From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 22 Feb 2018 11:54:45 +1300
Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set
with_cmocka flag
We have cmocka in third_party, so we are never without it.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
by Andrew Bartlett)
---
selftest/tests.py | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/selftest/tests.py b/selftest/tests.py
index 126e1184230..3f5097b680c 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -38,7 +38,6 @@ finally:
f.close()
have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
-with_cmocka = ("HAVE_CMOCKA" in config_hash)
with_pam = ("WITH_PAM" in config_hash)
pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
@@ -168,13 +167,12 @@ if with_pam:
valgrindify(python), pam_wrapper_so_path,
"$DOMAIN", "alice", "Secret007"])
-if with_cmocka:
- plantestsuite("samba.unittests.krb5samba", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
- plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
- plantestsuite("samba.unittests.lib_util_modules", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
+plantestsuite("samba.unittests.krb5samba", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
+plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
+plantestsuite("samba.unittests.lib_util_modules", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
- plantestsuite("samba.unittests.smb1cli_session", "none",
- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.smb1cli_session", "none",
+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
--
2.14.4
From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 27 Jul 2018 08:44:24 +1200
Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for
ntlm_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++
libcli/auth/wscript_build | 13 ++
selftest/knownfail.d/ntlm | 2 +
selftest/tests.py | 2 +
4 files changed, 430 insertions(+)
create mode 100644 libcli/auth/tests/ntlm_check.c
create mode 100644 selftest/knownfail.d/ntlm
diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
new file mode 100644
index 00000000000..e87a0a276d4
--- /dev/null
+++ b/libcli/auth/tests/ntlm_check.c
@@ -0,0 +1,413 @@
+/*
+ * Unit tests for the ntlm_check password hash check library.
+ *
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ *
+ */
+
+/*
+ * Note that the messaging routines (audit_message_send and get_event_server)
+ * are not tested by these unit tests. Currently they are for integration
+ * test support, and as such are exercised by the integration tests.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "../lib/crypto/crypto.h"
+#include "librpc/gen_ndr/netlogon.h"
+#include "libcli/auth/libcli_auth.h"
+#include "auth/credentials/credentials.h"
+
+struct ntlm_state {
+ const char *username;
+ const char *domain;
+ DATA_BLOB challenge;
+ DATA_BLOB ntlm;
+ DATA_BLOB lm;
+ DATA_BLOB ntlm_key;
+ DATA_BLOB lm_key;
+ const struct samr_Password *nt_hash;
+};
+
+static int test_ntlm_setup_with_options(void **state,
+ int flags, bool upn)
+{
+ NTSTATUS status;
+ DATA_BLOB challenge = {
+ .data = discard_const_p(uint8_t, "I am a teapot"),
+ .length = 8
+ };
+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
+ NULL,
+ "serverdom");
+ struct cli_credentials *creds = cli_credentials_init(ntlm_state);
+ cli_credentials_set_username(creds,
+ "testuser",
+ CRED_SPECIFIED);
+ cli_credentials_set_domain(creds,
+ "testdom",
+ CRED_SPECIFIED);
+ cli_credentials_set_workstation(creds,
+ "testwksta",
+ CRED_SPECIFIED);
+ cli_credentials_set_password(creds,
+ "testpass",
+ CRED_SPECIFIED);
+
+ if (upn) {
+ cli_credentials_set_principal(creds,
+ "testuser@samba.org",
+ CRED_SPECIFIED);
+ }
+
+ cli_credentials_get_ntlm_username_domain(creds,
+ ntlm_state,
+ &ntlm_state->username,
+ &ntlm_state->domain);
+
+ status = cli_credentials_get_ntlm_response(creds,
+ ntlm_state,
+ &flags,
+ challenge,
+ NULL,
+ target_info,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ &ntlm_state->lm_key,
+ &ntlm_state->ntlm_key);
+ ntlm_state->challenge = challenge;
+
+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
+ ntlm_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+ }
+
+ *state = ntlm_state;
+ return 0;
+}
+
+static int test_ntlm_setup(void **state) {
+ return test_ntlm_setup_with_options(state, 0, false);
+}
+
+static int test_ntlm_and_lm_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_LANMAN_AUTH,
+ false);
+}
+
+static int test_ntlm2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLM2,
+ false);
+}
+
+static int test_ntlmv2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLMv2_AUTH,
+ false);
+}
+
+static int test_ntlm_teardown(void **state)
+{
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ TALLOC_FREE(ntlm_state);
+ *state = NULL;
+ return 0;
+}
+
+static void test_ntlm_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_allowed_lm_supplied(void **state)
+{
+ return test_ntlm_allowed(state);
+}
+
+static void test_ntlm_disabled(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_DISABLED,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
+}
+
+static void test_ntlm2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ /*
+ * NTLM2 session security (where the real challenge is the
+ * MD5(challenge, client-challenge) (in the first 8 bytes of
+ * the lm) isn't decoded by ntlm_password_check(), it must
