Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 23 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 12 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe_hnd.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 18 |
4 files changed, 42 insertions, 13 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index e6d005b157..e8bc6345de 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -683,7 +683,8 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
 pstring my_name;
 fstring user_sid_string;
 fstring group_sid_string;
- uchar user_sess_key[16];
+ uchar nt_session_key[16];
+ uchar lm_session_key[16];
 uchar netlogon_sess_key[16];
 sampw = server_info->sam_account;
@@ -718,10 +719,18 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
 ZERO_STRUCT(netlogon_sess_key);
 memcpy(netlogon_sess_key, p->dc.sess_key, 8);
- memcpy(user_sess_key, server_info->session_key, sizeof(user_sess_key));
- SamOEMhash(user_sess_key, netlogon_sess_key, 16);
+ if (server_info->nt_session_key.length) {
+ memcpy(nt_session_key, server_info->nt_session_key.data,
+ MIN(sizeof(nt_session_key), server_info->nt_session_key.length));
+ SamOEMhash(nt_session_key, netlogon_sess_key, 16);
+ }
+ if (server_info->lm_session_key.length) {
+ memcpy(lm_session_key, server_info->lm_session_key.data,
+ MIN(sizeof(lm_session_key), server_info->lm_session_key.length));
+ SamOEMhash(lm_session_key, netlogon_sess_key, 16);
+ }
 ZERO_STRUCT(netlogon_sess_key);
-
+
 init_net_user_info3(p->mem_ctx, usr_info, user_rid, group_rid,
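Review bot: `nt_session_key` and `lm_session_key` are declared without an initializer in the first hunk (line 683), and the new `memcpy` calls copy only `MIN(sizeof(...), length)` bytes, so a blob shorter than 16 bytes leaves the tail of the array holding whatever was on the stack, which `SamOEMhash(..., 16)` then encrypts and the third hunk passes to `init_net_user_info3` (presumably for the reply to the client). Whether a caller can actually supply a shorter blob is not visible here, but the cheap fix is to clear both arrays before the copies, `ZERO_STRUCT(nt_session_key); ZERO_STRUCT(lm_session_key);`, or to reject lengths other than 16 the way the srv_pipe.c hunk in this commit does. The `ZERO_STRUCT` calls added at the end of the third hunk run only after the keys have been used, so they do not cover this. `_net_sam_logon` starts before and ends after these hunks.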
@@ -743,14 +752,16 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
 num_gids, /* uint32 num_groups */
 gids , /* DOM_GID *gids */
 0x20 , /* uint32 user_flgs (?) */
- user_sess_key,
+ server_info->nt_session_key.length ? nt_session_key : NULL,
+ server_info->lm_session_key.length ? lm_session_key : NULL,
 my_name , /* char *logon_srv */
 pdb_get_domain(sampw),
 &domain_sid, /* DOM_SID *dom_sid */
 /* Should be users domain sid, not servers - for trusted domains */
 NULL); /* char *other_sids */
- ZERO_STRUCT(user_sess_key);
+ ZERO_STRUCT(nt_session_key);
+ ZERO_STRUCT(lm_session_key);
 }
 free_server_info(&server_info);
 return status;
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 96261c665f..fa24efe589 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -420,9 +420,15 @@ failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
 * Set up the sign/seal data.
 */
- {
+ if (server_info->lm_session_key.length != 16) {
+ DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
+succeeded authentication on named pipe %s, but session key was of incorrect length [%u].\n",
+ domain, user_name, wks, p->name, server_info->lm_session_key.length));
+ free_server_info(&server_info);
+ return False;
+ } else {
 uchar p24[24];
- NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
+ NTLMSSPOWFencrypt(server_info->lm_session_key.data, lm_owf, p24);
 {
 unsigned char j = 0;
 int ind;
@@ -468,7 +474,7 @@ failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
 */
- memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
+ p->session_key = data_blob(server_info->lm_session_key.data, server_info->lm_session_key.length);
 p->pipe_user.uid = server_info->uid;
 p->pipe_user.gid = server_info->gid;
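Review bot: The new `DEBUG(1, ...)` call in the srv_pipe.c hunk at line 420 prints `server_info->lm_session_key.length` with `%u`; the type of `length` is not visible here, but if it is a `size_t` (as Samba's DATA_BLOB uses) the specifier is mismatched on 64-bit targets and the logged value is unreliable. Cast it explicitly: `domain, user_name, wks, p->name, (unsigned int)server_info->lm_session_key.length));`. The strict `!= 16` check is what makes the unsized `.data` pointer safe to hand to `NTLMSSPOWFencrypt`, which takes no length argument, and that is worth saying in a one-line comment above the `if`, `/* the sign/seal setup below reads a fixed 16-byte key from .data */`. `api_pipe_ntlmssp_verify` starts before and ends after this hunk.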
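Review bot: `p->session_key = data_blob(...)` in the hunk at line 468 replaces a fixed in-struct array with a separately allocated blob, and neither this hunk nor the matching one in srv_pipe_hnd.c at line 342 shows what happens to a blob already stored in `p->session_key` (a pipe that is bound more than once) or who releases it when the pipe is closed. Unless the pipe teardown outside this diff already frees it, this leaks key material; free the previous value before assigning, and because these bytes are a session key the release should clear them rather than just free them, e.g. `data_blob_clear_free(&p->session_key);` immediately before the assignment if that helper is available in this tree, otherwise an explicit memset before the free. Both enclosing functions continue outside their hunks.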
diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index 57e45d477f..a9fd9ec652 100644
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -342,7 +342,7 @@ static void *make_internal_rpc_pipe_p(char *pipe_name,
 /* Store the session key and NT_TOKEN */
 if (vuser) {
- memcpy(p->session_key, vuser->session_key, sizeof(p->session_key));
+ p->session_key = data_blob(vuser->session_key.data, vuser->session_key.length);
 p->pipe_user.nt_user_token = dup_nt_token(vuser->nt_user_token);
 }
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 1cfa8b2853..1debf90d23 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2953,7 +2953,13 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
 break;
 case 24:
- SamOEMhash(ctr->info.id24->pass, p->session_key, 516);
+ if (p->session_key.length != 16) {
+ /* we may have no session key at all,
+ and we don't know how to do the SamOEMhash
+ for length != 16 */
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+ SamOEMhash(ctr->info.id24->pass, p->session_key.data, 516);
 dump_data(100, (char *)ctr->info.id24->pass, 516);
@@ -2971,7 +2977,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
 * info level and W2K SP2 drops down to level 23... JRA.
 */
- SamOEMhash(ctr->info.id25->pass, p->session_key, 532);
+ if (p->session_key.length != 16) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+ SamOEMhash(ctr->info.id25->pass, p->session_key.data, 532);
 dump_data(100, (char *)ctr->info.id25->pass, 532);
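Review bot: The guard `if (p->session_key.length != 16) return NT_STATUS_NO_USER_SESSION_KEY;` is pasted verbatim before the SamOEMhash call in the srv_samr_nt.c hunk at line 2953 and again in the hunks at lines 2971 and 2982, and only the first copy carries the comment explaining that the pipe may have no key at all and that SamOEMhash is only defined for a 16-byte key. Since this check is the thing that stops an encrypted password buffer from being "decrypted" with an absent or wrong-sized key, keep it in one place: a small static helper documents the precondition once, and each of the three call sites shrinks to `if (!samr_have_session_key(p)) { return NT_STATUS_NO_USER_SESSION_KEY; }`. `_samr_set_userinfo` starts before and ends after all three hunks.
```c
/* SamOEMhash is only defined for a 16-byte key. The pipe may carry no
 * session key at all (length 0), and other lengths are not supported,
 * so info levels that carry an encrypted password must refuse to
 * decrypt rather than use whatever bytes happen to be there. */
static BOOL samr_have_session_key(const pipes_struct *p)
{
	return p->session_key.length == 16;
}

/* … unchanged: _samr_set_userinfo up to case 24 … */
	if (!samr_have_session_key(p)) {
		return NT_STATUS_NO_USER_SESSION_KEY;
	}
	SamOEMhash(ctr->info.id24->pass, p->session_key.data, 516);
/* … unchanged: levels 25 and 23 use the same two-line guard … */
```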
@@ -2982,7 +2991,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
 return NT_STATUS_INVALID_INFO_CLASS;
 case 23:
- SamOEMhash(ctr->info.id23->pass, p->session_key, 516);
+ if (p->session_key.length != 16) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+ SamOEMhash(ctr->info.id23->pass, p->session_key.data, 516);
 dump_data(100, (char *)ctr->info.id23->pass, 516);