Compare commits
3 Commits
c8
...
changed/a8
Author | SHA1 | Date | |
---|---|---|---|
04e2eb07a7 | |||
791775af87 | |||
bb27d63e76 |
@ -0,0 +1,295 @@
|
|||||||
|
From 09ee91a8f7e53f688f091fe67e0b95d1d34fb9c9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jeremy Allison <jra@samba.org>
|
||||||
|
Date: Tue, 25 Jul 2023 17:41:04 -0700
|
||||||
|
Subject: [PATCH 1/3] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
|
||||||
|
could exit socket_dir.
|
||||||
|
|
||||||
|
For now, SMB_ASSERT() to exit the server. We will remove
|
||||||
|
this once the test code is in place.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
|
||||||
|
|
||||||
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
||||||
|
---
|
||||||
|
source3/rpc_client/local_np.c | 18 ++++++++++++++++++
|
||||||
|
1 file changed, 18 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
|
||||||
|
index 0b323404f06..95228d5d801 100644
|
||||||
|
--- a/source3/rpc_client/local_np.c
|
||||||
|
+++ b/source3/rpc_client/local_np.c
|
||||||
|
@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
|
||||||
|
return tevent_req_post(req, ev);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Ensure we cannot process a path that exits
|
||||||
|
+ * the socket_dir.
|
||||||
|
+ */
|
||||||
|
+ if (ISDOTDOT(lower_case_pipename) ||
|
||||||
|
+ (strchr(lower_case_pipename, '/')!=NULL))
|
||||||
|
+ {
|
||||||
|
+ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
|
||||||
|
+ lower_case_pipename);
|
||||||
|
+ /*
|
||||||
|
+ * For now, panic the server until we have
|
||||||
|
+ * the test code in place.
|
||||||
|
+ */
|
||||||
|
+ SMB_ASSERT(false);
|
||||||
|
+ tevent_req_error(req, ENOENT);
|
||||||
|
+ return tevent_req_post(req, ev);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
state->socketpath = talloc_asprintf(
|
||||||
|
state, "%s/np/%s", socket_dir, lower_case_pipename);
|
||||||
|
if (tevent_req_nomem(state->socketpath, req)) {
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
||||||
|
|
||||||
|
From 34d4258e77d7a3f48004e88161ac2398e9669a4b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jeremy Allison <jra@samba.org>
|
||||||
|
Date: Tue, 25 Jul 2023 17:49:21 -0700
|
||||||
|
Subject: [PATCH 2/3] CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME
|
||||||
|
to show we allow bad pipenames with unix separators through to the UNIX
|
||||||
|
domain socket code.
|
||||||
|
|
||||||
|
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
|
||||||
|
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
|
||||||
|
|
||||||
|
Add the knownfail.
|
||||||
|
|
||||||
|
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422
|
||||||
|
|
||||||
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
||||||
|
---
|
||||||
|
selftest/knownfail.d/badpipename | 1 +
|
||||||
|
source3/selftest/tests.py | 14 ++++
|
||||||
|
source3/torture/proto.h | 1 +
|
||||||
|
source3/torture/test_smb2.c | 107 +++++++++++++++++++++++++++++++
|
||||||
|
source3/torture/torture.c | 4 ++
|
||||||
|
5 files changed, 127 insertions(+)
|
||||||
|
create mode 100644 selftest/knownfail.d/badpipename
|
||||||
|
|
||||||
|
diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..e69715f863d
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/selftest/knownfail.d/badpipename
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\)
|
||||||
|
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
|
||||||
|
index 1fdcad1089f..2c8336d35e8 100755
|
||||||
|
--- a/source3/selftest/tests.py
|
||||||
|
+++ b/source3/selftest/tests.py
|
||||||
|
@@ -296,6 +296,20 @@ plantestsuite("samba3.smbtorture_s3.smb2.SMB2-DFS-FILENAME-LEADING-BACKSLASH",
|
||||||
|
smbtorture3,
|
||||||
|
"-mSMB2"])
|
||||||
|
|
||||||
|
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
|
||||||
|
+# Prevent bad pipenames.
