rpms / samba

Clone
Source Code
GIT

Files

  1.   9cd16fb96394f5f260cf8605ff659e31fd8cbb89
  2.   SOURCES
  3.   CVE-2016-2119-v4-4.patch
Blob Blame History Raw 
From 3f8b6a3c56ec188d662767027703999faf14e71f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 20 Apr 2016 11:26:57 +0200
Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if
 we require signing

Note real anonymous sessions (with "" as username) don't hit this
as we don't even call smb2cli_session_set_session_key() in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 libcli/smb/smbXcli_base.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 4332374..691b8ff 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5312,6 +5312,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
 		return false;
 	}
 
+	if (session->conn->mandatory_signing) {
+		return false;
+	}
+
 	if (session->conn->protocol >= PROTOCOL_SMB2_02) {
 		if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
 			return true;
@@ -5571,7 +5575,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 					 const struct iovec *recv_iov)
 {
 	struct smbXcli_conn *conn = session->conn;
-	uint16_t no_sign_flags;
+	uint16_t no_sign_flags = 0;
 	uint8_t session_key[16];
 	bool check_signature = true;
 	uint32_t hdr_flags;
@@ -5596,7 +5600,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 		return NT_STATUS_INVALID_PARAMETER_MIX;
 	}
 
-	no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
+	if (!conn->mandatory_signing) {
+		/*
+		 * only allow guest sessions without
+		 * mandatory signing.
+		 *
+		 * If we try an authentication with username != ""
+		 * and the server let us in without verifying the
+		 * password we don't have a negotiated session key
+		 * for signing.
+		 */
+		no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
+	}
 
 	if (session->smb2->session_flags & no_sign_flags) {
 		session->smb2->should_sign = false;
-- 
1.9.1


From 11db8ea97ddb3cf9fde48dbe5df14a71ebc308db Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 28 Apr 2016 02:36:35 +0200
Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding
 smbXcli_session_is_guest() with mandatory signing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/libsmb/cliconnect.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index ea92c8f..ebba8f2 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1588,6 +1588,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
 			 * have a negotiated session key.
 			 *
 			 * So just pretend we are completely done.
+			 *
+			 * Note that smbXcli_session_is_guest()
+			 * always returns false if we require signing.
 			 */
 			state->blob_in = data_blob_null;
 			state->local_ready = true;
-- 
1.9.1


From 28ed026b9486fb248daf713655ea307c478d2832 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 28 Apr 2016 02:24:52 +0200
Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for
 guest logins and mandatory signing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/script/tests/test_smbclient_ntlm.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh
index b8fc564..33a927f 100755
--- a/source3/script/tests/test_smbclient_ntlm.sh
+++ b/source3/script/tests/test_smbclient_ntlm.sh
@@ -37,4 +37,8 @@ else
 
 	testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
 	testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
+
+	testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
+	testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
+	testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
 fi
-- 
1.9.1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation