From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 29 Aug 2017 17:06:21 +0200

Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed

 username into a specified one

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>

---

 source3/include/auth_info.h |  1 +

 source3/lib/popt_common.c   |  6 +-----

 source3/lib/util_cmdline.c  | 29 +++++++++++++++++++++++++++++

 3 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h

index c6f71ad..8212c27 100644

--- a/source3/include/auth_info.h

+++ b/source3/include/auth_info.h

@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,

 const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);

 void set_cmdline_auth_info_username(struct user_auth_info *auth_info,

 				    const char *username);

+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);

 const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);

 void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,

 				  const char *domain);

diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c

index 9928c70..36b5e92 100644

--- a/source3/lib/popt_common.c

+++ b/source3/lib/popt_common.c

@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)

 void popt_common_credentials_post(void)

 {

 	struct user_auth_info *auth_info = cmdline_auth_info;

-	const char *username = NULL;

 	if (get_cmdline_auth_info_use_machine_account(auth_info) &&

 	    !set_cmdline_auth_info_machine_account_creds(auth_info))

@@ -259,10 +258,7 @@ void popt_common_credentials_post(void)

 	 * correctly parsed yet. If we have a username we need to set it again

 	 * to run the string parser for the username correctly.

 	 */

-	username = get_cmdline_auth_info_username(auth_info);

-	if (username != NULL && username[0] != '\0') {

-		set_cmdline_auth_info_username(auth_info, username);

-	}

+	reset_cmdline_auth_info_username(auth_info);

 }

 static void popt_common_credentials_callback(poptContext con,

diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c

index ad51a4f..80142e2 100644

--- a/source3/lib/util_cmdline.c

+++ b/source3/lib/util_cmdline.c

@@ -37,6 +37,7 @@

 struct user_auth_info {

 	struct cli_credentials *creds;

 	struct loadparm_context *lp_ctx;

+	bool got_username;

 	bool got_pass;

 	int signing_state;

 	bool smb_encrypt;

@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,

 	if (!ok) {

 		exit(EIO);

 	}

+	auth_info->got_username = true;

 }

 const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)

@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,

 		exit(ENOMEM);

 	}

+	auth_info->got_username = true;

 	if (strchr_m(username, '%') != NULL) {

 		auth_info->got_pass = true;

 	}

 }

+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)

+{

+	const char *username = NULL;

+	const char *new_val = NULL;

+

+	if (!auth_info->got_username) {

+		return;

+	}

+

+	username = cli_credentials_get_username(auth_info->creds);

+	if (username == NULL) {

+		return;

+	}

+	if (username[0] == '\0') {

+		return;

+	}

+

+	cli_credentials_parse_string(auth_info->creds,

+				     username,

+				     CRED_SPECIFIED);

+	new_val = cli_credentials_get_username(auth_info->creds);

+	if (new_val == NULL) {

+		exit(ENOMEM);

+	}

+}

+

 const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)

 {

 	const char *domain = NULL;

-- 

1.9.1

From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Thu, 3 Nov 2016 17:16:43 +0100

Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:

 get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED

This is an addition to the fixes for CVE-2015-5296.

It applies to smb2mount -e, smbcacls -e and smbcquotas -e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>

---

 source3/lib/util_cmdline.c | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c

index 80142e2..90ee67c 100644

--- a/source3/lib/util_cmdline.c

+++ b/source3/lib/util_cmdline.c

@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,

 int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)

 {

+	if (auth_info->smb_encrypt) {

+		return SMB_SIGNING_REQUIRED;

+	}

 	return auth_info->signing_state;

 }

-- 

1.9.1

From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Fri, 9 Dec 2016 09:26:32 +0100

Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of

 SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>

---

 source3/libsmb/pylibsmb.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c

index 59c0998..350c6d4 100644

--- a/source3/libsmb/pylibsmb.c

+++ b/source3/libsmb/pylibsmb.c

@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,

 	req = cli_full_connection_creds_send(

 		NULL, self->ev, "myname", host, NULL, 0, share, "?????",

-		cli_creds, 0, 0);

+		cli_creds, 0, SMB_SIGNING_DEFAULT);

 	if (!py_tevent_req_wait_exc(self->ev, req)) {

 		return -1;

 	}

-- 

1.9.1

From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Mon, 12 Dec 2016 05:49:46 +0100

Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED

 in gpo_connect_server()

It's important that we use a signed connection to get the GPOs!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>

