[SCM] Samba Shared Repository - branch v4-7-test updated

Karolin Seeger kseeger at samba.org
Tue Aug 14 10:19:17 UTC 2018


The branch, v4-7-test has been updated
       via  fe6886e VERSION: Bump version up to 4.7.10.
       via  764141d Merge tag 'samba-4.7.9' into v4-7-test
       via  3e5da7e VERSION: Disable GIT_SNAPSHOT for the 4.7.9 release.
       via  36ad973 WHATSNEW: Add release notes for Samba 4.7.9.
       via  9ff1d90 CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
       via  cd2e11d CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
       via  304ad86 CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
       via  29f2fe7 CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
       via  a5fe27c CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
       via  b2a68d6 selftest/tests.py: remove always-needed, never-set with_cmocka flag
       via  e0bb0b6 CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
       via  9b17ce9 CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
       via  717bde3 CVE-2018-10919 acl_read: Flip the logic in the dirsync check
       via  df6c1db CVE-2018-10919 acl_read: Small refactor to aclread_callback()
       via  e95c621 CVE-2018-10919 acl_read: Split access_mask logic out into helper function
       via  ddd6279 CVE-2018-10919 tests: test ldap searches for non-existent attributes.
       via  1594cad CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
       via  938a55c CVE-2018-10919 tests: Add test case for object visibility with limited rights
       via  49920e7 CVE-2018-10919 tests: Add tests for guessing confidential attributes
       via  81865e8 CVE-2018-10919 security: Add more comments to the object-specific access checks
       via  12f97f9 CVE-2018-10919 security: Move object-specific access checks into separate function
       via  49d940f CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
       via  011d25d CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
       via  02db55b CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
       via  9cf4b08 VERSION: Bump version up to 4.7.9...
      from  a431bdf s3: smbd: Fix AIX sendfile() for SMB2. Ensure we don't spin on EAGAIN.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test


- Log -----------------------------------------------------------------
commit fe6886ee4d0ff66ddd21f777e176fdc6a323646b
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Aug 14 12:18:43 2018 +0200

    VERSION: Bump version up to 4.7.10.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 764141d4f4d1d253f6cbabf60e32a9e98d7a0f45
Merge: a431bdf 3e5da7e
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Aug 14 12:18:19 2018 +0200

    Merge tag 'samba-4.7.9' into v4-7-test
    
    samba: tag release samba-4.7.9

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                        |    2 +-
 WHATSNEW.txt                                   |   83 +-
 libcli/auth/ntlm_check.c                       |   10 +-
 libcli/auth/tests/ntlm_check.c                 |  413 ++++++++++
 libcli/auth/wscript_build                      |   13 +
 libcli/security/access_check.c                 |  110 ++-
 selftest/knownfail                             |    3 +-
 selftest/tests.py                              |   20 +-
 source3/libsmb/libsmb_dir.c                    |   57 +-
 source3/libsmb/libsmb_path.c                   |    9 +-
 source3/selftest/tests.py                      |    2 +-
 source3/utils/ntlm_auth.c                      |    6 +-
 source4/dsdb/samdb/cracknames.c                |    8 +-
 source4/dsdb/samdb/ldb_modules/acl_read.c      |  331 +++++++-
 source4/dsdb/tests/python/acl.py               |   68 ++
 source4/dsdb/tests/python/confidential_attr.py | 1025 ++++++++++++++++++++++++
 source4/dsdb/tests/python/ldap.py              |    9 +
 source4/selftest/tests.py                      |    3 +
 source4/torture/drs/python/cracknames.py       |   38 +
 19 files changed, 2117 insertions(+), 93 deletions(-)
 create mode 100644 libcli/auth/tests/ntlm_check.c
 create mode 100755 source4/dsdb/tests/python/confidential_attr.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index b3be468..96ac5db 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=7
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=10
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 54a9398..c812417 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,83 @@
                    =============================
+                   Release Notes for Samba 4.7.9
+                           August 14, 2018
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2018-1139  (Weak authentication protocol allowed.)
+o  CVE-2018-10858 (Insufficient input validation on client directory
+		   listing in libsmbclient.)
+o  CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
+o  CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
+		   server.)
+
+
+=======
+Details
+=======
+
+o  CVE-2018-1139:
+   Vulnerability that allows authentication via NTLMv1 even if disabled.
+
+o  CVE-2018-10858:
+   A malicious server could return a directory entry that could corrupt
+   libsmbclient memory.
+
+o  CVE-2018-10918:
+   Missing null pointer checks may crash the Samba AD DC, over the
+   authenticated DRSUAPI RPC service.
+
+o  CVE-2018-10919:
+   Missing access control checks allow discovery of confidential attribute
+   values via authenticated LDAP search expressions.
+
+
+Changes since 4.7.8:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13453: CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
+     returns from malicious servers.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 13552: CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when
+     not servicePrincipalName is set on a user.
+
+o  Tim Beale <timbeale at catalyst.net.nz>
+   * BUG 13434: CVE-2018-10919: acl_read: Fix unauthorized attribute access via
+     searches.
+
+o  G√ľnther Deschner <gd at samba.org>
+   * BUG 13360: CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
+     is disabled via "ntlm auth".
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.7.8
                            June 21, 2018
                    =============================
@@ -111,8 +190,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.7.7
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 3b02adc..b68e9c8 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 			     const struct samr_Password *stored_nt)
 {
 	if (stored_nt == NULL) {
-		DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
+		DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
 			 username));
 	}
 
