From c455677d43fbda512f0178a244c90591de481d51 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 5 Nov 2016 21:22:46 +0100 Subject: [PATCH 1/5] CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995 Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding this vulnerability with a PoC and a good analysis. Signed-off-by: Volker Lendecke Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409 --- librpc/ndr/ndr_dnsp.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c index ff77bc7..974ff5e 100644 --- a/librpc/ndr/ndr_dnsp.c +++ b/librpc/ndr/ndr_dnsp.c @@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag uint8_t sublen, newlen; NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen)); newlen = total_len + sublen; + if (newlen < total_len) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, + "Failed to pull dnsp_name"); + } if (i != count-1) { + if (newlen == UINT8_MAX) { + return ndr_pull_error( + ndr, NDR_ERR_RANGE, + "Failed to pull dnsp_name"); + } newlen++; /* for the '.' */ } ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen); -- 1.9.1 From f609b3cda4b6b349ec7090ff6aa1dafe31ba495d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Nov 2016 11:41:10 +0100 Subject: [PATCH 2/5] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss This is just an example script that's not directly used by samba, but we should avoid sending delegated credentials to dns servers. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Reviewed-by: Simo Sorce --- source4/scripting/bin/nsupdate-gss | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss index dec5916..509220d 100755 --- a/source4/scripting/bin/nsupdate-gss +++ b/source4/scripting/bin/nsupdate-gss @@ -178,7 +178,7 @@ sub negotiate_tkey($$$$) my $flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | - GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG; + GSS_C_INTEG_FLAG; $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE, -- 1.9.1 From ff8a94caab2b9705ef393791140380ad70291e12 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Nov 2016 11:42:59 +0100 Subject: [PATCH 3/5] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG We should only use GSS_C_DELEG_POLICY_FLAG in order to let the KDC decide if we should send delegated credentials to a remote server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Reviewed-by: Simo Sorce --- source3/librpc/crypto/gse.c | 1 - 1 file changed, 1 deletion(-) diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index 963c98a..c4c4bbc 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc)); gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG | - GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; -- 1.9.1 From 8c31d69461cb54cb7f5d7b04fda2e52718d9990d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Nov 2016 11:44:22 +0100 Subject: [PATCH 4/5] CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default This disabled the usage of GSS_C_DELEG_FLAG by default, as GSS_C_DELEG_POLICY_FLAG is still used by default we let the KDC decide if we should send delegated credentials to a remote server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Reviewed-by: Simo Sorce --- source4/auth/gensec/gensec_gssapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index e0b2bf2..e2994f6 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) { gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG; } - if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) { gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG; } if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) { -- 1.9.1 From 913b5553bed688e9ae471de8b7d895c17f3ac6ab Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 22 Nov 2016 17:08:46 +0100 Subject: [PATCH 5/5] CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum() aes based checksums can only be checked with the corresponding aes based keytype. Otherwise we may trigger an undefined code path deep in the kerberos libraries, which can leed to segmentation faults. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446 Signed-off-by: Stefan Metzmacher --- auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index 32d9d7f..7b6efdc 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, krb5_boolean checksum_valid = false; krb5_data input; + switch (sig->type) { + case CKSUMTYPE_HMAC_MD5: + /* ignores the key type */ + break; + case CKSUMTYPE_HMAC_SHA1_96_AES_256: + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { + return EINVAL; + } + /* ok */ + break; + case CKSUMTYPE_HMAC_SHA1_96_AES_128: + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { + return EINVAL; + } + /* ok */ + break; + default: + DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n", + (int)sig->type)); + return EINVAL; + } + #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */ cksum.cksumtype = (krb5_cksumtype)sig->type; cksum.checksum.length = sig->signature.length; -- 1.9.1