CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control
authorRalph Boehme <slow@samba.org>
Thu, 15 Feb 2018 16:43:43 +0000 (17:43 +0100)
committerKarolin Seeger <kseeger@samba.org>
Mon, 12 Mar 2018 09:05:43 +0000 (10:05 +0100)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/dsdb/samdb/ldb_modules/acl.c

index b2aa20f4157ad108adb2d5e5c57985d37672510b..4bf9779d507cd83530ddc46761426b88dd0c8597 100644 (file)
@@ -995,6 +995,26 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
                goto checked;
        }
 
+       c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
+       if (c != NULL) {
+               /*
+                * The "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" control, without
+                * "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
+                * have a force password set.
+                * This control is used by the SAMR/NETLOGON/LSA password
+                * reset mechanisms.
+                *
+                * This control can't be used by real LDAP clients,
+                * the only caller is samdb_set_password_internal(),
+                * so we don't have to strict verification of the input.
+                */
+               ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+                                              GUID_DRS_FORCE_CHANGE_PASSWORD,
+                                              SEC_ADS_CONTROL_ACCESS,
+                                              sid);
+               goto checked;
+       }
+
        msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
        if (msg == NULL) {
                return ldb_module_oom(module);
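Review bot: The comment in the new `if (c != NULL)` branch justifies skipping input verification by stating that DSDB_CONTROL_PASSWORD_HASH_VALUES_OID cannot come from real LDAP clients, but nothing in this hunk enforces that. Because the branch goes straight to the GUID_DRS_FORCE_CHANGE_PASSWORD check and jumps past the message inspection that begins at `ldb_msg_copy_shallow`, its safety rests entirely on that control being rejected for untrusted requests somewhere else. I would have the comment name that place, for example `* Untrusted connections must not be able to submit this control; it is rejected in <module that filters request controls>.`, so a later change there is reviewed against this branch. The same comment should read `so we don't have to do strict verification of the input.` acl_check_password_rights starts and ends outside the hunk, so the earlier DSDB_CONTROL_PASSWORD_CHANGE_OID handling that the comment relies on is not visible here.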