author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-05-30 19:18:17 +1200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-24 11:42:02 +0200 |
commit | abdac4241dd08dd90a08db877edd799f3833c2b4 (patch) | |
tree | f5870b987fa681626bf451122c4316d5226f6fd1 | |
parent | 531e7b596d35785bee61f3b4289e38ece1530f94 (diff) | |
download | samba-abdac4241dd08dd90a08db877edd799f3833c2b4.tar.gz |
CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
For Heimdal, this now matches the behaviour of Windows. The object of
this requirement is to ensure we don't allow kpasswd tickets, which have
a lifetime of at most two minutes, to be passed off as TGTs.
An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer
suffices to prevent kpasswd ticket misuse, so this is just an additional
precaution on top.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org As we don't have access to the ticket or the request
in the plugin, rewrote check directly in Heimdal KDC]
-rw-r--r-- | selftest/knownfail_heimdal_kdc | 1 | ||||
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 19 |
2 files changed, 18 insertions, 2 deletions
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 387ccea3ba7..afb9bcf1209 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -275,7 +275,6 @@
 # Kpasswd tests
 #
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 38dba8493ae..15be136496f 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -33,6 +33,9 @@
 #include "kdc_locl.h"
+/* Awful hack to get access to 'struct samba_kdc_entry'. */
+#include "../../kdc/samba_kdc.h"
+
 /*
  * return the realm of a krbtgt-ticket or NULL
  */
@@ -130,6 +133,7 @@ check_PAC(krb5_context context,
 static krb5_error_code
 check_tgs_flags(krb5_context context,
 krb5_kdc_configuration *config,
+ const hdb_entry_ex *krbtgt_in,
 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
 {
 KDCOptions f = b->kdc_options;
@@ -244,6 +248,17 @@ check_tgs_flags(krb5_context context,
 et->endtime = min(*et->renew_till, et->endtime);
 }
+ if (tgt->endtime - kdc_time <= CHANGEPW_LIFETIME) {
+ /* Check that the ticket has not arrived across a trust. */
+ const struct samba_kdc_entry *skdc_entry = krbtgt_in->ctx;
+ if (!skdc_entry->is_trust) {
+ /* This may be a kpasswd ticket rather than a TGT, so don't accept it. */
+ kdc_log(context, config, 0,
+ "Ticket is not a ticket-granting ticket");
+ return KRB5KRB_AP_ERR_TKT_EXPIRED;
+ }
+ }
+
 #if 0
 /* checks for excess flags */
 if(f.request_anonymous && !config->allow_anonymous){
@@ -510,6 +525,7 @@ tgs_make_reply(krb5_context context,
 hdb_entry_ex *client,
 krb5_principal client_principal,
 const char *tgt_realm,
+ const hdb_entry_ex *krbtgt_in,
 hdb_entry_ex *krbtgt,
 krb5_pac mspac,
 uint16_t rodc_id,
@@ -538,7 +554,7 @@ tgs_make_reply(krb5_context context,
 ALLOC(et.starttime);
 *et.starttime = kdc_time;
- ret = check_tgs_flags(context, config, b, tgt, &et);
+ ret = check_tgs_flags(context, config, krbtgt_in, b, tgt, &et);
 if(ret)
 goto out;
@@ -2129,6 +2145,7 @@ server_lookup:
 client,
 cp,
 tgt_realm,
+ krbtgt,
 krbtgt_out,
 mspac,
 rodc_id,
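Review bot: The new block in check_tgs_flags dereferences `krbtgt_in->ctx` and then `skdc_entry->is_trust` without checking either pointer, and `ctx` is backend-private storage that the "Awful hack" include at the top of the file only assumes to be a `struct samba_kdc_entry`; if an entry reaches this point with a NULL ctx the KDC crashes rather than rejecting the ticket. Failing closed is the safer default for a check whose purpose is to stop a kpasswd ticket being accepted as a TGT: `const struct samba_kdc_entry *skdc_entry = krbtgt_in ? krbtgt_in->ctx : NULL;` followed by `if (skdc_entry == NULL || !skdc_entry->is_trust) {`. Whether callers guarantee a non-NULL krbtgt_in is not visible in this hunk; if they do, a one-line comment stating that invariant would make the bare dereference intentional. The log line says the ticket is not a TGT while the error returned is KRB5KRB_AP_ERR_TKT_EXPIRED, so consider logging the remaining lifetime as well, letting an operator distinguish this near-expiry rejection from a genuinely expired ticket; CHANGEPW_LIFETIME is defined outside the hunk and should stay in step with the "two minutes" the title promises. check_tgs_flags starts and continues outside the hunk.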
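Review bot: Adding `krbtgt_in` directly above the existing `krbtgt` parameter of tgs_make_reply leaves the pair ambiguous to a reader, since the call site in the last hunk passes `krbtgt, krbtgt_out` in that order and nothing in the signature says which entry is which. Renaming the existing parameter to `krbtgt_out` to mirror the caller, or adding a comment on the new line such as `/* krbtgt_in: entry used to verify the presented TGT; krbtgt: entry for the ticket being issued -- confirm against callers */`, would make the roles clear at a glance; the role of each entry is inferred from the names here, not shown in the hunk. The same pairing appears at the check_tgs_flags signature hunk. tgs_make_reply's parameter list begins before and continues after this hunk.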