From 292601f44d47794ac1866c72c53852fa69199062 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 9 Mar 2015 14:21:22 -0700
Subject: [PATCH 1/2] s4: lib: auth: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields.
Packet traces showing such servers are found in the bug this fixes: https://bugzilla.samba.org/show_bug.cgi?id=10016
Signed-off-by: Jeremy Allison
Reviewed-by: Michael Adam
(cherry picked from commit 5137af570d8a173d7775754ad2e60d6d8efbe3a2)
---
 auth/ntlmssp/ntlmssp_client.c | 40 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index f99257d..d8531e4c 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -132,12 +132,13 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 talloc_get_type_abort(gensec_security->private_data,
 struct gensec_ntlmssp_context);
 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
- uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
+ uint32_t chal_flags, ntlmssp_command, unkn1 = 0, unkn2 = 0;
 DATA_BLOB server_domain_blob;
 DATA_BLOB challenge_blob;
 DATA_BLOB target_info = data_blob(NULL, 0);
 char *server_domain;
 const char *chal_parse_string;
+ const char *chal_parse_string_short = NULL;
 const char *auth_gen_string;
 DATA_BLOB lm_response = data_blob(NULL, 0);
 DATA_BLOB nt_response = data_blob(NULL, 0);
@@ -178,6 +179,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 chal_parse_string = "CdUdbddB";
 } else {
 chal_parse_string = "CdUdbdd";
+ chal_parse_string_short = "CdUdb";
 }
 auth_gen_string = "CdBBUUUBd";
 } else {
@@ -185,6 +187,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 chal_parse_string = "CdAdbddB";
 } else {
 chal_parse_string = "CdAdbdd";
+ chal_parse_string_short = "CdAdb";
 }
 auth_gen_string = "CdBBAAABd";
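Review bot: `const char *chal_parse_string_short = NULL;` is added to the declaration block without a comment, so a reader cannot tell why a second parse format exists until the retry code much further down the function. Suggest annotating the declaration: `/* chal_parse_string minus the two trailing reserved 'd' fields; NULL when no fallback parse applies */`. The next two hunks set it only in the branch that picks the shorter chal_parse_string, which the commit message identifies as the NTLMSSP_NEGOTIATE_TARGET_INFO-absent case (the condition itself is outside the hunk). The same declaration is added to source3/libsmb/ntlmssp.c in the second patch. ntlmssp_client_challenge's body continues past this hunk.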
@@ -199,10 +202,39 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 &challenge_blob, 8,
 &unkn1, &unkn2,
 &target_info)) {
+
+ bool ok = false;
+
 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
- dump_data(2, in.data, in.length);
- talloc_free(mem_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+
+ if (chal_parse_string_short != NULL) {
+ /*
+ * In the case where NTLMSSP_NEGOTIATE_TARGET_INFO
+ * is not used, some NTLMSSP servers don't return
+ * the unused unkn1 and unkn2 fields.
+ * See bug:
+ * https://bugzilla.samba.org/show_bug.cgi?id=10016
+ * for packet traces.
+ * Try and parse again without them.
+ */
+ ok = msrpc_parse(mem_ctx,
+ &in, chal_parse_string_short,
+ "NTLMSSP",
+ &ntlmssp_command,
+ &server_domain,
+ &chal_flags,
+ &challenge_blob, 8);
+ if (!ok) {
+ DEBUG(1, ("Failed to short parse "
+ "the NTLMSSP Challenge: (#2)\n"));
+ }
+ }
+
+ if (!ok) {
+ dump_data(2, in.data, in.length);
+ talloc_free(mem_ctx);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
 }
 if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
--
2.2.0.rc0.207.ga3a616c
From fdee1f79bf5ee477eec5ee47bc6ce25bbbe2c98a Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 9 Mar 2015 14:27:43 -0700
Subject: [PATCH 2/2] s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields.
Packet traces showing such servers are found in the bug this fixes: https://bugzilla.samba.org/show_bug.cgi?id=10016
Signed-off-by: Jeremy Allison
Reviewed-by: Michael Adam
Autobuild-User(master): Michael Adam
Autobuild-Date(master): Thu Mar 19 12:05:56 CET 2015 on sn-devel-104
(cherry picked from commit ffe33940faa6fb762fd2483f0245448b0434be00)
---
 source3/libsmb/ntlmssp.c | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 617b34b..e661aeb 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
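Review bot: `DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));` is still emitted before the short-format retry is attempted, so every challenge that the fallback then accepts is logged at level 1 as a parse failure — exactly the servers this commit is meant to cope with will now produce a spurious failure line on each authentication, which is misleading when someone is triaging logs for real NTLMSSP problems. Move that DEBUG(1) into the final `if (!ok)` block next to the dump_data call, and log the retry itself at a lower level before the short msrpc_parse, e.g. `DEBUG(10, ("Full NTLMSSP Challenge parse failed, retrying without the reserved fields\n"));`. The same ordering appears in the matching hunk of source3/libsmb/ntlmssp.c in the second patch and should be fixed there too. The enclosing ntlmssp_client_challenge starts and ends outside this hunk.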
@@ -359,12 +359,13 @@ static NTSTATUS ntlmssp3_client_challenge(struct ntlmssp_state *ntlmssp_state,
 TALLOC_CTX *out_mem_ctx, /* Unused at this time */
 const DATA_BLOB reply, DATA_BLOB *next_request)
 {
- uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
+ uint32_t chal_flags, ntlmssp_command, unkn1 = 0, unkn2 = 0;
 DATA_BLOB server_domain_blob;
 DATA_BLOB challenge_blob;
 DATA_BLOB struct_blob = data_blob_null;
 char *server_domain;
 const char *chal_parse_string;
+ const char *chal_parse_string_short = NULL;
 const char *auth_gen_string;
 DATA_BLOB lm_response = data_blob_null;
 DATA_BLOB nt_response = data_blob_null;
@@ -474,6 +475,7 @@ noccache:
 chal_parse_string = "CdUdbddB";
 } else {
 chal_parse_string = "CdUdbdd";
+ chal_parse_string_short = "CdUdb";
 }
 auth_gen_string = "CdBBUUUBd";
 } else {
@@ -481,6 +483,7 @@ noccache:
 chal_parse_string = "CdAdbddB";
 } else {
 chal_parse_string = "CdAdbdd";
+ chal_parse_string_short = "CdAdb";
 }
 auth_gen_string = "CdBBAAABd";
@@ -497,9 +500,38 @@ noccache:
 &challenge_blob, 8,
 &unkn1, &unkn2,
 &struct_blob)) {
+
+ bool ok = false;
+
 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
- dump_data(2, reply.data, reply.length);
- return NT_STATUS_INVALID_PARAMETER;
+
+ if (chal_parse_string_short != NULL) {
+ /*
+ * In the case where NTLMSSP_NEGOTIATE_TARGET_INFO
+ * is not used, some NTLMSSP servers don't return
+ * the unused unkn1 and unkn2 fields.
+ * See bug:
+ * https://bugzilla.samba.org/show_bug.cgi?id=10016
+ * for packet traces.
+ * Try and parse again without them.
+ */
+ ok = msrpc_parse(ntlmssp_state, &reply,
+ chal_parse_string_short,
+ "NTLMSSP",
+ &ntlmssp_command,
+ &server_domain,
+ &chal_flags,
+ &challenge_blob, 8);
+ if (!ok) {
+ DEBUG(1, ("Failed to short parse "
+ "the NTLMSSP Challenge: (#2)\n"));
+ }
+ }
+
+ if (!ok) {
+ dump_data(2, reply.data, reply.length);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
 }
 if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
--
2.2.0.rc0.207.ga3a616c