samba: fix some security problems

This fixes the following security problems: * CVE-2015-7560 * CVE-2015-5370 * CVE-2016-2110 * CVE-2016-2111 * CVE-2016-2112 * CVE-2016-2115 * CVE-2016-2118 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49175
author: Hauke Mehrtens <hauke@hauke-m.de> 2016-04-16 20:06:34 +0000
committer: Hauke Mehrtens <hauke@hauke-m.de> 2016-04-16 20:06:34 +0000
commit: 1414f1647d435a7eda48d9433a022286a46d9097 (patch)
tree: 633f8ca00f7284130188a3f6e8e65025009f9ff2 /package/network/services/samba36/patches/023-CVE-2016-2110-v3-6.patch
parent: 894aed060ee15dafea19d94157adddf38ff8e2e7 (diff)
download: mtk-20170518-1414f1647d435a7eda48d9433a022286a46d9097.zip
mtk-20170518-1414f1647d435a7eda48d9433a022286a46d9097.tar.gz
mtk-20170518-1414f1647d435a7eda48d9433a022286a46d9097.tar.bz2
1 files changed, 255 insertions, 0 deletions
diff --git a/package/network/services/samba36/patches/023-CVE-2016-2110-v3-6.patch b/package/network/services/samba36/patches/023-CVE-2016-2110-v3-6.patch
new file mode 100644
index 0000000..0da66bf
--- /dev/null
+++ b/package/network/services/samba36/patches/023-CVE-2016-2110-v3-6.patch
@@ -0,0 +1,255 @@
+From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 1 Dec 2015 08:46:45 +0100
+Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
+ ntlmssp_state->allow_lm_key
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct nt
+ 	 * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
+ 	 */
+ 	if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ 	}
+ 	if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
+ 		ntlmssp_state->use_ccache = true;
+ 	}
++
++	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
+ }
+ 
+ /**
+@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp
+ {
+ 	/* As per JRA's comment above */
+ 	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if (feature & NTLMSSP_FEATURE_SIGN) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if (feature & NTLMSSP_FEATURE_SEAL) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ 	}
+ 	if (feature & NTLMSSP_FEATURE_CCACHE) {
+ 		ntlmssp_state->use_ccache = true;
+ 	}
++
++	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
+ }
+ 
+ /**
+@@ -387,7 +392,12 @@ static NTSTATUS ntlmssp_client_initial(s
+ 	}
+ 
+ 	if (ntlmssp_state->use_ntlmv2) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
++		ntlmssp_state->allow_lm_key = false;
++	}
++
++	if (ntlmssp_state->allow_lm_key) {
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+ 	}
+ 
+ 	/* generate the ntlmssp negotiate packet */
+@@ -422,6 +432,86 @@ static NTSTATUS ntlmssp_client_initial(s
+ 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+ 
++static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
++					  uint32_t flags)
++{
++	uint32_t missing_flags = ntlmssp_state->required_flags;
++
++	if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
++		ntlmssp_state->unicode = true;
++	} else {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
++		ntlmssp_state->unicode = false;
++	}
++
++	/*
++	 * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
++	 * has priority over NTLMSSP_NEGOTIATE_LM_KEY
++	 */
++	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
++	}
++
++	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
++	}
++
++	if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
++	}
++
++	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
++	}
++
++	if (!(flags & NTLMSSP_NEGOTIATE_128)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
++	}
++
++	if (!(flags & NTLMSSP_NEGOTIATE_56)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
++	}
++
++	if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
++	}
++
++	if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
++	}
++
++	if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
++	}
++
++	if ((flags & NTLMSSP_REQUEST_TARGET)) {
++		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
++	}
++
++	missing_flags &= ~ntlmssp_state->neg_flags;
++	if (missing_flags != 0) {
++		NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
++		DEBUG(1, ("%s: Got challenge flags[0x%08x] "
++			  "- possible downgrade detected! "
++			  "missing_flags[0x%08x] - %s\n",
++			  __func__,
++			  (unsigned)flags,
++			  (unsigned)missing_flags,
++			  nt_errstr(status)));
++		debug_ntlmssp_flags(missing_flags);
++		DEBUGADD(4, ("neg_flags[0x%08x]\n",
++			     (unsigned)ntlmssp_state->neg_flags));
++		debug_ntlmssp_flags(ntlmssp_state->neg_flags);
++
++		return status;
++	}
++
++	return NT_STATUS_OK;
++}
++
+ /**
+  * Next state function for the Challenge Packet.  Generate an auth packet.
+  *
+@@ -448,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge
+ 	DATA_BLOB encrypted_session_key = data_blob_null;
+ 	NTSTATUS nt_status = NT_STATUS_OK;
+ 
++	if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
++			 "NTLMSSP",
++			 &ntlmssp_command,
++			 &server_domain_blob,
++			 &chal_flags)) {
++		DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
++		dump_data(2, reply.data, reply.length);
++
++		return NT_STATUS_INVALID_PARAMETER;
++	}
++	data_blob_free(&server_domain_blob);
++
++	DEBUG(3, ("Got challenge flags:\n"));
++	debug_ntlmssp_flags(chal_flags);
++
++	nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
++	if (!NT_STATUS_IS_OK(nt_status)) {
++		return nt_status;
++	}
++
+ 	if (ntlmssp_state->use_ccache) {
+ 		struct wbcCredentialCacheParams params;
+ 		struct wbcCredentialCacheInfo *info = NULL;
+@@ -498,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge
+ 
+ noccache:
+ 
+-	if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
+-			 "NTLMSSP",
+-			 &ntlmssp_command,
+-			 &server_domain_blob,
+-			 &chal_flags)) {
+-		DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
+-		dump_data(2, reply.data, reply.length);
+-
+-		return NT_STATUS_INVALID_PARAMETER;
+-	}
+-
+ 	if (DEBUGLEVEL >= 10) {
+ 		struct CHALLENGE_MESSAGE *challenge = talloc(
+ 			talloc_tos(), struct CHALLENGE_MESSAGE);
+@@ -525,13 +624,6 @@ noccache:
+ 		}
+ 	}
+ 
+-	data_blob_free(&server_domain_blob);
+-
+-	DEBUG(3, ("Got challenge flags:\n"));
+-	debug_ntlmssp_flags(chal_flags);
+-
+-	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
+-
+ 	if (ntlmssp_state->unicode) {
+ 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
+ 			chal_parse_string = "CdUdbddB";
+@@ -769,6 +861,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
+ 	ntlmssp_state->unicode = True;
+ 
+ 	ntlmssp_state->use_ntlmv2 = use_ntlmv2;
++	ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
+ 
+ 	ntlmssp_state->expected_state = NTLMSSP_INITIAL;
+ 
+@@ -780,6 +873,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
+ 		NTLMSSP_NEGOTIATE_KEY_EXCH |
+ 		NTLMSSP_REQUEST_TARGET;
+ 
++	if (ntlmssp_state->use_ntlmv2) {
++		ntlmssp_state->allow_lm_key = false;
++	}
++
+ 	ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
+ 	if (!ntlmssp_state->client.netbios_name) {
+ 		talloc_free(ntlmssp_state);
+--- a/libcli/auth/ntlmssp.h
++++ b/libcli/auth/ntlmssp.h
+@@ -83,6 +83,7 @@ struct ntlmssp_state
+ 	DATA_BLOB nt_resp;
+ 	DATA_BLOB session_key;
+ 
++	uint32_t required_flags;
+ 	uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
+ 
+ 	/**
author	Hauke Mehrtens <hauke@hauke-m.de>	2016-04-16 20:06:34 +0000
committer	Hauke Mehrtens <hauke@hauke-m.de>	2016-04-16 20:06:34 +0000
commit	1414f1647d435a7eda48d9433a022286a46d9097 (patch)
tree	633f8ca00f7284130188a3f6e8e65025009f9ff2 /package/network/services/samba36/patches/023-CVE-2016-2110-v3-6.patch
parent	894aed060ee15dafea19d94157adddf38ff8e2e7 (diff)
download	mtk-20170518-1414f1647d435a7eda48d9433a022286a46d9097.zip mtk-20170518-1414f1647d435a7eda48d9433a022286a46d9097.tar.gz mtk-20170518-1414f1647d435a7eda48d9433a022286a46d9097.tar.bz2