Fix self granting privileges in security=ads.samba-3.6.5

CVE-2012-2111
author: Jeremy Allison <jra@samba.org> 2012-04-17 12:30:15 -0700
committer: Karolin Seeger <kseeger@samba.org> 2012-04-27 20:25:33 +0200
commit: 5bdabda9e2143b1188f52533a4fa3f838b6066c9 (patch)
tree: 03f05ee18136b5231030484ec0ef89880f6ff258
parent: 49808d01df79d67bc98f9c993b38c3ed49e892b4 (diff)
download: samba-5bdabda9e2143b1188f52533a4fa3f838b6066c9.tar.gz
1 files changed, 12 insertions, 4 deletions
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index f8c77bab546..a7b55e71eb6 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -2448,6 +2448,10 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
 	uint32_t acc_granted;
 	struct security_descriptor *psd;
 	size_t sd_size;
+	uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+			~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+			LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+			SEC_STD_DELETE));
 
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
@@ -2473,7 +2477,7 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
 
 	status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
 				    &lsa_account_mapping,
-				    r->in.sid, LSA_POLICY_ALL_ACCESS);
+				    r->in.sid, owner_access);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2514,6 +2518,10 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
 	size_t sd_size;
 	uint32_t des_access = r->in.access_mask;
 	uint32_t acc_granted;
+	uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+			~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+			LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+			SEC_STD_DELETE));
 	NTSTATUS status;
 
 	/* find the connection policy handle. */
@@ -2538,7 +2546,7 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
 	/* get the generic lsa account SD until we store it */
 	status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
 				&lsa_account_mapping,
-				r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+				r->in.sid, owner_access);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2886,7 +2894,7 @@ NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
         /* get the generic lsa account SD for this SID until we store it */
         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                 &lsa_account_mapping,
-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+				NULL, 0);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }
@@ -2957,7 +2965,7 @@ NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
         /* get the generic lsa account SD for this SID until we store it */
         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                 &lsa_account_mapping,
-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+				NULL, 0);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }
author	Jeremy Allison <jra@samba.org>	2012-04-17 12:30:15 -0700
committer	Karolin Seeger <kseeger@samba.org>	2012-04-27 20:25:33 +0200
commit	5bdabda9e2143b1188f52533a4fa3f838b6066c9 (patch)
tree	03f05ee18136b5231030484ec0ef89880f6ff258
parent	49808d01df79d67bc98f9c993b38c3ed49e892b4 (diff)
download	samba-5bdabda9e2143b1188f52533a4fa3f838b6066c9.tar.gz