CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
authorStefan Metzmacher <metze@samba.org>
Tue, 14 Jul 2015 14:18:45 +0000 (16:18 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:30 +0000 (19:25 +0200)
Following requests will generate a fault with ACCESS_DENIED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/dcerpc_server.c
source4/rpc_server/dcerpc_server.h
source4/rpc_server/dcesrv_auth.c

index 5c5aca635f828f6d427e4697a7446b6e017e9e78..bd73061333c0aedb3c0e99d0ddd86f4c31ee89ed 100644 (file)
@@ -940,7 +940,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
 
        /* handle the auth3 in the auth code */
        if (!dcesrv_auth_auth3(call)) {
-               return dcesrv_fault(call, DCERPC_FAULT_OTHER);
+               call->conn->auth_state.auth_invalid = true;
        }
 
        talloc_free(call);
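Review bot: The failure branch in dcesrv_auth3 now sets a flag and falls through to `talloc_free(call)` with no comment and no log line, so a reader cannot tell that dropping the fault is deliberate. A comment above the assignment would record the intent, for example `/* no fault is returned for auth3; mark the connection so later requests are refused */`, which matches the commit message. A `DEBUG` line here would also give operators a record of the failed auth3 at the point where it happens. The function starts and ends outside this hunk, so the return value on this path is not visible.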
index b7ae113c2b25b10a2d84136b713e3428670cfe20..cb600cd3a81d71983cc9bf4c42ed3a64c3644f2f 100644 (file)
@@ -168,6 +168,7 @@ struct dcesrv_auth {
        bool client_hdr_signing;
        bool hdr_signing;
        bool auth_finished;
+       bool auth_invalid;
 };
 
 struct dcesrv_connection_context {
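Review bot: The new `auth_invalid` member of struct dcesrv_auth has no comment, and its meaning is easy to confuse with the neighbouring `auth_finished`. I would document it on the field, for example `/* set when auth3 fails; dcesrv_auth_request() then rejects every request on this connection */`. Nothing in the visible hunks clears the flag, so if it is meant to be sticky for the lifetime of the connection, that is worth saying in the same comment.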
index afa584b164bc9328eb3d78cce7440de73f098b5c..f3de2c33f964457e2e3d700f436cdfc48f940a19 100644 (file)
@@ -275,6 +275,13 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 
                /* Now that we are authenticated, go back to the generic session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;
+
+               if (call->out_auth_info->credentials.length != 0) {
+
+                       DEBUG(4, ("GENSEC produced output token (len=%u) at bind_auth3\n",
+                                 (unsigned)call->out_auth_info->credentials.length));
+                       return false;
+               }
                return true;
        } else {
                DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",
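Review bot: The added `credentials.length != 0` check runs after `dce_conn->auth_state.session_key = dcesrv_generic_session_key;`, under the comment "Now that we are authenticated", so the rejected case returns false with the connection state already updated as for a successful auth3. Moving the check ahead of that assignment (and ahead of any session setup that precedes it, which is outside this hunk) would leave the failure path with no authenticated-looking state. The rejection would then not depend only on every consumer checking `auth_invalid`. The blank line directly after the `if (...) {` can be dropped as well. The function body starts and ends outside the hunk.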
@@ -402,6 +409,10 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
                return false;
        }
 
+       if (dce_conn->auth_state.auth_invalid) {
+               return false;
+       }
+
        if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
                hdr_size += 16;
        }
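Review bot: The new `auth_invalid` guard in dcesrv_auth_request returns false silently, so a request refused because of an earlier failed auth3 cannot be told apart in the logs from other verification failures. A line such as `DEBUG(4, ("request rejected: a previous auth3 failed on this connection\n"));` before the `return false;` would make the event diagnosable. This is the only reader of the flag visible in this commit. It is worth confirming that the other PDU handlers which consult auth_state (they are outside these hunks) either check the flag or cannot be reached after a failed auth3. The function continues outside the hunk.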