CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid

Following requests will generate a fault with ACCESS_DENIED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 5c5aca635f828f6d427e4697a7446b6e017e9e78..bd73061333c0aedb3c0e99d0ddd86f4c31ee89ed 100644 (file)
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -940,7 +940,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
 
        /* handle the auth3 in the auth code */
        if (!dcesrv_auth_auth3(call)) {
 
        /* handle the auth3 in the auth code */
        if (!dcesrv_auth_auth3(call)) {

-               return dcesrv_fault(call, DCERPC_FAULT_OTHER);
+               call->conn->auth_state.auth_invalid = true;

        }
 
        talloc_free(call);
        }
 
        talloc_free(call);

diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index b7ae113c2b25b10a2d84136b713e3428670cfe20..cb600cd3a81d71983cc9bf4c42ed3a64c3644f2f 100644 (file)
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -168,6 +168,7 @@ struct dcesrv_auth {
        bool client_hdr_signing;
        bool hdr_signing;
        bool auth_finished;
        bool client_hdr_signing;
        bool hdr_signing;
        bool auth_finished;

+       bool auth_invalid;

 };
 
 struct dcesrv_connection_context {
 };
 
 struct dcesrv_connection_context {

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index afa584b164bc9328eb3d78cce7440de73f098b5c..f3de2c33f964457e2e3d700f436cdfc48f940a19 100644 (file)
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -275,6 +275,13 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 
                /* Now that we are authenticated, go back to the generic session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;
 
                /* Now that we are authenticated, go back to the generic session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;

+
+               if (call->out_auth_info->credentials.length != 0) {
+
+                       DEBUG(4, ("GENSEC produced output token (len=%u) at bind_auth3\n",
+                                 (unsigned)call->out_auth_info->credentials.length));
+                       return false;
+               }

                return true;
        } else {
                DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",
                return true;
        } else {
                DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",


@@ -402,6 +409,10 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
                return false;
        }
 
                return false;
        }
 

+       if (dce_conn->auth_state.auth_invalid) {
+               return false;
+       }
+

        if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
                hdr_size += 16;
        }
        if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
                hdr_size += 16;
        }