Import fix for CVE-2022-24883 - FreeRDP Server authentication might allow invalid credentials to pass.
This commit is contained in:
Tobias Frost
parent
a8d9578fb9
commit
3f665697f0
6
debian/changelog
vendored
6
debian/changelog
vendored
@ -1,12 +1,14 @@
|
||||
freerdp2 (2.3.0+dfsg1-2+deb10u4) UNRELEASED; urgency=medium
|
||||
|
||||
* Non-maintainer upload by the LTS Security Team.
|
||||
* Previous upload had a typo in the CVE list: It was CVE 2023-40567 not
|
||||
CVE 2023-39357.
|
||||
* Import fix for CVE-2021-41160 - Improper region checks in all clients
|
||||
allow out of bound write to memory (Closes: #1001062)
|
||||
* Import fix for CVE-2022-24882 - Server side NTLM does not properly check
|
||||
parameters.
|
||||
* Previous upload: fix typo in CVE list. It was CVE 2023-40567 not CVE
|
||||
2023-39357.
|
||||
* Import fix for CVE-2022-24883 - FreeRDP Server authentication might allow
|
||||
invalid credentials to pass.
|
||||
|
||||
-- Tobias Frost <tobi@debian.org> Sat, 28 Oct 2023 18:12:57 +0200
|
||||
|
||||
|
||||
100
debian/patches/0052-CVE-2022-24883.patch
vendored
Normal file
100
debian/patches/0052-CVE-2022-24883.patch
vendored
Normal file
@ -0,0 +1,100 @@
|
||||
Description: CVE-2022-24883 - FreeRDP Server authentication might allow invalid credentials to pass
|
||||
Origin: https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144
|
||||
Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwf
|
||||
From 6f473b273a4b6f0cb6aca32b95e22fd0de88e144 Mon Sep 17 00:00:00 2001
|
||||
From: akallabeth <akallabeth@posteo.net>
|
||||
Date: Fri, 22 Apr 2022 14:42:11 +0200
|
||||
Subject: [PATCH] Cleaned up ntlm_fetch_ntlm_v2_hash
|
||||
|
||||
(cherry picked from commit 4661492e5a617199457c8074bad22f766a116cdc)
|
||||
---
|
||||
winpr/libwinpr/sspi/NTLM/ntlm_compute.c | 58 +++++++++++--------------
|
||||
1 file changed, 25 insertions(+), 33 deletions(-)
|
||||
|
||||
--- a/winpr/libwinpr/sspi/NTLM/ntlm_compute.c
|
||||
+++ b/winpr/libwinpr/sspi/NTLM/ntlm_compute.c
|
||||
@@ -282,10 +282,11 @@
|
||||
ntlm_current_time(context->Timestamp);
|
||||
}
|
||||
|
||||
-static int ntlm_fetch_ntlm_v2_hash(NTLM_CONTEXT* context, BYTE* hash)
|
||||
+static BOOL ntlm_fetch_ntlm_v2_hash(NTLM_CONTEXT* context, BYTE* hash)
|
||||
{
|
||||
- WINPR_SAM* sam;
|
||||
- WINPR_SAM_ENTRY* entry;
|
||||
+ BOOL rc = FALSE;
|
||||
+ WINPR_SAM* sam = NULL;
|
||||
+ WINPR_SAM_ENTRY* entry = NULL;
|
||||
SSPI_CREDENTIALS* credentials;
|
||||
|
||||
WINPR_ASSERT(context);
|
||||
@@ -295,48 +296,39 @@
|
||||
sam = SamOpen(context->SamFile, TRUE);
|
||||
|
||||
if (!sam)
|
||||
- return -1;
|
||||
+ goto fail;
|
||||
|
||||
entry = SamLookupUserW(
|
||||
- sam, (LPWSTR)credentials->identity.User, credentials->identity.UserLength * 2,
|
||||
- (LPWSTR)credentials->identity.Domain, credentials->identity.DomainLength * 2);
|
||||
+ sam, (LPWSTR)credentials->identity.User, credentials->identity.UserLength * sizeof(WCHAR),
|
||||
+ (LPWSTR)credentials->identity.Domain, credentials->identity.DomainLength * sizeof(WCHAR));
|
||||
|
||||
- if (entry)
|
||||
+ if (!entry)
|
||||
{
|
||||
-#ifdef WITH_DEBUG_NTLM
|
||||
- WLog_VRB(TAG, "NTLM Hash:");
|
||||
- winpr_HexDump(TAG, WLOG_DEBUG, entry->NtHash, 16);
|
||||
-#endif
|
||||
- NTOWFv2FromHashW(entry->NtHash, (LPWSTR)credentials->identity.User,
|
||||
- credentials->identity.UserLength * 2, (LPWSTR)credentials->identity.Domain,
|
||||
- credentials->identity.DomainLength * 2, (BYTE*)hash);
|
||||
- SamFreeEntry(sam, entry);
|
||||
- SamClose(sam);
|
||||
- return 1;
|
||||
+ entry = SamLookupUserW(sam, (LPWSTR)credentials->identity.User,
|
||||
+ credentials->identity.UserLength * sizeof(WCHAR), NULL, 0);
|
||||
}
|
||||
|
||||
- entry = SamLookupUserW(sam, (LPWSTR)credentials->identity.User,
|
||||
- credentials->identity.UserLength * 2, NULL, 0);
|
||||
+ if (!entry)
|
||||
+ goto fail;
|
||||
|
||||
- if (entry)
|
||||
- {
|
||||
#ifdef WITH_DEBUG_NTLM
|
||||
WLog_VRB(TAG, "NTLM Hash:");
|
||||
winpr_HexDump(TAG, WLOG_DEBUG, entry->NtHash, 16);
|
||||
#endif
|
||||
- NTOWFv2FromHashW(entry->NtHash, (LPWSTR)credentials->identity.User,
|
||||
- credentials->identity.UserLength * 2, (LPWSTR)credentials->identity.Domain,
|
||||
- credentials->identity.DomainLength * 2, (BYTE*)hash);
|
||||
- SamFreeEntry(sam, entry);
|
||||
- SamClose(sam);
|
||||
- return 1;
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- SamClose(sam);
|
||||
+ NTOWFv2FromHashW(entry->NtHash, (LPWSTR)credentials->identity.User,
|
||||
+ credentials->identity.UserLength * sizeof(WCHAR),
|
||||
+ (LPWSTR)credentials->identity.Domain,
|
||||
+ credentials->identity.DomainLength * sizeof(WCHAR), (BYTE*)hash);
|
||||
+
|
||||
+ rc = TRUE;
|
||||
+
|
||||
+fail:
|
||||
+ SamFreeEntry(sam, entry);
|
||||
+ SamClose(sam);
|
||||
+ if (!rc)
|
||||
WLog_ERR(TAG, "Error: Could not find user in SAM database");
|
||||
- return 0;
|
||||
- }
|
||||
+
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
static int ntlm_convert_password_hash(NTLM_CONTEXT* context, BYTE* hash)
|
||||
1
debian/patches/series
vendored
1
debian/patches/series
vendored
@ -41,3 +41,4 @@
|
||||
0049-CVE-2023-40589.patch
|
||||
0050-CVE-2021-41160.patch
|
||||
0051-CVE-2022-24882.patch
|
||||
0052-CVE-2022-24883.patch
|
||||
|
||||
Loading…
Reference in New Issue
Block a user