~ubuntu-branches/ubuntu/lucid/samba/lucid-security


Viewing changes to debian/patches/CVE-2012-2111.patch

  • Committer: Package Import Robot
  • Author(s): Tyler Hicks
  • Date: 2012-04-24 15:49:30 UTC
  • Revision ID: package-import@ubuntu.com-20120424154930-p2ixlter8kizi8re
Tags: 2:3.4.7~dfsg-1ubuntu3.10
* SECURITY UPDATE: Authenticated user can take ownership of arbitrary files
  and directories
  - debian/patches/CVE-2012-2111.patch: Remove excessive permissions granted
    in account related Local Security Authority remote procedure calls.
    Based on upstream patch.
  - CVE-2012-2111

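--- a/debian/patches/CVE-2012-2111.patch
+++ b/debian/patches/CVE-2012-2111.patch
@@ -0,0 +1,103 @@
+From 5333a7040ba5c9e23649d38f4da78cd63cbb7051 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 17 Apr 2012 16:39:00 -0700
+Subject: [PATCH] Fix bug #8873 - self granting privileges in security=ads.
+ 
+Origin: other, https://bugzilla.samba.org/attachment.cgi?id=7463
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=8873
+ 
+Index: samba-3.4.7~dfsg/source3/rpc_server/srv_lsa_nt.c
+===================================================================
+--- samba-3.4.7~dfsg.orig/source3/rpc_server/srv_lsa_nt.c       2010-03-08 13:53:38.000000000 -0600
++++ samba-3.4.7~dfsg/source3/rpc_server/srv_lsa_nt.c    2012-04-24 00:49:11.516355530 -0500
+@@ -1579,6 +1579,15 @@
+ {
+        struct lsa_info *handle;
+        struct lsa_info *info;
++       uint32 des_access = r->in.access_mask;
++       uint32 acc_granted;
++       uint32 owner_access = (LSA_ACCOUNT_ALL_ACCESS &
++                       ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
++                       LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
++                       DELETE_ACCESS));
++       SEC_DESC *psd = NULL;
++       size_t sd_size;
++       NTSTATUS status;
+ 
+        /* find the connection policy handle. */
+        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
+@@ -1600,6 +1609,27 @@
+        if ( is_privileged_sid( r->in.sid ) )
+                return NT_STATUS_OBJECT_NAME_COLLISION;
+ 
++       /* Work out max allowed. */
++       map_max_allowed_access(p->server_info->ptok, &des_access);
++
++       /* map the generic bits to the lsa policy ones */
++       se_map_generic(&des_access, &lsa_policy_mapping);
++
++       /* get the generic lsa policy SD until we store it */
++       status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
++                       r->in.sid, owner_access);
++       if (!NT_STATUS_IS_OK(status)) {
++               return status;
++       }
++
++       status = access_check_object(psd, p->server_info->ptok,
++               NULL, 0, des_access,
++               &acc_granted, "_lsa_CreateAccont" );
++
++       if (!NT_STATUS_IS_OK(status)) {
++               return status;
++       }
++
+        /* associate the user/group SID with the (unique) handle. */
+ 
+        info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
+@@ -1608,7 +1638,7 @@
+        }
+ 
+        info->sid = *r->in.sid;
+-       info->access = r->in.access_mask;
++       info->access = acc_granted;
+        info->type = LSA_HANDLE_ACCOUNT_TYPE;
+ 
+        /* get a (unique) handle.  open a policy on it. */
+@@ -1631,6 +1661,10 @@
+        size_t sd_size;
+        uint32_t des_access = r->in.access_mask;
+        uint32_t acc_granted;
++       uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
++                       ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
++                       LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
++                       STD_RIGHT_DELETE_ACCESS));
+        NTSTATUS status;
+ 
+        /* find the connection policy handle. */
+@@ -1653,7 +1687,7 @@
+        /* get the generic lsa account SD until we store it */
+        status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
+                                &lsa_account_mapping,
+-                               r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
++                               r->in.sid, owner_access);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+@@ -2070,7 +2104,7 @@
+         /* get the generic lsa account SD for this SID until we store it */
+         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
+                                 &lsa_account_mapping,
+-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
++                                NULL, 0);
+         if (!NT_STATUS_IS_OK(status)) {
+                 return status;
+         }
+@@ -2141,7 +2175,7 @@
+         /* get the generic lsa account SD for this SID until we store it */
+         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
+                                 &lsa_account_mapping,
+-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
++                                NULL, 0);
+         if (!NT_STATUS_IS_OK(status)) {
+                 return status;
+         }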
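Review bot: The access check added in the `@@ -1600,6 +1609,27 @@` hunk maps `des_access` and builds the security descriptor with `lsa_policy_mapping`, although `owner_access` is composed of `LSA_ACCOUNT_*` bits and the path patched at `@@ -1653,7 +1687,7 @@` uses `lsa_account_mapping` for the same kind of handle. If the object being checked is an account, the generic bits should presumably be mapped with `se_map_generic(&des_access, &lsa_account_mapping);` and the same mapping passed to `make_lsa_object_sd`; this is worth confirming against the upstream fix before relying on the granted mask stored in `info->access`. The tag passed to `access_check_object` is misspelled, and `"_lsa_CreateAccont"` should read `"_lsa_CreateAccount"` so that denied requests can be found by function name in the logs. The first hunk also declares `uint32` and uses `DELETE_ACCESS` where the `@@ -1631,6 +1661,10 @@` hunk uses `uint32_t` and `STD_RIGHT_DELETE_ACCESS`; whether both spellings are defined in this tree is not visible here. The patched function bodies start and end outside the hunks.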