From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 1 Dec 2015 08:46:45 +0100
Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use ntlmssp_state->allow_lm_key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/libsmb/ntlmssp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 1de6189..20a5987 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -530,7 +530,8 @@ noccache:
 DEBUG(3, ("Got challenge flags:\n"));
 debug_ntlmssp_flags(chal_flags);
- ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
+ ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
+ ntlmssp_state->allow_lm_key);
 if (ntlmssp_state->unicode) {
 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
@@ -769,6 +770,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
 ntlmssp_state->unicode = True;
 ntlmssp_state->use_ntlmv2 = use_ntlmv2;
+ ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
 ntlmssp_state->expected_state = NTLMSSP_INITIAL;
-- 
2.8.1
From a701bc5f8a76584a2e0680b2c3dd9afb77f12430 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 11 Dec 2015 14:50:23 +0100
Subject: [PATCH 02/10] CVE-2016-2110: s3:ntlmssp: add ntlmssp3_handle_neg_flags()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a copy of ntlmssp_handle_neg_flags(), which will be changed in an incompatible way in the following commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/libsmb/ntlmssp.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 56 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 20a5987..ad09f9f 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -422,6 +422,60 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 }
+static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ uint32_t neg_flags, bool allow_lm)
+{
+ if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = true;
+ } else {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = false;
+ }
+
+ if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
+ /* other end forcing us to use LM */
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+ ntlmssp_state->use_ntlmv2 = false;
+ } else {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
+ if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+ }
+
+ if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ }
+
+ if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
+ }
+
+ if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
+ }
+
+ if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
+ }
+
+ if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ }
+
+ if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+
+ if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
+ ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+ }
+}
+
 /**
 * Next state function for the Challenge Packet. Generate an auth packet.
 *
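Review bot: The new static ntlmssp3_handle_neg_flags() carries no header comment, so a reader of the file alone cannot tell why it exists next to the near-identical ntlmssp_handle_neg_flags() or how the two are meant to diverge; the commit message has that information but the code does not. I would add above the definition: `/* Client-side copy of ntlmssp_handle_neg_flags(): applies the server's challenge flags to ntlmssp_state->neg_flags, clearing bits the server did not send (UNICODE/OEM, LM_KEY and REQUEST_TARGET are the only ones it can set). */`. The LM_KEY branch is also the only place where the function changes something other than neg_flags and unicode — it flips use_ntlmv2 off when allow_lm is set — which deserves a line in that comment since allow_lm comes from configuration rather than from the peer.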
@@ -530,8 +584,8 @@ noccache:
 DEBUG(3, ("Got challenge flags:\n"));
 debug_ntlmssp_flags(chal_flags);
- ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
- ntlmssp_state->allow_lm_key);
+ ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
+ ntlmssp_state->allow_lm_key);
 if (ntlmssp_state->unicode) {
 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
-- 
2.8.1
From 92b2f5315d135b7b83a3ae106b43d18181be2f02 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 31 Mar 2016 12:39:50 +0200
Subject: [PATCH 03/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_handle_neg_flags() return NTSTATUS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In future we can do a more fine granted negotiation and assert specific security features.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/libsmb/ntlmssp.c | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index ad09f9f..81a85ce 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -422,10 +422,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 }
-static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
- uint32_t neg_flags, bool allow_lm)
+static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ uint32_t flags)
 {
- if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
+ if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
 ntlmssp_state->unicode = true;
@@ -435,7 +435,7 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 ntlmssp_state->unicode = false;
 }
- if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
+ if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
 /* other end forcing us to use LM */
 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
 ntlmssp_state->use_ntlmv2 = false;
@@ -443,37 +443,39 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
 }
- if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
 }
- if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+ if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
 }
- if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
+ if (!(flags & NTLMSSP_NEGOTIATE_128)) {
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
 }
- if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
+ if (!(flags & NTLMSSP_NEGOTIATE_56)) {
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
 }
- if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+ if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
 }
- if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+ if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
 }
- if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
+ if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
 }
- if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
+ if ((flags & NTLMSSP_REQUEST_TARGET)) {
 ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
 }
+
+ return NT_STATUS_OK;
 }
 /**
@@ -584,8 +586,11 @@ noccache:
 DEBUG(3, ("Got challenge flags:\n"));
 debug_ntlmssp_flags(chal_flags);
- ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
- ntlmssp_state->allow_lm_key);
+ nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
 if (ntlmssp_state->unicode) {
 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
-- 
2.8.1
From a239a337e3c0081af1a41aaac8957bb1aa0771f8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 1 Dec 2015 15:01:09 +0100
Subject: [PATCH 04/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
man smb.conf says "client ntlmv2 auth = yes" the default disables, "client lanman auth = yes": ... Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted. ...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/libsmb/ntlmssp.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 81a85ce..23a5e5d 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -841,6 +841,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
 NTLMSSP_NEGOTIATE_KEY_EXCH |
 NTLMSSP_REQUEST_TARGET;
+ if (ntlmssp_state->use_ntlmv2) {
+ ntlmssp_state->allow_lm_key = false;
+ }
+
 ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
 if (!ntlmssp_state->client.netbios_name) {
 talloc_free(ntlmssp_state);
-- 
2.8.1
From e11dc9aa90420947f9fc82365b55ecb08353451c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 31 Mar 2016 12:59:05 +0200
Subject: [PATCH 05/10] CVE-2016-2110: s3:ntlmssp: maintain a required_flags variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We now give an error when required flags are missing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 libcli/auth/ntlmssp.h | 1 +
 source3/libsmb/ntlmssp.c | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h
index 495d94f..88a049b 100644
--- a/libcli/auth/ntlmssp.h
+++ b/libcli/auth/ntlmssp.h
@@ -83,6 +83,7 @@ struct ntlmssp_state
 DATA_BLOB nt_resp;
 DATA_BLOB session_key;
+ uint32_t required_flags;
 uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
 /**
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 23a5e5d..48d7d45 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -425,6 +425,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
 static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 uint32_t flags)
 {
+ uint32_t missing_flags = ntlmssp_state->required_flags;
+
 if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
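Review bot: `uint32_t required_flags;` is added to struct ntlmssp_state without a comment, while the neighbouring `neg_flags` member documents its role; the field's contract is only discoverable from the check in ntlmssp.c. Suggest `uint32_t required_flags; /* flags that must still be present in neg_flags after the server's challenge has been applied; a missing one is treated as a downgrade and fails the handshake */`. Nothing in this patch initialises the new member, so it presumably relies on the state being zero-allocated in ntlmssp_client_start (outside the hunk) — worth confirming, since a stale value here would turn into spurious downgrade errors.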
@@ -475,6 +477,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
 }
+ missing_flags &= ~ntlmssp_state->neg_flags;
+ if (missing_flags != 0) {
+ NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
+ DEBUG(1, ("%s: Got challenge flags[0x%08x] "
+ "- possible downgrade detected! "
+ "missing_flags[0x%08x] - %s\n",
+ __func__,
+ (unsigned)flags,
+ (unsigned)missing_flags,
+ nt_errstr(status)));
+ debug_ntlmssp_flags(missing_flags);
+ DEBUGADD(4, ("neg_flags[0x%08x]\n",
+ (unsigned)ntlmssp_state->neg_flags));
+ debug_ntlmssp_flags(ntlmssp_state->neg_flags);
+
+ return status;
+ }
+
 return NT_STATUS_OK;
 }
-- 
2.8.1
From 06ca5b7655e577ff6e2d5817cf221c05f9bb5c86 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 31 Mar 2016 13:03:24 +0200
Subject: [PATCH 06/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
man smb.conf says "client ntlmv2 auth = yes" the default disables, "client lanman auth = yes": ... Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted. ...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/libsmb/ntlmssp.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 48d7d45..bf40404 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -388,6 +388,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
 if (ntlmssp_state->use_ntlmv2) {
 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->allow_lm_key = false;
 }
 /* generate the ntlmssp negotiate packet */
-- 
2.8.1
From f99d4469a8b09dd93eb7124f2814e15869915671 Mon Sep 17 00:00:00 2001
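Review bot: The `missing_flags &= ~ntlmssp_state->neg_flags;` check can only ever succeed for required bits that were already present in neg_flags before the challenge, because this function never sets a bit other than UNICODE/OEM, LM_KEY and REQUEST_TARGET; a required bit that was never offered trips the same "possible downgrade detected" message on every handshake, which would mislead whoever reads the level-1 log. That invariant is not stated anywhere, so I would put it at the check: `/* required_flags must be a subset of the flags we offered: this function only clears bits, so an unoffered required bit always fails here. */`. Within this patch nothing sets required_flags yet (the diffstat shows only the header field and these lines), so the check is dormant until a caller populates it. ntlmssp3_handle_neg_flags() starts outside the hunk.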
From: Andreas Schneider
Date: Mon, 11 Apr 2016 16:18:44 +0200
Subject: [PATCH 07/10] CVE-2016-2110: auth/ntlmssp: don't let ntlmssp3_handle_neg_flags() change ntlmssp_state->use_ntlmv2
ntlmssp_handle_neg_flags() can only disable flags, but not set them. All supported flags are set at start time.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Andreas Schneider
Reviewed-by: Guenther Deschner
---
 source3/libsmb/ntlmssp.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index bf40404..7b17a43 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -391,6 +391,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
 ntlmssp_state->allow_lm_key = false;
 }
+ if (ntlmssp_state->allow_lm_key) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
 /* generate the ntlmssp negotiate packet */
 status = msrpc_gen(ntlmssp_state, next_request, "CddAA", "NTLMSSP",
@@ -438,20 +442,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 ntlmssp_state->unicode = false;
 }
- if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
- /* other end forcing us to use LM */
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
- ntlmssp_state->use_ntlmv2 = false;
- } else {
+ /*
+ * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+ * has priority over NTLMSSP_NEGOTIATE_LM_KEY
+ */
+ if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ }
+
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
 }
- if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
- ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+ if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
 }
- if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
- ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
 }
 if (!(flags & NTLMSSP_NEGOTIATE_128)) {
-- 
2.8.1
From 71dda1c57c36a9816af7873f169306a766e0284a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 31 Mar 2016 14:21:12 +0200
Subject: [PATCH 08/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/libsmb/ntlmssp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 7b17a43..d5c83fd 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
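Review bot: After this hunk the LM_KEY bit survives only when the client offered it (the first hunk of this patch adds it to neg_flags in ntlmssp_client_initial, gated on allow_lm_key), the server echoed it, and NTLM2 was not negotiated; that gating is no longer visible in this function, and the `if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY))` block reads as if LM_KEY could be negotiated unconditionally. I would extend the new block comment with: `* LM_KEY is only ever offered when allow_lm_key is set (see ntlmssp_client_initial); here it can only be dropped, never added.`. Removing `ntlmssp_state->use_ntlmv2 = false;` means a server asking for LM_KEY can no longer move the client off NTLMv2, which matches the commit message. ntlmssp3_handle_neg_flags() starts and ends outside the hunk.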
@@ -387,7 +387,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
 }
 if (ntlmssp_state->use_ntlmv2) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
 ntlmssp_state->allow_lm_key = false;
 }
-- 
2.8.1
From 911e171bd6fc66e2960cbcdf8c48f2f97d19313b Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 31 Mar 2016 14:30:05 +0200
Subject: [PATCH 09/10] CVE-2016-2110: s3:ntlmssp: Change want_fetures to require flags
Pair-Programmed-With: Ralph Boehme
Signed-off-by: Andreas Schneider
Signed-off-by: Ralph Boehme
---
 source3/libsmb/ntlmssp.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index d5c83fd..309175b 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *featur
 * also add NTLMSSP_NEGOTIATE_SEAL here. JRA. */
 if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 }
 if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 }
 if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 }
 if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
 ntlmssp_state->use_ccache = true;
 }
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
 }
 /**
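Review bot: The replacement line only adds NTLMSSP_NEGOTIATE_NTLM2 to required_flags and no longer sets it in neg_flags; because ntlmssp3_handle_neg_flags() only clears bits and then compares required_flags against neg_flags, this works only if NTLM2 is already part of the initial neg_flags assigned in ntlmssp_client_start (outside this hunk and not visible here). If it is not, every NTLMv2 handshake would fail with the downgrade error rather than succeed. Adding `ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;` before the negotiate packet is generated would make the hunk self-sufficient, mirroring what the want_feature functions do in the next patch.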
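Review bot: In ntlmssp_want_feature_list() the NTLMSSP_FEATURE_SEAL branch now requires only NTLMSSP_NEGOTIATE_SEAL, whereas the parallel ntlmssp_want_feature() in the next hunk requires both NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL for the same feature. Unless the asymmetry is intended, the list variant should gain `ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;` in its SEAL branch so that a challenge which keeps SEAL but drops SIGN is rejected on both code paths. As a style point, the `in_list(...)` calls mix `True` and `true` and one `if(` lacks a space; since these lines are being touched anyway, settling on one spelling would be tidier.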
@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
 {
 /* As per JRA's comment above */
 if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 }
 if (feature & NTLMSSP_FEATURE_SIGN) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 }
 if (feature & NTLMSSP_FEATURE_SEAL) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 }
 if (feature & NTLMSSP_FEATURE_CCACHE) {
 ntlmssp_state->use_ccache = true;
 }
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
 }
 /**
-- 
2.8.1
From a95a44eff90cdbd42d683567e0d511e9d52026ad Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 31 Mar 2016 15:02:11 +0200
Subject: [PATCH 10/10] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the ntlmssp creds cache case
Pair-Programmed-With: Ralph Boehme
Signed-off-by: Andreas Schneider
Signed-off-by: Ralph Boehme
---
 source3/libsmb/ntlmssp.c | 42 ++++++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 22 deletions(-)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 309175b..045dc87 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -538,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
 DATA_BLOB encrypted_session_key = data_blob_null;
 NTSTATUS nt_status = NT_STATUS_OK;
+ if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
+ "NTLMSSP",
+ &ntlmssp_command,
+ &server_domain_blob,
+ &chal_flags)) {
+ DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
+ dump_data(2, reply.data, reply.length);
+
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ data_blob_free(&server_domain_blob);
+
+ DEBUG(3, ("Got challenge flags:\n"));
+ debug_ntlmssp_flags(chal_flags);
+
+ nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
 if (ntlmssp_state->use_ccache) {
 struct wbcCredentialCacheParams params;
 struct wbcCredentialCacheInfo *info = NULL;
@@ -588,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
 noccache:
- if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
- "NTLMSSP",
- &ntlmssp_command,
- &server_domain_blob,
- &chal_flags)) {
- DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
- dump_data(2, reply.data, reply.length);
-
- return NT_STATUS_INVALID_PARAMETER;
- }
-
 if (DEBUGLEVEL >= 10) {
 struct CHALLENGE_MESSAGE *challenge = talloc(
 talloc_tos(), struct CHALLENGE_MESSAGE);
@@ -615,17 +624,6 @@ noccache:
 }
 }
- data_blob_free(&server_domain_blob);
-
- DEBUG(3, ("Got challenge flags:\n"));
- debug_ntlmssp_flags(chal_flags);
-
- nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
-
 if (ntlmssp_state->unicode) {
 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
 chal_parse_string = "CdUdbddB";
-- 
2.8.1
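Review bot: Moving the msrpc_parse() call and the ntlmssp3_handle_neg_flags() check ahead of the `use_ccache` branch is the substance of the fix, but nothing in the code says why the ordering matters, so a later cleanup could move it back below `noccache:` and silently reopen the gap. I would add above the parse call: `/* Parse and validate the challenge flags before either credential path, so the downgrade check also covers the winbind credential-cache case. */`. `data_blob_free(&server_domain_blob);` now runs before the `DEBUGLEVEL >= 10` block; that block appears to work on `reply` rather than `server_domain_blob`, but its body lies outside the hunk, so it is worth a glance. The second and third hunks are pure removals of the relocated code, and ntlmssp_client_challenge() starts before and ends after what is shown here.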