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 		if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
 			return NT_STATUS_OK;
 		} else {
-			DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
+			DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
 				 username));
 			return NT_STATUS_WRONG_PASSWORD;
 		}
 
 	} else if (client_lanman && stored_lanman) {
 		if (!lanman_auth) {
-			DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
+			DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
 				 username));
 			return NT_STATUS_WRONG_PASSWORD;
 		}
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 		if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
 			return NT_STATUS_OK;
 		} else {
-			DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
+			DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
 				 username));
 			return NT_STATUS_WRONG_PASSWORD;
 		}
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 	   - I think this is related to Win9X pass-though authentication
 	*/
 	DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
-	if (ntlm_auth) {
+	if (ntlm_auth == NTLM_AUTH_ON) {
 		if (smb_pwd_check_ntlmv1(mem_ctx, 
 					 lm_response, 
 					 stored_nt->hash, challenge,
diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
new file mode 100644
index 0000000..e87a0a2
--- /dev/null
+++ b/libcli/auth/tests/ntlm_check.c
@@ -0,0 +1,413 @@
+/*
+ * Unit tests for the ntlm_check password hash check library.
+ *
+ *  Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ *
+ */
+
+/*
+ * Note that the messaging routines (audit_message_send and get_event_server)
+ * are not tested by these unit tests.  Currently they are for integration
+ * test support, and as such are exercised by the integration tests.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "../lib/crypto/crypto.h"
+#include "librpc/gen_ndr/netlogon.h"
+#include "libcli/auth/libcli_auth.h"
+#include "auth/credentials/credentials.h"
+
+struct ntlm_state {
+	const char *username;
+	const char *domain;
+	DATA_BLOB challenge;
+	DATA_BLOB ntlm;
+	DATA_BLOB lm;
+	DATA_BLOB ntlm_key;
+	DATA_BLOB lm_key;
+	const struct samr_Password *nt_hash;
+};
+
+static int test_ntlm_setup_with_options(void **state,
+					int flags, bool upn)
+{
+	NTSTATUS status;
+	DATA_BLOB challenge = {
+		.data = discard_const_p(uint8_t, "I am a teapot"),
+		.length = 8
+	};
+	struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
+	DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
+							   NULL,
+							   "serverdom");
+	struct cli_credentials *creds = cli_credentials_init(ntlm_state);
+	cli_credentials_set_username(creds,
+				     "testuser",
+				     CRED_SPECIFIED);
+	cli_credentials_set_domain(creds,
+				   "testdom",
+				   CRED_SPECIFIED);
+	cli_credentials_set_workstation(creds,
+					"testwksta",
+					CRED_SPECIFIED);
+	cli_credentials_set_password(creds,
+				     "testpass",
+				     CRED_SPECIFIED);
+
+	if (upn) {
+		cli_credentials_set_principal(creds,
+					      "testuser at samba.org",
+					      CRED_SPECIFIED);
+	}
+
