1,
- &names,
- &rids,
- &types,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
- if (!NT_STATUS_IS_OK(result)) {
- errcode = W_ERROR_V(ntstatus_to_werror(result));
- goto out;
- }
-
- if (rids.count != 1) {
- errcode = W_ERROR_V(WERR_NO_SUCH_USER);
- goto out;
- }
- if (rids.count != types.count) {
- errcode = W_ERROR_V(WERR_INVALID_PARAM);
- goto out;
- }
- if (types.ids[0] != SID_NAME_USER) {
- errcode = W_ERROR_V(WERR_INVALID_PARAM);
- goto out;
- }
-
- rid = rids.ids[0];
-
- status = dcerpc_samr_OpenUser(b, mem_ctx,
- &domain_handle,
- SAMR_USER_ACCESS_CHANGE_PASSWORD,
- rid,
- &user_handle,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
- if (!NT_STATUS_IS_OK(result)) {
- errcode = W_ERROR_V(ntstatus_to_werror(result));
- goto out;
- }
-
- if (encrypted == 0) {
- E_deshash(pass1, old_lm_hash.hash);
- E_deshash(pass2, new_lm_hash.hash);
- } else {
- ZERO_STRUCT(old_lm_hash);
- ZERO_STRUCT(new_lm_hash);
- memcpy(old_lm_hash.hash, pass1, MIN(strlen(pass1), 16));
- memcpy(new_lm_hash.hash, pass2, MIN(strlen(pass2), 16));
- }
-
- status = dcerpc_samr_ChangePasswordUser(b, mem_ctx,
- &user_handle,
- true, /* lm_present */
- &old_lm_hash,
- &new_lm_hash,
- false, /* nt_present */
- NULL, /* old_nt_crypted */
- NULL, /* new_nt_crypted */
- false, /* cross1_present */
- NULL, /* nt_cross */
- false, /* cross2_present */
- NULL, /* lm_cross */
- &result);
- if (!NT_STATUS_IS_OK(status)) {
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
- if (!NT_STATUS_IS_OK(result)) {
- errcode = W_ERROR_V(ntstatus_to_werror(result));
- goto out;
- }
-
- errcode = NERR_Success;
- out:
-
- if (b && is_valid_policy_hnd(&user_handle)) {
- dcerpc_samr_Close(b, mem_ctx, &user_handle, &result);
- }
- if (b && is_valid_policy_hnd(&domain_handle)) {
- dcerpc_samr_Close(b, mem_ctx, &domain_handle, &result);
- }
- if (b && is_valid_policy_hnd(&connect_handle)) {
- dcerpc_samr_Close(b, mem_ctx, &connect_handle, &result);
- }
-
- memset((char *)pass1,'\0',sizeof(fstring));
- memset((char *)pass2,'\0',sizeof(fstring));
-
- SSVAL(*rparam,0,errcode);
- SSVAL(*rparam,2,0); /* converter word */
- return(True);
-}
-
-/****************************************************************************
Set the user password (SamOEM version - gets plaintext).
****************************************************************************/
@@ -5797,7 +5544,6 @@ static const struct {
{"NetServerEnum2", RAP_NetServerEnum2, api_RNetServerEnum2}, /* anon OK */
{"NetServerEnum3", RAP_NetServerEnum3, api_RNetServerEnum3}, /* anon OK */
{"WAccessGetUserPerms",RAP_WAccessGetUserPerms,api_WAccessGetUserPerms},
- {"SetUserPassword", RAP_WUserPasswordSet2, api_SetUserPassword},
{"WWkstaUserLogon", RAP_WWkstaUserLogon, api_WWkstaUserLogon},
{"PrintJobInfo", RAP_WPrintJobSetInfo, api_PrintJobInfo},
{"WPrintDriverEnum", RAP_WPrintDriverEnum, api_WPrintDriverEnum},
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 2d9c48a..685a8e7 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -33,150 +33,17 @@
/*
samr_ChangePasswordUser
+
--
Samba Shared Repository
More information about the samba-cvs
mailing list