|
||||||
|
+#
|
||||||
|
+plantestsuite("samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME",
|
||||||
|
+ "fileserver",
|
||||||
|
+ [os.path.join(samba3srcdir,
|
||||||
|
+ "script/tests/test_smbtorture_s3.sh"),
|
||||||
|
+ 'SMB2-INVALID-PIPENAME',
|
||||||
|
+ '//$SERVER_IP/tmp',
|
||||||
|
+ '$USERNAME',
|
||||||
|
+ '$PASSWORD',
|
||||||
|
+ smbtorture3,
|
||||||
|
+ "-mSMB2"])
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# SMB2-NON-DFS-SHARE needs to run against a special share non-msdfs-pathname-share
|
||||||
|
# This is an empty non-DFS share with no links, used merely to test
|
||||||
|
diff --git a/source3/torture/proto.h b/source3/torture/proto.h
|
||||||
|
index 21d7b3e00a7..3751697596a 100644
|
||||||
|
--- a/source3/torture/proto.h
|
||||||
|
+++ b/source3/torture/proto.h
|
||||||
|
@@ -124,6 +124,7 @@ bool run_smb2_dfs_paths(int dummy);
|
||||||
|
bool run_smb2_non_dfs_share(int dummy);
|
||||||
|
bool run_smb2_dfs_share_non_dfs_path(int dummy);
|
||||||
|
bool run_smb2_dfs_filename_leading_backslash(int dummy);
|
||||||
|
+bool run_smb2_invalid_pipename(int dummy);
|
||||||
|
bool run_smb1_dfs_paths(int dummy);
|
||||||
|
bool run_smb1_dfs_search_paths(int dummy);
|
||||||
|
bool run_smb1_dfs_operations(int dummy);
|
||||||
|
diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c
|
||||||
|
index 269ade4ef61..7ea3d83de10 100644
|
||||||
|
--- a/source3/torture/test_smb2.c
|
||||||
|
+++ b/source3/torture/test_smb2.c
|
||||||
|
@@ -5136,3 +5136,110 @@ bool run_smb2_dfs_filename_leading_backslash(int dummy)
|
||||||
|
(void)smb2_dfs_delete(cli, dfs_filename_slash);
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+bool run_smb2_invalid_pipename(int dummy)
|
||||||
|
+{
|
||||||
|
+ struct cli_state *cli = NULL;
|
||||||
|
+ NTSTATUS status;
|
||||||
|
+ uint64_t fid_persistent = 0;
|
||||||
|
+ uint64_t fid_volatile = 0;
|
||||||
|
+ const char *unknown_pipe = "badpipe";
|
||||||
|
+ const char *invalid_pipe = "../../../../../../../../../badpipe";
|
||||||
|
+
|
||||||
|
+ printf("Starting SMB2-INVALID-PIPENAME\n");
|
||||||
|
+
|
||||||
|
+ if (!torture_init_connection(&cli)) {
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ status = smbXcli_negprot(cli->conn,
|
||||||
|
+ cli->timeout,
|
||||||
|
+ PROTOCOL_SMB2_02,
|
||||||
|
+ PROTOCOL_SMB3_11);
|
||||||
|
+ if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
+ printf("smbXcli_negprot returned %s\n", nt_errstr(status));
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ status = cli_session_setup_creds(cli, torture_creds);
|
||||||
|
+ if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
+ printf("cli_session_setup returned %s\n", nt_errstr(status));
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ status = cli_tree_connect(cli, "IPC$", "?????", NULL);
|
||||||
|
+ if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
+ printf("cli_tree_connect returned %s\n", nt_errstr(status));
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Try and connect to an unknown pipename. */
|
||||||
|
+ status = smb2cli_create(cli->conn,
|
||||||
|
+ cli->timeout,
|
||||||
|
+ cli->smb2.session,
|
||||||
|
+ cli->smb2.tcon,
|
||||||
|
+ unknown_pipe,
|
||||||
|
+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */
|
||||||
|
+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */
|
||||||
|
+ SEC_STD_SYNCHRONIZE|
|
||||||
|
+ SEC_FILE_READ_DATA|
|
||||||
|
+ SEC_FILE_WRITE_DATA|
|
||||||
|
