From 54db478fccac0ac3b0cc63f5eacfeae23bc26d4a Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <ab@samba.org>

Date: Tue, 7 Jan 2020 19:25:53 +0200

Subject: [PATCH 1/2] s3-rpcserver: fix security level check for

 DsRGetForestTrustInformation

Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which

didn't change since DCE RPC channel refactoring.

With the current code we return RPC faul as can be seen in the logs:

2019/12/11 17:12:55.463081,  1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)

       netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation

          in: struct netr_DsRGetForestTrustInformation

              server_name              : *

                  server_name              : '\\some-dc.example.com'

              trusted_domain_name      : NULL

              flags                    : 0x00000000 (0)

[2019/12/11 17:12:55.463122,  4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)

  api_rpcTNP: fault(5) return.

This is due to this check in processing a request:

        if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)

                       && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {

                p->fault_state = DCERPC_FAULT_ACCESS_DENIED;

                return WERR_ACCESS_DENIED;

        }

and since we get AuthZ response,

  Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]

  Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]

[2019/12/11 17:12:55.461584,  4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)

  JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",

   "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},

   "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",

   "serviceDescription": "netlogon", "authType": "ncacn_np",

   "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",

   "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",

   "transportProtection": "SMB", "accountFlags": "0x00000010"}}

this means we are actually getting anonymous DCE/RPC access to netlogon

on top of authenticated SMB connection. In such case we have exactly

auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to

DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.

Update the code to follow the same security level check as in s4 variant

of the call.

Signed-off-by: Alexander Bokovoy <ab@samba.org>

---

 source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c

index cbbf9feedc7..52b17c10e61 100644

--- a/source3/rpc_server/netlogon/srv_netlog_nt.c

+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c

@@ -2451,10 +2451,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,

 {

 	NTSTATUS status;

 	struct lsa_ForestTrustInformation *info, **info_ptr;

+	enum security_user_level security_level;

-	if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)

-		       && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {

-		p->fault_state = DCERPC_FAULT_ACCESS_DENIED;

+	security_level = security_session_user_level(p->session_info, NULL);

+	if (security_level < SECURITY_USER) {

 		return WERR_ACCESS_DENIED;

 	}

-- 

2.24.1