From 4aa6b11d64a0a8133ef39a7e626f289f769e9415 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 5 Nov 2016 21:22:46 +0100 Subject: [PATCH 1/5] CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995 Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding this vulnerability with a PoC and a good analysis. Signed-off-by: Volker Lendecke Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409 --- librpc/ndr/ndr_dnsp.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c index 3cb96f9..0541261 100644 --- a/librpc/ndr/ndr_dnsp.c +++ b/librpc/ndr/ndr_dnsp.c @@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag uint8_t sublen, newlen; NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen)); newlen = total_len + sublen; + if (newlen < total_len) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, + "Failed to pull dnsp_name"); + } if (i != count-1) { + if (newlen == UINT8_MAX) { + return ndr_pull_error( + ndr, NDR_ERR_RANGE, + "Failed to pull dnsp_name"); + } newlen++; /* for the '.' */ } ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen); -- 1.9.1 From 0f1b36b7d5514f8d16c60ebcd5c59753113b4334 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Nov 2016 11:41:10 +0100 Subject: [PATCH 2/5] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss This is just an example script that's not directly used by samba, but we should avoid sending delegated credentials to dns servers. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Reviewed-by: Simo Sorce --- source4/scripting/bin/nsupdate-gss | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss index dec5916..509220d 100755 --- a/source4/scripting/bin/nsupdate-gss +++ b/source4/scripting/bin/nsupdate-gss @@ -178,7 +178,7 @@ sub negotiate_tkey($$$$) my $flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | - GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG; + GSS_C_INTEG_FLAG; $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE, -- 1.9.1 From 07ef0f6ce0fb9d9735710ab79c2ee91d7a72a974 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Nov 2016 11:42:59 +0100 Subject: [PATCH 3/5] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG We should only use GSS_C_DELEG_POLICY_FLAG in order to let the KDC decide if we should send delegated credentials to a remote server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Reviewed-by: Simo Sorce --- source3/librpc/crypto/gse.c | 1 - 1 file changed, 1 deletion(-) diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index 963c98a..c4c4bbc 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc)); gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG | - GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; -- 1.9.1 From 58586ceae7fe628453e6bffdc463d4309ced15fb Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Nov 2016 11:44:22 +0100 Subject: [PATCH 4/5] CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default This disabled the usage of GSS_C_DELEG_FLAG by default, as GSS_C_DELEG_POLICY_FLAG is still used by default we let the KDC decide if we should send delegated credentials to a remote server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Reviewed-by: Simo Sorce --- source4/auth/gensec/gensec_gssapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index e0b2bf2..e2994f6 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) { gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG; } - if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) { gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG; } if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) { -- 1.9.1 From ce31a69a32d2bd6975006e428afe4584f6b7bc43 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 22 Nov 2016 17:08:46 +0100 Subject: [PATCH 5/5] CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum() aes based checksums can only be checked with the corresponding aes based keytype. Otherwise we may trigger an undefined code path deep in the kerberos libraries, which can leed to segmentation faults. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446 Signed-off-by: Stefan Metzmacher --- auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index 32d9d7f..7b6efdc 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, krb5_boolean checksum_valid = false; krb5_data input; + switch (sig->type) { + case CKSUMTYPE_HMAC_MD5: + /* ignores the key type */ + break; + case CKSUMTYPE_HMAC_SHA1_96_AES_256: + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { + return EINVAL; + } + /* ok */ + break; + case CKSUMTYPE_HMAC_SHA1_96_AES_128: + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { + return EINVAL; + } + /* ok */ + break; + default: + DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n", + (int)sig->type)); + return EINVAL; + } + #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */ cksum.cksumtype = (krb5_cksumtype)sig->type; cksum.checksum.length = sig->signature.length; -- 1.9.1