Tompkins, Michael
2015-Feb-02  16:19 UTC
[Samba] Can login with a bogus username which ends with a "/" or a "\"
We have noticed that if a username that ends in a "\" or a "/" tries
to log in, then the workspace becomes the user name (up to the "/" or
"\") and the username is empty, allowing a bogus user to authenticate:
it calls cli_session_setup_guest() to log in anonymously. This is done
in cli_session_setup():
                /* allow for workgroups as part of the username */
                if ((p=strchr_m(user2,'\\')) ||
                    (p=strchr_m(user2,'/')) ||
                    (p=strchr_m(user2,*lp_winbind_separator()))) {
                        *p = 0;
                        user = p+1;
                        if (!strupper_m(user2)) {
                                return NT_STATUS_INVALID_PARAMETER;
                        }
                        workgroup = user2;
                }
I'm guessing that this was intended for a "WORKSPACE/USERNAME"
construct and not for just "USERNAME/". We use smbclient to
authenticate users for access to services on our machine, so letting
bogus users log on is not a good thing.
In popt_common_credentials_callback() I added the code:
                case 'U':
                        {
                                char *lp;
                                char *puser = SMB_STRDUP(arg);
                                if ((lp=strchr_m(puser,'%'))) {
                                        size_t len;
                                        *lp = 0;
                                        len = strlen(puser)-1;                                  // +++ added code
                                        if ( (*(puser+len) == '\\') || (*(puser+len) == '/') )  // +++ added code
                                                *(puser+len) = 0;                               // +++ added code
                                        set_cmdline_auth_info_username(auth_info, puser);
                                        set_cmdline_auth_info_password(auth_info, lp+1);
                                        len = strlen(lp+1);
                                        memset(strchr_m(arg,'%')+1,'X',len);
                                } else {
                                        set_cmdline_auth_info_username(auth_info, puser);
                                }
                                SAFE_FREE(puser);
                        }
                        break;
Are there use cases which we aren't thinking of, or does this modification
make sense? Please let us know.
Regards,
Mike
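As an added example, not Samba's code and not part of the post above: a stand-alone C model of the "workgroup separator" split quoted from cli_session_setup(), placed next to a strict variant that refuses to proceed when the user part comes out empty. It goes a little beyond the post: the empty-user check is applied whether or not a "%password" suffix is present, and for the winbind separator as well as "\" and "/". The names split_permissive, split_strict and struct creds, and the '+' standing in for lp_winbind_separator(), are assumptions made for this example; the sample -U arguments are constructed.

```c
/* Added example, not Samba code: a stand-alone model of the workgroup
 * separator split quoted from cli_session_setup(), beside a strict
 * variant that refuses an empty user part. Assumed names: split_permissive,
 * split_strict, struct creds; '+' stands in for lp_winbind_separator(). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define WINBIND_SEPARATOR '+'   /* assumption; Samba reads it from smb.conf */

struct creds {
    char workgroup[64], user[64], password[64];
    int anonymous;              /* 1 when the user part came out empty */
};

/* Permissive split, trying separators in the quoted order ('\\', '/',
 * winbind separator). Text before it becomes the upper-cased workgroup,
 * text after it the user, so "alice/" gives workgroup "ALICE" and an empty
 * user: the state that falls through to a guest session. An optional
 * "%password" suffix is cut off first, as smbclient's -U parsing does.
 * Returns 0, or -1 if the input does not fit the buffer. */
static int split_permissive(const char *arg, struct creds *out)
{
    char buf[192], *p, *user = buf;

    memset(out, 0, sizeof(*out));
    if (strlen(arg) >= sizeof(buf)) {
        return -1;
    }
    strcpy(buf, arg);

    if ((p = strchr(buf, '%')) != NULL) {
        *p = '\0';
        snprintf(out->password, sizeof(out->password), "%s", p + 1);
    }
    if ((p = strchr(buf, '\\')) || (p = strchr(buf, '/')) ||
        (p = strchr(buf, WINBIND_SEPARATOR))) {
        *p = '\0';
        user = p + 1;
        for (p = buf; *p; p++) {
            *p = (char)toupper((unsigned char)*p);
        }
        snprintf(out->workgroup, sizeof(out->workgroup), "%s", buf);
    }
    snprintf(out->user, sizeof(out->user), "%s", user);
    out->anonymous = (out->user[0] == '\0');
    return 0;
}

/* Strict split: same parsing, but an empty user (trailing separator, lone
 * separator, or nothing before '%') or a user that still contains a
 * separator is rejected rather than being allowed to go anonymous. */
static int split_strict(const char *arg, struct creds *out)
{
    const char seps[] = { '\\', '/', WINBIND_SEPARATOR, '\0' };

    if (split_permissive(arg, out) != 0 || out->user[0] == '\0' ||
        strpbrk(out->user, seps) != NULL) {
        return -1;
    }
    return 0;
}

/* Helpers exposing the outcome as plain return values. */
static int permissive_is_anonymous(const char *arg)
{
    struct creds c;
    return split_permissive(arg, &c) == 0 ? c.anonymous : -1;
}

static int strict_parses_to(const char *arg, const char *workgroup,
                            const char *user, const char *password)
{
    struct creds c;
    return split_strict(arg, &c) == 0 &&
           strcmp(c.workgroup, workgroup) == 0 &&
           strcmp(c.user, user) == 0 &&
           strcmp(c.password, password) == 0;
}

int main(void)
{
    /* Constructed sample -U arguments; none are real credentials. */
    const char *samples[] = { "WORKGROUP\\alice%secret", "alice/",
                              "alice%secret", "\\", "/%pw" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct creds c;
        int rc = split_strict(samples[i], &c);
        printf("%-24s user=\"%s\" anonymous=%d strict=%s\n", samples[i],
               c.user, c.anonymous, rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The permissive half reproduces the behaviour the post describes ("alice/" parses to workgroup ALICE and an empty user); the strict half makes the decision explicit at parse time, so an empty user is a parameter error rather than something a later code path has to remember to treat as non-anonymous.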
Tompkins, Michael
2015-Feb-09  13:22 UTC
[Samba] Can login with a bogus username which ends with a "/" or a "\"
Re-submitting question, hoping for a yay or nay on the change as to whether my
logic is correct or not ...
Thank you in advance,
- Mike
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Tompkins, Michael
Sent: Monday, February 02, 2015 11:19 AM
To: samba at lists.samba.org
Cc: USA Xerox Samba
Subject: [Samba] Can login with a bogus username which ends with a "/"
or a "\"