---

 libgpo/gpo_fetch.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c

index 836bc23..3740d4e 100644

--- a/libgpo/gpo_fetch.c

+++ b/libgpo/gpo_fetch.c

@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,

 			ads->auth.password,

 			CLI_FULL_CONNECTION_USE_KERBEROS |

 			CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,

-			Undefined);

+			SMB_SIGNING_REQUIRED);

 	if (!NT_STATUS_IS_OK(result)) {

 		DEBUG(10,("check_refresh_gpo: "

 				"failed to connect: %s\n",

-- 

1.9.1

From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 29 Aug 2017 15:24:14 +0200

Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:

 cli_credentials_authentication_requested() should check for

 NTLM_CCACHE/SIGN/SEAL

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>

---

 auth/credentials/credentials.c | 16 ++++++++++++++++

 1 file changed, 16 insertions(+)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c

index 06648c7..5e3b5e8 100644

--- a/auth/credentials/credentials.c

+++ b/auth/credentials/credentials.c

@@ -25,6 +25,7 @@

 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */

 #include "auth/credentials/credentials.h"

 #include "auth/credentials/credentials_internal.h"

+#include "auth/gensec/gensec.h"

 #include "libcli/auth/libcli_auth.h"

 #include "tevent.h"

 #include "param/param.h"

@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre

 _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred) 

 {

+	uint32_t gensec_features = 0;

+

 	if (cred->bind_dn) {

 		return true;

 	}

@@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c

 		return true;

 	}

+	gensec_features = cli_credentials_get_gensec_features(cred);

+	if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {

+		return true;

+	}

+

+	if (gensec_features & GENSEC_FEATURE_SIGN) {

+		return true;

+	}

+

+	if (gensec_features & GENSEC_FEATURE_SEAL) {

+		return true;

+	}

+

 	return false;

 }

-- 

1.9.1

From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 29 Aug 2017 15:35:49 +0200

Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add

 smbXcli_conn_signing_mandatory()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>

---

 libcli/smb/smbXcli_base.c | 5 +++++

 libcli/smb/smbXcli_base.h | 1 +

 2 files changed, 6 insertions(+)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c

index b21d796..239e5eb 100644

--- a/libcli/smb/smbXcli_base.c

+++ b/libcli/smb/smbXcli_base.c

@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)

 	return false;

 }

+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)

+{

+	return conn->mandatory_signing;

+}

+

 void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)

 {

 	set_socket_options(conn->sock_fd, options);

diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h

index e48fc35..2594f07 100644

--- a/libcli/smb/smbXcli_base.h

+++ b/libcli/smb/smbXcli_base.h

@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);

 enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);

 bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);

+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);

 void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);

 const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);

-- 

1.9.1

From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Mon, 12 Dec 2016 06:07:56 +0100

Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if

 authentication was not requested

With forced encryption or required signing we should also don't fallback.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>

---

 source3/libsmb/clidfs.c | 16 ++++------------

 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c

index 75012b2..fdcd665 100644

--- a/source3/libsmb/clidfs.c

+++ b/source3/libsmb/clidfs.c

@@ -26,6 +26,7 @@

 #include "trans2.h"

 #include "libsmb/nmblib.h"

 #include "../libcli/smb/smbXcli_base.h"

+#include "auth/credentials/credentials.h"

 /********************************************************************

  Important point.

@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,

 	char *servicename;

 	char *sharename;

 	char *newserver, *newshare;

-	const char *username;

-	const char *password;

-	const char *domain;

 	NTSTATUS status;

 	int flags = 0;

 	int signing_state = get_cmdline_auth_info_signing_state(auth_info);

@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,

 		smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);

 	}

-	username = get_cmdline_auth_info_username(auth_info);

-	password = get_cmdline_auth_info_password(auth_info);

-	domain = get_cmdline_auth_info_domain(auth_info);

-	if ((domain == NULL) || (domain[0] == '\0')) {

-		domain = lp_workgroup();

-	}

-

 	creds = get_cmdline_auth_info_creds(auth_info);

 	status = cli_session_setup_creds(c, creds);

 	if (!NT_STATUS_IS_OK(status)) {

 		/* If a password was not supplied then

 		 * try again with a null username. */

-		if (password[0] || !username[0] ||

-			get_cmdline_auth_info_use_kerberos(auth_info) ||

+		if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||

+			cli_credentials_authentication_requested(creds) ||

+			cli_credentials_is_anonymous(creds) ||

 			!NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))

 		{

 			d_printf("session setup failed: %s\n",

-- 

1.9.1