diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-06-14 15:23:55 +1200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-24 11:42:02 +0200 |
commit | 389851bcf399f9511e2cb797350c37ce91aa5849 (patch) | |
tree | dd7ae13bb764b00d06d6597c807f7d4149a75b1d | |
parent | abdac4241dd08dd90a08db877edd799f3833c2b4 (diff) | |
download | samba-389851bcf399f9511e2cb797350c37ce91aa5849.tar.gz |
CVE-2022-2031 tests/krb5: Test truncated forms of server principals
We should not be able to use krb@REALM instead of krbtgt@REALM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed conflicts due to having older version of
_run_as_req_enc_timestamp()]
-rwxr-xr-x | python/samba/tests/krb5/as_req_tests.py | 40 | ||||
-rw-r--r-- | selftest/knownfail_heimdal_kdc | 4 | ||||
-rw-r--r-- | selftest/knownfail_mit_kdc | 4 |
3 files changed, 44 insertions, 4 deletions
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 315720f85d6..054a49b64aa 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -27,6 +27,7 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest import samba.tests.krb5.kcrypto as kcrypto import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_S_PRINCIPAL_UNKNOWN, KDC_ERR_ETYPE_NOSUPP, KDC_ERR_PREAUTH_REQUIRED, KU_PA_ENC_TIMESTAMP, @@ -40,7 +41,8 @@ global_hexdump = False class AsReqBaseTest(KDCBaseTest): - def _run_as_req_enc_timestamp(self, client_creds): + def _run_as_req_enc_timestamp(self, client_creds, sname=None, + expected_error=None): client_account = client_creds.get_username() client_as_etypes = self.get_default_enctypes() client_kvno = client_creds.get_kvno() @@ -50,8 +52,9 @@ class AsReqBaseTest(KDCBaseTest): cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, names=[client_account]) - sname = self.PrincipalName_create(name_type=NT_SRV_INST, - names=[krbtgt_account, realm]) + if sname is None: + sname = self.PrincipalName_create(name_type=NT_SRV_INST, + names=[krbtgt_account, realm]) expected_crealm = realm expected_cname = cname @@ -63,7 +66,10 @@ class AsReqBaseTest(KDCBaseTest): initial_etypes = client_as_etypes initial_kdc_options = krb5_asn1.KDCOptions('forwardable') - initial_error_mode = KDC_ERR_PREAUTH_REQUIRED + if expected_error is not None: + initial_error_mode = expected_error + else: + initial_error_mode = KDC_ERR_PREAUTH_REQUIRED rep, kdc_exchange_dict = self._test_as_exchange(cname, realm, @@ -80,6 +86,10 @@ class AsReqBaseTest(KDCBaseTest): None, initial_kdc_options, pac_request=True) + + if expected_error is not None: + return None + etype_info2 = kdc_exchange_dict['preauth_etype_info2'] self.assertIsNotNone(etype_info2) @@ -209,6 +219,28 @@ class AsReqKerberosTests(AsReqBaseTest): client_creds = self.get_mach_creds() self._run_as_req_enc_timestamp(client_creds) + # Ensure we can't use truncated well-known principals such as krb@REALM + # instead of krbtgt@REALM. + def test_krbtgt_wrong_principal(self): + client_creds = self.get_client_creds() + + krbtgt_creds = self.get_krbtgt_creds() + + krbtgt_account = krbtgt_creds.get_username() + realm = krbtgt_creds.get_realm() + + # Truncate the name of the krbtgt principal. + krbtgt_account = krbtgt_account[:3] + + wrong_krbtgt_princ = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=[krbtgt_account, realm]) + + self._run_as_req_enc_timestamp( + client_creds, + sname=wrong_krbtgt_princ, + expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) + if __name__ == "__main__": global_asn1_print = False diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index afb9bcf1209..dbfff5784e6 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -278,3 +278,7 @@ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc +# +# AS-REQ tests +# +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\( diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index c2a31b4a140..0f90ea10299 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -583,3 +583,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc +# +# AS-REQ tests +# +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\( |