authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-06-14 15:23:55 +1200
committerJule Anger <janger@samba.org>2022-07-27 10:52:36 +0000
commitbe239c716874aadea7591fbe06652c449a350c3a (patch)
treefed518e17a81b75718aa8f64635c2ffcbec7c781 /python
parentbbad8f1de43d643e20f1a71c3466f08ed7c9d480 (diff)
CVE-2022-2031 tests/krb5: Test truncated forms of server principals
We should not be able to use krb@REALM instead of krbtgt@REALM. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'python')
-rwxr-xr-xpython/samba/tests/krb5/as_req_tests.py30
1 files changed, 27 insertions, 3 deletions
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index b52937530e6..6a573947067 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -28,6 +28,7 @@ import samba.tests.krb5.kcrypto as kcrypto
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_C_PRINCIPAL_UNKNOWN,
+ KDC_ERR_S_PRINCIPAL_UNKNOWN,
KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_PREAUTH_REQUIRED,
KU_PA_ENC_TIMESTAMP,
@@ -43,7 +44,7 @@ global_hexdump = False
class AsReqBaseTest(KDCBaseTest):
def _run_as_req_enc_timestamp(self, client_creds, client_account=None,
- expected_cname=None,
+ expected_cname=None, sname=None,
name_type=NT_PRINCIPAL, etypes=None,
expected_error=None, expect_edata=None,
kdc_options=None):
@@ -59,8 +60,9 @@ class AsReqBaseTest(KDCBaseTest):
cname = self.PrincipalName_create(name_type=name_type,
names=client_account.split('/'))
- sname = self.PrincipalName_create(name_type=NT_SRV_INST,
- names=[krbtgt_account, realm])
+ if sname is None:
+ sname = self.PrincipalName_create(name_type=NT_SRV_INST,
+ names=[krbtgt_account, realm])
expected_crealm = realm
if expected_cname is None:
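Review bot: The new `sname` parameter of `_run_as_req_enc_timestamp` (added to the signature in the previous hunk and used here) has no comment describing what a caller must pass. A short comment above the `if sname is None:` check would help, for example `# sname: optional PrincipalName for the server; defaults to krbtgt/REALM`. The function continues outside this hunk, so it is not visible whether the expected server name in the reply checks is taken from `sname` or still from `krbtgt_account`; if it is the latter, a caller-supplied `sname` on a success path would be compared against the wrong name.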
@@ -492,6 +494,28 @@ class AsReqKerberosTests(AsReqBaseTest):
name_type=NT_ENTERPRISE_PRINCIPAL,
kdc_options=0)
+ # Ensure we can't use truncated well-known principals such as krb@REALM
+ # instead of krbtgt@REALM.
+ def test_krbtgt_wrong_principal(self):
+ client_creds = self.get_client_creds()
+
+ krbtgt_creds = self.get_krbtgt_creds()
+
+ krbtgt_account = krbtgt_creds.get_username()
+ realm = krbtgt_creds.get_realm()
+
+ # Truncate the name of the krbtgt principal.
+ krbtgt_account = krbtgt_account[:3]
+
+ wrong_krbtgt_princ = self.PrincipalName_create(
+ name_type=NT_SRV_INST,
+ names=[krbtgt_account, realm])
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ sname=wrong_krbtgt_princ,
+ expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
+
if __name__ == "__main__":
global_asn1_print = False
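Review bot: `test_krbtgt_wrong_principal` exercises only one truncation, `krbtgt_account[:3]`, so a KDC that rejects `krb` but still matches a longer or shorter prefix of the krbtgt name would pass this test. Consider covering every proper prefix with `for n in range(1, len(krbtgt_account)):` and `with self.subTest(length=n):`, building the principal from `krbtgt_account[:n]`. It would also be worth asserting that the truncated name really differs from the original, `self.assertNotEqual(krbtgt_account, krbtgt_creds.get_username())`, so the test cannot end up requesting the real principal if the account name is ever three characters or fewer.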