CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validati...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index d5fd745711a867d5bbfa1489bd9e06adc3a716d9..aec0d89f94e125c6ec53d202a6a54149de883411 100644 (file)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1719,6 +1719,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
                                                r->out.validation->sam3);
                break;
        case 6:
+               /* Only allow this if the pipe is protected. */
+               if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+                       DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
+                               get_remote_machine_name()));
+                       status = NT_STATUS_INVALID_PARAMETER;
+                       break;
+               }
+
                status = serverinfo_to_SamInfo6(server_info,
                                                r->out.validation->sam6);
                break;