+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */
|
||||||
|
+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */
|
||||||
|
+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */
|
||||||
|
+ FILE_CREATE, /* create_disposition, */
|
||||||
|
+ 0, /* create_options, */
|
||||||
|
+ NULL, /* smb2_create_blobs *blobs */
|
||||||
|
+ &fid_persistent,
|
||||||
|
+ &fid_volatile,
|
||||||
|
+ NULL, /* struct smb_create_returns * */
|
||||||
|
+ talloc_tos(), /* mem_ctx. */
|
||||||
|
+ NULL, /* struct smb2_create_blobs * */
|
||||||
|
+ NULL); /* struct symlink_reparse_struct */
|
||||||
|
+ /* We should get NT_STATUS_OBJECT_NAME_NOT_FOUND */
|
||||||
|
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
|
||||||
|
+ printf("%s:%d smb2cli_create on name %s returned %s\n",
|
||||||
|
+ __FILE__,
|
||||||
|
+ __LINE__,
|
||||||
|
+ unknown_pipe,
|
||||||
|
+ nt_errstr(status));
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Try and connect to an invalid pipename containing unix separators. */
|
||||||
|
+ status = smb2cli_create(cli->conn,
|
||||||
|
+ cli->timeout,
|
||||||
|
+ cli->smb2.session,
|
||||||
|
+ cli->smb2.tcon,
|
||||||
|
+ invalid_pipe,
|
||||||
|
+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */
|
||||||
|
+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */
|
||||||
|
+ SEC_STD_SYNCHRONIZE|
|
||||||
|
+ SEC_FILE_READ_DATA|
|
||||||
|
+ SEC_FILE_WRITE_DATA|
|
||||||
|
+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */
|
||||||
|
+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */
|
||||||
|
+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */
|
||||||
|
+ FILE_CREATE, /* create_disposition, */
|
||||||
|
+ 0, /* create_options, */
|
||||||
|
+ NULL, /* smb2_create_blobs *blobs */
|
||||||
|
+ &fid_persistent,
|
||||||
|
+ &fid_volatile,
|
||||||
|
+ NULL, /* struct smb_create_returns * */
|
||||||
|
+ talloc_tos(), /* mem_ctx. */
|
||||||
|
+ NULL, /* struct smb2_create_blobs * */
|
||||||
|
+ NULL); /* struct symlink_reparse_struct */
|
||||||
|
+ /*
|
||||||
|
+ * We should still get NT_STATUS_OBJECT_NAME_NOT_FOUND
|
||||||
|
+ * (tested against Windows 2022).
|
||||||
|
+ */
|
||||||
|
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
|
||||||
|
+ printf("%s:%d smb2cli_create on name %s returned %s\n",
|
||||||
|
+ __FILE__,
|
||||||
|
+ __LINE__,
|
||||||
|
+ invalid_pipe,
|
||||||
|
+ nt_errstr(status));
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+ return true;
|
||||||
|
+}
|
||||||
|
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
|
||||||
|
index 1315b328f5f..d53699c3b02 100644
|
||||||
|
--- a/source3/torture/torture.c
|
||||||
|
+++ b/source3/torture/torture.c
|
||||||
|
@@ -15727,6 +15727,10 @@ static struct {
|
||||||
|
.name = "SMB2-DFS-FILENAME-LEADING-BACKSLASH",
|
||||||
|
.fn = run_smb2_dfs_filename_leading_backslash,
|
||||||
|
},
|
||||||
|
+ {
|
||||||
|
+ .name = "SMB2-INVALID-PIPENAME",
|
||||||
|
+ .fn = run_smb2_invalid_pipename,
|
||||||
|
+ },
|
||||||
|
{
|
||||||
|
.name = "SMB1-TRUNCATED-SESSSETUP",
|
||||||
|
.fn = run_smb1_truncated_sesssetup,
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
||||||
|
|
||||||
|
From cbd81ca9d7ea1d5a6ea2b1026bc342ff996cca7c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jeremy Allison <jra@samba.org>
|
||||||
|
Date: Tue, 25 Jul 2023 17:54:41 -0700
|
||||||
|
Subject: [PATCH 3/3] CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that
|
||||||
|
crashes on bad pipenames.
