85 lines
3.9 KiB
Diff
85 lines
3.9 KiB
Diff
|
From 2a7249a43c82d720191e29510db5633f3a92a08c Mon Sep 17 00:00:00 2001
|
||
|
From: Alexander Bokovoy <ab@samba.org>
|
||
|
Date: Tue, 7 Jan 2020 19:25:53 +0200
|
||
|
Subject: [PATCH 209/209] s3-rpcserver: fix security level check for
|
||
|
DsRGetForestTrustInformation
|
||
|
MIME-Version: 1.0
|
||
|
Content-Type: text/plain; charset=UTF-8
|
||
|
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
|
||
|
didn't change since DCE RPC channel refactoring.
|
||
|
|
||
|
With the current code we return RPC faul as can be seen in the logs:
|
||
|
|
||
|
2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
|
||
|
netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
|
||
|
in: struct netr_DsRGetForestTrustInformation
|
||
|
server_name : *
|
||
|
server_name : '\\some-dc.example.com'
|
||
|
trusted_domain_name : NULL
|
||
|
flags : 0x00000000 (0)
|
||
|
[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
|
||
|
api_rpcTNP: fault(5) return.
|
||
|
|
||
|
This is due to this check in processing a request:
|
||
|
if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
|
||
|
&& (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
|
||
|
p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
|
||
|
return WERR_ACCESS_DENIED;
|
||
|
}
|
||
|
|
||
|
and since we get AuthZ response,
|
||
|
|
||
|
Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
|
||
|
Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
|
||
|
[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
|
||
|
JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
|
||
|
"type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
|
||
|
"localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
|
||
|
"serviceDescription": "netlogon", "authType": "ncacn_np",
|
||
|
"domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
|
||
|
"sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
|
||
|
"transportProtection": "SMB", "accountFlags": "0x00000010"}}
|
||
|
|
||
|
this means we are actually getting anonymous DCE/RPC access to netlogon
|
||
|
on top of authenticated SMB connection. In such case we have exactly
|
||
|
auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
|
||
|
DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
|
||
|
|
||
|
Update the code to follow the same security level check as in s4 variant
|
||
|
of the call.
|
||
|
|
||
|
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||
|
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||
|
|
||
|
Autobuild-User(master): Günther Deschner <gd@samba.org>
|
||
|
Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184
|
||
|
|
||
|
(cherry picked from commit c6d880a115095c336b8b74f45854a99abb1bbb87)
|
||
|
---
|
||
|
source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
|
||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||
|
index 3dd8ecf5ca8..3fb62d3f82e 100644
|
||
|
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||
|
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||
|
@@ -2454,10 +2454,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
|
||
|
{
|
||
|
NTSTATUS status;
|
||
|
struct lsa_ForestTrustInformation *info, **info_ptr;
|
||
|
+ enum security_user_level security_level;
|
||
|
|
||
|
- if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
|
||
|
- && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
|
||
|
- p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
|
||
|
+ security_level = security_session_user_level(p->session_info, NULL);
|
||
|
+ if (security_level < SECURITY_USER) {
|
||
|
return WERR_ACCESS_DENIED;
|
||
|
}
|
||
|
|
||
|
--
|
||
|
2.24.1
|
||
|
|