CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
authorStefan Metzmacher <metze@samba.org>
Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:24 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/smb_server/smb/sesssetup.c

index 4ebc0c477181fdda472d877b296b1d8381a7024d..e06853afcd4fb67826c08b3fa57bf9620b3aab9b 100644 (file)
@@ -263,6 +263,7 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess)
        const char *remote_machine = NULL;
        struct tevent_req *subreq;
        struct sesssetup_context *state;
+       bool allow_raw = lpcfg_raw_ntlmv2_auth(req->smb_conn->lp_ctx);
 
        sess->nt1.out.vuid = 0;
        sess->nt1.out.action = 0;
@@ -338,6 +339,15 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess)
        user_info->password.response.nt = sess->nt1.in.password2;
        user_info->password.response.nt.data = talloc_steal(user_info, sess->nt1.in.password2.data);
 
+       if (!allow_raw && user_info->password.response.nt.length >= 48) {
+               /*
+                * NTLMv2_RESPONSE has at least 48 bytes
+                * and should only be supported via NTLMSSP.
+                */
+               status = NT_STATUS_INVALID_PARAMETER;
+               goto failed;
+       }
+
        subreq = auth_check_password_send(state,
                                          req->smb_conn->connection->event.ctx,
                                          state->auth_context,
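Review bot: The new rejection at `if (!allow_raw && user_info->password.response.nt.length >= 48)` fails the session setup without leaving any server-side record. An administrator then has only the client's NT_STATUS_INVALID_PARAMETER to go on and cannot tell a policy rejection from a malformed request. A debug line before the `goto failed` would make these rejections visible in the logs, for example `DEBUG(3, ("sesssetup_nt1: raw NTLMv2 response (%zu bytes) rejected, raw NTLMv2 auth is disabled\n", user_info->password.response.nt.length));`. The literal 48 is explained by the comment, but a named constant would keep the threshold in one place if other session-setup paths need the same test. The `failed` label is outside this hunk, so I am assuming it releases `state` and the `user_info` that now owns the stolen password buffer.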