|
||||||
|
|
||||||
|
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
|
||||||
|
|
||||||
|
Remove knowfail.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
|
||||||
|
|
||||||
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
||||||
|
---
|
||||||
|
selftest/knownfail.d/badpipename | 1 -
|
||||||
|
source3/rpc_client/local_np.c | 5 -----
|
||||||
|
2 files changed, 6 deletions(-)
|
||||||
|
delete mode 100644 selftest/knownfail.d/badpipename
|
||||||
|
|
||||||
|
diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename
|
||||||
|
deleted file mode 100644
|
||||||
|
index e69715f863d..00000000000
|
||||||
|
--- a/selftest/knownfail.d/badpipename
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1 +0,0 @@
|
||||||
|
-^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\)
|
||||||
|
diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
|
||||||
|
index 95228d5d801..791ded99a47 100644
|
||||||
|
--- a/source3/rpc_client/local_np.c
|
||||||
|
+++ b/source3/rpc_client/local_np.c
|
||||||
|
@@ -551,11 +551,6 @@ struct tevent_req *local_np_connect_send(
|
||||||
|
{
|
||||||
|
DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
|
||||||
|
lower_case_pipename);
|
||||||
|
- /*
|
||||||
|
- * For now, panic the server until we have
|
||||||
|
- * the test code in place.
|
||||||
|
- */
|
||||||
|
- SMB_ASSERT(false);
|
||||||
|
tevent_req_error(req, ENOENT);
|
||||||
|
return tevent_req_post(req, ev);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.39.2
|
@ -0,0 +1,239 @@
|
|||||||
|
From a4a3868fda277ddf0f174b77a859c33e4c339538 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ralph Boehme <slow@samba.org>
|
||||||
|
Date: Tue, 1 Aug 2023 12:30:00 +0200
|
||||||
|
Subject: [PATCH 1/2] CVE-2023-4091: smbtorture: test overwrite dispositions on
|
||||||
|
read-only file
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
|
||||||
|
|
||||||
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
||||||
|
---
|
||||||
|
selftest/knownfail.d/samba3.smb2.acls | 1 +
|
||||||
|
source4/torture/smb2/acls.c | 143 ++++++++++++++++++++++++++
|
||||||
|
2 files changed, 144 insertions(+)
|
||||||
|
create mode 100644 selftest/knownfail.d/samba3.smb2.acls
|
||||||
|
|
||||||
|
diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000000..18df260c0e50
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/selftest/knownfail.d/samba3.smb2.acls
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
|
||||||
|
diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
|
||||||
|
index a27d4e079e67..5a892d004ea8 100644
|
||||||
|
--- a/source4/torture/smb2/acls.c
|
||||||
|
+++ b/source4/torture/smb2/acls.c
|
||||||
|
@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static bool test_overwrite_read_only_file(struct torture_context *tctx,
|
||||||
|
+ struct smb2_tree *tree)
|
||||||
|
+{
|
||||||
|
+ NTSTATUS status;
|
||||||
|
+ struct smb2_create c;
|
||||||
|
+ const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
|
||||||
|
+ struct smb2_handle handle = {{0}};
|
||||||
|
+ union smb_fileinfo q;
|
||||||
|
+ union smb_setfileinfo set;
|
||||||
|
+ struct security_descriptor *sd = NULL, *sd_orig = NULL;
|
||||||
|
+ const char *owner_sid = NULL;
|
||||||
|
+ int i;
|
||||||
|
+ bool ret = true;
|
||||||
|
+
|
||||||
|
+ struct tcase {
|
||||||
|
+ int disposition;
|
||||||
|
+ const char *disposition_string;
|
||||||
|
+ NTSTATUS expected_status;
|
||||||
|
+ } tcases[] = {
|
||||||
|
+#define TCASE(d, s) { \
|
||||||
|
+ .disposition = d, \
|
||||||
|
+ .disposition_string = #d, \
|
||||||
|
+ .expected_status = s, \
|
||||||
|
+ }
|
||||||
|
+ TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
|
||||||
|
+ TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
|
||||||
|
+ TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
|
||||||
|
+ TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
|
||||||
|
