CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_re...
authorStefan Metzmacher <metze@samba.org>
Fri, 20 Nov 2015 08:29:11 +0000 (09:29 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:23 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
auth/credentials/credentials.h
auth/credentials/credentials_ntlm.c
auth/ntlmssp/ntlmssp_client.c
source4/libcli/smb_composite/sesssetup.c
source4/torture/rpc/netlogon.c
source4/torture/rpc/remote_pac.c
source4/torture/rpc/samba3rpc.c
source4/torture/rpc/samr.c
source4/torture/rpc/schannel.c

index fdedd6300482ea38a2fd13f813e4b006d9d92706..78dd59d0158a1c777bed1e1bb349d16243573587 100644 (file)
@@ -80,7 +80,9 @@ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALL
                                              const char **domain);
 NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
                                           int *flags,
-                                          DATA_BLOB challenge, DATA_BLOB target_info, 
+                                          DATA_BLOB challenge,
+                                          const NTTIME *server_timestamp,
+                                          DATA_BLOB target_info,
                                           DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, 
                                           DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
 const char *cli_credentials_get_realm(struct cli_credentials *cred);
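Review bot: The new `server_timestamp` parameter in this prototype is undocumented, although every call site in this commit passes NULL for it, so the header should state that NULL is accepted and what it means. A comment above the declaration such as `/* server_timestamp: optional timestamp provided by the server, NULL if none is available */` would make the contract explicit for out-of-tree callers. The wording is inferred from the `const NTTIME *` type and the NULL call sites, so confirm it against the implementation.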
index 3711b1eda418e302ff7ee4a0ed4a0944bd273977..a69add02f5387dc033b9390f30560c5d745e51ff 100644 (file)
@@ -30,7 +30,9 @@
 
 _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
                                           int *flags,
-                                          DATA_BLOB challenge, DATA_BLOB target_info, 
+                                          DATA_BLOB challenge,
+                                          const NTTIME *server_timestamp,
+                                          DATA_BLOB target_info,
                                           DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, 
                                           DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key) 
 {
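Review bot: Nothing visible here shows `server_timestamp` being checked before use, and the function body begins on the last line of this hunk and continues outside it. Every caller in this commit passes NULL, either literally or through a local initialised to NULL in ntlmssp_client_challenge, so any dereference in the body needs a guard such as `if (server_timestamp != NULL) { ... }`. If the parameter is not consumed yet at this point in the series, a one-line comment saying so would spare readers from searching for the consumer.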
index e91692bb0cd2ba88606838584cf6f7f9fba58d8c..af4d2498e187f2cf684adf545eaf76f2dc1030b4 100644 (file)
@@ -228,6 +228,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
        const char *user = NULL, *domain = NULL, *workstation = NULL;
        bool is_anonymous = false;
        const DATA_BLOB version_blob = ntlmssp_version_blob();
+       const NTTIME *server_timestamp = NULL;
 
        TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
        if (!mem_ctx) {
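Review bot: `server_timestamp` is introduced here as NULL and is never assigned, so the call to cli_credentials_get_ntlm_response() in the next hunk always passes NULL. The variable is new and this file has no other hunks, so no assignment can exist. That leaves the NTLMSSP client path behaving as before, which is worth recording on the declaration, for example `/* not yet populated from the server challenge; NULL means no timestamp */`. Both hunks are excerpts of ntlmssp_client_challenge, whose body starts and ends outside them.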
@@ -454,10 +455,10 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
        }
 
        nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
-                                                     &flags, challenge_blob, target_info,
+                                                     &flags, challenge_blob,
+                                                     server_timestamp, target_info,
                                                      &lm_response, &nt_response,
                                                      &lm_session_key, &session_key);
-
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
index e4964c19b5db84319f69225f3e888e3adf5ea13a..903055f1eda33732bae470aa8d97e9ac0cbc923b 100644 (file)
@@ -332,6 +332,7 @@ static NTSTATUS session_setup_nt1(struct composite_context *c,
                nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
                                                              &flags, 
                                                              session->transport->negotiate.secblob, 
+                                                             NULL, /* server_timestamp */
                                                              names_blob,
                                                              &state->setup.nt1.in.password1,
                                                              &state->setup.nt1.in.password2,
@@ -426,6 +427,7 @@ static NTSTATUS session_setup_old(struct composite_context *c,
                nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
                                                              &flags, 
                                                              session->transport->negotiate.secblob, 
+                                                             NULL, /* server_timestamp */
                                                              names_blob,
                                                              &state->setup.old.in.password,
                                                              NULL,
index 01bba97843049f51308de4abadca9ae080948f1f..c8e864d00a78e569ec5ea3a73434e75e0a941a69 100644 (file)
@@ -882,6 +882,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context
        status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
                                                   &flags,
                                                   chal,
+                                                  NULL, /* server_timestamp */
                                                   names_blob,
                                                   &lm_resp, &nt_resp,
                                                   NULL, NULL);
index dd44796f0d1efc23b661c294055cd48f36bb98b6..2b72f38ab3b24448d247948a1ca83d0aff36fb16 100644 (file)
@@ -735,6 +735,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
        status = cli_credentials_get_ntlm_response(client_creds, tctx,
                                                   &flags,
                                                   chal,
+                                                  NULL, /* server_timestamp */
                                                   names_blob,
                                                   &lm_resp, &nt_resp,
                                                   NULL, NULL);
index 5f3f3d5a1f5d36b35b1d3b131283777d4d741ad3..c454257874af2a72f6e458e087b4b98e9d1ea7d9 100644 (file)
@@ -1192,7 +1192,7 @@ static bool schan(struct torture_context *tctx,
                        cli_credentials_get_workstation(user_creds),
                        cli_credentials_get_domain(user_creds));
                status = cli_credentials_get_ntlm_response(
-                       user_creds, mem_ctx, &flags, chal, names_blob,
+                       user_creds, mem_ctx, &flags, chal, NULL, names_blob,
                        &lm_resp, &nt_resp, NULL, NULL);
                if (!NT_STATUS_IS_OK(status)) {
                        torture_comment(tctx, "cli_credentials_get_ntlm_response failed:"
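Review bot: The bare `NULL` added to this call is the only new argument in the commit without the `/* server_timestamp */` annotation used at the other call sites. In an argument list that already ends in `NULL, NULL`, an unlabelled positional NULL is easy to misplace in a later edit. Splitting the line to match the rest of the commit would help, e.g. `user_creds, mem_ctx, &flags, chal,` followed by `NULL, /* server_timestamp */` and `names_blob,`.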
index 0c786c1efe15a8b618e53f21c033352276c09401..dcdbb8ad5503fabba9fabd87543482615cede694 100644 (file)
@@ -3096,6 +3096,7 @@ static bool test_SamLogon(struct torture_context *tctx,
                status = cli_credentials_get_ntlm_response(test_credentials, tctx,
                                                           &flags,
                                                           chal,
+                                                          NULL, /* server_timestamp */
                                                           names_blob,
                                                           &lm_resp, &nt_resp,
                                                           NULL, NULL);
index 57a97f3e1b22d3d90628b9c48bfd630a9982b1a3..829c969ecf567a2931a3ec801aabf2be8fb04375 100644 (file)
@@ -87,6 +87,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
        status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
                                                   &flags,
                                                   chal,
+                                                  NULL, /* server_timestamp */
                                                   names_blob,
                                                   &lm_resp, &nt_resp,
                                                   NULL, NULL);
@@ -853,6 +854,7 @@ static bool torture_schannel_bench_start(struct torture_schannel_bench_conn *con
        status = cli_credentials_get_ntlm_response(user_creds, conn->tmp,
                                                   &flags,
                                                   chal,
+                                                  NULL, /* server_timestamp */
                                                   names_blob,
                                                   &lm_resp, &nt_resp,
                                                   NULL, NULL);