diff options
| -rw-r--r-- | source4/libcli/auth/ntlm_check.c | 23 | ||||
| -rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 21 |
2 files changed, 27 insertions, 17 deletions
diff --git a/source4/libcli/auth/ntlm_check.c b/source4/libcli/auth/ntlm_check.c index eab150ad4d..f101b230d4 100644 --- a/source4/libcli/auth/ntlm_check.c +++ b/source4/libcli/auth/ntlm_check.c @@ -326,10 +326,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, so use it only if we otherwise allow LM authentication */ if (lp_lanman_auth() && lm_pw) { - uint8_t first_8_lm_hash[16]; - memcpy(first_8_lm_hash, lm_pw, 8); - memset(first_8_lm_hash + 8, '\0', 8); - *lm_sess_key = data_blob(first_8_lm_hash, 16); + *lm_sess_key = data_blob(lm_pw, 8); } return NT_STATUS_OK; } else { @@ -367,11 +364,17 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, if (smb_pwd_check_ntlmv1(lm_response, lm_pw, challenge, NULL)) { - uint8_t first_8_lm_hash[16]; - memcpy(first_8_lm_hash, lm_pw, 8); - memset(first_8_lm_hash + 8, '\0', 8); - *user_sess_key = data_blob(first_8_lm_hash, 16); - *lm_sess_key = data_blob(first_8_lm_hash, 16); + /* The session key for this response is still very odd. + It not very secure, so use it only if we otherwise + allow LM authentication */ + + if (lp_lanman_auth() && lm_pw) { + uint8_t first_8_lm_hash[16]; + memcpy(first_8_lm_hash, lm_pw, 8); + memset(first_8_lm_hash + 8, '\0', 8); + *user_sess_key = data_blob(first_8_lm_hash, 16); + *lm_sess_key = data_blob(lm_pw, 8); + } return NT_STATUS_OK; } } @@ -431,7 +434,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, memcpy(first_8_lm_hash, lm_pw, 8); memset(first_8_lm_hash + 8, '\0', 8); *user_sess_key = data_blob(first_8_lm_hash, 16); - *lm_sess_key = data_blob(first_8_lm_hash, 16); + *lm_sess_key = data_blob(lm_pw, 8); } return NT_STATUS_OK; } diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 933f28d84a..301f2ed041 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -543,6 +543,16 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT sam->domain_sid = dom_sid_dup(mem_ctx, server_info->user_sid); sam->domain_sid->num_auths--; + sam->AccountControl = 0; + + sam->unknown1 = 0; + sam->unknown2 = 0; + sam->unknown3 = 0; + sam->unknown4 = 0; + sam->unknown5 = 0; + sam->unknown6 = 0; + sam->unknown7 = 0; + sam->sidcount = 0; sam->sids = NULL; @@ -552,9 +562,9 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT ZERO_STRUCT(sam->key.key); } + /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ if (memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) { - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ creds_arcfour_crypt(pipe_state->creds, sam->key.key, sizeof(sam->key.key)); @@ -567,6 +577,7 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT ZERO_STRUCT(sam->LMSessKey.key); } + /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ if (memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) { creds_arcfour_crypt(pipe_state->creds, @@ -584,11 +595,9 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT sam2->acct_expiry = sam->acct_expiry; sam2->last_password_change = sam->last_password_change; - sam2->allow_password_change = sam->allow_password_change; - - sam2->force_password_change = sam->force_password_change; + sam2->allow_password_change = sam->allow_password_change; + sam2->force_password_change = sam->force_password_change; - sam2->account_name = sam->account_name; sam2->full_name = sam->full_name; sam2->logon_script = sam->logon_script; @@ -617,8 +626,6 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT sam2->AccountControl = sam->AccountControl; - /* can we implicit memcpy an array? */ - sam2->unknown1 = sam->unknown1; sam2->unknown2 = sam->unknown2; sam2->unknown3 = sam->unknown3; |