CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
authorStefan Metzmacher <metze@samba.org>
Sun, 28 Feb 2016 21:48:11 +0000 (22:48 +0100)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:39:25 +0000 (04:39 +0200)
This requires transport encryption.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/samr/dcesrv_samr.c

index c4ed1de525d09b41c80eff235c4581d5550477dd..69d48b8910e0211d3c4aa26901499e38060ffb79 100644 (file)
@@ -4321,11 +4321,20 @@ static NTSTATUS dcesrv_samr_ValidatePassword(struct dcesrv_call_state *dce_call,
        NTSTATUS status;
        enum dcerpc_transport_t transport =
                dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
+       enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
 
        if (transport != NCACN_IP_TCP && transport != NCALRPC) {
                DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
        }
 
+       if (dce_call->conn->auth_state.auth_info != NULL) {
+               auth_level = dce_call->conn->auth_state.auth_info->auth_level;
+       }
+
+       if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+               DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
+       }
+
        (*r->out.rep) = talloc_zero(mem_ctx, union samr_ValidatePasswordRep);
 
        r2.in.domain_name = NULL;
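Review bot: The new `if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY)` check carries no comment explaining why sealing is mandatory here, and it also applies to the NCALRPC transport that the check just above still admits. I would put a comment above it such as `/* The request carries the password being validated: refuse any connection that is not sealed (DCERPC_AUTH_LEVEL_PRIVACY), including local ncalrpc callers; a missing auth_info counts as DCERPC_AUTH_LEVEL_NONE. */`. This assumes that rejecting unsealed ncalrpc callers is intended, since whether those callers negotiate PRIVACY is not visible in this hunk. Both deny paths return the same `DCERPC_FAULT_ACCESS_DENIED` without logging, so a debug-level message naming the transport and the rejected auth level would let an operator tell a misconfigured client from a downgrade attempt. The body of dcesrv_samr_ValidatePassword starts before and continues after the hunk.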