Home Explore Help
Sign In
Mangix
/
libreCMC
forked from libreCMC/libreCMC
1
0
Fork 0
Files
Tree: 112a275540
Branches Tags
libreCMC
/
package
/
network
/
services
/
samba36
/
patches
/
024-CVE-2016-2111-v3-6.patch

024-CVE-2016-2111-v3-6.patch 24 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681 
  1. From ee105156fa151ebfd34b8febc2928e144b3b7b0e Mon Sep 17 00:00:00 2001
    2. 

  2. From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
    3. 

  3. Date: Sat, 26 Sep 2015 01:29:10 +0200
    4. 

  4. Subject: [PATCH 01/15] CVE-2016-2111: s3:rpc_server/netlogon: always go
    5. 

  5.  through netr_creds_server_step_check()
    6. 

  6. 

  7. The ensures we apply the "server schannel = yes" restrictions.
    8. 

  8. 

  9. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
    10. 

  10. 

  11. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    12. 

  12. 

  13. Signed-off-by: Guenther Deschner <gd@samba.org>
    14. 

  14. Signed-off-by: Stefan Metzmacher <metze@samba.org>
    15. 

  15. ---
    16. 

  16.  source3/rpc_server/netlogon/srv_netlog_nt.c | 24 ++++++++++++++----------
    17. 

  17.  1 file changed, 14 insertions(+), 10 deletions(-)
    18. 

  18. 

  19. --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
    20. 

  20. +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
    21. 

  21. @@ -1508,6 +1508,7 @@ static NTSTATUS _netr_LogonSamLogon_base
    22. 

  22.  	case NetlogonNetworkTransitiveInformation:
    23. 

  23.  	{
    24. 

  24.  		const char *wksname = nt_workstation;
    25. 

  25. +		const char *workgroup = lp_workgroup();
    26. 

  26.  
    27. 

  27.  		status = make_auth_context_fixed(talloc_tos(), &auth_context,
    28. 

  28.  						 logon->network->challenge);
    29. 

  29. @@ -1532,6 +1533,14 @@ static NTSTATUS _netr_LogonSamLogon_base
    30. 

  30.  						     logon->network->nt.length)) {
    31. 

  31.  			status = NT_STATUS_NO_MEMORY;
    32. 

  32.  		}
    33. 

  33. +
    34. 

  34. +		if (NT_STATUS_IS_OK(status)) {
    35. 

  35. +			status = NTLMv2_RESPONSE_verify_netlogon_creds(
    36. 

  36. +						user_info->client.account_name,
    37. 

  37. +						user_info->client.domain_name,
    38. 

  38. +						user_info->password.response.nt,
    39. 

  39. +						creds, workgroup);
    40. 

  40. +		}
    41. 

  41.  		break;
    42. 

  42.  	}
    43. 

  43.  	case NetlogonInteractiveInformation:
    44. 

  44. @@ -1636,6 +1645,14 @@ static NTSTATUS _netr_LogonSamLogon_base
    45. 

  45.  						r->out.validation->sam3);
    46. 

  46.  		break;
    47. 

  47.  	case 6:
    48. 

  48. +		/* Only allow this if the pipe is protected. */
    49. 

  49. +		if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
    50. 

  50. +			DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
    51. 

  51. +				get_remote_machine_name()));
    52. 

  52. +			status = NT_STATUS_INVALID_PARAMETER;
    53. 

  53. +			break;
    54. 

  54. +		}
    55. 

  55. +
    56. 

  56.  		status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
    57. 

  57.  						r->out.validation->sam6);
    58. 

  58.  		break;
    59. 

  59. @@ -2271,11 +2288,13 @@ NTSTATUS _netr_GetForestTrustInformation
    60. 

  60.  
    61. 

  61.  	/* TODO: check server name */
    62. 

  62.  
    63. 

  63. -	status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
    64. 

  64. -					    r->in.computer_name,
    65. 

  65. -					    r->in.credential,
    66. 

  66. -					    r->out.return_authenticator,
    67. 

  67. -					    &creds);
    68. 

  68. +	become_root();
    69. 

  69. +	status = netr_creds_server_step_check(p, p->mem_ctx,
    70. 

  70. +					      r->in.computer_name,
    71. 

  71. +					      r->in.credential,
    72. 

  72. +					      r->out.return_authenticator,
    73. 

  73. +					      &creds);
    74. 

  74. +	unbecome_root();
    75. 

  75.  	if (!NT_STATUS_IS_OK(status)) {
    76. 

  76.  		return status;
    77. 

  77.  	}
    78. 

  78. @@ -2371,11 +2390,13 @@ NTSTATUS _netr_ServerGetTrustInfo(struct
    79. 

  79.  
    80. 

  80.  	/* TODO: check server name */
    81. 

  81.  
    82. 

  82. -	status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
    83. 

  83. -					    r->in.computer_name,
    84. 

  84. -					    r->in.credential,
    85. 

  85. -					    r->out.return_authenticator,
    86. 

