299 lines
11 KiB
Diff
299 lines
11 KiB
Diff
From 97829843013e2f0d81b6ed61d155a04217e40205 Mon Sep 17 00:00:00 2001
|
|
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Date: Wed, 1 Sep 2021 15:39:19 +1200
|
|
Subject: [PATCH 1/6] krb5pac.idl: Add ticket checksum PAC buffer type
|
|
|
|
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Isaac Boukris <iboukris@samba.org>
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
|
|
(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
|
|
---
|
|
librpc/idl/krb5pac.idl | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
index fb360c1257f..3239d7656b6 100644
|
|
--- a/librpc/idl/krb5pac.idl
|
|
+++ b/librpc/idl/krb5pac.idl
|
|
@@ -112,7 +112,8 @@ interface krb5pac
|
|
PAC_TYPE_KDC_CHECKSUM = 7,
|
|
PAC_TYPE_LOGON_NAME = 10,
|
|
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
|
|
- PAC_TYPE_UPN_DNS_INFO = 12
|
|
+ PAC_TYPE_UPN_DNS_INFO = 12,
|
|
+ PAC_TYPE_TICKET_CHECKSUM = 16
|
|
} PAC_TYPE;
|
|
|
|
typedef struct {
|
|
@@ -128,6 +129,7 @@ interface krb5pac
|
|
[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
|
|
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
|
|
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
|
|
+ [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
|
|
/* when new PAC info types are added they are supposed to be done
|
|
in such a way that they are backwards compatible with existing
|
|
servers. This makes it safe to just use a [default] for
|
|
--
|
|
2.33.1
|
|
|
|
|
|
From 99cc0e06e5fe2776371b808432af39de00f76cdf Mon Sep 17 00:00:00 2001
|
|
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Date: Wed, 1 Sep 2021 15:40:59 +1200
|
|
Subject: [PATCH 2/6] security.idl: Add well-known SIDs for FAST
|
|
|
|
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Isaac Boukris <iboukris@samba.org>
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
|
|
(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
|
|
---
|
|
librpc/idl/security.idl | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
|
|
index 06bf7449a70..3df96dedbdd 100644
|
|
--- a/librpc/idl/security.idl
|
|
+++ b/librpc/idl/security.idl
|
|
@@ -295,6 +295,9 @@ interface security
|
|
const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
|
|
const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
|
|
|
|
+ const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
|
|
+ const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
|
|
+
|
|
/*
|
|
* http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
|
|
*/
|
|
--
|
|
2.33.1
|
|
|
|
|
|
From 693bcdb2f9b64af390d619c9b39293c581900151 Mon Sep 17 00:00:00 2001
|
|
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Date: Wed, 29 Sep 2021 16:15:26 +1300
|
|
Subject: [PATCH 3/6] krb5pac.idl: Add missing buffer type values
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
|
|
|
|
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Backported-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
librpc/idl/krb5pac.idl | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
index 3239d7656b6..515150ab9cd 100644
|
|
--- a/librpc/idl/krb5pac.idl
|
|
+++ b/librpc/idl/krb5pac.idl
|
|
@@ -113,6 +113,9 @@ interface krb5pac
|
|
PAC_TYPE_LOGON_NAME = 10,
|
|
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
|
|
PAC_TYPE_UPN_DNS_INFO = 12,
|
|
+ PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
|
|
+ PAC_TYPE_DEVICE_INFO = 14,
|
|
+ PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
|
|
PAC_TYPE_TICKET_CHECKSUM = 16
|
|
} PAC_TYPE;
|
|
|
|
--
|
|
2.33.1
|
|
|
|
|
|
From 97323751c1b6b97e72eb80b8b99485d94696b30b Mon Sep 17 00:00:00 2001
|
|
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Date: Tue, 26 Oct 2021 20:33:38 +1300
|
|
Subject: [PATCH 4/6] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC
|
|
buffer type
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
|
|
|
|
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
librpc/idl/krb5pac.idl | 14 +++++++++++++-
|
|
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
index 515150ab9cd..7a8d16464eb 100644
|
|
--- a/librpc/idl/krb5pac.idl
|
|
+++ b/librpc/idl/krb5pac.idl
|
|
@@ -97,6 +97,16 @@ interface krb5pac
|
|
PAC_UPN_DNS_FLAGS flags;
|
|
} PAC_UPN_DNS_INFO;
|
|
|
|
+ typedef [bitmap32bit] bitmap {
|
|
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
|
|
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
|
|
+ } PAC_ATTRIBUTE_INFO_FLAGS;
|
|
+
|
|
+ typedef struct {
|
|
+ uint32 flags_length; /* length in bits */
|
|
+ PAC_ATTRIBUTE_INFO_FLAGS flags;
|
|
+ } PAC_ATTRIBUTES_INFO;
|
|
+
|
|
typedef [public] struct {
|
|
PAC_LOGON_INFO *info;
|
|
} PAC_LOGON_INFO_CTR;
|
|
@@ -116,7 +126,8 @@ interface krb5pac
|
|
PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
|
|
PAC_TYPE_DEVICE_INFO = 14,
|
|
PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
|
|
- PAC_TYPE_TICKET_CHECKSUM = 16
|
|
+ PAC_TYPE_TICKET_CHECKSUM = 16,
|
|
+ PAC_TYPE_ATTRIBUTES_INFO = 17
|
|
} PAC_TYPE;
|
|
|
|
typedef struct {
|
|
@@ -133,6 +144,7 @@ interface krb5pac
|
|
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
|
|
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
|
|
[case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
|
|
+ [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
|
|
