CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_cred...
authorStefan Metzmacher <metze@samba.org>
Wed, 16 Sep 2020 14:17:29 +0000 (16:17 +0200)
committerPavel Filipenský <pfilipensky@samba.org>
Wed, 18 Jan 2023 12:00:51 +0000 (13:00 +0100)
This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:

 7. If none of the first 5 bytes of the client challenge is unique, the
    server MUST fail session-key negotiation without further processing of
    the following steps.

It lets ./zerologon_tester.py from
https://github.com/SecuraBV/CVE-2020-1472.git
report: "Attack failed. Target is probably patched."

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
libcli/auth/credentials.c
libcli/auth/wscript_build

index 54a20100b511b0b846bec1eabec51ca2c5b52e8a..23339d98bfabb61a2cafda8b1f3f5cf53e204758 100644 (file)
@@ -24,6 +24,7 @@
 #include "system/time.h"
 #include "libcli/auth/libcli_auth.h"
 #include "../libcli/security/dom_sid.h"
+#include "lib/util/util_str_escape.h"
 
 #ifndef HAVE_GNUTLS_AES_CFB8
 #include "lib/crypto/aes.h"
@@ -704,7 +705,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 
        struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
        NTSTATUS status;
-
+       bool ok;
 
        if (!creds) {
                return NULL;
@@ -717,6 +718,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
        dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
        dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
 
+       ok = netlogon_creds_is_random_challenge(client_challenge);
+       if (!ok) {
+               DBG_WARNING("CVE-2020-1472(ZeroLogon): "
+                           "non-random client challenge rejected for "
+                           "client_account[%s] client_computer_name[%s]\n",
+                           log_escape(mem_ctx, client_account),
+                           log_escape(mem_ctx, client_computer_name));
+               dump_data(DBGLVL_WARNING,
+                         client_challenge->data,
+                         sizeof(client_challenge->data));
+               talloc_free(creds);
+               return NULL;
+       }
+
        creds->computer_name = talloc_strdup(creds, client_computer_name);
        if (!creds->computer_name) {
                talloc_free(creds);
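Review bot: Returning NULL for a rejected challenge reuses the same signal as the allocation-failure path (`if (!creds) { return NULL; }` earlier in this function), so callers outside this hunk cannot tell a ZeroLogon-style client challenge from out-of-memory and will presumably map both to the same NTSTATUS; an NTSTATUS out-parameter, or documenting in the function header that NULL now also means "weak client challenge rejected (MS-NRPC 3.1.4.1 step 7)", would let the RPC layer return an explicit access-denied error rather than NT_STATUS_NO_MEMORY. The two `log_escape(mem_ctx, ...)` results are allocated on the caller's mem_ctx with no matching free, so they live as long as the caller's context; allocating them on a short-lived frame, e.g. `TALLOC_CTX *frame = talloc_stackframe();` before the DBG_WARNING and `TALLOC_FREE(frame);` after the dump, would bound that, and if log_escape can return NULL on allocation failure the `%s` arguments would also need a guard. The 5-byte uniqueness rule from the description lives in `netlogon_creds_is_random_challenge()`, which is not part of this diff, so its exact check cannot be confirmed from here. `netlogon_creds_server_init` continues past the end of this hunk.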
index 0a3de9a1f7bde17b3577d1435ffed83c522169db..ffcabe5e14db1bdec42b37d6e0d7cb75ccb9425c 100644 (file)
@@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK',
 
 bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
        source='credentials.c session.c smbencrypt.c smbdes.c',
-       public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS',
+       public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS util_str_escape',
        public_headers='credentials.h:domain_credentials.h'
        )