  86. -					    &creds);
    87. 

  87. +	become_root();
    88. 

  88. +	status = netr_creds_server_step_check(p, p->mem_ctx,
    89. 

  89. +					      r->in.computer_name,
    90. 

  90. +					      r->in.credential,
    91. 

  91. +					      r->out.return_authenticator,
    92. 

  92. +					      &creds);
    93. 

  93. +	unbecome_root();
    94. 

  94.  	if (!NT_STATUS_IS_OK(status)) {
    95. 

  95.  		return status;
    96. 

  96.  	}
    97. 

  97. --- a/source4/torture/rpc/samba3rpc.c
    98. 

  98. +++ b/source4/torture/rpc/samba3rpc.c
    99. 

  99. @@ -1122,8 +1122,8 @@ static bool schan(struct torture_context
    100. 

  100.  		generate_random_buffer(chal.data, chal.length);
    101. 

  101.  		names_blob = NTLMv2_generate_names_blob(
    102. 

  102.  			mem_ctx,
    103. 

  103. -			cli_credentials_get_workstation(user_creds),
    104. 

  104. -			cli_credentials_get_domain(user_creds));
    105. 

  105. +			cli_credentials_get_workstation(wks_creds),
    106. 

  106. +			cli_credentials_get_domain(wks_creds));
    107. 

  107.  		status = cli_credentials_get_ntlm_response(
    108. 

  108.  			user_creds, mem_ctx, &flags, chal, names_blob,
    109. 

  109.  			&lm_resp, &nt_resp, NULL, NULL);
    110. 

  110. --- a/libcli/auth/proto.h
    111. 

  111. +++ b/libcli/auth/proto.h
    112. 

  112. @@ -139,6 +139,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
    113. 

  113.  		      const DATA_BLOB *names_blob,
    114. 

  114.  		      DATA_BLOB *lm_response, DATA_BLOB *nt_response, 
    115. 

  115.  		      DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
    116. 

  116. +NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
    117. 

  117. +			const char *account_domain,
    118. 

  118. +			const DATA_BLOB response,
    119. 

  119. +			const struct netlogon_creds_CredentialState *creds,
    120. 

  120. +			const char *workgroup);
    121. 

  121.  
    122. 

  122.  /***********************************************************
    123. 

  123.   encode a password buffer with a unicode password.  The buffer
    124. 

  124. --- a/libcli/auth/smbencrypt.c
    125. 

  125. +++ b/libcli/auth/smbencrypt.c
    126. 

  126. @@ -26,7 +26,7 @@
    127. 

  127.  #include "../libcli/auth/msrpc_parse.h"
    128. 

  128.  #include "../lib/crypto/crypto.h"
    129. 

  129.  #include "../libcli/auth/libcli_auth.h"
    130. 

  130. -#include "../librpc/gen_ndr/ntlmssp.h"
    131. 

  131. +#include "../librpc/gen_ndr/ndr_ntlmssp.h"
    132. 

  132.  
    133. 

  133.  void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
    134. 

  134.  {
    135. 

  135. @@ -522,6 +522,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
    136. 

  136.  				     lm_response, nt_response, lm_session_key, user_session_key);
    137. 

  137.  }
    138. 

  138.  
    139. 

  139. +NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
    140. 

  140. +			const char *account_domain,
    141. 

  141. +			const DATA_BLOB response,
    142. 

  142. +			const struct netlogon_creds_CredentialState *creds,
    143. 

  143. +			const char *workgroup)
    144. 

  144. +{
    145. 

  145. +	TALLOC_CTX *frame = NULL;
    146. 

  146. +	/* RespType + HiRespType */
    147. 

  147. +	static const char *magic = "\x01\x01";
    148. 

  148. +	int cmp;
    149. 

  149. +	struct NTLMv2_RESPONSE v2_resp;
    150. 

  150. +	enum ndr_err_code err;
    151. 

  151. +	const struct AV_PAIR *av_nb_cn = NULL;
    152. 

  152. +	const struct AV_PAIR *av_nb_dn = NULL;
    153. 

  153. +
    154. 

  154. +	if (response.length < 48) {
    155. 

  155. +		/*
    156. 

  156. +		 * NTLMv2_RESPONSE has at least 48 bytes.
    157. 

  157. +		 */
    158. 

  158. +		return NT_STATUS_OK;
    159. 

  159. +	}
    160. 

  160. +
    161. 

  161. +	cmp = memcmp(response.data + 16, magic, 2);
    162. 

  162. +	if (cmp != 0) {
    163. 

  163. +		/*
    164. 

  164. +		 * It doesn't look like a valid NTLMv2_RESPONSE
    165. 

  165. +		 */
    166. 

  166. +		return NT_STATUS_OK;
    167. 

  167. +	}
    168. 

  168. +
    169. 

  169. +	frame = talloc_stackframe();
    170. 

  170. +
    171. 

  171. +	err = ndr_pull_struct_blob(&response, frame, &v2_resp,
    172. 

  172. +		(ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
    173. 