+	cli_credentials_get_ntlm_username_domain(creds,
+						 ntlm_state,
+						 &ntlm_state->username,
+						 &ntlm_state->domain);
+
+	status = cli_credentials_get_ntlm_response(creds,
+						   ntlm_state,
+						   &flags,
+						   challenge,
+						   NULL,
+						   target_info,
+						   &ntlm_state->lm,
+						   &ntlm_state->ntlm,
+						   &ntlm_state->lm_key,
+						   &ntlm_state->ntlm_key);
+	ntlm_state->challenge = challenge;
+
+	ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
+							  ntlm_state);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		return -1;
+	}
+
+	*state = ntlm_state;
+	return 0;
+}
+
+static int test_ntlm_setup(void **state) {
+	return test_ntlm_setup_with_options(state, 0, false);
+}
+
+static int test_ntlm_and_lm_setup(void **state) {
+	return test_ntlm_setup_with_options(state,
+					    CLI_CRED_LANMAN_AUTH,
+					    false);
+}
+
+static int test_ntlm2_setup(void **state) {
+	return test_ntlm_setup_with_options(state,
+					    CLI_CRED_NTLM2,
+					    false);
+}
+
+static int test_ntlmv2_setup(void **state) {
+	return test_ntlm_setup_with_options(state,
+					    CLI_CRED_NTLMv2_AUTH,
+					    false);
+}
+
+static int test_ntlm_teardown(void **state)
+{
+	struct ntlm_state *ntlm_state
+		= talloc_get_type_abort(*state,
+					struct ntlm_state);
+	TALLOC_FREE(ntlm_state);
+	*state = NULL;
+	return 0;
+}
+
+static void test_ntlm_allowed(void **state)
+{
+	DATA_BLOB user_sess_key, lm_sess_key;
+	struct ntlm_state *ntlm_state
+		= talloc_get_type_abort(*state,
+					struct ntlm_state);
+	NTSTATUS status;
+	status = ntlm_password_check(ntlm_state,
+				     false,
+				     NTLM_AUTH_ON,
+				     0,
+				     &ntlm_state->challenge,
+				     &ntlm_state->lm,
+				     &ntlm_state->ntlm,
+				     ntlm_state->username,
+				     ntlm_state->username,
+				     ntlm_state->domain,
+				     NULL,
+				     ntlm_state->nt_hash,
+				     &user_sess_key,
+				     &lm_sess_key);
+
+	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_allowed_lm_supplied(void **state)
+{
+	return test_ntlm_allowed(state);
+}
+
+static void test_ntlm_disabled(void **state)
+{
+	DATA_BLOB user_sess_key, lm_sess_key;
+	struct ntlm_state *ntlm_state
+		= talloc_get_type_abort(*state,
+					struct ntlm_state);
+	NTSTATUS status;
+	status = ntlm_password_check(ntlm_state,
+				     false,
+				     NTLM_AUTH_DISABLED,
+				     0,
+				     &ntlm_state->challenge,
+				     &ntlm_state->lm,
+				     &ntlm_state->ntlm,
+				     ntlm_state->username,
+				     ntlm_state->username,
+				     ntlm_state->domain,
+				     NULL,
+				     ntlm_state->nt_hash,
+				     &user_sess_key,
+				     &lm_sess_key);
+
+	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
+}
+
+static void test_ntlm2(void **state)
+{
+	DATA_BLOB user_sess_key, lm_sess_key;
+	struct ntlm_state *ntlm_state
+		= talloc_get_type_abort(*state,
+					struct ntlm_state);
+	NTSTATUS status;
+	status = ntlm_password_check(ntlm_state,
+				     false,
+				     NTLM_AUTH_ON,
+				     0,
+				     &ntlm_state->challenge,
+				     &ntlm_state->lm,
+				     &ntlm_state->ntlm,
