CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
authorStefan Metzmacher <metze@samba.org>
Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:24 +0000 (19:25 +0200)
This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/netlogon/dcerpc_netlogon.c

index bd7371d07c7450dea7a1385a81d6bf1190cf443b..a8a170b5350b0d2e66eb71926c71ab35bec4c260 100644 (file)
@@ -828,6 +828,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_check(const struct netr_LogonSamLogonE
 static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                                        struct netr_LogonSamLogonEx *r, struct netlogon_creds_CredentialState *creds)
 {
+       struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+       const char *workgroup = lpcfg_workgroup(lp_ctx);
        struct auth4_context *auth_context;
        struct auth_usersupplied_info *user_info;
        struct auth_user_info_dc *user_info_dc;
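Review bot: The new `workgroup` local at the top of dcesrv_netr_LogonSamLogon_base has no comment saying why it is needed, and it is fetched on every call although the only visible use is the NTLMv2_RESPONSE_verify_netlogon_creds() call in the later hunk. A short comment would tie it to the fix, for example `/* our domain name, passed to the NTLMv2_RESPONSE check of network logons (CVE-2016-2111) */`. It is also worth confirming how the verifier treats a NULL or empty `workgroup`, because a comparison that is silently skipped in that case would weaken the anti-spoofing check; that behaviour is not visible on this page. The function body continues outside this hunk.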
@@ -898,6 +900,13 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
                user_info->password.response.lanman = data_blob_talloc(mem_ctx, r->in.logon->network->lm.data, r->in.logon->network->lm.length);
                user_info->password.response.nt = data_blob_talloc(mem_ctx, r->in.logon->network->nt.data, r->in.logon->network->nt.length);
 
+               nt_status = NTLMv2_RESPONSE_verify_netlogon_creds(
+                                       user_info->client.account_name,
+                                       user_info->client.domain_name,
+                                       user_info->password.response.nt,
+                                       creds, workgroup);
+               NT_STATUS_NOT_OK_RETURN(nt_status);
+
                break;