  173. +	if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
    174. 

  174. +		NTSTATUS status;
    175. 

  175. +		status = ndr_map_error2ntstatus(err);
    176. 

  176. +		DEBUG(2,("Failed to parse NTLMv2_RESPONSE "
    177. 

  177. +			 "length %u - %s - %s\n",
    178. 

  178. +			 (unsigned)response.length,
    179. 

  179. +			 ndr_map_error2string(err),
    180. 

  180. +			 nt_errstr(status)));
    181. 

  181. +		dump_data(2, response.data, response.length);
    182. 

  182. +		TALLOC_FREE(frame);
    183. 

  183. +		return status;
    184. 

  184. +	}
    185. 

  185. +
    186. 

  186. +	if (DEBUGLVL(10)) {
    187. 

  187. +		NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
    188. 

  188. +	}
    189. 

  189. +
    190. 

  190. +	/*
    191. 

  191. +	 * Make sure the netbios computer name in the
    192. 

  192. +	 * NTLMv2_RESPONSE matches the computer name
    193. 

  193. +	 * in the secure channel credentials for workstation
    194. 

  194. +	 * trusts.
    195. 

  195. +	 *
    196. 

  196. +	 * And the netbios domain name matches our
    197. 

  197. +	 * workgroup.
    198. 

  198. +	 *
    199. 

  199. +	 * This prevents workstations from requesting
    200. 

  200. +	 * the session key of NTLMSSP sessions of clients
    201. 

  201. +	 * to other hosts.
    202. 

  202. +	 */
    203. 

  203. +	if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
    204. 

  204. +		av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
    205. 

  205. +					       MsvAvNbComputerName);
    206. 

  206. +		av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
    207. 

  207. +					       MsvAvNbDomainName);
    208. 

  208. +	}
    209. 

  209. +
    210. 

  210. +	if (av_nb_cn != NULL) {
    211. 

  211. +		const char *v = NULL;
    212. 

  212. +		char *a = NULL;
    213. 

  213. +		size_t len;
    214. 

  214. +
    215. 

  215. +		v = av_nb_cn->Value.AvNbComputerName;
    216. 

  216. +
    217. 

  217. +		a = talloc_strdup(frame, creds->account_name);
    218. 

  218. +		if (a == NULL) {
    219. 

  219. +			TALLOC_FREE(frame);
    220. 

  220. +			return NT_STATUS_NO_MEMORY;
    221. 

  221. +		}
    222. 

  222. +		len = strlen(a);
    223. 

  223. +		if (len > 0 && a[len - 1] == '$') {
    224. 

  224. +			a[len - 1] = '\0';
    225. 

  225. +		}
    226. 

  226. +
    227. 

  227. +#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
    228. 

  228. +		cmp = strcasecmp_m(a, v);
    229. 

  229. +#else /* smbd */
    230. 

  230. +		cmp = StrCaseCmp(a, v);
    231. 

  231. +#endif
    232. 

  232. +		if (cmp != 0) {
    233. 

  233. +			DEBUG(2,("%s: NTLMv2_RESPONSE with "
    234. 

  234. +				 "NbComputerName[%s] rejected "
    235. 

  235. +				 "for user[%s\\%s] "
    236. 

  236. +				 "against SEC_CHAN_WKSTA[%s/%s] "
    237. 

  237. +				 "in workgroup[%s]\n",
    238. 

  238. +				 __func__, v,
    239. 

  239. +				 account_domain,
    240. 

  240. +				 account_name,
    241. 

  241. +				 creds->computer_name,
    242. 

  242. +				 creds->account_name,
    243. 

  243. +				 workgroup));
    244. 

  244. +			TALLOC_FREE(frame);
    245. 

  245. +			return NT_STATUS_LOGON_FAILURE;
    246. 

  246. +		}
    247. 

  247. +	}
    248. 

  248. +	if (av_nb_dn != NULL) {
    249. 

  249. +		const char *v = NULL;
    250. 

  250. +
    251. 

  251. +		v = av_nb_dn->Value.AvNbDomainName;
    252. 

  252. +
    253. 

  253. +#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
    254. 

  254. +		cmp = strcasecmp_m(workgroup, v);
    255. 

  255. +#else /* smbd */
    256. 

  256. +		cmp = StrCaseCmp(workgroup, v);
    257. 

  257. +#endif
    258. 

  258. +		if (cmp != 0) {
    259. 

  259. +			DEBUG(2,("%s: NTLMv2_RESPONSE with "
    260. 

  260. +				 "NbDomainName[%s] rejected "
    261. 

  261. +				 "for user[%s\\%s] "
    262. 

  262. +				 "against SEC_CHAN_WKSTA[%s/%s] "
    263. 

  263. +				 "in workgroup[%s]\n",
    264. 

  264. +				 __func__, v,
    265. 

  265. +				 account_domain,
    266. 

  266. +				 account_name,
    267. 

  267. +				 creds->computer_name,
    268. 

  268. +				 creds->account_name,
    269. 