/* when new PAC info types are added they are supposed to be done
|
|
in such a way that they are backwards compatible with existing
|
|
servers. This makes it safe to just use a [default] for
|
|
--
|
|
2.33.1
|
|
|
|
|
|
From 9867beabf3b0be026d900e26ac91af655fb50cfe Mon Sep 17 00:00:00 2001
|
|
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Date: Tue, 26 Oct 2021 20:33:49 +1300
|
|
Subject: [PATCH 5/6] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
|
|
buffer type
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
|
|
|
|
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
librpc/idl/krb5pac.idl | 8 +++++++-
|
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
index 7a8d16464eb..52fb40c4bbb 100644
|
|
--- a/librpc/idl/krb5pac.idl
|
|
+++ b/librpc/idl/krb5pac.idl
|
|
@@ -107,6 +107,10 @@ interface krb5pac
|
|
PAC_ATTRIBUTE_INFO_FLAGS flags;
|
|
} PAC_ATTRIBUTES_INFO;
|
|
|
|
+ typedef struct {
|
|
+ dom_sid sid;
|
|
+ } PAC_REQUESTER_SID;
|
|
+
|
|
typedef [public] struct {
|
|
PAC_LOGON_INFO *info;
|
|
} PAC_LOGON_INFO_CTR;
|
|
@@ -127,7 +131,8 @@ interface krb5pac
|
|
PAC_TYPE_DEVICE_INFO = 14,
|
|
PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
|
|
PAC_TYPE_TICKET_CHECKSUM = 16,
|
|
- PAC_TYPE_ATTRIBUTES_INFO = 17
|
|
+ PAC_TYPE_ATTRIBUTES_INFO = 17,
|
|
+ PAC_TYPE_REQUESTER_SID = 18
|
|
} PAC_TYPE;
|
|
|
|
typedef struct {
|
|
@@ -145,6 +150,7 @@ interface krb5pac
|
|
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
|
|
[case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
|
|
[case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
|
|
+ [case(PAC_TYPE_REQUESTER_SID)] PAC_REQUESTER_SID requester_sid;
|
|
/* when new PAC info types are added they are supposed to be done
|
|
in such a way that they are backwards compatible with existing
|
|
servers. This makes it safe to just use a [default] for
|
|
--
|
|
2.33.1
|
|
|
|
|
|
From fb92457cfd11745be73660eb90519b625f6a5d97 Mon Sep 17 00:00:00 2001
|
|
From: Andrew Bartlett <abartlet@samba.org>
|
|
Date: Mon, 27 Sep 2021 11:20:19 +1300
|
|
Subject: [PATCH 6/6] CVE-2020-25721 krb5pac: Add new buffers for
|
|
samAccountName and objectSID
|
|
|
|
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
|
|
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
---
|
|
librpc/idl/krb5pac.idl | 18 ++++++++++++++++--
|
|
librpc/ndr/ndr_krb5pac.c | 4 ++--
|
|
2 files changed, 18 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
index 52fb40c4bbb..bbe4a253e3a 100644
|
|
--- a/librpc/idl/krb5pac.idl
|
|
+++ b/librpc/idl/krb5pac.idl
|
|
@@ -86,15 +86,29 @@ interface krb5pac
|
|
} PAC_CONSTRAINED_DELEGATION;
|
|
|
|
typedef [bitmap32bit] bitmap {
|
|
- PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001
|
|
+ PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001,
|
|
+ PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002
|
|
} PAC_UPN_DNS_FLAGS;
|
|
|
|
+ typedef struct {
|
|
+ [value(2*strlen_m(samaccountname))] uint16 samaccountname_size;
|
|
+ [relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname;
|
|
+ [value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size;
|
|
+ [relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid;
|
|
+ } PAC_UPN_DNS_INFO_SAM_NAME_AND_SID;
|
|
+
|
|
+ typedef [nodiscriminant] union {
|
|
+ [case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid;
|
|
+ [default];
|
|
+ } PAC_UPN_DNS_INFO_EX;
|
|
+
|
|
typedef struct {
|
|
[value(2*strlen_m(upn_name))] uint16 upn_name_size;
|
|
[relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
|
|
[value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
|
|
[relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
|
|
PAC_UPN_DNS_FLAGS flags;
|
|
+ [switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex;
|
|
} PAC_UPN_DNS_INFO;
|
|
|
|
typedef [bitmap32bit] bitmap {
|
|
@@ -160,7 +174,7 @@ interface krb5pac
|
|
|
|
typedef [public,nopush,nopull] struct {
|
|
PAC_TYPE type;
|
|
- [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
|
|
+ [value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size;
|
|
/*
|
|
* We need to have two subcontexts to get the padding right,
|
|
* the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
|
|
diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c
|
|
index a9ae2c4a789..57b28df9e52 100644
|
|
--- a/librpc/ndr/ndr_krb5pac.c
|
|
+++ b/librpc/ndr/ndr_krb5pac.c
|
|
@@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
|
|
if (ndr_flags & NDR_SCALARS) {
|
|
NDR_CHECK(ndr_push_align(ndr, 4));
|
|
NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type));
|
|
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0)));
|
|
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8)));
|
|
{
|
|
uint32_t _flags_save_PAC_INFO = ndr->flags;
|
|
ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8);
|
|
@@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
|
|
{
|
|
struct ndr_push *_ndr_info_pad;
|
|
struct ndr_push *_ndr_info;
|
|
- size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0);
|
|
+ size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8);
|
|
NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8)));
|
|
NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
|
|
NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
|
|
--
|
|
2.33.1
|
|
|