samba/CVE-2018-1057-9.patch
2018-03-14 20:04:05 +10:00


From 8ea0dbcd35dc5c210569036e185c2a863b066709 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 22 Feb 2018 10:54:37 +0100
Subject: [PATCH 09/13] CVE-2018-1057: s4/dsdb: correctly detect password
resets
This change ensures we correctly treat the following LDIF
dn: cn=testuser,cn=users,...
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.
For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
selftest/knownfail.d/samba4.ldap.passwords.python | 2 --
source4/dsdb/samdb/ldb_modules/acl.c | 18 +++++++++++++++++-
2 files changed, 17 insertions(+), 3 deletions(-)
delete mode 100644 selftest/knownfail.d/samba4.ldap.passwords.python
Index: samba-4.3.11+dfsg/selftest/knownfail.d/samba4.ldap.passwords.python
===================================================================
--- samba-4.3.11+dfsg.orig/selftest/knownfail.d/samba4.ldap.passwords.python 2018-03-06 16:47:14.973560010 +0100
+++ /dev/null 1970-01-01 00:00:00.000000000 +0000
@@ -1,2 +0,0 @@
-samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_userPassword
-samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_unicodePwd
Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
===================================================================
--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c 2018-03-06 16:47:14.973560010 +0100
+++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c 2018-03-06 16:47:14.973560010 +0100
@@ -941,6 +941,7 @@ static int acl_check_password_rights(TAL
{
int ret = LDB_SUCCESS;
unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
+ unsigned int del_val_cnt = 0, add_val_cnt = 0, rep_val_cnt = 0;
struct ldb_message_element *el;
struct ldb_message *msg;
struct ldb_control *c = NULL;
@@ -1006,12 +1007,15 @@ static int acl_check_password_rights(TAL
while ((el = ldb_msg_find_element(msg, *l)) != NULL) {
if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) {
++del_attr_cnt;
+ del_val_cnt += el->num_values;
}
if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD) {
++add_attr_cnt;
+ add_val_cnt += el->num_values;
}
if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) {
++rep_attr_cnt;
+ rep_val_cnt += el->num_values;
}
ldb_msg_remove_element(msg, el);
}
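Review bot: The three `if` tests in this hunk all compare the same `LDB_FLAG_MOD_TYPE(el->flags)` value and are mutually exclusive, so the loop body reads more clearly as one `switch` with an explicit `default`, which also keeps each new `*_val_cnt` accumulation next to the attribute count it belongs with. A why-comment would help a later reader, since counting values rather than elements is the whole point of the fix: `/* Count values as well as elements: "delete: userPassword" with no value followed by "add: userPassword" with one value is a reset, not a change. */`. Whether a modify that lists the same attribute twice is meant to sum the values (two one-value deletes give `del_val_cnt == 2`, which the later `== 1` checks then reject) is not visible from the hunk; a one-line comment stating the intended interpretation would prevent a later "fix" from reopening the issue. The enclosing function `acl_check_password_rights` and the outer loop over `l` start before this hunk.
```c
	while ((el = ldb_msg_find_element(msg, *l)) != NULL) {
		/*
		 * Count values as well as elements: "delete: userPassword"
		 * with no value followed by "add: userPassword" with one
		 * value is a reset, not a change.
		 */
		switch (LDB_FLAG_MOD_TYPE(el->flags)) {
		case LDB_FLAG_MOD_DELETE:
			++del_attr_cnt;
			del_val_cnt += el->num_values;
			break;
		case LDB_FLAG_MOD_ADD:
			++add_attr_cnt;
			add_val_cnt += el->num_values;
			break;
		case LDB_FLAG_MOD_REPLACE:
			++rep_attr_cnt;
			rep_val_cnt += el->num_values;
			break;
		default:
			/* not a delete/add/replace: nothing to count */
			break;
		}
		ldb_msg_remove_element(msg, el);
	}
```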
@@ -1041,12 +1045,24 @@ static int acl_check_password_rights(TAL
goto checked;
}
- if (add_attr_cnt == 1 && del_attr_cnt == 1) {
+ if (add_val_cnt == 1 && del_val_cnt == 1) {
ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
GUID_DRS_USER_CHANGE_PASSWORD,
SEC_ADS_CONTROL_ACCESS,
sid);
/* Very strange, but we get constraint violation in this case */
+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ ret = LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ goto checked;
+ }
+
+ if (add_val_cnt == 1 && del_val_cnt == 0) {
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_FORCE_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+ sid);
+ /* Very strange, but we get constraint violation in this case */
if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
ret = LDB_ERR_CONSTRAINT_VIOLATION;
}