  269. +				 workgroup));
    270. 

  270. +			TALLOC_FREE(frame);
    271. 

  271. +			return NT_STATUS_LOGON_FAILURE;
    272. 

  272. +		}
    273. 

  273. +	}
    274. 

  274. +
    275. 

  275. +	TALLOC_FREE(frame);
    276. 

  276. +	return NT_STATUS_OK;
    277. 

  277. +}
    278. 

  278. +
    279. 

  279.  /***********************************************************
    280. 

  280.   encode a password buffer with a unicode password.  The buffer
    281. 

  281.   is filled with random data to make it harder to attack.
    282. 

  282. --- a/libcli/auth/wscript_build
    283. 

  283. +++ b/libcli/auth/wscript_build
    284. 

  284. @@ -19,7 +19,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE',
    285. 

  285.  
    286. 

  286.  bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
    287. 

  287.  	source='credentials.c session.c smbencrypt.c smbdes.c',
    288. 

  288. -	public_deps='MSRPC_PARSE',
    289. 

  289. +	public_deps='MSRPC_PARSE NDR_NTLMSSP',
    290. 

  290.  	public_headers='credentials.h:domain_credentials.h'
    291. 

  291.  	)
    292. 

  292.  
    293. 

  293. --- a/source3/Makefile.in
    294. 

  294. +++ b/source3/Makefile.in
    295. 

  295. @@ -783,6 +783,7 @@ GROUPDB_OBJ = groupdb/mapping.o groupdb/
    296. 

  296.  PROFILE_OBJ = profile/profile.o
    297. 

  297.  PROFILES_OBJ = utils/profiles.o \
    298. 

  298.  	       $(LIBSMB_ERR_OBJ) \
    299. 

  299. +	       $(LIBNDR_NTLMSSP_OBJ) \
    300. 

  300.  	       $(PARAM_OBJ) \
    301. 

  301.                 $(LIB_OBJ) $(LIB_DUMMY_OBJ) \
    302. 

  302.                 $(POPT_LIB_OBJ) \
    303. 

  303. @@ -995,10 +996,10 @@ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(P
    304. 

  304.  STATUS_OBJ = utils/status.o utils/status_profile.o \
    305. 

  305.  	     $(LOCKING_OBJ) $(PARAM_OBJ) \
    306. 

  306.               $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
    307. 

  307. -	     $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
    308. 

  308. +	     $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
    309. 

  309.  
    310. 

  310.  SMBCONTROL_OBJ = utils/smbcontrol.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
    311. 

  311. -	$(LIBSMB_ERR_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
    312. 

  312. +	$(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
    313. 

  313.  
    314. 

  314.  SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
    315. 

  315.               $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_OBJ) \
    316. 

  316. @@ -1012,11 +1013,11 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OB
    317. 

  317.  
    318. 

  318.  TESTPARM_OBJ = utils/testparm.o \
    319. 

  319.                 $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
    320. 

  320. -	       $(LIBSMB_ERR_OBJ)
    321. 

  321. +	       $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
    322. 

  322.  
    323. 

  323.  SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \
    324. 

  324.  	$(LIB_NONSMBD_OBJ) \
    325. 

  325. -	$(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
    326. 

  326. +	$(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
    327. 

  327.  
    328. 

  328.  TEST_LP_LOAD_OBJ = param/test_lp_load.o \
    329. 

  329.  		   $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
    330. 

  330. @@ -1146,6 +1147,7 @@ SMBCONFTORT_OBJ = $(SMBCONFTORT_OBJ0) \
    331. 

  331.  		  $(LIB_NONSMBD_OBJ) \
    332. 

  332.  		  $(PARAM_OBJ) \
    333. 

  333.  		  $(LIBSMB_ERR_OBJ) \
    334. 

  334. +		  $(LIBNDR_NTLMSSP_OBJ) \
    335. 

  335.  		  $(POPT_LIB_OBJ)
    336. 

  336.  
    337. 

  337.  PTHREADPOOLTEST_OBJ = lib/pthreadpool/pthreadpool.o \
    338. 

  338. @@ -1229,7 +1231,7 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ
    339. 

  339.  	  $(LIBNDR_GEN_OBJ0)
    340. 

  340.  
    341. 

  341.  NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
    342. 

  342. -               $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
    343. 

  343. +               $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
    344. 

  344.  
    345. 

  345.  SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
    346. 

  346.  		torture/denytest.o torture/mangle_test.o \
    347. 

  347. @@ -1253,6 +1255,7 @@ MASKTEST_OBJ = torture/masktest.o $(PARA
    348. 

  348.  		 $(LIBNDR_GEN_OBJ0)
    349. 

  349.  
    350. 

  350.  MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_ERR_OBJ) \
    351. 

  351. +		 $(LIBNDR_NTLMSSP_OBJ) \
    352. 

  352.                   $(LIB_NONSMBD_OBJ) \
    353. 

  353.  		 $(LIBNDR_GEN_OBJ0)
    354. 

  354.  
    355. 