+ };
|
||||||
|
+#undef TCASE
|
||||||
|
+
|
||||||
|
+ ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
|
||||||
|
+ torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
|
||||||
|
+
|
||||||
|
+ c = (struct smb2_create) {
|
||||||
|
+ .in.desired_access = SEC_STD_READ_CONTROL |
|
||||||
|
+ SEC_STD_WRITE_DAC |
|
||||||
|
+ SEC_STD_WRITE_OWNER,
|
||||||
|
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
|
||||||
|
+ .in.share_access = NTCREATEX_SHARE_ACCESS_READ |
|
||||||
|
+ NTCREATEX_SHARE_ACCESS_WRITE,
|
||||||
|
+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
|
||||||
|
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
|
||||||
|
+ .in.fname = fname,
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ status = smb2_create(tree, tctx, &c);
|
||||||
|
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
|
||||||
|
+ "smb2_create failed\n");
|
||||||
|
+ handle = c.out.file.handle;
|
||||||
|
+
|
||||||
|
+ torture_comment(tctx, "get the original sd\n");
|
||||||
|
+
|
||||||
|
+ ZERO_STRUCT(q);
|
||||||
|
+ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
|
||||||
|
+ q.query_secdesc.in.file.handle = handle;
|
||||||
|
+ q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
|
||||||
|
+
|
||||||
|
+ status = smb2_getinfo_file(tree, tctx, &q);
|
||||||
|
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
|
||||||
|
+ "smb2_getinfo_file failed\n");
|
||||||
|
+ sd_orig = q.query_secdesc.out.sd;
|
||||||
|
+
|
||||||
|
+ owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
|
||||||
|
+
|
||||||
|
+ sd = security_descriptor_dacl_create(tctx,
|
||||||
|
+ 0, NULL, NULL,
|
||||||
|
+ owner_sid,
|
||||||
|
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||||
|
+ SEC_FILE_READ_DATA,
|
||||||
|
+ 0,
|
||||||
|
+ NULL);
|
||||||
|
+
|
||||||
|
+ ZERO_STRUCT(set);
|
||||||
|
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
|
||||||
|
+ set.set_secdesc.in.file.handle = handle;
|
||||||
|
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
|
||||||
|
+ set.set_secdesc.in.sd = sd;
|
||||||
|
+
|
||||||
|
+ status = smb2_setinfo_file(tree, &set);
|
||||||
|
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
|
||||||
|
+ "smb2_setinfo_file failed\n");
|
||||||
|
+
|
||||||
|
+ smb2_util_close(tree, handle);
|
||||||
|
+ ZERO_STRUCT(handle);
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < ARRAY_SIZE(tcases); i++) {
|
||||||
|
+ torture_comment(tctx, "Verify open with %s dispostion\n",
|
||||||
|
+ tcases[i].disposition_string);
|
||||||
|
+
|
||||||
|
+ c = (struct smb2_create) {
|
||||||
|
+ .in.create_disposition = tcases[i].disposition,
|
||||||
|
+ .in.desired_access = SEC_FILE_READ_DATA,
|
||||||
|
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
|
||||||
|
+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
|
||||||
|
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
|
||||||
|
+ .in.fname = fname,
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ status = smb2_create(tree, tctx, &c);
|
||||||
|
+ smb2_util_close(tree, c.out.file.handle);
|
||||||
|
+ torture_assert_ntstatus_equal_goto(
|
||||||
|
+ tctx, status, tcases[i].expected_status, ret, done,
|
||||||
|
+ "smb2_create failed\n");
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ torture_comment(tctx, "put back original sd\n");
|
||||||
|
+
|
||||||
|
+ c = (struct smb2_create) {
|
||||||
|
+ .in.desired_access = SEC_STD_WRITE_DAC,
|
||||||
|
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
|
||||||
|
+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
|
||||||
|
+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
|
||||||
|
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
|
||||||
|
+ .in.fname = fname,
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ status = smb2_create(tree, tctx, &c);
|
||||||
|
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
|
||||||
|
