CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
authorStefan Metzmacher <metze@samba.org>
Fri, 7 Aug 2015 07:50:30 +0000 (09:50 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:08:51 +0000 (04:08 +0200)
This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
selftest/knownfail
source4/rpc_server/samr/dcesrv_samr.c

index e95d048e12d80b821d5b6bf0b6611dbf95b1f285..fc711babf3b0ae4abc3bc562db010f6ecce9cab7 100644 (file)
 ^samba4.rpc.netlogon.*.ServerGetTrustInfo
 ^samba4.rpc.drsuapi.*ncacn_ip_tcp.*validate # should only work with seal
 ^samba4.rpc.drsuapi.*ncacn_ip_tcp.*bigendian # should only work with seal
+^samba4.rpc.samr.passwords.validate.*ncacn_ip_tcp.*with.validate # should only work with seal
+^samba4.rpc.samr.passwords.validate.*ncacn_ip_tcp.*with.bigendian # should only work with seal
 ^samba4.base.charset.*.Testing partial surrogate
 ^samba4.*.base.maximum_allowed         # broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT
 .*net.api.delshare.*                           # DelShare isn't implemented yet
index 8c34e305f15ff46afd0a946125712734af3a3cf8..3f7637819485347e637716329c984e82a3d64af7 100644 (file)
 #include "lib/util/tsort.h"
 #include "libds/common/flag_mapping.h"
 
+#define DCESRV_INTERFACE_SAMR_BIND(call, iface) \
+       dcesrv_interface_samr_bind(call, iface)
+static NTSTATUS dcesrv_interface_samr_bind(struct dcesrv_call_state *dce_call,
+                                            const struct dcesrv_interface *iface)
+{
+       return dcesrv_interface_bind_reject_connect(dce_call, iface);
+}
+
 /* these query macros make samr_Query[User|Group|Alias]Info a bit easier to read */
 
 #define QUERY_STRING(msg, field, attr) \
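Review bot: The new `dcesrv_interface_samr_bind` hook and its `DCESRV_INTERFACE_SAMR_BIND` macro have no comment recording the security decision, so a reader of this file cannot tell that SAMR binds at DCERPC_AUTH_LEVEL_CONNECT are refused on purpose. I would add above the macro: `/* Reject DCERPC_AUTH_LEVEL_CONNECT binds by default: connect level has no per-PDU signing or sealing, so a man in the middle can downgrade and tamper with SAMR calls (CVE-2016-2118). */`. The macro presumably only takes effect if it is defined before the generated SAMR server boilerplate that consumes it is included. That include is outside this hunk, so the ordering is worth confirming and stating in the same comment. The policy itself, and whatever override the title's "by default" refers to, live in `dcesrv_interface_bind_reject_connect`, which is not visible here. A pointer to where an administrator can relax it would help anyone auditing the server's configuration.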