  355. @@ -1269,7 +1272,7 @@ PDBTEST_OBJ = torture/pdbtest.o $(PARAM_
    356. 

  356.  
    357. 

  357.  VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) $(READLINE_OBJ)
    358. 

  358.  
    359. 

  359. -SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
    360. 

  360. +SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
    361. 

  361.  
    362. 

  362.  LOG2PCAP_OBJ = utils/log2pcaphex.o
    363. 

  363.  
    364. 

  364. @@ -1297,17 +1300,17 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LI
    365. 

  365.  EVTLOGADM_OBJ0	= utils/eventlogadm.o
    366. 

  366.  
    367. 

  367.  EVTLOGADM_OBJ	= $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
    368. 

  368. -		$(LIBSMB_ERR_OBJ) $(LIB_EVENTLOG_OBJ) \
    369. 

  369. +		$(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIB_EVENTLOG_OBJ) \
    370. 

  370.  		librpc/gen_ndr/ndr_eventlog.o \
    371. 

  371.  		librpc/gen_ndr/ndr_lsa.o
    372. 

  372.  
    373. 

  373.  SHARESEC_OBJ0 = utils/sharesec.o
    374. 

  374.  SHARESEC_OBJ  = $(SHARESEC_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
    375. 

  375. -		$(LIBSMB_ERR_OBJ) \
    376. 

  376. +		$(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) \
    377. 

  377.                  $(POPT_LIB_OBJ)
    378. 

  378.  
    379. 

  379.  TALLOCTORT_OBJ = @tallocdir@/testsuite.o @tallocdir@/testsuite_main.o \
    380. 

  380. -		$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ)
    381. 

  381. +		$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
    382. 

  382.  
    383. 

  383.  REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \
    384. 

  384.  		@libreplacedir@/test/getifaddrs.o \
    385. 

  385. @@ -1323,7 +1326,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(PARA
    386. 

  386.  		 $(LIBNDR_GEN_OBJ0)
    387. 

  387.  
    388. 

  388.  WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \
    389. 

  389. -	$(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNMB_OBJ)
    390. 

  390. +	$(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIBNMB_OBJ)
    391. 

  391.  
    392. 

  392.  PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
    393. 

  393.  		pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o
    394. 

  394. @@ -1531,12 +1534,14 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.
    395. 

  395.  DBWRAP_TOOL_OBJ = utils/dbwrap_tool.o \
    396. 

  396.  		  $(PARAM_OBJ) \
    397. 

  397.  		  $(LIB_NONSMBD_OBJ) \
    398. 

  398. -		  $(LIBSMB_ERR_OBJ)
    399. 

  399. +		  $(LIBSMB_ERR_OBJ) \
    400. 

  400. +		  $(LIBNDR_NTLMSSP_OBJ)
    401. 

  401.  
    402. 

  402.  DBWRAP_TORTURE_OBJ = utils/dbwrap_torture.o \
    403. 

  403.  		     $(PARAM_OBJ) \
    404. 

  404.  		     $(LIB_NONSMBD_OBJ) \
    405. 

  405.  		     $(LIBSMB_ERR_OBJ) \
    406. 

  406. +		     $(LIBNDR_NTLMSSP_OBJ) \
    407. 

  407.  		     $(POPT_LIB_OBJ)
    408. 

  408.  
    409. 

  409.  SPLIT_TOKENS_OBJ = utils/split_tokens.o \
    410. 

  410. --- a/source4/torture/raw/samba3misc.c
    411. 

  411. +++ b/source4/torture/raw/samba3misc.c
    412. 

  412. @@ -340,6 +340,7 @@ bool torture_samba3_badpath(struct tortu
    413. 

  413.  	bool ret = true;
    414. 

  414.  	TALLOC_CTX *mem_ctx;
    415. 

  415.  	bool nt_status_support;
    416. 

  416. +	bool client_ntlmv2_auth;
    417. 

  417.  
    418. 

  418.  	if (!(mem_ctx = talloc_init("torture_samba3_badpath"))) {
    419. 

  419.  		d_printf("talloc_init failed\n");
    420. 

  420. @@ -347,20 +348,17 @@ bool torture_samba3_badpath(struct tortu
    421. 

  421.  	}
    422. 

  422.  
    423. 

  423.  	nt_status_support = lpcfg_nt_status_support(torture->lp_ctx);
    424. 

  424. +	client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(torture->lp_ctx);
    425. 

  425.  
    426. 

  426. -	if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes")) {
    427. 

  427. -		printf("Could not set 'nt status support = yes'\n");
    428. 

  428. -		goto fail;
    429. 

  429. -	}
    430. 

  430. +	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes"), ret, fail, "Could not set 'nt status support = yes'\n");
    431. 

  431. +	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "yes"), ret, fail, "Could not set 'client ntlmv2 auth = yes'\n");
    432. 

  432.  
    433. 

  433.  	if (!torture_open_connection(&cli_nt, torture, 0)) {
    434. 

