CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT...
authorStefan Metzmacher <metze@samba.org>
Fri, 7 Aug 2015 07:50:30 +0000 (09:50 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:28 +0000 (19:25 +0200)
This prevents man-in-the-middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Pair-Programmed-With: Günther Deschner <gd@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
selftest/knownfail
source3/rpc_server/srv_pipe.c

index 3e33682c067be855fbc65491da5573e36e747d11..e17bceedfaa3113c3ea2a54730321d711682110b 100644 (file)
 ^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
 ^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
 ^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc
+#
+# we don't allow auth_level_connect anymore...
+#
+^samba3.blackbox.rpcclient.*ncacn_np.*with.*connect.*rpcclient # we don't allow auth_level_connect anymore
index 49026765a1495682dd7aa2820a2c444d24387f86..57043231b97886382b43eee39c236102e77f9972 100644 (file)
@@ -45,6 +45,9 @@
 #include "auth/gensec/gensec.h"
 #include "librpc/ndr/ndr_dcerpc.h"
 #include "lib/tsocket/tsocket.h"
+#include "../librpc/gen_ndr/ndr_samr.h"
+#include "../librpc/gen_ndr/ndr_lsa.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -378,6 +381,22 @@ static bool check_bind_req(struct pipes_struct *p,
        context_fns->syntax = *abstract;
 
        context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+       /*
+        * for the samr, lsarpc and netlogon interfaces we don't allow "connect"
+        * auth_level by default.
+        */
+       ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
+       if (ok) {
+               context_fns->allow_connect = false;
+       }
+       ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
+       if (ok) {
+               context_fns->allow_connect = false;
+       }
+       ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
+       if (ok) {
+               context_fns->allow_connect = false;
+       }
        /*
         * every interface can be modified to allow "connect" auth_level by
         * using a parametric option like:
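Review bot: The three back-to-back `ndr_syntax_id_equal` checks that each reset `context_fns->allow_connect` to false are identical apart from the table they compare against, and read more clearly as a single condition; that also drops the reuse of `ok` as a scratch flag three times (its declaration is outside the hunk, so I assume it is a bool declared earlier in check_bind_req). Because this block runs after `lp_allow_dcerpc_auth_level_connect()` and before the per-interface parametric option the following comment describes, the deny here is presumably a default that the option can still re-enable for these interfaces, which is what the "by default" wording implies; stating that in the comment would help, e.g. `* auth_level by default; the per-interface parametric option below can still enable it.`. check_bind_req begins before this hunk and continues past it.
```c
	context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
	/*
	 * for the samr, lsarpc and netlogon interfaces we don't allow "connect"
	 * auth_level by default.
	 */
	if (ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id) ||
	    ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id) ||
	    ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id)) {
		context_fns->allow_connect = false;
	}
	/* … unchanged: per-interface parametric option handling … */
```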