CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
authorStefan Metzmacher <metze@samba.org>
Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:24 +0000 (19:25 +0200)
This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/rpc_server/netlogon/srv_netlog_nt.c

index aec0d89f94e125c6ec53d202a6a54149de883411..176769f3bbef471e61bd08e63234c2f58101b8cf 100644 (file)
@@ -1585,6 +1585,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
        case NetlogonNetworkTransitiveInformation:
        {
                const char *wksname = nt_workstation;
+               const char *workgroup = lp_workgroup();
 
                status = make_auth_context_fixed(talloc_tos(), &auth_context,
                                                 logon->network->challenge);
@@ -1611,6 +1612,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
                                                     logon->network->nt.length)) {
                        status = NT_STATUS_NO_MEMORY;
                }
+
+               if (NT_STATUS_IS_OK(status)) {
+                       status = NTLMv2_RESPONSE_verify_netlogon_creds(
+                                               user_info->client.account_name,
+                                               user_info->client.domain_name,
+                                               user_info->password.response.nt,
+                                               creds, workgroup);
+               }
                break;
        }
        case NetlogonInteractiveInformation:
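Review bot: The new `NTLMv2_RESPONSE_verify_netlogon_creds()` call carries no comment, so a reader of this case cannot tell that it is the anti-spoofing check from the commit message, or that it is meant for SEC_CHAN_WKSTA channels; the channel-type test is presumably inside the helper, which this hunk does not show. I would add above the `if (NT_STATUS_IS_OK(status))` line: `/* CVE-2016-2111: check the NTLMv2_RESPONSE values against the secure channel creds to prevent spoofing */`. A rejection here is a security-relevant event, so if the helper does not already log the account, domain and computer name on failure, a `DEBUG` line in this branch would make such attempts visible to operators. `_netr_LogonSamLogon_base` starts and ends outside the hunk, so how a non-OK status is handled after `break` cannot be confirmed from here.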