  434.  		goto fail;
    435. 

  435.  	}
    436. 

  436.  
    437. 

  437. -	if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no")) {
    438. 

  438. -		printf("Could not set 'nt status support = yes'\n");
    439. 

  439. -		goto fail;
    440. 

  440. -	}
    441. 

  441. +	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no"), ret, fail, "Could not set 'nt status support = no'\n");
    442. 

  442. +	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "no"), ret, fail, "Could not set 'client ntlmv2 auth = no'\n");
    443. 

  443.  
    444. 

  444.  	if (!torture_open_connection(&cli_dos, torture, 1)) {
    445. 

  445.  		goto fail;
    446. 

  446. @@ -373,6 +371,12 @@ bool torture_samba3_badpath(struct tortu
    447. 

  447.  	}
    448. 

  448.  
    449. 

  449.  	smbcli_deltree(cli_nt->tree, dirname);
    450. 

  450. +	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support",
    451. 

  451. +						       nt_status_support ? "yes":"no"),
    452. 

  452. +			    ret, fail, "Could not set 'nt status support' back to where it was\n");
    453. 

  453. +	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth",
    454. 

  454. +						       client_ntlmv2_auth ? "yes":"no"),
    455. 

  455. +			    ret, fail, "Could not set 'client ntlmv2 auth' back to where it was\n");
    456. 

  456.  
    457. 

  457.  	status = smbcli_mkdir(cli_nt->tree, dirname);
    458. 

  458.  	if (!NT_STATUS_IS_OK(status)) {
    459. 

  459. --- a/source4/torture/basic/base.c
    460. 

  460. +++ b/source4/torture/basic/base.c
    461. 

  461. @@ -1476,6 +1476,7 @@ static bool torture_chkpath_test(struct
    462. 

  462.  static bool torture_samba3_errorpaths(struct torture_context *tctx)
    463. 

  463.  {
    464. 

  464.  	bool nt_status_support;
    465. 

  465. +	bool client_ntlmv2_auth;
    466. 

  466.  	struct smbcli_state *cli_nt = NULL, *cli_dos = NULL;
    467. 

  467.  	bool result = false;
    468. 

  468.  	int fnum;
    469. 

  469. @@ -1485,18 +1486,27 @@ static bool torture_samba3_errorpaths(st
    470. 

  470.  	NTSTATUS status;
    471. 

  471.  
    472. 

  472.  	nt_status_support = lpcfg_nt_status_support(tctx->lp_ctx);
    473. 

  473. +	client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(tctx->lp_ctx);
    474. 

  474.  
    475. 

  475.  	if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "yes")) {
    476. 

  476.  		torture_comment(tctx, "Could not set 'nt status support = yes'\n");
    477. 

  477.  		goto fail;
    478. 

  478.  	}
    479. 

  479. +	if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "yes")) {
    480. 

  480. +		torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = yes'\n");
    481. 

  481. +		goto fail;
    482. 

  482. +	}
    483. 

  483.  
    484. 

  484.  	if (!torture_open_connection(&cli_nt, tctx, 0)) {
    485. 

  485.  		goto fail;
    486. 

  486.  	}
    487. 

  487.  
    488. 

  488.  	if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "no")) {
    489. 

  489. -		torture_comment(tctx, "Could not set 'nt status support = yes'\n");
    490. 

  490. +		torture_result(tctx, TORTURE_FAIL, "Could not set 'nt status support = no'\n");
    491. 

  491. +		goto fail;
    492. 

  492. +	}
    493. 

  493. +	if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "no")) {
    494. 

  494. +		torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = no'\n");
    495. 

  495.  		goto fail;
    496. 

  496.  	}
    497. 

  497.  
    498. 

  498. @@ -1506,7 +1516,12 @@ static bool torture_samba3_errorpaths(st
    499. 

  499.  
    500. 

  500.  	if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support",
    501. 

  501.  			    nt_status_support ? "yes":"no")) {
    502. 

  502. -		torture_comment(tctx, "Could not reset 'nt status support = yes'");
    503. 

  503. +		torture_result(tctx, TORTURE_FAIL, "Could not reset 'nt status support'");
    504. 

  504. +		goto fail;
    505. 

  505. +	}
    506. 

  506. +	if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth",
    507. 

  507. +			       client_ntlmv2_auth ? "yes":"no")) {
    508. 

  508. +		torture_result(tctx, TORTURE_FAIL, "Could not reset 'client ntlmv2 auth'");
    509. 

  509.  		goto fail;
    510. 

  510.  	}
    511. 

  511.  
    512. 

  512. --- a/source3/libsmb/cliconnect.c
    513. 

  513. +++ b/source3/libsmb/cliconnect.c
    514. 

  514. @@ -2077,6 +2077,17 @@ NTSTATUS cli_session_setup(struct cli_st
    515. 

  515.  		NTSTATUS status;
    516. 

  516.  
    517. 

  517.  		/* otherwise do a NT1 style session setup */
    518. 

  518. +		if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
    519. 

