[SCM] Samba Shared Repository - branch master updated
Karolin Seeger
kseeger at samba.org
Mon Feb 23 12:02:02 MST 2015
The branch, master has been updated
via 6e5debf torture: Add netr_setPassword(2) schannel test.
via bb41484 s3-netlogon: Make sure we do not deference a NULL pointer.
via 28f10a8 CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer.
from a6008b2 s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6e5debf33bfb28ec0135a19f9cfb48b39d17fc83
Author: Andreas Schneider <asn at samba.org>
Date: Mon Feb 16 08:56:28 2015 +0100
torture: Add netr_setPassword(2) schannel test.
Thanks to Florian Weimer <fweimer at redhat.com> for the help to write
this torture test.
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(master): Mon Feb 23 20:01:01 CET 2015 on sn-devel-104
commit bb4148450941e4949a2ff1b053719082b0514d71
Author: Andreas Schneider <asn at samba.org>
Date: Mon Feb 16 10:59:23 2015 +0100
s3-netlogon: Make sure we do not deference a NULL pointer.
This is an additional patch for CVE-2015-0240.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32
Pair-Programmed-With: Michael Adam <obnox at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 28f10a89e6e9d605ba299b83f7244e8c11ddbc6e
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jan 28 14:47:31 2015 -0800
CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/target/Samba.pm | 1 +
selftest/target/Samba3.pm | 50 +++++++++++++
source3/rpc_server/netlogon/srv_netlog_nt.c | 13 +++-
source3/selftest/tests.py | 6 +-
source4/torture/rpc/rpc.c | 1 +
source4/torture/rpc/schannel.c | 109 ++++++++++++++++++++++++++++
6 files changed, 177 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 2b7343d..47bc131 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -164,6 +164,7 @@ sub get_interface($)
$interfaces{"localktest6"} = 7;
$interfaces{"maptoguest"} = 8;
+ $interfaces{"locals3dc9"} = 9;
# 11-16 used by selftest.pl for client interfaces
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 8926ae1..8209402 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -175,6 +175,8 @@ sub setup_env($$$)
if ($envname eq "s3dc") {
return $self->setup_s3dc("$path/s3dc");
+ } elsif ($envname eq "s3dc_schannel") {
+ return $self->setup_s3dc_schannel("$path/s3dc_schannel");
} elsif ($envname eq "simpleserver") {
return $self->setup_simpleserver("$path/simpleserver");
} elsif ($envname eq "maptoguest") {
@@ -239,6 +241,54 @@ sub setup_s3dc($$)
return $vars;
}
+sub setup_s3dc_schannel($$)
+{
+ my ($self, $path) = @_;
+
+ print "PROVISIONING S3DC WITH SERVER SCHANNEL ...";
+
+ my $pdc_options = "
+ domain master = yes
+ domain logons = yes
+ lanman auth = yes
+
+ rpc_server:epmapper = external
+ rpc_server:spoolss = external
+ rpc_server:lsarpc = external
+ rpc_server:samr = external
+ rpc_server:netlogon = external
+ rpc_server:register_embedded_np = yes
+
+ rpc_daemon:epmd = fork
+ rpc_daemon:spoolssd = fork
+ rpc_daemon:lsasd = fork
+
+ server schannel = yes
+";
+
+ my $vars = $self->provision($path,
+ "LOCALS3DC9",
+ "locals3dc9pass",
+ $pdc_options);
+
+ $vars or return undef;
+
+ if (not $self->check_or_start($vars, "yes", "yes", "yes")) {
+ return undef;
+ }
+
+ $vars->{DC_SERVER} = $vars->{SERVER};
+ $vars->{DC_SERVER_IP} = $vars->{SERVER_IP};
+ $vars->{DC_SERVER_IPV6} = $vars->{SERVER_IPV6};
+ $vars->{DC_NETBIOSNAME} = $vars->{NETBIOSNAME};
+ $vars->{DC_USERNAME} = $vars->{USERNAME};
+ $vars->{DC_PASSWORD} = $vars->{PASSWORD};
+
+ $self->{vars}->{s3dc_schannel} = $vars;
+
+ return $vars;
+}
+
sub setup_member($$$)
{
my ($self, $prefix, $s3dcvars) = @_;
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index fdcc847..b487c31 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1100,6 +1100,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
struct loadparm_context *lp_ctx;
+ if (creds_out != NULL) {
+ *creds_out = NULL;
+ }
+
if (schannel_global_required) {
status = schannel_check_required(&p->auth,
computer_name,
@@ -1257,7 +1261,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
{
NTSTATUS status = NT_STATUS_OK;
int i;
- struct netlogon_creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds = NULL;
DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
@@ -1270,9 +1274,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
+ const char *computer_name = "<unknown>";
+
+ if (creds != NULL && creds->computer_name != NULL) {
+ computer_name = creds->computer_name;
+ }
DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
"request from client %s machine account %s\n",
- r->in.computer_name, creds->computer_name));
+ r->in.computer_name, computer_name));
TALLOC_FREE(creds);
return status;
}
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index c60f531..0a59903 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -278,7 +278,7 @@ rpc = ["rpc.authcontext", "rpc.samba3.bind", "rpc.samba3.srvsvc", "rpc.samba3.sh
"rpc.samr.passwords.pwdlastset", "rpc.samr.passwords.lockout", "rpc.samr.passwords.badpwdcount", "rpc.samr.large-dc", "rpc.samr.machine.auth",
"rpc.samr.priv", "rpc.samr.passwords.validate",
"rpc.netlogon.admin",
- "rpc.schannel", "rpc.schannel2", "rpc.bench-schannel1", "rpc.join", "rpc.bind"]
+ "rpc.schannel", "rpc.schannel2", "rpc.bench-schannel1", "rpc.schannel_anon_setpw", "rpc.join", "rpc.bind"]