+ * first be converted back into normal NTLM by the NTLMSSP
+ * layer
+ */
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlm_mschapv2_only_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ MSV1_0_ALLOW_MSVCHAPV2,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_mschapv2_only_denied(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlmv2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlmv2_only_ntlm(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlm_and_lanman(void **state)
+{
+ return test_ntlmv2_only_ntlm(state);
+}
+
+static void test_ntlmv2_only_ntlm_once(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &data_blob_null,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+int main(int argc, const char **argv)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_disabled,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm2,
+ test_ntlm2_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,
+ test_ntlmv2_setup,
+ test_ntlm_teardown)
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 475b7d69406..d319d9b879e 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
source='spnego_parse.c',
deps='asn1util')
+
+bld.SAMBA_BINARY(
+ 'test_ntlm_check',
+ source='tests/ntlm_check.c',
+ deps='''
+ NTLM_CHECK
+ CREDENTIALS_NTLM
+ samba-credentials
+ cmocka
+ talloc
+ ''',
+ install=False
+ )
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
new file mode 100644
index 00000000000..c6e6a3739ba
--- /dev/null
+++ b/selftest/knownfail.d/ntlm
@@ -0,0 +1,2 @@
+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
diff --git a/selftest/tests.py b/selftest/tests.py
index 3f5097b680c..dc6486c13f8 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
plantestsuite("samba.unittests.smb1cli_session", "none",
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.ntlm_check", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
--
2.14.4
From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:36:05 +0100
Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in
hash_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 3b02adc1d48..1c6499bd210 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
const struct samr_Password *stored_nt)
{
if (stored_nt == NULL) {
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
username));
}
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
} else if (client_lanman && stored_lanman) {
if (!lanman_auth) {
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
--
2.14.4
From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:35:01 +0100
Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in
ntlm_password_check().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/utils/ntlm_auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 3f544902a24..8f77680416f 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
*pauthoritative = 1;
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true, NTLM_AUTH_ON, 0,
&auth4_context->challenge.data,
&user_info->password.response.lanman,
&user_info->password.response.nt,
@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true,
+ NTLM_AUTH_ON,
+ 0,
&challenge,
&lm_response,
&nt_response,
--
2.14.4
From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 16 Mar 2018 17:25:12 +0100
Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used
via SMB1 when it is disabled.
Right now, this test will succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/selftest/tests.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 9092c1776c8..034c014e5b8 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:
for env in ["nt4_member", "ad_member"]:
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
--
2.14.4
From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 13 Mar 2018 16:56:20 +0100
Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1
when it is disabled via "ntlm auth".
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
Found by Vivek Das <vdas@redhat.com> (Red Hat QE).
In order to demonstrate simply run:
smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no
against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 2 +-
selftest/knownfail | 3 ++-
selftest/knownfail.d/ntlm | 2 --
3 files changed, 3 insertions(+), 4 deletions(-)
delete mode 100644 selftest/knownfail.d/ntlm
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 1c6499bd210..b68e9c87888 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- I think this is related to Win9X pass-though authentication
*/
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
- if (ntlm_auth) {
+ if (ntlm_auth == NTLM_AUTH_ON) {
if (smb_pwd_check_ntlmv1(mem_ctx,
lm_response,
stored_nt->hash, challenge,
diff --git a/selftest/knownfail b/selftest/knownfail
index ba16fd72290..84776d4f35d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -303,8 +303,9 @@
^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
# fl2000dc doesn't support AES
^samba4.krb5.kdc.*as-req-aes.*fl2000dc
-# nt4_member and ad_member don't support ntlmv1
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
#nt-vfs server blocks read with execute access
^samba4.smb2.read.access
#ntvfs server blocks copychunk with execute access on read handle
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
deleted file mode 100644
index c6e6a3739ba..00000000000
--- a/selftest/knownfail.d/ntlm
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
--
2.14.4