CVE-2016-2115: why just not use "client use spnego" ?

Georgy Fedorov gfedorov at unimelb.edu.au
Fri Aug 26 11:26:30 UTC 2016


Dear All,

First of all -- I am very new to the whole Samba galaxy, so please be kind )

Regarding the subject -- I'm just curious why "client use spnego = no" 
does not act as it says in 4.3.8+: in my understanding, when it says 
"disable client spnego", it shall probably disable client spnego -- or 
at least be very specific about it at the manual page.

Please do not underestimate the number of people who can hardly guess 
what the heck "client spnego" means in regard to the server settings; 
adding extra confusion would just make things even more complicated.

Speaking of the details -- from what I gather, 4.3.6/4.3.8 change (1) 
raises the default client ipc protocol version from NT1 to something 
bigger (was 11 in my tests) and (2) launches client spnego for 
anonymous connections by default.

In our case (which is not only my case, of course -- see e.g. Ubuntu 
launchpad bug 1572876) the server does not support this and we fail to 
connect:

===

[2016/08/24 23:09:38.470680,  3, pid=47857] ../source3/libsmb/cliconnect.c:1834(cli_session_setup_spnego_send)
   Doing spnego session setup (blob length=120)
[2016/08/24 23:09:38.470777,  3, pid=47857] ../source3/libsmb/cliconnect.c:1861(cli_session_setup_spnego_send)
   got OID=1.3.6.1.4.1.311.2.2.30
   got OID=1.2.840.48018.1.2.2
   got OID=1.2.840.113554.1.2.2
   got OID=1.2.840.113554.1.2.2.3
   got OID=1.3.6.1.4.1.311.2.2.10
[2016/08/24 23:09:38.470814,  3, pid=47857] ../source3/libsmb/cliconnect.c:1871(cli_session_setup_spnego_send)
   got principal=not_defined_in_RFC4178 at please_ignore
[2016/08/24 23:09:38.472328,  3, pid=47857] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
   Got challenge flags:
[2016/08/24 23:09:38.472372,  3, pid=47857] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
   Got NTLMSSP neg_flags=0x62898215
     NTLMSSP_NEGOTIATE_UNICODE
     NTLMSSP_REQUEST_TARGET
     NTLMSSP_NEGOTIATE_SIGN
     NTLMSSP_NEGOTIATE_NTLM
     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
     NTLMSSP_TARGET_TYPE_DOMAIN
     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
     NTLMSSP_NEGOTIATE_TARGET_INFO
     NTLMSSP_NEGOTIATE_VERSION
     NTLMSSP_NEGOTIATE_128
     NTLMSSP_NEGOTIATE_KEY_EXCH
[2016/08/24 23:09:38.472465,  3, pid=47857] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
   NTLMSSP: Set final flags:
[2016/08/24 23:09:38.472483,  3, pid=47857] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
   Got NTLMSSP neg_flags=0x62008a15
     NTLMSSP_NEGOTIATE_UNICODE
     NTLMSSP_REQUEST_TARGET
     NTLMSSP_NEGOTIATE_SIGN
     NTLMSSP_NEGOTIATE_NTLM
     NTLMSSP_ANONYMOUS
     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
     NTLMSSP_NEGOTIATE_VERSION
     NTLMSSP_NEGOTIATE_128
     NTLMSSP_NEGOTIATE_KEY_EXCH
[2016/08/24 23:09:38.472531,  3, pid=47857] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
   NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/24 23:09:38.472546,  3, pid=47857] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
   Got NTLMSSP neg_flags=0x62008a15
     NTLMSSP_NEGOTIATE_UNICODE
     NTLMSSP_REQUEST_TARGET
     NTLMSSP_NEGOTIATE_SIGN
     NTLMSSP_NEGOTIATE_NTLM
     NTLMSSP_ANONYMOUS
     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
     NTLMSSP_NEGOTIATE_VERSION
     NTLMSSP_NEGOTIATE_128
     NTLMSSP_NEGOTIATE_KEY_EXCH
[2016/08/24 23:09:38.473710,  3, pid=47857] ../source3/libsmb/cliconnect.c:2213(cli_session_setup_done_spnego)
   SPNEGO login failed: The request is not supported.
[2016/08/24 23:09:38.473831,  0, pid=47857, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:184(domain_client_validate)
   domain_client_validate: Domain password server not available.

===

To my understanding, it all boils down to these two checks in 
cli_session_setup_send() (source3/libsmb/cliconnect.c):

===
        if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
                subreq = cli_session_setup_spnego_send(
                        state, ev, cli, user, pass, workgroup);
                if (tevent_req_nomem(subreq, req)) {
                        return tevent_req_post(req, ev);
                }
                tevent_req_set_callback(subreq,
                                        cli_session_setup_done_spnego,
                                        req);
                return req;
        }

        /*
         * if the server supports extended security then use SPNEGO
         * even for anonymous connections.
         */
        if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) {
                subreq = cli_session_setup_spnego_send(
                        state, ev, cli, user, pass, workgroup);
                if (tevent_req_nomem(subreq, req)) {
                        return tevent_req_post(req, ev);
                }
                tevent_req_set_callback(subreq,
                                        cli_session_setup_done_spnego,
                                        req);
                return req;
        }

===

Therefore, the suggested workaround
===
    client use spnego = no
    client ipc max protocol = NT1
===

bypasses the first check by "client ipc max protocol = NT1" and bypasses 
the second by "client use spnego = no" (CAP_EXTENDED_SECURITY is 
exactly use_spnego, as it follows from clientgen.c).

This is all nice and fine, but shouldn't it instead avoid starting 
cli_session_setup_spnego_send() at all if CAP_EXTENDED_SECURITY is not set?
Or at least somehow mention in the smb.conf manual that using "client 
use spnego = no" does not disable client negotiation?

Kind regards, George


-- 

George Fedorov
Senior Systems Specialist
Melbourne School of Engineering
The University of Melbourne, Victoria 3010, Australia
http://www.eng.unimelb.edu.au/
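A small helper for reading the kind of level-3 debug output quoted above. This is an added example for this thread, not Samba code: it decodes the `neg_flags` hex value that `debug_ntlmssp_flags()` prints into the MS-NLMP NegotiateFlags names (section 2.2.2.5 of that specification; the bit values are from there and match the names Samba prints), reports whether the client's final flags mark the session setup as anonymous, and picks up the "SPNEGO login failed" line. The sample log embedded below is constructed to mirror the excerpt in the post; the function and variable names are my own.

```python
"""Decode NTLMSSP negotiate flags from Samba client debug output.

Added example for this thread, not Samba code. Flag bit values are the
MS-NLMP NegotiateFlags definitions (section 2.2.2.5); the sample log
lines below are constructed to mirror the excerpt in the post.
"""
import re

# MS-NLMP NegotiateFlags, named as Samba's debug_ntlmssp_flags() prints them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
KNOWN_MASK = sum(NTLMSSP_FLAGS)

FLAGS_RE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)")
FAIL_RE = re.compile(r"SPNEGO login failed: (.*)")

# Constructed sample: the neg_flags and failure lines from the post's excerpt.
SAMPLE_LOG = """\
[2016/08/24 23:09:38.472372,  3, pid=47857] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2016/08/24 23:09:38.472483,  3, pid=47857] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2016/08/24 23:09:38.472546,  3, pid=47857] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2016/08/24 23:09:38.473710,  3, pid=47857] ../source3/libsmb/cliconnect.c:2213(cli_session_setup_done_spnego)
  SPNEGO login failed: The request is not supported.
"""


def decode_flags(value):
    """Return (names of the flags set in value, bits not in the MS-NLMP table)."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    return names, unknown


def analyse(log_text):
    """Summarise one SPNEGO/NTLMSSP session setup from Samba level-3 debug output.

    The first neg_flags line is what the server offered in its CHALLENGE
    ("Got challenge flags"); the last one is what the client settled on
    ("Set final flags"), so the difference shows what the client dropped.
    """
    flag_values = [int(m.group(1), 16) for m in FLAGS_RE.finditer(log_text)]
    failure = FAIL_RE.search(log_text)
    challenge = decode_flags(flag_values[0])[0] if flag_values else []
    final = decode_flags(flag_values[-1])[0] if flag_values else []
    return {
        "challenge_flags": challenge,
        "final_flags": final,
        "dropped_by_client": [f for f in challenge if f not in final],
        "anonymous": "NTLMSSP_ANONYMOUS" in final,
        "spnego_failed": failure.group(1).strip() if failure else None,
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the excerpt, the summary shows the client answering the server's challenge with NTLMSSP_ANONYMOUS set, dropping the extended-session-security, target-info and target-type bits the server offered, and the server then rejecting the SPNEGO login with "The request is not supported." That is the shape of the failure the post describes: an anonymous SPNEGO session setup the server does not accept, which is why the workaround forces the client off SPNEGO rather than fixing anything on the server.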