The branch, v4-0-test has been updated
       via  9712362 Merge tag 'samba-4.0.1' into v4-0-test
       via  d2e9007 VERSION: Bump version number up to 4.0.1. (CVE-2013-0172)
       via  0c02492 WHATSNEW: Update release notes for Samba 4.0.1. (CVE-2013-0172)
       via  8bafe08 dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)
       via  d776fd8 dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug #9554 - CVE-2013-0172)
       via  a758054 libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
      from  15652ef selftest: show that Samba honours "write list" and valid users
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log ----------------------------------------------------------------- commit 9712362a563bfdfe71334071c35c7429e9462811 Merge: 15652efca8644c03a48e258473fe5b58168df333 d2e900757d8e8e2a82cb14e79814ed3cbc8d93c1 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 15 09:39:07 2013 +0100 Merge tag 'samba-4.0.1' into v4-0-test samba: tag release samba-4.0.1 ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 56 ++++++++++++++++++++++++++++++++++ libcli/security/object_tree.c | 1 + source4/dsdb/samdb/ldb_modules/acl.c | 55 ++++++++++++++++----------------- source4/dsdb/tests/python/acl.py | 15 +++++++++ 4 files changed, 99 insertions(+), 28 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 520075f..5c69ca9 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,60 @@ ============================= + Release Notes for Samba 4.0.1 + January 15, 2013 + ============================= + + +This is a security release in order to address CVE-2013-0172. + +o CVE-2013-0172: + Samba 4.0.0 as an AD DC may provide authenticated users with write access + to LDAP directory objects. + + In AD, Access Control Entries can be assigned based on the objectClass + of the object. If a user or a group the user is a member of has any + access based on the objectClass, then that user has write access to that + object. + + Additionally, if a user has write access to any attribute on the object, + they may have access to write to all attributes. + + An important mitigation is that anonymous access is totally disabled by + default. The second important mitigation is that normal users are + typically only given the problematic per-objectClass right via the + "pre-windows 2000 compatible access" group, and Samba 4.0.0 incorrectly + does not make "authenticated users" part of this group. + +Changes since 4.0.0: +==================== + +o Andrew Bartlett <abart...@samba.org> + * Bug 9554 - CVE-2013-0172 - Samba 4.0 as an AD DC may provide authenticated + users with write access to LDAP directory objects. + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.0 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.0.0 December 11, 2012 ============================= diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c index 6809c8e..dcbd310 100644 --- a/libcli/security/object_tree.c +++ b/libcli/security/object_tree.c @@ -53,6 +53,7 @@ bool insert_in_object_tree(TALLOC_CTX *mem_ctx, return false; } (*root)->guid = *guid; + (*root)->remaining_access = init_access; *new_node = *root; return true; } diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 9bf2612..3f09760 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -977,8 +977,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) unsigned int i; const struct GUID *guid; uint32_t access_granted; - struct object_tree *root = NULL; - struct object_tree *new_node = NULL; NTSTATUS status; struct ldb_result *acl_res; struct security_descriptor *sd; @@ -1043,12 +1041,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) "acl_modify: Error retrieving object class GUID."); } sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid"); - if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP, - &root, &new_node)) { - talloc_free(tmp_ctx); - return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, - "acl_modify: Error adding new node in object tree."); - } for (i=0; i < req->op.mod.message->num_elements; i++){ const struct dsdb_attribute *attr; attr = dsdb_attribute_by_lDAPDisplayName(schema, 
@@ -1129,6 +1121,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) goto fail; } } else { + struct object_tree *root = NULL; + struct object_tree *new_node = NULL; /* This basic attribute existence check with the right errorcode * is needed since this module is the first one which requests @@ -1143,6 +1137,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) ret = LDB_ERR_NO_SUCH_ATTRIBUTE; goto fail; } + + if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP, + &root, &new_node)) { + talloc_free(tmp_ctx); + return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, + "acl_modify: Error adding new node in object tree."); + } + if (!insert_in_object_tree(tmp_ctx, &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) { @@ -1159,27 +1161,24 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) ret = LDB_ERR_OPERATIONS_ERROR; goto fail; } - } - } - - if (root->num_of_children > 0) { - status = sec_access_check_ds(sd, acl_user_token(module), - SEC_ADS_WRITE_PROP, - &access_granted, - root, - sid); - if (!NT_STATUS_IS_OK(status)) { - ldb_asprintf_errstring(ldb_module_get_ctx(module), - "Object %s has no write property access\n", - ldb_dn_get_linearized(req->op.mod.message->dn)); - dsdb_acl_debug(sd, - acl_user_token(module), - req->op.mod.message->dn, - true, - 10); - ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; - goto fail; + status = sec_access_check_ds(sd, acl_user_token(module), + SEC_ADS_WRITE_PROP, + &access_granted, + root, + sid); + if (!NT_STATUS_IS_OK(status)) { + ldb_asprintf_errstring(ldb_module_get_ctx(module), + "Object %s has no write property access\n", + ldb_dn_get_linearized(req->op.mod.message->dn)); + dsdb_acl_debug(sd, + acl_user_token(module), + req->op.mod.message->dn, + true, + 10); + ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + goto fail; + } } } diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 94bc504..ecda3c5 100755 
--- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -389,6 +389,21 @@ url: www.samba.org""" else: # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS self.fail() + # Modify on attribute you do not have rights for granted while also modifying something you do have rights for + ldif = """ +dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ +changetype: modify +replace: url +url: www.samba.org +replace: displayName +displayName: test_changed""" + try: + self.ldb_user.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() # Second test object -- Organizational Unit print "Testing modify on OU object" self.ldb_admin.create_ou("OU=test_modify_ou1," + self.base_dn) -- Samba Shared Repository
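Review bot: the mitigation paragraph of the WHATSNEW.txt hunk rests on a second defect ("Samba 4.0.0 incorrectly does not make 'authenticated users' part of this group") without saying whether that behaviour is tracked or will change; once it is corrected in a later release the mitigation is gone for any DC still on 4.0.0, so the notes should state plainly that upgrading is the fix and the group membership is not something to rely on. The sentence "has any access based on the objectClass" would also read more precisely as "is granted any access by an ACE that matches the objectClass", since that is the condition the next sentence builds on.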
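Review bot: the one-line fix in the libcli/security/object_tree.c hunk covers only the root-creation path of insert_in_object_tree, where init_access was accepted as a parameter but never stored; that is the kind of omission a direct unit test would catch, and the only regression coverage in this changeset is the LDAP-level Python test further down. Suggest adding a libcli/security test that inserts a root and a child node with SEC_ADS_WRITE_PROP and asserts that remaining_access on both equals init_access.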
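Review bot: in the @@ -1143 hunk of source4/dsdb/samdb/ldb_modules/acl.c the failed insert_in_object_tree call does talloc_free(tmp_ctx); return ldb_error(...) from inside the per-attribute loop, while every neighbouring error in the same function sets ret and jumps to the common exit (ret = LDB_ERR_NO_SUCH_ATTRIBUTE; goto fail; and ret = LDB_ERR_OPERATIONS_ERROR; goto fail;). The moved block kept the early return it had before the loop; switch it to the ret/goto fail pattern so the function has a single cleanup path.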
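Review bot: the @@ -1159 hunk of acl.c is the substantive fix (the removed if (root->num_of_children > 0) block ran sec_access_check_ds once for the whole message, which is how the release notes' "write access to any attribute ... may have access to write to all attributes" came about), but the error string "Object %s has no write property access" is now emitted per attribute without naming the attribute. attr is in scope here (attr->attributeSecurityGUID is used just above), so add attr->lDAPDisplayName to the ldb_asprintf_errstring call so an administrator reading the log can see which attribute was denied.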
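Review bot: the new test in source4/dsdb/tests/python/acl.py only asserts that the mixed modify raises ERR_INSUFFICIENT_ACCESS_RIGHTS; it does not check afterwards that displayName on CN=test_modify_group1 is still unchanged, so a regression that rejects the request yet applies the permitted half would pass. Add a search after the except block asserting displayName is not "test_changed". The denied attribute (url) also precedes the permitted one (displayName); since acl_modify now evaluates attributes in message order, add the reverse ordering as a second case so a permitted attribute being checked first is covered too.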