  519. +			/*
    520. 

  520. +			 * Don't send an NTLMv2 response without NTLMSSP
    521. 

  521. +			 * if we want to use spnego support
    522. 

  522. +			 */
    523. 

  523. +			DEBUG(1, ("Server does not support EXTENDED_SECURITY "
    524. 

  524. +				  " but 'client use spnego = yes"
    525. 

  525. +				  " and 'client ntlmv2 auth = yes'\n"));
    526. 

  526. +			return NT_STATUS_ACCESS_DENIED;
    527. 

  527. +		}
    528. 

  528. +
    529. 

  529.  		status = cli_session_setup_nt1(cli, user, pass, passlen,
    530. 

  530.  					       ntpass, ntpasslen, workgroup);
    531. 

  531.  		if (!NT_STATUS_IS_OK(status)) {
    532. 

  532. --- a/docs-xml/smbdotconf/protocol/clientusespnego.xml
    533. 

  533. +++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml
    534. 

  534. @@ -9,6 +9,11 @@
    535. 

  535.      supporting servers (including WindowsXP, Windows2000 and Samba
    536. 

  536.      3.0) to agree upon an authentication
    537. 

  537.      mechanism.  This enables Kerberos authentication in particular.</para>
    538. 

  538. +
    539. 

  539. +    <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
    540. 

  540. +    <constant>yes</constant> extended security (SPNEGO) is required
    541. 

  541. +    in order to use NTLMv2 only within NTLMSSP. This behavior was
    542. 

  542. +    introduced with the patches for CVE-2016-2111.</para>
    543. 

  543.  </description>
    544. 

  544.  
    545. 

  545.  <value type="default">yes</value>
    546. 

  546. --- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
    547. 

  547. +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
    548. 

  548. @@ -28,6 +28,11 @@
    549. 

  549.      NTLMv2 by default, and some sites (particularly those following
    550. 

  550.      'best practice' security polices) only allow NTLMv2 responses, and
    551. 

  551.      not the weaker LM or NTLM.</para>
    552. 

  552. +
    553. 

  553. +    <para>When <smbconfoption name="client use spnego"/> is also set to
    554. 

  554. +    <constant>yes</constant> extended security (SPNEGO) is required
    555. 

  555. +    in order to use NTLMv2 only within NTLMSSP. This behavior was
    556. 

  556. +    introduced with the patches for CVE-2016-2111.</para>
    557. 

  557.  </description>
    558. 

  558.  <value type="default">yes</value>
    559. 

  559.  </samba:parameter>
    560. 

  560. --- /dev/null
    561. 

  561. +++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
    562. 

  562. @@ -0,0 +1,19 @@
    563. 

  563. +<samba:parameter name="raw NTLMv2 auth"
    564. 

  564. +                 context="G"
    565. 

  565. +                 type="boolean"
    566. 

  566. +                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
    567. 

  567. +<description>
    568. 

  568. +    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
    569. 

  569. +    <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
    570. 

  570. +    extended security (without SPNEGO) to use NTLMv2 authentication.</para>
    571. 

  571. +
    572. 

  572. +    <para>If this option, <command moreinfo="none">lanman auth</command>
    573. 

  573. +    and <command moreinfo="none">ntlm auth</command> are all disabled,
    574. 

  574. +    then only clients with SPNEGO support will be permitted.
    575. 

  575. +    That means NTLMv2 is only supported within NTLMSSP.</para>
    576. 

  576. +</description>
    577. 

  577. +
    578. 

  578. +<related>lanman auth</related>
    579. 

  579. +<related>ntlm auth</related>
    580. 

  580. +<value type="default">no</value>
    581. 

  581. +</samba:parameter>
    582. 

  582. --- a/source3/include/proto.h
    583. 

  583. +++ b/source3/include/proto.h
    584. 

  584. @@ -1489,6 +1489,7 @@ bool lp_map_untrusted_to_domain(void);
    585. 

  585.  int lp_restrict_anonymous(void);
    586. 

  586.  bool lp_lanman_auth(void);
    587. 

  587.  bool lp_ntlm_auth(void);
    588. 

  588. +bool lp_raw_ntlmv2_auth(void);
    589. 

  589.  bool lp_client_plaintext_auth(void);
    590. 

  590.  bool lp_client_lanman_auth(void);
    591. 

  591.  bool lp_client_ntlmv2_auth(void);
    592. 

  592. --- a/source3/param/loadparm.c
    593. 

  593. +++ b/source3/param/loadparm.c
    594. 

  594. @@ -336,6 +336,7 @@ struct global {
    595. 

  595.  	bool bAllowTrustedDomains;
    596. 

  596.  	bool bLanmanAuth;
    597. 

  597.  	bool bNTLMAuth;
    598. 

  598. +	bool bRawNTLMv2Auth;
    599. 

  599.  	bool bUseSpnego;
    600. 

  600.  	bool bClientLanManAuth;
    601. 

  601.  	bool bClientNTLMv2Auth;
    602. 

