CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
authorStefan Metzmacher <metze@samba.org>
Tue, 14 Jul 2015 14:18:45 +0000 (16:18 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:11 +0000 (04:10 +0200)
Following requests will generate a fault with ACCESS_DENIED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/dcerpc_server.c
source4/rpc_server/dcerpc_server.h
source4/rpc_server/dcesrv_auth.c

index d1d2d8c22558eb0c41b80fe64ce37acc35662e9b..9cf72498b35ffd75ff0988b3ded2c8de40f3809c 100644 (file)
@@ -940,7 +940,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
 
        /* handle the auth3 in the auth code */
        if (!dcesrv_auth_auth3(call)) {
-               return dcesrv_fault(call, DCERPC_FAULT_OTHER);
+               call->conn->auth_state.auth_invalid = true;
        }
 
        talloc_free(call);
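Review bot: The failure branch in dcesrv_auth3 now falls through silently, so `auth_invalid` is the only thing keeping a connection with a failed auth3 from being used, and in the hunks shown it is consulted only in dcesrv_auth_request. Whether the other PDU paths on the same connection (alter context, a repeated auth3) also refuse to proceed once the flag is set is not visible in this commit and is worth confirming. A short comment on the new line would record the intent, for example `/* auth3 has no response PDU: mark the connection so later requests are rejected */`. The body of dcesrv_auth3 starts and ends outside the hunk.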
index 79bc45873e48b7b49aa7d4c49f9b84a97a035b83..74f0841586b1f108726a2ca94444125874f41274 100644 (file)
@@ -163,6 +163,7 @@ struct dcesrv_auth {
        bool client_hdr_signing;
        bool hdr_signing;
        bool auth_finished;
+       bool auth_invalid;
 };
 
 struct dcesrv_connection_context {
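Review bot: The new `auth_invalid` member of struct dcesrv_auth is undocumented, although it now drives an access decision and is easy to confuse with the neighbouring `auth_finished`. Suggest a comment in place, e.g. `bool auth_invalid; /* set when auth3 fails; later requests are refused */`. Nothing in the visible hunks clears the flag, which looks intentional, and it depends on the struct being zeroed where the connection is allocated; that allocation is outside this diff and should be confirmed.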
index afa584b164bc9328eb3d78cce7440de73f098b5c..f3de2c33f964457e2e3d700f436cdfc48f940a19 100644 (file)
@@ -275,6 +275,13 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 
                /* Now that we are authenticated, go back to the generic session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;
+
+               if (call->out_auth_info->credentials.length != 0) {
+
+                       DEBUG(4, ("GENSEC produced output token (len=%u) at bind_auth3\n",
+                                 (unsigned)call->out_auth_info->credentials.length));
+                       return false;
+               }
                return true;
        } else {
                DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",
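Review bot: The new output-token check in dcesrv_auth_auth3 runs after `auth_state.session_key` has already been set to `dcesrv_generic_session_key`, so on this `return false` path the connection keeps state written under the comment "Now that we are authenticated". Testing `call->out_auth_info->credentials.length != 0` before that assignment would leave a rejected auth3 without authenticated-looking state, instead of relying only on the caller setting `auth_invalid`; the same may apply to whatever the success branch stores above the hunk, which is not visible here. The blank line directly after the `if (...) {` is stray. An unexpected GENSEC token at auth3 is a client protocol violation, so a more visible level than `DEBUG(4, ...)` may be worth considering for log-based detection. The function starts and ends outside the hunk.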
@@ -402,6 +409,10 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
                return false;
        }
 
+       if (dce_conn->auth_state.auth_invalid) {
+               return false;
+       }
+
        if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
                hdr_size += 16;
        }
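Review bot: The `auth_invalid` branch in dcesrv_auth_request returns false without logging, so a request refused because of an earlier failed auth3 cannot be told apart in the logs from the other `return false` paths. A line such as `DEBUG(3, ("request rejected: auth3 failed earlier on this connection\n"));` before the return would help when diagnosing or detecting such attempts. The ACCESS_DENIED fault promised in the commit message depends on how the caller maps a false return, which is outside this hunk. The function body starts and ends outside the hunk.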