rpms/samba
7
0
Fork 0
Code Issues Pull Requests Releases Activity
changed/a9/samba-4.17.5-103.el9_2.alma
samba/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
eabdullin 5aaccb3921 - Fix CVE-2023-3347 
- netlogon: add support for netr_LogonGetCapabilities response level 2
2023-08-03 11:10:55 +03:00

90 lines
3.1 KiB
Diff
Raw Permalink Blame History

From d5f1097b6220676d56ed5fc6707acf667b704518 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jul 2023 16:11:48 +0200
Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
.../knownfail.d/netr_LogonGetCapabilities | 2 --
source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
index 30aadf3bb9d..99c7ac711ed 100644
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
@@ -1,3 +1 @@
^samba3.rpc.schannel.*\.schannel\(nt4_dc
-^samba3.rpc.schannel.*\.schannel\(ad_dc
-^samba4.rpc.schannel.*\.schannel\(ad_dc
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 6ccba65d3bf..dc2167f08b2 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
struct netlogon_creds_CredentialState *creds;
NTSTATUS status;
+ switch (r->in.query_level) {
+ case 1:
+ break;
+ case 2:
+ /*
+ * Until we know the details behind KB5028166
+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+ * like an unpatched Windows Server.
+ */
+ FALL_THROUGH;
+ default:
+ /*
+ * There would not be a way to marshall the
+ * the response. Which would mean our final
+ * ndr_push would fail an we would return
+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+ *
+ * But it's important to match a Windows server
+ * especially before KB5028166, see also our bug #15418
+ * Otherwise Windows client would stop talking to us.
+ */
+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
+ }
+
status = dcesrv_netr_creds_server_step_check(dce_call,
mem_ctx,
r->in.computer_name,
@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
}
NT_STATUS_NOT_OK_RETURN(status);
- if (r->in.query_level != 1) {
- return NT_STATUS_NOT_SUPPORTED;
- }
-
r->out.capabilities->server_capabilities = creds->negotiate_flags;
return NT_STATUS_OK;
--
2.39.3
Reference in New Issue View Git Blame Copy Permalink