CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*(...
authorStefan Metzmacher <metze@samba.org>
Wed, 30 Nov 2022 16:15:36 +0000 (17:15 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Dec 2022 23:48:48 +0000 (00:48 +0100)
We'll soon add some additional constraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)

source4/rpc_server/netlogon/dcerpc_netlogon.c

index db4e62b335e129d795210f1f9ba4ea571f6072b6..13846f3d15d3340720ea3905bd956414bc06bcd9 100644 (file)
@@ -1407,6 +1407,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
        struct auth_usersupplied_info *user_info = NULL;
        NTSTATUS nt_status;
        struct tevent_req *subreq = NULL;
+       enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+       enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+
+       dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
+
+       switch (dce_call->pkt.u.request.opnum) {
+       case NDR_NETR_LOGONSAMLOGON:
+       case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
+               /*
+                * These already called dcesrv_netr_check_schannel()
+                * via dcesrv_netr_creds_server_step_check()
+                */
+               break;
+       case NDR_NETR_LOGONSAMLOGONEX:
+       default:
+               if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+
+               nt_status = dcesrv_netr_check_schannel(dce_call,
+                                                      creds,
+                                                      auth_type,
+                                                      auth_level,
+                                                      dce_call->pkt.u.request.opnum);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       return nt_status;
+               }
+               break;
+       }
 
        *r->out.authoritative = 1;
 
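Review bot: The `break` for `NDR_NETR_LOGONSAMLOGON` and `NDR_NETR_LOGONSAMLOGONWITHFLAGS` skips the schannel check on the strength of an invariant this function cannot verify, namely that the caller already ran dcesrv_netr_check_schannel() via dcesrv_netr_creds_server_step_check(). Those callers are outside the hunk, so this rests on the comment alone; if a later change routes either opnum here without the step check, the constraints would be bypassed without any visible failure. Letting `default:` share the LogonSamLogonEx arm is the right fail-closed choice and is worth stating in the code, e.g. `/* fail closed: any opnum not listed above must pass the schannel checks */`. The bare `return NT_STATUS_ACCESS_DENIED;` for a non-schannel auth type emits nothing in the lines shown, so consider logging the opnum and auth type there so rejected calls are visible to operators. The function body starts and ends outside the hunk, and `creds` is declared outside it, so its validity on the LogonSamLogonEx path should be confirmed against the caller.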
@@ -1755,7 +1784,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply(
 static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                                     struct netr_LogonSamLogonEx *r)
 {
-       enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
        struct dcesrv_netr_LogonSamLogon_base_state *state;
        NTSTATUS nt_status;
 
@@ -1793,12 +1821,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
                return nt_status;
        }
 
-       dcesrv_call_auth_info(dce_call, &auth_type, NULL);
-
-       if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
-               return NT_STATUS_ACCESS_DENIED;
-       }
-
        nt_status = dcesrv_netr_LogonSamLogon_base_call(state);
 
        if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {