From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 30 Mar 2016 16:55:44 +0200 Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing ntlmssp_have_feature() Signed-off-by: Andreas Schneider --- source3/include/proto.h | 1 + source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/source3/include/proto.h b/source3/include/proto.h index 32b4e3d..43008ea 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntlmssp_state *ntlmssp_state, const char *p NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ; void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list); void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature); +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature); NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state, const DATA_BLOB in, DATA_BLOB *out) ; NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx, diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c index 045dc87..7e58990 100644 --- a/source3/libsmb/ntlmssp.c +++ b/source3/libsmb/ntlmssp.c @@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *dom return NT_STATUS_OK; } +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, + uint32_t feature) +{ + if (feature & NTLMSSP_FEATURE_SIGN) { + if (ntlmssp_state->session_key.length == 0) { + return false; + } + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { + return true; + } + } + + if (feature & NTLMSSP_FEATURE_SEAL) { + if (ntlmssp_state->session_key.length == 0) { + return false; + } + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { + return true; + } + } + + if (feature & NTLMSSP_FEATURE_SESSION_KEY) { + if (ntlmssp_state->session_key.length > 0) { + return true; + } + } + + return false; +} + /** * Request features for the NTLMSSP negotiation * -- 2.8.1 From 15338742e0c7304aeecce0e8368f0dad85e8075b Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 24 Mar 2016 16:22:36 +0100 Subject: [PATCH 2/3] CVE-2016-2112: s3:libads: make sure we detect downgrade BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Pair-programmed-with: Ralph Boehme Signed-off-by: Stefan Metzmacher Signed-off-by: Ralph Boehme --- source3/libads/sasl.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index e7daa8a..6690f83 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads) /* we have a reference conter on ntlmssp_state, if we are signing then the state will be kept by the signing engine */ + if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) { + bool ok; + + ok = ntlmssp_have_feature(ntlmssp_state, + NTLMSSP_FEATURE_SEAL); + if (!ok) { + DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n")); + TALLOC_FREE(ntlmssp_state); + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); + } + + ok = ntlmssp_have_feature(ntlmssp_state, + NTLMSSP_FEATURE_SIGN); + if (!ok) { + DEBUG(0,("The ntlmssp feature signing request, but unavailable\n")); + TALLOC_FREE(ntlmssp_state); + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); + } + + } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) { + bool ok; + + ok = ntlmssp_have_feature(ntlmssp_state, + NTLMSSP_FEATURE_SIGN); + if (!ok) { + DEBUG(0,("The gensec feature signing request, but unavailable\n")); + TALLOC_FREE(ntlmssp_state); + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); + } + } + if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) { ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE; ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE; -- 2.8.1 From b020ae88f9024bcc868ed2d85879d14901db32e5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 5 Sep 2014 17:38:38 +1200 Subject: [PATCH 3/3] CVE-2016-2112: winbindd: Change value of "ldap sasl wrapping" to sign This is to disrupt MITM attacks between us and our DC BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Pair-programmed-with: Garming Sam Signed-off-by: Garming Sam Signed-off-by: Andrew Bartlett (backported from commit afe02d12f444ad9a6abf31a61f578320520263a9) --- docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 8 +++----- source3/param/loadparm.c | 2 ++ 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml index a926cec..a7c4395 100644 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml @@ -34,11 +34,9 @@ - The default value is plain which is not irritable - to KRB5 clock skew errors. That implies synchronizing the time - with the KDC in the case of using sign or - seal. + The default value is sign. That implies synchronizing the time + with the KDC in the case of using Kerberos. -plain +sign diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 7065cf6..c5249b7 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_globals) Globals.ldap_debug_level = 0; Globals.ldap_debug_threshold = 10; + Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; + /* This is what we tell the afs client. in reality we set the token * to never expire, though, when this runs out the afs client will * forget the token. Set to 0 to get NEVERDATE.*/ -- 2.8.1