+ "smb2_create failed\n");
|
||||||
|
+ handle = c.out.file.handle;
|
||||||
|
+
|
||||||
|
+ ZERO_STRUCT(set);
|
||||||
|
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
|
||||||
|
+ set.set_secdesc.in.file.handle = handle;
|
||||||
|
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
|
||||||
|
+ set.set_secdesc.in.sd = sd_orig;
|
||||||
|
+
|
||||||
|
+ status = smb2_setinfo_file(tree, &set);
|
||||||
|
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
|
||||||
|
+ "smb2_setinfo_file failed\n");
|
||||||
|
+
|
||||||
|
+ smb2_util_close(tree, handle);
|
||||||
|
+ ZERO_STRUCT(handle);
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ smb2_util_close(tree, handle);
|
||||||
|
+ smb2_util_unlink(tree, fname);
|
||||||
|
+ smb2_deltree(tree, BASEDIR);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
basic testing of SMB2 ACLs
|
||||||
|
*/
|
||||||
|
@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
|
||||||
|
test_deny1);
|
||||||
|
torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
|
||||||
|
test_mxac_not_granted);
|
||||||
|
+ torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
|
||||||
|
|
||||||
|
suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
|
From 5b5e2b1714e4a242b1cea44deff1f380620872c9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ralph Boehme <slow@samba.org>
|
||||||
|
Date: Tue, 1 Aug 2023 13:04:36 +0200
|
||||||
|
Subject: [PATCH 2/2] CVE-2023-4091: smbd: use open_access_mask for access
|
||||||
|
check in open_file()
|
||||||
|
|
||||||
|
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
|
||||||
|
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
|
||||||
|
access check we're using access_mask which doesn't contain the additional
|
||||||
|
right, which means we can end up truncating a file for which the user has
|
||||||
|
only read-only access via an SD.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
|
||||||
|
|
||||||
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
||||||
|
---
|
||||||
|
selftest/knownfail.d/samba3.smb2.acls | 1 -
|
||||||
|
source3/smbd/open.c | 4 ++--
|
||||||
|
2 files changed, 2 insertions(+), 3 deletions(-)
|
||||||
|
delete mode 100644 selftest/knownfail.d/samba3.smb2.acls
|
||||||
|
|
||||||
|
diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
|
||||||
|
deleted file mode 100644
|
||||||
|
index 18df260c0e50..000000000000
|
||||||
|
--- a/selftest/knownfail.d/samba3.smb2.acls
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1 +0,0 @@
|
||||||
|
-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
|
||||||
|
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
|
||||||
|
index 94f50becb247..0c9ddfe7c948 100644
|
||||||
|
--- a/source3/smbd/open.c
|
||||||
|
+++ b/source3/smbd/open.c
|
||||||
|
@@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req,
|
||||||
|
dirfsp,
|
||||||
|
fsp,
|
||||||
|
false,
|
||||||
|
- access_mask);
|
||||||
|
+ open_access_mask);
|
||||||
|
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
DBG_DEBUG("smbd_check_access_rights_fsp"
|
||||||
|
@@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req,
|
||||||
|
status = smbd_check_access_rights_fsp(dirfsp,
|
||||||
|
fsp,
|
||||||
|
false,
|
||||||
|
- access_mask);
|
||||||
|
+ open_access_mask);
|
||||||
|
|
||||||
|
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
|
||||||
|
posix_open &&
|
||||||
|
--
|
||||||
|
2.41.0
|
@ -0,0 +1,123 @@
|
|||||||
|
From e534a858d15589f27181b82c8ed8abefc56fb95f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
Date: Tue, 12 Sep 2023 18:59:44 +1200
|
||||||
|
Subject: [PATCH 1/2] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
|
||||||
|
default
|
||||||
|
|
||||||
|
The rpcecho server is useful in development and testing, but should never
|
||||||
|
have been allowed into production, as it includes the facility to
|
||||||
|
