git.samba.org - samba.git/commit - selftest/knownfail_mit

author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Fri, 10 Jun 2022 07:18:53 +0000 (19:18 +1200)
committer	Jule Anger <janger@samba.org>
	Wed, 27 Jul 2022 10:52:36 +0000 (10:52 +0000)
commit	958f2bce695c3721a23cd7e81575da181be83828
tree	d8ed874c61405c0773c73c541ce47873df8c5c6d	tree
parent	0d8995910f9846d38f705abcaa19dede98294f58	commit \| diff

CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets

If TGTs can be used as kpasswd tickets, the two-minute lifetime of a
authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
are not supposed to be cached, but using this flaw, a stolen credentials
cache containing a TGT may be used to change that account's password,
and thus is made more valuable to an attacker.

Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
service tickets without it, we assert the absence of this buffer to
ensure we're not accepting a TGT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest/knownfail_heimdal_kdc		diff \| blob \| history
selftest/knownfail_mit_kdc		diff \| blob \| history
source4/kdc/kpasswd-helper.c		diff \| blob \| history
source4/kdc/kpasswd-helper.h		diff \| blob \| history
source4/kdc/kpasswd-service-heimdal.c		diff \| blob \| history
source4/kdc/kpasswd-service-mit.c		diff \| blob \| history