From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Thu, 22 Feb 2018 11:54:45 +1300 Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set with_cmocka flag We have cmocka in third_party, so we are never without it. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett (Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6 by Andrew Bartlett) --- selftest/tests.py | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/selftest/tests.py b/selftest/tests.py index 126e1184230..3f5097b680c 100644 --- a/selftest/tests.py +++ b/selftest/tests.py @@ -38,7 +38,6 @@ finally: f.close() have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash) -with_cmocka = ("HAVE_CMOCKA" in config_hash) with_pam = ("WITH_PAM" in config_hash) pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"] @@ -168,13 +167,12 @@ if with_pam: valgrindify(python), pam_wrapper_so_path, "$DOMAIN", "alice", "Secret007"]) -if with_cmocka: - plantestsuite("samba.unittests.krb5samba", "none", - [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")]) - plantestsuite("samba.unittests.sambafs_srv_pipe", "none", - [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")]) - plantestsuite("samba.unittests.lib_util_modules", "none", - [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")]) +plantestsuite("samba.unittests.krb5samba", "none", + [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")]) +plantestsuite("samba.unittests.sambafs_srv_pipe", "none", + [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")]) +plantestsuite("samba.unittests.lib_util_modules", "none", + [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")]) - plantestsuite("samba.unittests.smb1cli_session", "none", - [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) +plantestsuite("samba.unittests.smb1cli_session", "none", + [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) -- 2.14.4 From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 27 Jul 2018 08:44:24 +1200 Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 Signed-off-by: Andrew Bartlett --- libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++ libcli/auth/wscript_build | 13 ++ selftest/knownfail.d/ntlm | 2 + selftest/tests.py | 2 + 4 files changed, 430 insertions(+) create mode 100644 libcli/auth/tests/ntlm_check.c create mode 100644 selftest/knownfail.d/ntlm diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c new file mode 100644 index 00000000000..e87a0a276d4 --- /dev/null +++ b/libcli/auth/tests/ntlm_check.c @@ -0,0 +1,413 @@ +/* + * Unit tests for the ntlm_check password hash check library. + * + * Copyright (C) Andrew Bartlett 2018 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + */ + +/* + * from cmocka.c: + * These headers or their equivalents should be included prior to + * including + * this header file. + * + * #include + * #include + * #include + * + * This allows test applications to use custom definitions of C standard + * library functions and types. + * + */ + +/* + * Note that the messaging routines (audit_message_send and get_event_server) + * are not tested by these unit tests. Currently they are for integration + * test support, and as such are exercised by the integration tests. + */ +#include +#include +#include +#include + +#include "includes.h" +#include "../lib/crypto/crypto.h" +#include "librpc/gen_ndr/netlogon.h" +#include "libcli/auth/libcli_auth.h" +#include "auth/credentials/credentials.h" + +struct ntlm_state { + const char *username; + const char *domain; + DATA_BLOB challenge; + DATA_BLOB ntlm; + DATA_BLOB lm; + DATA_BLOB ntlm_key; + DATA_BLOB lm_key; + const struct samr_Password *nt_hash; +}; + +static int test_ntlm_setup_with_options(void **state, + int flags, bool upn) +{ + NTSTATUS status; + DATA_BLOB challenge = { + .data = discard_const_p(uint8_t, "I am a teapot"), + .length = 8 + }; + struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state); + DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state, + NULL, + "serverdom"); + struct cli_credentials *creds = cli_credentials_init(ntlm_state); + cli_credentials_set_username(creds, + "testuser", + CRED_SPECIFIED); + cli_credentials_set_domain(creds, + "testdom", + CRED_SPECIFIED); + cli_credentials_set_workstation(creds, + "testwksta", + CRED_SPECIFIED); + cli_credentials_set_password(creds, + "testpass", + CRED_SPECIFIED); + + if (upn) { + cli_credentials_set_principal(creds, + "testuser@samba.org", + CRED_SPECIFIED); + } + + cli_credentials_get_ntlm_username_domain(creds, + ntlm_state, + &ntlm_state->username, + &ntlm_state->domain); + + status = cli_credentials_get_ntlm_response(creds, + ntlm_state, + &flags, + challenge, + NULL, + target_info, + &ntlm_state->lm, + &ntlm_state->ntlm, + &ntlm_state->lm_key, + &ntlm_state->ntlm_key); + ntlm_state->challenge = challenge; + + ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds, + ntlm_state); + + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + + *state = ntlm_state; + return 0; +} + +static int test_ntlm_setup(void **state) { + return test_ntlm_setup_with_options(state, 0, false); +} + +static int test_ntlm_and_lm_setup(void **state) { + return test_ntlm_setup_with_options(state, + CLI_CRED_LANMAN_AUTH, + false); +} + +static int test_ntlm2_setup(void **state) { + return test_ntlm_setup_with_options(state, + CLI_CRED_NTLM2, + false); +} + +static int test_ntlmv2_setup(void **state) { + return test_ntlm_setup_with_options(state, + CLI_CRED_NTLMv2_AUTH, + false); +} + +static int test_ntlm_teardown(void **state) +{ + struct ntlm_state *ntlm_state + = talloc_get_type_abort(*state, + struct ntlm_state); + TALLOC_FREE(ntlm_state); + *state = NULL; + return 0; +} + +static void test_ntlm_allowed(void **state) +{ + DATA_BLOB user_sess_key, lm_sess_key; + struct ntlm_state *ntlm_state + = talloc_get_type_abort(*state, + struct ntlm_state); + NTSTATUS status; + status = ntlm_password_check(ntlm_state, + false, + NTLM_AUTH_ON, + 0, + &ntlm_state->challenge, + &ntlm_state->lm, + &ntlm_state->ntlm, + ntlm_state->username, + ntlm_state->username, + ntlm_state->domain, + NULL, + ntlm_state->nt_hash, + &user_sess_key, + &lm_sess_key); + + assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); +} + +static void test_ntlm_allowed_lm_supplied(void **state) +{ + return test_ntlm_allowed(state); +} + +static void test_ntlm_disabled(void **state) +{ + DATA_BLOB user_sess_key, lm_sess_key; + struct ntlm_state *ntlm_state + = talloc_get_type_abort(*state, + struct ntlm_state); + NTSTATUS status; + status = ntlm_password_check(ntlm_state, + false, + NTLM_AUTH_DISABLED, + 0, + &ntlm_state->challenge, + &ntlm_state->lm, + &ntlm_state->ntlm, + ntlm_state->username, + ntlm_state->username, + ntlm_state->domain, + NULL, + ntlm_state->nt_hash, + &user_sess_key, + &lm_sess_key); + + assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED)); +} + +static void test_ntlm2(void **state) +{ + DATA_BLOB user_sess_key, lm_sess_key; + struct ntlm_state *ntlm_state + = talloc_get_type_abort(*state, + struct ntlm_state); + NTSTATUS status; + status = ntlm_password_check(ntlm_state, + false, + NTLM_AUTH_ON, + 0, + &ntlm_state->challenge, + &ntlm_state->lm, + &ntlm_state->ntlm, + ntlm_state->username, + ntlm_state->username, + ntlm_state->domain, + NULL, + ntlm_state->nt_hash, + &user_sess_key, + &lm_sess_key); + + /* + * NTLM2 session security (where the real challenge is the + * MD5(challenge, client-challenge) (in the first 8 bytes of + * the lm) isn't decoded by ntlm_password_check(), it must + * first be converted back into normal NTLM by the NTLMSSP + * layer + */ + assert_int_equal(NT_STATUS_V(status), + NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); +} + +static void test_ntlm_mschapv2_only_allowed(void **state) +{ + DATA_BLOB user_sess_key, lm_sess_key; + struct ntlm_state *ntlm_state + = talloc_get_type_abort(*state, + struct ntlm_state); + NTSTATUS status; + status = ntlm_password_check(ntlm_state, + false, + NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, + MSV1_0_ALLOW_MSVCHAPV2, + &ntlm_state->challenge, + &ntlm_state->lm, + &ntlm_state->ntlm, + ntlm_state->username, + ntlm_state->username, + ntlm_state->domain, + NULL, + ntlm_state->nt_hash, + &user_sess_key, + &lm_sess_key); + + assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); +} + +static void test_ntlm_mschapv2_only_denied(void **state) +{ + DATA_BLOB user_sess_key, lm_sess_key; + struct ntlm_state *ntlm_state + = talloc_get_type_abort(*state, + struct ntlm_state); + NTSTATUS status; + status = ntlm_password_check(ntlm_state, + false, + NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, + 0, + &ntlm_state->challenge, + &ntlm_state->lm, + &ntlm_state->ntlm, + ntlm_state->username, + ntlm_state->username, + ntlm_state->domain, + NULL, + ntlm_state->nt_hash, + &user_sess_key, + &lm_sess_key); + + assert_int_equal(NT_STATUS_V(status), + NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); +} + +static void test_ntlmv2_only_ntlmv2(void **state) +{ + DATA_BLOB user_sess_key, lm_sess_key; + struct ntlm_state *ntlm_state + = talloc_get_type_abort(*state, + struct ntlm_state); + NTSTATUS status; + status = ntlm_password_check(ntlm_state, + false, + NTLM_AUTH_NTLMV2_ONLY, + 0, + &ntlm_state->challenge, + &ntlm_state->lm, + &ntlm_state->ntlm, + ntlm_state->username, + ntlm_state->username, + ntlm_state->domain, + NULL, + ntlm_state->nt_hash, + &user_sess_key, + &lm_sess_key); + + assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); +} + +static void test_ntlmv2_only_ntlm(void **state) +{ + DATA_BLOB user_sess_key, lm_sess_key; + struct ntlm_state *ntlm_state + = talloc_get_type_abort(*state, + struct ntlm_state); + NTSTATUS status; + status = ntlm_password_check(ntlm_state, + false, + NTLM_AUTH_NTLMV2_ONLY, + 0, + &ntlm_state->challenge, + &ntlm_state->lm, + &ntlm_state->ntlm, + ntlm_state->username, + ntlm_state->username, + ntlm_state->domain, + NULL, + ntlm_state->nt_hash, + &user_sess_key, + &lm_sess_key); + + assert_int_equal(NT_STATUS_V(status), + NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); +} + +static void test_ntlmv2_only_ntlm_and_lanman(void **state) +{ + return test_ntlmv2_only_ntlm(state); +} + +static void test_ntlmv2_only_ntlm_once(void **state) +{ + DATA_BLOB user_sess_key, lm_sess_key; + struct ntlm_state *ntlm_state + = talloc_get_type_abort(*state, + struct ntlm_state); + NTSTATUS status; + status = ntlm_password_check(ntlm_state, + false, + NTLM_AUTH_NTLMV2_ONLY, + 0, + &ntlm_state->challenge, + &data_blob_null, + &ntlm_state->ntlm, + ntlm_state->username, + ntlm_state->username, + ntlm_state->domain, + NULL, + ntlm_state->nt_hash, + &user_sess_key, + &lm_sess_key); + + assert_int_equal(NT_STATUS_V(status), + NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); +} + +int main(int argc, const char **argv) +{ + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_ntlm_allowed, + test_ntlm_setup, + test_ntlm_teardown), + cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied, + test_ntlm_and_lm_setup, + test_ntlm_teardown), + cmocka_unit_test_setup_teardown(test_ntlm_disabled, + test_ntlm_setup, + test_ntlm_teardown), + cmocka_unit_test_setup_teardown(test_ntlm2, + test_ntlm2_setup, + test_ntlm_teardown), + cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed, + test_ntlm_setup, + test_ntlm_teardown), + cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied, + test_ntlm_setup, + test_ntlm_teardown), + cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm, + test_ntlm_setup, + test_ntlm_teardown), + cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman, + test_ntlm_and_lm_setup, + test_ntlm_teardown), + cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once, + test_ntlm_setup, + test_ntlm_teardown), + cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2, + test_ntlmv2_setup, + test_ntlm_teardown) + }; + + cmocka_set_message_output(CM_OUTPUT_SUBUNIT); + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build index 475b7d69406..d319d9b879e 100644 --- a/libcli/auth/wscript_build +++ b/libcli/auth/wscript_build @@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS', bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE', source='spnego_parse.c', deps='asn1util') + +bld.SAMBA_BINARY( + 'test_ntlm_check', + source='tests/ntlm_check.c', + deps=''' + NTLM_CHECK + CREDENTIALS_NTLM + samba-credentials + cmocka + talloc + ''', + install=False + ) diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm new file mode 100644 index 00000000000..c6e6a3739ba --- /dev/null +++ b/selftest/knownfail.d/ntlm @@ -0,0 +1,2 @@ +^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied +^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\( diff --git a/selftest/tests.py b/selftest/tests.py index 3f5097b680c..dc6486c13f8 100644 --- a/selftest/tests.py +++ b/selftest/tests.py @@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none", plantestsuite("samba.unittests.smb1cli_session", "none", [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) +plantestsuite("samba.unittests.ntlm_check", "none", + [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) -- 2.14.4 From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 14 Mar 2018 15:36:05 +0100 Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider --- libcli/auth/ntlm_check.