local = ["local.ndr"]
@@ -372,6 +372,10 @@ for t in tests:
elif t == "vfs.fruit":
plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:share1=vfs_fruit --option=torture:share2=tmp --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:share1=vfs_fruit --option=torture:share2=tmp --option=torture:localdir=$SELFTEST_PREFIX/plugin_s4_dc/share')
+ elif t == "rpc.schannel_anon_setpw":
+ plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp -U$%', description="anonymous password set")
+ plansmbtorture4testsuite(t, "s3dc_schannel", '//$SERVER_IP/tmp -U$%', description="anonymous password set (schannel enforced server-side)")
+ plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER/tmp -U$%', description="anonymous password set")
else:
plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
diff --git a/source4/torture/rpc/rpc.c b/source4/torture/rpc/rpc.c
index 7557901..b7fd3bc 100644
--- a/source4/torture/rpc/rpc.c
+++ b/source4/torture/rpc/rpc.c
@@ -507,6 +507,7 @@ NTSTATUS torture_rpc_init(void)
torture_suite_add_simple_test(suite, "schannel", torture_rpc_schannel);
torture_suite_add_simple_test(suite, "schannel2", torture_rpc_schannel2);
torture_suite_add_simple_test(suite, "bench-schannel1", torture_rpc_schannel_bench1);
+ torture_suite_add_simple_test(suite, "schannel_anon_setpw", torture_rpc_schannel_anon_setpw);
torture_suite_add_suite(suite, torture_rpc_srvsvc(suite));
torture_suite_add_suite(suite, torture_rpc_svcctl(suite));
torture_suite_add_suite(suite, torture_rpc_samr_accessmask(suite));
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index de93fca..eff1c7a 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -543,6 +543,86 @@ static bool test_schannel(struct torture_context *tctx,
return true;
}
+/*
+ * Purpose of this test is to demonstrate that a netlogon server carefully deals
+ * with anonymous attempts to set passwords, in particular when the server
+ * enforces the use of schannel. This test makes most sense to be run in an
+ * environment where the netlogon server enforces use of schannel.
+ */
+
+static bool test_schannel_anonymous_setPassword(struct torture_context *tctx,
+ uint32_t dcerpc_flags,
+ bool use2)
+{
+ struct test_join *join_ctx;
+ NTSTATUS status, result;
+ const char *binding = torture_setting_string(tctx, "binding", NULL);
+ struct dcerpc_binding *b;
+ struct dcerpc_pipe *p = NULL;
+ struct cli_credentials *credentials;
+ bool ok = true;
+
+ credentials = cli_credentials_init(NULL);
+ torture_assert(tctx, credentials != NULL, "Bad credentials");
+ cli_credentials_set_anonymous(credentials);
+
+ status = dcerpc_parse_binding(tctx, binding, &b);
+ torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
+
+ status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
+ torture_assert_ntstatus_ok(tctx, status, "set flags");
+
+ status = dcerpc_pipe_connect_b(tctx,
+ &p,
+ b,
+ &ndr_table_netlogon,
+ credentials,
+ tctx->ev,
+ tctx->lp_ctx);
+ torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");
+
+ if (use2) {
+ struct netr_ServerPasswordSet2 r = {};
+ struct netr_Authenticator credential = {};
+ struct netr_Authenticator return_authenticator = {};
+ struct netr_CryptPassword new_password = {};
+
+ r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
+ r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
+ r.in.secure_channel_type = 0;
+ r.in.computer_name = TEST_MACHINE_NAME;
+ r.in.credential = &credential;
+ r.in.new_password = &new_password;
+ r.out.return_authenticator = &return_authenticator;
+
+ status = dcerpc_netr_ServerPasswordSet2_r(p->binding_handle, tctx, &r);
+ result = r.out.result;
+ } else {
+ struct netr_ServerPasswordSet r = {};
+ struct netr_Authenticator credential = {};
+ struct netr_Authenticator return_authenticator = {};
+ struct samr_Password new_password = {};
+
+ r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
+ r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
+ r.in.secure_channel_type = 0;
+ r.in.computer_name = TEST_MACHINE_NAME;
+ r.in.credential = &credential;
+ r.in.new_password = &new_password;
+ r.out.return_authenticator = &return_authenticator;
+
+ status = dcerpc_netr_ServerPasswordSet_r(p->binding_handle, tctx, &r);
+ result = r.out.result;
+ }
+
+ torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet failed");
+
+ if (NT_STATUS_IS_OK(result)) {
+ torture_fail(tctx, "unexpectedly received NT_STATUS_OK");
+ }
+
+ return ok;
+}
/*
@@ -586,6 +666,35 @@ bool torture_rpc_schannel(struct torture_context *torture)
return ret;
}
+bool torture_rpc_schannel_anon_setpw(struct torture_context *torture)
+{
+ bool ret = true;
+ bool ok;
+ uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_AUTO;
+
+ ok = test_schannel_anonymous_setPassword(torture,
+ dcerpc_flags,
+ true);
+ if (!ok) {
+ torture_comment(torture,
+ "Failed with dcerpc_flags=0x%x\n",
+ dcerpc_flags);
+ ret = false;
+ }
+
+ ok = test_schannel_anonymous_setPassword(torture,
+ dcerpc_flags,
+ false);
+ if (!ok) {
+ torture_comment(torture,
+ "Failed with dcerpc_flags=0x%x\n",
+ dcerpc_flags);
+ ret = false;
+ }
+
+ return ret;
+}
+
/*
test two schannel connections
*/
--
Samba Shared Repository
More information about the samba-cvs
mailing list