+				     ntlm_state->username,
+				     ntlm_state->username,
+				     ntlm_state->domain,
+				     NULL,
+				     ntlm_state->nt_hash,
+				     &user_sess_key,
+				     &lm_sess_key);
+
+	/*
+	 * NTLM2 session security (where the real challenge is the
+	 * MD5(challenge, client-challenge) (in the first 8 bytes of
+	 * the lm) isn't decoded by ntlm_password_check(), it must
+	 * first be converted back into normal NTLM by the NTLMSSP
+	 * layer
+	 */
+	assert_int_equal(NT_STATUS_V(status),
+			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlm_mschapv2_only_allowed(void **state)
+{
+	DATA_BLOB user_sess_key, lm_sess_key;
+	struct ntlm_state *ntlm_state
+		= talloc_get_type_abort(*state,
+					struct ntlm_state);
+	NTSTATUS status;
+	status = ntlm_password_check(ntlm_state,
+				     false,
+				     NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+				     MSV1_0_ALLOW_MSVCHAPV2,
+				     &ntlm_state->challenge,
+				     &ntlm_state->lm,
+				     &ntlm_state->ntlm,
+				     ntlm_state->username,
+				     ntlm_state->username,
+				     ntlm_state->domain,
+				     NULL,
+				     ntlm_state->nt_hash,
+				     &user_sess_key,
+				     &lm_sess_key);
+
+	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_mschapv2_only_denied(void **state)
+{
+	DATA_BLOB user_sess_key, lm_sess_key;
+	struct ntlm_state *ntlm_state
+		= talloc_get_type_abort(*state,
+					struct ntlm_state);
+	NTSTATUS status;
+	status = ntlm_password_check(ntlm_state,
+				     false,
+				     NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+				     0,
+				     &ntlm_state->challenge,
+				     &ntlm_state->lm,
+				     &ntlm_state->ntlm,
+				     ntlm_state->username,
+				     ntlm_state->username,
+				     ntlm_state->domain,
+				     NULL,
+				     ntlm_state->nt_hash,
+				     &user_sess_key,
+				     &lm_sess_key);
+
+	assert_int_equal(NT_STATUS_V(status),
+			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlmv2(void **state)
+{
+	DATA_BLOB user_sess_key, lm_sess_key;
+	struct ntlm_state *ntlm_state
+		= talloc_get_type_abort(*state,
+					struct ntlm_state);
+	NTSTATUS status;
+	status = ntlm_password_check(ntlm_state,
+				     false,
+				     NTLM_AUTH_NTLMV2_ONLY,
+				     0,
+				     &ntlm_state->challenge,
+				     &ntlm_state->lm,
+				     &ntlm_state->ntlm,
+				     ntlm_state->username,
+				     ntlm_state->username,
+				     ntlm_state->domain,
+				     NULL,
+				     ntlm_state->nt_hash,
+				     &user_sess_key,
+				     &lm_sess_key);
+
+	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlmv2_only_ntlm(void **state)
+{
+	DATA_BLOB user_sess_key, lm_sess_key;
+	struct ntlm_state *ntlm_state
+		= talloc_get_type_abort(*state,
+					struct ntlm_state);
+	NTSTATUS status;
+	status = ntlm_password_check(ntlm_state,
+				     false,
+				     NTLM_AUTH_NTLMV2_ONLY,
+				     0,
+				     &ntlm_state->challenge,
+				     &ntlm_state->lm,
+				     &ntlm_state->ntlm,
+				     ntlm_state->username,
+				     ntlm_state->username,


-- 
Samba Shared Repository



More information about the samba-cvs mailing list