do a blocking sleep() in the single-threaded rpc worker.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
|
||||||
|
|
||||||
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
---
|
||||||
|
docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
|
||||||
|
lib/param/loadparm.c | 2 +-
|
||||||
|
selftest/target/Samba4.pm | 2 +-
|
||||||
|
source3/param/loadparm.c | 2 +-
|
||||||
|
source4/rpc_server/wscript_build | 3 ++-
|
||||||
|
5 files changed, 6 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
|
||||||
|
index 8a217cc7f11..c6642b795fd 100644
|
||||||
|
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
|
||||||
|
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
|
||||||
|
@@ -6,6 +6,6 @@
|
||||||
|
<para>Specifies which DCE/RPC endpoint servers should be run.</para>
|
||||||
|
</description>
|
||||||
|
|
||||||
|
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
|
||||||
|
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
|
||||||
|
<value type="example">rpcecho</value>
|
||||||
|
</samba:parameter>
|
||||||
|
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
||||||
|
index 16cb0d47f31..83b05260e09 100644
|
||||||
|
--- a/lib/param/loadparm.c
|
||||||
|
+++ b/lib/param/loadparm.c
|
||||||
|
@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
||||||
|
lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
|
||||||
|
lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
|
||||||
|
|
||||||
|
- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
|
||||||
|
+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
|
||||||
|
lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
|
||||||
|
lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
|
||||||
|
/* the winbind method for domain controllers is for both RODC
|
||||||
|
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
|
||||||
|
index d15156a538b..5687d2a8587 100755
|
||||||
|
--- a/selftest/target/Samba4.pm
|
||||||
|
+++ b/selftest/target/Samba4.pm
|
||||||
|
@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
|
||||||
|
wins support = yes
|
||||||
|
server role = $ctx->{server_role}
|
||||||
|
server services = +echo $services
|
||||||
|
- dcerpc endpoint servers = +winreg +srvsvc
|
||||||
|
+ dcerpc endpoint servers = +winreg +srvsvc +rpcecho
|
||||||
|
notify:inotify = false
|
||||||
|
ldb:nosync = true
|
||||||
|
ldap server require strong auth = yes
|
||||||
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
||||||
|
index 12718ced9e7..e33751a27e3 100644
|
||||||
|
--- a/source3/param/loadparm.c
|
||||||
|
+++ b/source3/param/loadparm.c
|
||||||
|
@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
||||||
|
|
||||||
|
Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
|
||||||
|
|
||||||
|
- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
|
||||||
|
+ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
|
||||||
|
|
||||||
|
Globals.tls_enabled = true;
|
||||||
|
Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
|
||||||
|
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
|
||||||
|
index 0e44a3c2bae..31ec4f60c9a 100644
|
||||||
|
--- a/source4/rpc_server/wscript_build
|
||||||
|
+++ b/source4/rpc_server/wscript_build
|
||||||
|
@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
|
||||||
|
source='echo/rpc_echo.c',
|
||||||
|
subsystem='dcerpc_server',
|
||||||
|
init_function='dcerpc_server_rpcecho_init',
|
||||||
|
- deps='ndr-standard events'
|
||||||
|
+ deps='ndr-standard events',
|
||||||
|
+ enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
||||||
|
|
||||||
|
From 8ce92246a016f3e7f23b6a94ceb666f776e56998 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
Date: Tue, 12 Sep 2023 19:01:03 +1200
|
||||||
|
Subject: [PATCH 2/2] CVE-2023-42669 s3-rpc_server: Disable rpcecho for
|
||||||
|
consistency with the AD DC
|
||||||
|
|
||||||
|
The rpcecho server in source3 does have samba the sleep() feature that
|
||||||
|
