From ec42fe46d4c126d9c2ebc20c1cb168ad5e06a21e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 20 Apr 2016 11:26:57 +0200 Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing Note real anonymous sessions (with "" as username) don't hit this as we don't even call smb2cli_session_set_session_key() in that case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 Signed-off-by: Stefan Metzmacher --- libcli/smb/smbXcli_base.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index b07fdad..6797207 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -4952,6 +4952,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session) return false; } + if (session->conn->mandatory_signing) { + return false; + } + if (session->conn->protocol >= PROTOCOL_SMB2_02) { if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) { return true; @@ -5177,7 +5181,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, const struct iovec *recv_iov) { struct smbXcli_conn *conn = session->conn; - uint16_t no_sign_flags; + uint16_t no_sign_flags = 0; uint8_t session_key[16]; bool check_signature = true; uint32_t hdr_flags; @@ -5191,7 +5195,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, return NT_STATUS_INVALID_PARAMETER_MIX; } - no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL; + if (!conn->mandatory_signing) { + /* + * only allow guest sessions without + * mandatory signing. + * + * If we try an authentication with username != "" + * and the server let us in without verifying the + * password we don't have a negotiated session key + * for signing. + */ + no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST; + } if (session->smb2->session_flags & no_sign_flags) { session->smb2->should_sign = false; -- 1.9.1 From c303bd4bdf6e3f89e6821abb13e3ef40164944f5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 28 Apr 2016 02:36:35 +0200 Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest() with mandatory signing BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 Signed-off-by: Stefan Metzmacher --- source3/libsmb/cliconnect.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 420fe3c..3de3796 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1606,6 +1606,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq) * have a negotiated session key. * * So just pretend we are completely done. + * + * Note that smbXcli_session_is_guest() + * always returns false if we require signing. */ state->blob_in = data_blob_null; state->local_ready = true; -- 1.9.1 From fd0750e860b18b1182126dcf7ccc1f7dd38560ce Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 28 Apr 2016 02:24:52 +0200 Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for guest logins and mandatory signing BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 Signed-off-by: Stefan Metzmacher --- source3/script/tests/test_smbclient_ntlm.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh index b8fc564..33a927f 100755 --- a/source3/script/tests/test_smbclient_ntlm.sh +++ b/source3/script/tests/test_smbclient_ntlm.sh @@ -37,4 +37,8 @@ else testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS + + testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS + testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS + testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS fi -- 1.9.1