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c index 3b02adc1d48..1c6499bd210 100644 --- a/libcli/auth/ntlm_check.c +++ b/libcli/auth/ntlm_check.c @@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, const struct samr_Password *stored_nt) { if (stored_nt == NULL) { - DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", + DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n", username)); } @@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) { return NT_STATUS_OK; } else { - DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n", + DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n", username)); return NT_STATUS_WRONG_PASSWORD; } } else if (client_lanman && stored_lanman) { if (!lanman_auth) { - DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", + DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", username)); return NT_STATUS_WRONG_PASSWORD; } @@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) { return NT_STATUS_OK; } else { - DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n", + DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n", username)); return NT_STATUS_WRONG_PASSWORD; } -- 2.14.4 From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 14 Mar 2018 15:35:01 +0100 Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider --- source3/utils/ntlm_auth.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 3f544902a24..8f77680416f 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context, *pauthoritative = 1; nt_status = ntlm_password_check(mem_ctx, - true, true, 0, + true, NTLM_AUTH_ON, 0, &auth4_context->challenge.data, &user_info->password.response.lanman, &user_info->password.response.nt, @@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash); nt_status = ntlm_password_check(mem_ctx, - true, true, 0, + true, + NTLM_AUTH_ON, + 0, &challenge, &lm_response, &nt_response, -- 2.14.4 From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 16 Mar 2018 17:25:12 +0100 Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled. Right now, this test will succeed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider --- source3/selftest/tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 9092c1776c8..034c014e5b8 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration]) plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration]) -for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]: +for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]: for env in ["nt4_member", "ad_member"]: plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options]) plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options]) -- 2.14.4 From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 13 Mar 2018 16:56:20 +0100 Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth". This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0. Found by Vivek Das (Red Hat QE). In order to demonstrate simply run: smbclient //server/share -U user%password -mNT1 -c quit \ --option="client ntlmv2 auth"=no \ --option="client use spnego"=no against a server that uses "ntlm auth = ntlmv2-only" (our default setting). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider --- libcli/auth/ntlm_check.c | 2 +- selftest/knownfail | 3 ++- selftest/knownfail.d/ntlm | 2 -- 3 files changed, 3 insertions(+), 4 deletions(-) delete mode 100644 selftest/knownfail.d/ntlm diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c index 1c6499bd210..b68e9c87888 100644 --- a/libcli/auth/ntlm_check.c +++ b/libcli/auth/ntlm_check.c @@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, - I think this is related to Win9X pass-though authentication */ DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n")); - if (ntlm_auth) { + if (ntlm_auth == NTLM_AUTH_ON) { if (smb_pwd_check_ntlmv1(mem_ctx, lm_response, stored_nt->hash, challenge, diff --git a/selftest/knownfail b/selftest/knownfail index ba16fd72290..84776d4f35d 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -303,8 +303,9 @@ ^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\) # fl2000dc doesn't support AES ^samba4.krb5.kdc.*as-req-aes.*fl2000dc -# nt4_member and ad_member don't support ntlmv1 +# nt4_member and ad_member don't support ntlmv1 (not even over SMB1) ^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user +^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user #nt-vfs server blocks read with execute access ^samba4.smb2.read.access #ntvfs server blocks copychunk with execute access on read handle diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm deleted file mode 100644 index c6e6a3739ba..00000000000 --- a/selftest/knownfail.d/ntlm +++ /dev/null @@ -1,2 +0,0 @@ -^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied -^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\( -- 2.14.4