diff options
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-04-28 20:34:36 +1200 |
|---|---|---|
| committer | Jule Anger <janger@samba.org> | 2023-03-20 10:04:29 +0100 |
| commit | b7af8aa2552e0690aac58fb98e3134b71f678ece (patch) | |
| tree | cc81b80f2467adcd87dc3c0ca991de880213f4f2 | |
| parent | 6b92716e7f89e22cedbf196b97a0203c54608e7a (diff) | |
| download | samba-b7af8aa2552e0690aac58fb98e3134b71f678ece.tar.gz | |
CVE-2023-0225 CVE-2020-25720 s4/dsdb/util: Add functions for dsHeuristics 28, 29
These are the newly-added AttributeAuthorizationOnLDAPAdd and
BlockOwnerImplicitRights.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0af5706b559e89c77123ed174b41fd3d01705aa5)
[abartlet@samba.org This patch is needed for a clean backport of
CVE-2023-0225 as these constants are used in the acl_modify test
even when this behaviour is not itself used.]
| -rw-r--r-- | libds/common/flags.h | 2 | ||||
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/util.c | 40 |
2 files changed, 42 insertions, 0 deletions
diff --git a/libds/common/flags.h b/libds/common/flags.h index 75e04b0c488..bee1016b294 100644 --- a/libds/common/flags.h +++ b/libds/common/flags.h @@ -258,6 +258,8 @@ #define DS_HR_KVNOEMUW2K 0x00000011 #define DS_HR_TWENTIETH_CHAR 0x00000014 +#define DS_HR_ATTR_AUTHZ_ON_LDAP_ADD 0x0000001C +#define DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS 0x0000001D #define DS_HR_THIRTIETH_CHAR 0x0000001E #define DS_HR_FOURTIETH_CHAR 0x00000028 #define DS_HR_FIFTIETH_CHAR 0x00000032 diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index 9e00aedd09e..c2949f0734d 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c @@ -1433,6 +1433,46 @@ bool dsdb_do_list_object(struct ldb_module *module, return result; } +bool dsdb_attribute_authz_on_ldap_add(struct ldb_module *module, + TALLOC_CTX *mem_ctx, + struct ldb_request *parent) +{ + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + bool result = false; + const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module, + tmp_ctx, + parent); + if (hr_val != NULL && hr_val->length >= DS_HR_ATTR_AUTHZ_ON_LDAP_ADD) { + uint8_t val = hr_val->data[DS_HR_ATTR_AUTHZ_ON_LDAP_ADD - 1]; + if (val != '0' && val != '2') { + result = true; + } + } + + talloc_free(tmp_ctx); + return result; +} + +bool dsdb_block_owner_implicit_rights(struct ldb_module *module, + TALLOC_CTX *mem_ctx, + struct ldb_request *parent) +{ + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + bool result = false; + const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module, + tmp_ctx, + parent); + if (hr_val != NULL && hr_val->length >= DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS) { + uint8_t val = hr_val->data[DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS - 1]; + if (val != '0' && val != '2') { + result = true; + } + } + + talloc_free(tmp_ctx); + return result; +} + /* show the chain of requests, useful for debugging async requests */ |