CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control
authorRalph Boehme <slow@samba.org>
Thu, 15 Feb 2018 22:11:38 +0000 (23:11 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Mar 2018 09:24:27 +0000 (10:24 +0100)
This is not strictly needed to fix bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/dsdb/samdb/ldb_modules/acl.c

index 9b4be7b6909e4ad205a47207a83326308a9b83b6..d750362c47fe7ebe6c2ba06b1a37ba49fdc05159 100644 (file)
@@ -971,7 +971,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
        struct ldb_message *msg;
        struct ldb_control *c = NULL;
        const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
-                                       "unicodePwd", "dBCSPwd", NULL }, **l;
+                                       "unicodePwd", NULL }, **l;
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
        struct dsdb_control_password_acl_validation *pav = NULL;
 
@@ -1031,6 +1031,15 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
                goto checked;
        }
 
+       el = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
+       if (el != NULL) {
+               /*
+                * dBCSPwd is only allowed with a control.
+                */
+               talloc_free(tmp_ctx);
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+
        msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
        if (msg == NULL) {
                return ldb_module_oom(module);
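Review bot: The new dBCSPwd rejection in the second hunk returns LDB_ERR_UNWILLING_TO_PERFORM without setting an ldb error string or logging anything, so a refused attempt to write this password attribute leaves nothing specific for an administrator or a detection rule to key on. Consider adding `ldb_set_errstring(ldb_module_get_ctx(module), "acl: dBCSPwd may only be modified with a password control");` before the `return`. The comment could also say why the check exists: presumably the control branch ending in `goto checked` above is the only sanctioned path, and since the first hunk drops "dBCSPwd" from `passwordAttrs`, the per-attribute handling that uses that list would no longer see it. A short comment at the array, such as `/* dBCSPwd is deliberately absent: it is rejected below unless a control is present */`, would keep the entry from being re-added later. acl_check_password_rights starts and ends outside the hunks shown, so the declaration of `el` and the control handling are not visible here.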