[Samba] Can login with a bogus username which ends with a "/" or a "\"
Tompkins, Michael
Michael.Tompkins at xerox.com
Mon Feb 2 09:19:03 MST 2015
We have noticed that if a username that ends in a "\" or a "/" tries to log in, then the workspace becomes the user name (up to the "/" or "\") and the username is then empty, allowing a bogus user to authenticate and calling cli_session_setup_guest() to log in anonymously. This is done in cli_session_setup():

    /* allow for workgroups as part of the username */
    if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
        (p=strchr_m(user2,*lp_winbind_separator()))) {
        *p = 0;
        user = p+1;
        if (!strupper_m(user2)) {
            return NT_STATUS_INVALID_PARAMETER;
        }
        workgroup = user2;
    }

I'm guessing that this was intended for a "WORKSPACE/USERNAME" construct and not for just "USERNAME/". We use smbclient to authenticate users for access to services on our machine, so letting bogus users log on is not a good thing.
In popt_common_credentials_callback() I added the code:
case 'U':
{
char *lp;
char *puser = SMB_STRDUP(arg);
if ((lp=strchr_m(puser,'%'))) {
size_t len;
*lp = 0;
len = strlen(puser)-1; // +++ added code
if ( (*(puser+len) == '\\') || (*(puser+len) == '/') ) // +++ added code
*(puser+len) = 0; // +++ added code
set_cmdline_auth_info_username(auth_info,
puser);
set_cmdline_auth_info_password(auth_info,
lp+1);
len = strlen(lp+1);
memset(strchr_m(arg,'%')+1,'X',len);
} else {
set_cmdline_auth_info_username(auth_info,
puser);
}
SAFE_FREE(puser);
}
break;
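
Review bot: in the '%' branch, "len = strlen(puser)-1" wraps around when the name before '%' is empty, so "*(puser+len)" then reads outside the buffer; check that strlen(puser) is non-zero before indexing. The trailing-separator strip also sits only inside the '%' branch: the else branch still passes puser unchanged to set_cmdline_auth_info_username(), so a "USERNAME/" given without a password is not covered. Doing the check once, before the "if ((lp=strchr_m(puser,'%')))" test, would cover both paths, and rejecting the name rather than silently trimming it would avoid treating "bogus/" as "bogus".
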
Are there use cases which we aren't thinking of, or does this modification make sense? Please let us know.
Regards,
Mike
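
Added example, not part of the original post and not Samba code: a stand-alone C version of the split quoted above, showing the empty user part that a trailing separator leaves behind, next to a hypothetical split_checked() wrapper that rejects it. It assumes plain strchr() and toupper() in place of strchr_m() and strupper_m(), leaves out the winbind separator, and uses constructed sample names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example (not Samba's NTSTATUS). */
enum split_status { SPLIT_OK = 0, SPLIT_EMPTY_USER = -1 };

/* Split "WORKGROUP\user" or "WORKGROUP/user" in place, as the quoted
 * fragment does. buf is modified; *workgroup and *user point into it. */
static void split_like_quoted(char *buf, const char **workgroup,
                              const char **user)
{
    char *p;

    *workgroup = "";
    *user = buf;
    if ((p = strchr(buf, '\\')) || (p = strchr(buf, '/'))) {
        *p = '\0';
        *user = p + 1;      /* "bogus/" leaves this pointing at "" */
        for (char *c = buf; *c; c++)
            *c = (char)toupper((unsigned char)*c);
        *workgroup = buf;
    }
}

/* Hypothetical stricter wrapper: refuse any name whose user part is
 * empty, so "bogus/" is rejected instead of continuing with a blank user. */
static enum split_status split_checked(char *buf, const char **workgroup,
                                       const char **user)
{
    split_like_quoted(buf, workgroup, user);
    return (*user)[0] == '\0' ? SPLIT_EMPTY_USER : SPLIT_OK;
}

int main(void)
{
    /* Constructed sample names. */
    char samples[][16] = { "corp\\alice", "bogus/", "bogus\\", "alice" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *wg, *u;
        int rc = split_checked(samples[i], &wg, &u);
        printf("workgroup=\"%s\" user=\"%s\" -> %s\n", wg, u,
               rc == SPLIT_OK ? "accept" : "reject");
    }
    return 0;
}
```
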