[samba4/f17] Fixes CVE-2013-0172
asn
asn at fedoraproject.org
Tue Jan 15 15:36:56 UTC 2013
commit d90e76f26131b573bd3396dbe94e9adedb25c2b1
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Tue Jan 15 15:48:52 2013 +0100
Fixes CVE-2013-0172
samba4-CVE-2013-0172.patch | 165 ++++++++++++++++++++++++++++++++++++++++++++
samba4.spec | 7 ++-
2 files changed, 171 insertions(+), 1 deletions(-)
---
diff --git a/samba4-CVE-2013-0172.patch b/samba4-CVE-2013-0172.patch
new file mode 100644
index 0000000..dbac62c
--- /dev/null
+++ b/samba4-CVE-2013-0172.patch
@@ -0,0 +1,165 @@
+From 5cf13e59d13caf9f37e28e4beabdb1a1d955b08b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab at samba.org>
+Date: Fri, 11 Jan 2013 13:56:34 +0200
+Subject: [PATCH] Fix CVE-2013-0172
+
+Rebase for 4.0.0 alpha18:
+o CVE-2013-0172:
+ Samba 4.0.0 as an AD DC may provide authenticated users with write access
+ to LDAP directory objects.
+
+ In AD, Access Control Entries can be assigned based on the objectClass
+ of the object. If a user or a group the user is a member of has any
+ access based on the objectClass, then that user has write access to that
+ object.
+
+ Additionally, if a user has write access to any attribute on the object,
+ they may have access to write to all attributes.
+
+ An important mitigation is that anonymous access is totally disabled by
+ default. The second important mitigation is that normal users are
+ typically only given the problematic per-objectClass right via the
+ "pre-windows 2000 compatible access" group, and Samba 4.0.0 incorrectly
+ does not make "authenticated users" part of this group.
+---
+ libcli/security/object_tree.c | 1 +
+ source4/dsdb/samdb/ldb_modules/acl.c | 55 ++++++++++++++++++------------------
+ source4/dsdb/tests/python/acl.py | 15 ++++++++++
+ 3 files changed, 43 insertions(+), 28 deletions(-)
+
+diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c
+index 6809c8e3452d85312eaf5ede98b24b641abd2cd6..dcbd310baeaad7e7c12a89445fe12a1c125bc9a8 100644
+--- a/libcli/security/object_tree.c
++++ b/libcli/security/object_tree.c
+@@ -53,6 +53,7 @@ bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
+ return false;
+ }
+ (*root)->guid = *guid;
++ (*root)->remaining_access = init_access;
+ *new_node = *root;
+ return true;
+ }
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index abde85f682c65b633b630ce4f3cec90608501af3..da75789bce11eef6b8e4b8645fd498fa495abf42 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -871,8 +871,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ unsigned int i;
+ const struct GUID *guid;
+ uint32_t access_granted;
+- struct object_tree *root = NULL;
+- struct object_tree *new_node = NULL;
+ NTSTATUS status;
+ struct ldb_result *acl_res;
+ struct security_descriptor *sd;
+@@ -935,12 +933,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ "acl_modify: Error retrieving object class GUID.");
+ }
+ sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
+- if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
+- &root, &new_node)) {
+- talloc_free(tmp_ctx);
+- return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+- "acl_modify: Error adding new node in object tree.");
+- }
+ for (i=0; i < req->op.mod.message->num_elements; i++){
+ const struct dsdb_attribute *attr;
+ attr = dsdb_attribute_by_lDAPDisplayName(schema,
+@@ -1008,6 +1000,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ goto fail;
+ }
+ } else {
++ struct object_tree *root = NULL;
++ struct object_tree *new_node = NULL;
+
+ /* This basic attribute existence check with the right errorcode
+ * is needed since this module is the first one which requests
+@@ -1022,6 +1016,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ ret = LDB_ERR_NO_SUCH_ATTRIBUTE;
+ goto fail;
+ }
++
++ if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
++ &root, &new_node)) {
++ talloc_free(tmp_ctx);
++ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
++ "acl_modify: Error adding new node in object tree.");
++ }
++
+ if (!insert_in_object_tree(tmp_ctx,
+ &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
+ &new_node, &new_node)) {
+@@ -1038,27 +1040,24 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto fail;
+ }
+- }
+- }
+
+- if (root->num_of_children > 0) {
+- status = sec_access_check_ds(sd, acl_user_token(module),
+- SEC_ADS_WRITE_PROP,
+- &access_granted,
+- root,
+- sid);
+-
+- if (!NT_STATUS_IS_OK(status)) {
+- ldb_asprintf_errstring(ldb_module_get_ctx(module),
+- "Object %s has no write property access\n",
+- ldb_dn_get_linearized(req->op.mod.message->dn));
+- dsdb_acl_debug(sd,
+- acl_user_token(module),
+- req->op.mod.message->dn,
+- true,
+- 10);
+- ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+- goto fail;
++ status = sec_access_check_ds(sd, acl_user_token(module),
++ SEC_ADS_WRITE_PROP,
++ &access_granted,
++ root,
++ sid);
++ if (!NT_STATUS_IS_OK(status)) {
++ ldb_asprintf_errstring(ldb_module_get_ctx(module),
++ "Object %s has no write property access\n",
++ ldb_dn_get_linearized(req->op.mod.message->dn));
++ dsdb_acl_debug(sd,
++ acl_user_token(module),
++ req->op.mod.message->dn,
++ true,
++ 10);
++ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
++ goto fail;
++ }
+ }
+ }
+
+diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
+index a62461449d9884b841855daca79a8f9f674865cb..8c82b3c991c523c878ef47e8b985e459691a4398 100755
+--- a/source4/dsdb/tests/python/acl.py
++++ b/source4/dsdb/tests/python/acl.py
+@@ -389,6 +389,21 @@ url: www.samba.org"""
+ else:
+ # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
+ self.fail()
++ # Modify on attribute you do not have rights for granted while also modifying something you do have rights for
++ ldif = """
++dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
++changetype: modify
++replace: url
++url: www.samba.org
++replace: displayName
++displayName: test_changed"""
++ try:
++ self.ldb_user.modify_ldif(ldif)
++ except LdbError, (num, _):
++ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
++ else:
++ # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
++ self.fail()
+ # Second test object -- Organizational Unit
+ print "Testing modify on OU object"
+ self.ldb_admin.create_ou("OU=test_modify_ou1," + self.base_dn)
+--
+1.8.1
+
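Review bot: In the per-attribute block that acl.c now adds inside the modify loop, the first `insert_in_object_tree` failure path frees tmp_ctx and returns directly (`talloc_free(tmp_ctx); return ldb_error(...)`), while every neighbouring error path in the same branch — the existing second insert_in_object_tree call and the new sec_access_check_ds denial — sets `ret` and jumps to `fail`; the relocated lines simply kept the direct-return form they had before the loop. If the `fail` label does anything beyond freeing tmp_ctx (its body lies outside the quoted hunks) this path skips it, and either way the mixed styles make the cleanup contract of acl_modify harder to audit, so I would write `ldb_asprintf_errstring(ldb, "acl_modify: Error adding new node in object tree."); ret = LDB_ERR_OPERATIONS_ERROR; goto fail;` to match the sibling path. Separately, the new acl.py case only exercises the order url-then-displayName; since the access check is now performed once per element, a second case with `replace: displayName` listed before `replace: url` would pin that the denial does not depend on element order. acl_modify begins and ends outside the hunks shown here.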
diff --git a/samba4.spec b/samba4.spec
index 678022b..234d9e6 100644
--- a/samba4.spec
+++ b/samba4.spec
@@ -1,4 +1,4 @@
-%define main_release 58
+%define main_release 59
%define samba_version 4.0.0
%define talloc_version 2.0.7
@@ -80,6 +80,7 @@ Patch6: samba4-4.0.0-alpha20-lib-private.patch
Patch7: samba4-CVE-2012-2111.patch
Patch8: samba4-4.0.0-beta1-fix-s3-daemon-memory-leaks.patch
Patch9: samba4-4.0.0beta1-fix-python-version-parsing.patch
+Patch10: samba4-CVE-2013-0172.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -369,6 +370,7 @@ link against the SMB, RPC and other protocols.
%patch7 -p1 -b .CVE-2012-2111
%patch8 -p1 -b .daemon_mem_leaks
%patch9 -p1 -b .python_version_parsing
+%patch10 -p1 -b .CVE-2013-0172
%build
%define _talloc_lib %nil
@@ -1239,6 +1241,9 @@ rm -rf %{buildroot}
%endif # with_libwbclient
%changelog
+* Tue Jan 15 2013 - Andreas Schneider <asn at redhat.com>
+- Fixes CVE-2013-0172
+
* Thu Jul 12 2012 Andreas Schneider <asn at redhat.com> - 2:4.0.0-58.alpha18
- Add requirement for samba4-python in samba4-dc.
- resolves: #839247
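Review bot: The new %changelog entry `* Tue Jan 15 2013 - Andreas Schneider <asn at redhat.com>` does not follow the format of the entry below it, which places the packager name directly after the date and ends with the version-release (`- 2:4.0.0-58.alpha18`); the stray ` - ` after the date and the missing version-release will make rpmlint report the latest changelog entry as incoherent with the package version. Since main_release is bumped to 59 in the same commit, the header should read `* Tue Jan 15 2013 Andreas Schneider <asn at redhat.com> - 2:4.0.0-59.alpha18` (epoch and alpha suffix taken from the previous entry; the Release tag itself is outside the hunk, so confirm them there).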