CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
authorStefan Metzmacher <metze@samba.org>
Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:24 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/auth/auth_util.c

index b079d0460426a6da3ac30030b771a43a5f8e90b8..c23de7e2b764c61b80c2ecde930d76e8d258f6a9 100644 (file)
@@ -34,6 +34,7 @@
 #include "../auth/auth_sam_reply.h"
 #include "../librpc/gen_ndr/idmap.h"
 #include "lib/param/loadparm.h"
+#include "../lib/tsocket/tsocket.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -353,6 +354,20 @@ NTSTATUS make_user_info_for_reply_enc(TALLOC_CTX *mem_ctx,
                                      const struct tsocket_address *remote_address,
                                       DATA_BLOB lm_resp, DATA_BLOB nt_resp)
 {
+       bool allow_raw = lp_raw_ntlmv2_auth();
+
+       if (!allow_raw && nt_resp.length >= 48) {
+               /*
+                * NTLMv2_RESPONSE has at least 48 bytes
+                * and should only be supported via NTLMSSP.
+                */
+               DEBUG(2,("Rejecting raw NTLMv2 authentication with "
+                        "user [%s\\%s] from[%s]\n",
+                        client_domain, smb_name,
+                        tsocket_address_string(remote_address, mem_ctx)));
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        return make_user_info(mem_ctx,
                              user_info, smb_name, smb_name,
                              client_domain, client_domain,
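Review bot: The rejection in make_user_info_for_reply_enc is only emitted through `DEBUG(2, ...)`, so a server running below log level 2 leaves no record of a refused raw NTLMv2 attempt. Because this check enforces the hardening, a more visible level such as `DEBUG(1,("Rejecting raw NTLMv2 authentication with "` would let operators see affected clients and probing. The string from `tsocket_address_string(remote_address, mem_ctx)` is allocated on the caller's mem_ctx only for this message and is not freed here, and a NULL result on allocation failure would be handed to `%s`. Building it in a local variable with a fallback and freeing it after the log line would avoid both. The bare `48` would also read better as a named constant, with the comment saying where the minimum NTLMv2_RESPONSE size comes from; the function body continues past the end of this hunk.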