  602. @@ -1383,6 +1384,15 @@ static struct parm_struct parm_table[] =
    603. 

  603.  		.flags		= FLAG_ADVANCED,
    604. 

  604.  	},
    605. 

  605.  	{
    606. 

  606. +		.label		= "raw NTLMv2 auth",
    607. 

  607. +		.type		= P_BOOL,
    608. 

  608. +		.p_class	= P_GLOBAL,
    609. 

  609. +		.ptr		= &Globals.bRawNTLMv2Auth,
    610. 

  610. +		.special	= NULL,
    611. 

  611. +		.enum_list	= NULL,
    612. 

  612. +		.flags		= FLAG_ADVANCED,
    613. 

  613. +	},
    614. 

  614. +	{
    615. 

  615.  		.label		= "client NTLMv2 auth",
    616. 

  616.  		.type		= P_BOOL,
    617. 

  617.  		.p_class	= P_GLOBAL,
    618. 

  618. @@ -5337,6 +5347,7 @@ static void init_globals(bool reinit_glo
    619. 

  619.  	Globals.bClientPlaintextAuth = False;	/* Do NOT use a plaintext password even if is requested by the server */
    620. 

  620.  	Globals.bLanmanAuth = False;	/* Do NOT use the LanMan hash, even if it is supplied */
    621. 

  621.  	Globals.bNTLMAuth = True;	/* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
    622. 

  622. +	Globals.bRawNTLMv2Auth = false;	/* Allow NTLMv2 without NTLMSSP */
    623. 

  623.  	Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
    624. 

  624.  	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
    625. 

  625.  
    626. 

  626. @@ -5819,6 +5830,7 @@ FN_GLOBAL_BOOL(lp_map_untrusted_to_domai
    627. 

  627.  FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
    628. 

  628.  FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
    629. 

  629.  FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
    630. 

  630. +FN_GLOBAL_BOOL(lp_raw_ntlmv2_auth, &Globals.bRawNTLMv2Auth)
    631. 

  631.  FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth)
    632. 

  632.  FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth)
    633. 

  633.  FN_GLOBAL_BOOL(lp_client_ntlmv2_auth, &Globals.bClientNTLMv2Auth)
    634. 

  634. --- a/source3/auth/auth_util.c
    635. 

  635. +++ b/source3/auth/auth_util.c
    636. 

  636. @@ -30,6 +30,7 @@
    637. 

  637.  #include "../lib/util/util_pw.h"
    638. 

  638.  #include "lib/winbind_util.h"
    639. 

  639.  #include "passdb.h"
    640. 

  640. +#include "../lib/tsocket/tsocket.h"
    641. 

  641.  
    642. 

  642.  #undef DBGC_CLASS
    643. 

  643.  #define DBGC_CLASS DBGC_AUTH
    644. 

  644. @@ -367,6 +368,19 @@ NTSTATUS make_user_info_for_reply_enc(st
    645. 

  645.                                        const char *client_domain, 
    646. 

  646.                                        DATA_BLOB lm_resp, DATA_BLOB nt_resp)
    647. 

  647.  {
    648. 

  648. +	bool allow_raw = lp_raw_ntlmv2_auth();
    649. 

  649. +
    650. 

  650. +	if (!allow_raw && nt_resp.length >= 48) {
    651. 

  651. +		/*
    652. 

  652. +		 * NTLMv2_RESPONSE has at least 48 bytes
    653. 

  653. +		 * and should only be supported via NTLMSSP.
    654. 

  654. +		 */
    655. 

  655. +		DEBUG(2,("Rejecting raw NTLMv2 authentication with "
    656. 

  656. +			 "user [%s\\%s]\n",
    657. 

  657. +			 client_domain, smb_name));
    658. 

  658. +		return NT_STATUS_INVALID_PARAMETER;
    659. 

  659. +	}
    660. 

  660. +
    661. 

  661.  	return make_user_info_map(user_info, smb_name, 
    662. 

  662.  				  client_domain, 
    663. 

  663.  				  get_remote_machine_name(), 
    664. 

  664. --- a/selftest/target/Samba3.pm
    665. 

  665. +++ b/selftest/target/Samba3.pm
    666. 

  666. @@ -127,6 +127,7 @@ sub setup_dc($$)
    667. 

  667.  	domain master = yes
    668. 

  668.  	domain logons = yes
    669. 

  669.  	lanman auth = yes
    670. 

  670. +	raw NTLMv2 auth = yes
    671. 

  671.  ";
    672. 

  672.  
    673. 

  673.  	my $vars = $self->provision($path,
    674. 

  674. @@ -230,6 +231,7 @@ sub setup_secserver($$$)
    675. 

  675.  	my $secserver_options = "
    676. 

  676.  	security = server
    677. 

  677.          password server = $s3dcvars->{SERVER_IP}
    678. 

  678. +	client ntlmv2 auth = no
    679. 

  679.  ";
    680. 

  680.  
    681. 

  681.  	my $ret = $self->provision($prefix,
    682.