From 9d65af0137f793530e3cb1786b22bd803fd6dd19 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 5 Nov 2016 21:22:46 +0100 Subject: [PATCH 1/5] CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995 Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding this vulnerability with a PoC and a good analysis. Signed-off-by: Volker Lendecke Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409 --- librpc/ndr/ndr_dnsp.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c index 3cb96f9..0541261 100644 --- a/librpc/ndr/ndr_dnsp.c +++ b/librpc/ndr/ndr_dnsp.c @@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag uint8_t sublen, newlen; NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen)); newlen = total_len + sublen; + if (newlen < total_len) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, + "Failed to pull dnsp_name"); + } if (i != count-1) { + if (newlen == UINT8_MAX) { + return ndr_pull_error( + ndr, NDR_ERR_RANGE, + "Failed to pull dnsp_name"); + } newlen++; /* for the '.' */ } ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen); -- 1.9.1 From b83897ae49fdee1fda73c10c7fe73362bfaba690 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Nov 2016 11:41:10 +0100 Subject: [PATCH 2/5] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss This is just an example script that's not directly used by samba, but we should avoid sending delegated credentials to dns servers. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Reviewed-by: Simo Sorce --- source4/scripting/bin/nsupdate-gss | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss index dec5916..509220d 100755 --- a/source4/scripting/bin/nsupdate-gss +++ b/source4/scripting/bin/nsupdate-gss @@ -178,7 +178,7 @@ sub negotiate_tkey($$$$) my $flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | - GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG; + GSS_C_INTEG_FLAG; $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE, -- 1.9.1 From b1a056f77e793efc45df34ab7bf78fbec1bf8a59 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Nov 2016 11:42:59 +0100 Subject: [PATCH 3/5] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG We should only use GSS_C_DELEG_POLICY_FLAG in order to let the KDC decide if we should send delegated credentials to a remote server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Reviewed-by: Simo Sorce --- source3/librpc/crypto/gse.c | 1 - 1 file changed, 1 deletion(-) diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index f1ebe19..9c9f55d 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc)); gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG | - GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; -- 1.9.1 From 3106964a640ddf6a3c08c634ff586a814f94dff8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Nov 2016 11:44:22 +0100 Subject: [PATCH 4/5] CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default This disabled the usage of GSS_C_DELEG_FLAG by default, as GSS_C_DELEG_POLICY_FLAG is still used by default we let the KDC decide if we should send delegated credentials to a remote server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Reviewed-by: Simo Sorce --- source4/auth/gensec/gensec_gssapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index a12447a..8823771 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -113,7 +113,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) { gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG; } - if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) { gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG; } if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) { -- 1.9.1 From 8512eed8e2fb7f16a884b659e381257745a669fd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 22 Nov 2016 17:08:46 +0100 Subject: [PATCH 5/5] CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum() aes based checksums can only be checked with the corresponding aes based keytype. Otherwise we may trigger an undefined code path deep in the kerberos libraries, which can leed to segmentation faults. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446 Signed-off-by: Stefan Metzmacher --- auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index 32d9d7f..7b6efdc 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, krb5_boolean checksum_valid = false; krb5_data input; + switch (sig->type) { + case CKSUMTYPE_HMAC_MD5: + /* ignores the key type */ + break; + case CKSUMTYPE_HMAC_SHA1_96_AES_256: + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { + return EINVAL; + } + /* ok */ + break; + case CKSUMTYPE_HMAC_SHA1_96_AES_128: + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { + return EINVAL; + } + /* ok */ + break; + default: + DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n", + (int)sig->type)); + return EINVAL; + } + #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */ cksum.cksumtype = (krb5_cksumtype)sig->type; cksum.checksum.length = sig->signature.length; -- 1.9.1