mirror of
https://abf.rosa.ru/djam/samba.git
synced 2025-02-23 17:12:48 +00:00
73 lines
2.9 KiB
Diff
73 lines
2.9 KiB
Diff
From 9b56a152b494f200f1cc2f84b8f9e421d467d1fd Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Thu, 15 Feb 2018 22:59:24 +0100
|
|
Subject: [PATCH 06/13] CVE-2018-1057: s4:dsdb/acl: check for internal controls
|
|
before other checks
|
|
|
|
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source4/dsdb/samdb/ldb_modules/acl.c | 37 ++++++++++++++++++++++--------------
|
|
1 file changed, 23 insertions(+), 14 deletions(-)
|
|
|
|
Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
|
|
===================================================================
|
|
--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c 2018-03-06 16:46:56.417406127 +0100
|
|
+++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c 2018-03-06 16:46:56.413406094 +0100
|
|
@@ -943,10 +943,33 @@ static int acl_check_password_rights(TAL
|
|
unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
|
|
struct ldb_message_element *el;
|
|
struct ldb_message *msg;
|
|
+ struct ldb_control *c = NULL;
|
|
const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
|
|
"unicodePwd", "dBCSPwd", NULL }, **l;
|
|
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
|
|
|
+ c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID);
|
|
+ if (c != NULL) {
|
|
+ /*
|
|
+ * The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
|
|
+ * have a user password change and not a set as the message
|
|
+ * looks like. In it's value blob it contains the NT and/or LM
|
|
+ * hash of the old password specified by the user. This control
|
|
+ * is used by the SAMR and "kpasswd" password change mechanisms.
|
|
+ *
|
|
+ * This control can't be used by real LDAP clients,
|
|
+ * the only caller is samdb_set_password_internal(),
|
|
+ * so we don't have to strict verification of the input.
|
|
+ */
|
|
+ ret = acl_check_extended_right(tmp_ctx,
|
|
+ sd,
|
|
+ acl_user_token(module),
|
|
+ GUID_DRS_USER_CHANGE_PASSWORD,
|
|
+ SEC_ADS_CONTROL_ACCESS,
|
|
+ sid);
|
|
+ goto checked;
|
|
+ }
|
|
+
|
|
msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
|
|
if (msg == NULL) {
|
|
return ldb_module_oom(module);
|
|
@@ -977,20 +1000,6 @@ static int acl_check_password_rights(TAL
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
- if (ldb_request_get_control(req,
|
|
- DSDB_CONTROL_PASSWORD_CHANGE_OID) != NULL) {
|
|
- /* The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
|
|
- * have a user password change and not a set as the message
|
|
- * looks like. In it's value blob it contains the NT and/or LM
|
|
- * hash of the old password specified by the user.
|
|
- * This control is used by the SAMR and "kpasswd" password
|
|
- * change mechanisms. */
|
|
- ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
|
|
- GUID_DRS_USER_CHANGE_PASSWORD,
|
|
- SEC_ADS_CONTROL_ACCESS,
|
|
- sid);
|
|
- goto checked;
|
|
- }
|
|
|
|
if (rep_attr_cnt > 0) {
|
|
ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
|