samba.git/libcli, branch v4-7-stable Unnamed repository; edit this file 'description' to name the repository. CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth". 2018-08-11T19:56:43+00:00 Günther Deschner gd@samba.org 2018-03-13T15:56:20+00:00 9ff1d906d0945c644b964f2e577547927387ac6e This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0. Found by Vivek Das <vdas@redhat.com> (Red Hat QE). In order to demonstrate simply run: smbclient //server/share -U user%password -mNT1 -c quit \ --option="client ntlmv2 auth"=no \ --option="client use spnego"=no against a server that uses "ntlm auth = ntlmv2-only" (our default setting). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.

Found by Vivek Das <vdas@redhat.com> (Red Hat QE).

In order to demonstrate simply run:

smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no

against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check() 2018-08-11T19:56:42+00:00 Günther Deschner gd@samba.org 2018-03-14T14:36:05+00:00 29f2fe7d072d37644592e1cf6bc069de60c5f607 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check() 2018-08-11T19:56:42+00:00 Andrew Bartlett abartlet@samba.org 2018-07-26T20:44:24+00:00 a5fe27c10e776ad59288762330ab513439efbfb2 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 Signed-off-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights 2018-08-11T19:56:41+00:00 Tim Beale timbeale@catalyst.net.nz 2018-07-20T01:01:00+00:00 1594cade555d96461b5b9db9965d8cdf9f5e45e0 An 'Object Access Allowed' ACE that assigned 'Control Access' (CR) rights to a specific attribute would not actually grant access. What was happening was the remaining_access mask for the object_tree nodes would be Read Property (RP) + Control Access (CR). The ACE mapped to the schemaIDGUID for a given attribute, which would end up being a child node in the tree. So the CR bit was cleared for a child node, but not the rest of the tree. We would then check the user had the RP access right, which it did. However, the RP right was cleared for another node in the tree, which still had the CR bit set in its remaining_access bitmap, so Samba would not grant access. Generally, the remaining_access only ever has one bit set, which means this isn't a problem normally. However, in the Control Access case there are 2 separate bits being checked, i.e. RP + CR. One option to fix this problem would be to clear the remaining_access for the tree instead of just the node. However, the Windows spec is actually pretty clear on this: if the ACE has a CR right present, then you can stop any further access checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> 
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.

What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.

Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.

One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
CVE-2018-10919 security: Add more comments to the object-specific access checks 2018-08-11T19:56:41+00:00 Tim Beale timbeale@catalyst.net.nz 2018-07-20T01:13:50+00:00 81865e8584a0f597650a9df31d49bad3e7549d26 Reading the spec and then reading the code makes sense, but we could comment the code more so it makes sense on its own. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> 
Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
CVE-2018-10919 security: Move object-specific access checks into separate function 2018-08-11T19:56:41+00:00 Tim Beale timbeale@catalyst.net.nz 2018-07-19T04:03:36+00:00 12f97f9f69d3ace751c9b49f739aecc4e452dd35 Object-specific access checks refer to a specific section of the MS-ADTS, and the code closely matches the spec. We need to extend this logic to properly handle the Control-Access Right (CR), so it makes sense to split the logic out into its own function. This patch just moves the code, and should not alter the logic (apart from ading in the boolean grant_access return variable. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> 
Object-specific access checks refer to a specific section of the
MS-ADTS, and the code closely matches the spec. We need to extend this
logic to properly handle the Control-Access Right (CR), so it makes
sense to split the logic out into its own function.

This patch just moves the code, and should not alter the logic (apart
from ading in the boolean grant_access return variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
libsmb: Handle long-running smb2cli_notify 2018-04-20T09:53:10+00:00 Volker Lendecke vl@samba.org 2017-10-30T13:34:12+00:00 b28593e86c5ff78076e1e01a60d11f02cc961579 This likely runs into a timeout. Properly cancel the smb2 request, allowing the higher-level caller to re-issue this request on an existing handle. I did not see a proper way to achieve this with tevent_req_set_endtime or something like that. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13382 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 91c0f497816bb88d8935a8a79c146c08379ecf53) 
This likely runs into a timeout. Properly cancel the smb2 request,
allowing the higher-level caller to re-issue this request on an existing
handle.

I did not see a proper way to achieve this with tevent_req_set_endtime or
something like that.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13382
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 91c0f497816bb88d8935a8a79c146c08379ecf53)
libsmb: Add smb2cli_notify() 2018-04-20T09:53:09+00:00 Volker Lendecke vl@samba.org 2017-07-25T10:11:37+00:00 898297b7a1ef4397b018327b83e3f77c709f94f8 Bug: https://bugzilla.samba.org/show_bug.cgi?id=13382 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit ad33964f8c85b67a2d2b451bece208d8bfb8cad6) 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13382
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ad33964f8c85b67a2d2b451bece208d8bfb8cad6)
libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User' 2018-03-20T16:13:07+00:00 Ralph Boehme slow@samba.org 2018-03-14T10:44:49+00:00 ff7a8e416b53e073a6d16fb122cdeba8b53c6e53 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3) 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3)
smbXcli: Add "force_channel_sequence" 2018-03-08T12:34:30+00:00 Volker Lendecke vl@samba.org 2018-01-11T10:25:49+00:00 164b38ccb778a9128fd6ad29cad72ab96e109f9d This enables use of the channel sequence number even for non-multi-channel servers. This makes our client invalid, but we need to protect against broken clients with tests. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit cd288a08500b1cc38ef26e5cb8ef754b4da658b6) 
This enables use of the channel sequence number even for
non-multi-channel servers. This makes our client invalid, but we need to
protect against broken clients with tests.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit cd288a08500b1cc38ef26e5cb8ef754b4da658b6)