the s4 version has, but the task architecture is different, so there
|
||||||
|
is not the same impact. Hoever equally this is not something that
|
||||||
|
should be enabled on production builds of Samba, so restrict to
|
||||||
|
selftest builds.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
|
||||||
|
|
||||||
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
---
|
||||||
|
source3/rpc_server/wscript_build | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build
|
||||||
|
index 341df41a321..5ed81283395 100644
|
||||||
|
--- a/source3/rpc_server/wscript_build
|
||||||
|
+++ b/source3/rpc_server/wscript_build
|
||||||
|
@@ -38,6 +38,7 @@ bld.SAMBA3_BINARY('rpcd_rpcecho',
|
||||||
|
RPC_WORKER
|
||||||
|
RPC_RPCECHO
|
||||||
|
''',
|
||||||
|
+ for_selftest=True,
|
||||||
|
install_path='${SAMBA_LIBEXECDIR}')
|
||||||
|
|
||||||
|
bld.SAMBA3_BINARY('rpcd_classic',
|
||||||
|
--
|
||||||
|
2.25.1
|
@ -138,7 +138,7 @@
|
|||||||
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
||||||
|
|
||||||
%global samba_version 4.18.6
|
%global samba_version 4.18.6
|
||||||
%global baserelease 1
|
%global baserelease 2
|
||||||
# This should be rc1 or %%nil
|
# This should be rc1 or %%nil
|
||||||
%global pre_release %nil
|
%global pre_release %nil
|
||||||
|
|
||||||
@ -202,7 +202,7 @@
|
|||||||
|
|
||||||
Name: samba
|
Name: samba
|
||||||
Version: %{samba_version}
|
Version: %{samba_version}
|
||||||
Release: %{samba_release}%{?dist}
|
Release: %{samba_release}%{?dist}.alma.1
|
||||||
|
|
||||||
%if 0%{?fedora}
|
%if 0%{?fedora}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
@ -234,6 +234,14 @@ Source17: samba-usershares-systemd-sysusers.conf
|
|||||||
Source201: README.downgrade
|
Source201: README.downgrade
|
||||||
Source202: samba.abignore
|
Source202: samba.abignore
|
||||||
|
|
||||||
|
# Patches were taken from:
|
||||||
|
# https://attachments.samba.org/attachment.cgi?id=18128
|
||||||
|
Patch1: CVE-2023-3961-s3-smbd-Catch-any-incoming-pipe-path-that.patch
|
||||||
|
# https://attachments.samba.org/attachment.cgi?id=18131
|
||||||
|
Patch2: CVE-2023-4091-smbtorture-test-overwrite-dispositions-on.patch
|
||||||
|
# https://attachments.samba.org/attachment.cgi?id=18136
|
||||||
|
Patch3: CVE-2023-42669-s4-rpc_server-Disable-rpcecho-server-by.patch
|
||||||
|
|
||||||
Requires(pre): /usr/sbin/groupadd
|
Requires(pre): /usr/sbin/groupadd
|
||||||
|
|
||||||
Requires(pre): %{name}-common = %{samba_depver}
|
Requires(pre): %{name}-common = %{samba_depver}
|
||||||
@ -2024,7 +2032,6 @@ fi
|
|||||||
%{_libexecdir}/samba/rpcd_fsrvp
|
%{_libexecdir}/samba/rpcd_fsrvp
|
||||||
%{_libexecdir}/samba/rpcd_lsad
|
%{_libexecdir}/samba/rpcd_lsad
|
||||||
%{_libexecdir}/samba/rpcd_mdssvc
|
%{_libexecdir}/samba/rpcd_mdssvc
|
||||||
%{_libexecdir}/samba/rpcd_rpcecho
|
|
||||||
%{_libexecdir}/samba/rpcd_spoolss
|
%{_libexecdir}/samba/rpcd_spoolss
|
||||||
%{_libexecdir}/samba/rpcd_winreg
|
%{_libexecdir}/samba/rpcd_winreg
|
||||||
%{_mandir}/man8/samba-dcerpcd.8*
|
%{_mandir}/man8/samba-dcerpcd.8*
|
||||||
@ -4328,6 +4335,14 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 23 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.6-2.alma.1
|
||||||
|
- CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
|
||||||
|
could exit socket_dir.
|
||||||
|
- CVE-2023-4091: smbtorture: test overwrite dispositions on
|
||||||
|
read-only file
|
||||||
|
- CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
|
||||||
|
default
|
||||||
|
|
||||||
* Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-1
|
* Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-1
|
||||||
- related: rhbz#2190417 - Update to version 4.18.6
|
- related: rhbz#2190417 - Update to version 4.18.6
|
||||||
- resolves: rhbz#2232564 - Fix the rpc dsgetinfo command
|
- resolves: rhbz#2232564 - Fix the rpc dsgetinfo command
|
||||||
|
Loading…
Reference in New Issue
Block a user