Re: [cifs-protocol] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397

Thu, 18 Jul 2024 11:41:18 -0700 

Hello Jo, please review the latest copy of [MS-NRPC].  It has the updated IDL 
definitions as well. As of now,  [MS-APDS] is still being updated. The 
following information should be helpful in the meantime.

MS-APDS Section 3.2.5.1 shows  messagetype field should be set to 0x00000026. 
The actual design did not introduce such message type. We are using a new  
logonlevel i.e. NETLOGON_LEVEL of NetlogonTicketLogonInformation and a new 
validationLevel i.e. NETLOGON_VALIDATION of NetlogonValidationTicketLogon.


  1.
     From MS-APDS Section 3.2.5.1, we see the NETLOGON_TICKET_LOGON_INFO  is 
layered on top of generic pass through structure however MS-NRPC section 
2.2.1.4.6 defines TicketLogon as a new NETLOGON_LEVEL struct which refers to 
NETLOGON_TICKET_LOGON_INFO.
     The NETLOGON_TICKET_LOGON_INFO message does not utilize Generic 
Passthrough as described in MS-APDS 3.2.5.1. Instead, you  will be using 
LogonLevel parameter 8 (NetlogonTicketLogonInformation 
<https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/8c7808e5-4e5c-420e-9c90-47286da2218f>
 )
        *

  2.
     Generic Passthrough returns NETLOGON_VALIDATION_GENERIC_INFO2.   But the 
new TicketLogon will return NETLOGON_VALIDATION_TICKET_LOGON.
     *
As NETLOGON_TICKET_LOGON_INFO message does not actually utilize Generic 
Passthrough, you will use ValidationLevel parameter is 7 
(NetLogonValidationTicketLogon<https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/95154ae4-d305-43e5-82e4-d5353e0f117c>),
        *

     *


You can find a list of applicable Windows OS versions that have this security 
update from the following link (click the “More…” link below the title)


  1.
https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1

This list does not include Server 2025, but it also contains this update.


Please let me know if you have additional questions.


Regards,

Sreekanth Nadendla

Microsoft Windows Open Specifications

________________________________
From: Jo Sutton <jsut...@samba.org>
Sent: Tuesday, July 16, 2024 12:33 AM
To: Sreekanth Nadendla <srena...@microsoft.com>; cifs-protocol@lists.samba.org 
<cifs-protocol@lists.samba.org>
Cc: Microsoft Support <supportm...@microsoft.com>
Subject: Re: [cifs-protocol] [EXTERNAL] Re: [MS-APDS] 
NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397

For completeness’ sake, I ran the same procedure against a Windows
Server 2022 host, and got exactly the same STATUS_INVALID_PARAMETER
error. For MessageType I tried both 0x00000003 and 0x00000026 (and many
other values, for good measure).

Cheers,
Jo (she/her)

On 10/07/24 2:08 pm, Jo Sutton via cifs-protocol wrote:
> Hi Sreekanth,
>
> I’m afraid that using 0x03 for the message type still gets me
> STATUS_INVALID_PARAMETER codes.
>
> 0x03 is the message type corresponding to KERB_VERIFY_PAC_REQUEST, which
> is used for the older method of PAC verification. But the message I’m
> attempting to send is NETLOGON_TICKET_LOGON_INFO ([MS-APDS] 2.2.2.1),
> which includes the entire Kerberos ticket and is used in the newer
> method of PAC verification.
>
> What do I need to do to get Windows Server 2019 to accept a
> NETLOGON_TICKET_LOGON_INFO message? I don’t see any information
> indicating that Windows Server 2019 doesn’t support such messages.
>
> Cheers,
> Jo (she/her)
>
> On 10/07/24 7:12 am, Sreekanth Nadendla wrote:
>> Hello Jo, can you change the message type from 0x00000026  ( byte
>> sequence seen as 26 00 00 00 below)  to 0x00000003 (to indicate
>> message type of KerbVerifyPacMessage) and try this again ?
>>
>> 0:002> db ProtocolSubmitBuffer L0x5e0
>>
>> 00000218`69819c80  26 00 00 00 00 00 11 00-21 00 31 00 c0 05 00 00
>>   &.......!.1.....
>> 00000218`69819c90  00 00 02 00 00 00 00 00-00 00 00 00 c0 05 00 00
>>   ................
>> 00000218`69819ca0  61 82 05 bc 30 82 05 b8-a0 03 02 01 05 a1 0d 1b
>>   a...0...........
>> .. ..... .. ..... .. .....
>> .. ..... .. ..... .. .....
>> .. ..... .. ..... .. .....
>> 00000218`6981a250  85 1d 35 87 38 7d b1 5b-52 c0 c3 e4 30 c8 77 7d
>>   ..5.8}.[R...0.w}
>>
>> Regards,
>>
>> Sreekanth Nadendla
>>
>> Microsoft Windows Open Specifications
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Jo Sutton <jsut...@samba.org>
>> *Sent:* Tuesday, July 2, 2024 6:23 PM
>> *To:* Sreekanth Nadendla <srena...@microsoft.com>;
>> cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>
>> *Cc:* Microsoft Support <supportm...@microsoft.com>
>> *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>> Thank you, Sreekanth. I’ve uploaded a trace and network capture of a
>> call to NetrLogonSamLogonEx() attempting to validate a service ticket.
>>
>> Cheers,
>> Jo (she/her)
>>
>> On 3/07/24 2:02 am, Sreekanth Nadendla wrote:
>>  > Hello Jo,  you may have gotten an invitation to upload files by now.
>>  > Please check your e-mail folders and let me know otherwise.
>>  >
>>  > Regards,
>>  >
>>  > Sreekanth Nadendla
>>  >
>>  > Microsoft Windows Open Specifications
>>  >
>>  >
>> ------------------------------------------------------------------------
>>  > *From:* Jo Sutton <jsut...@samba.org>
>>  > *Sent:* Monday, July 1, 2024 10:01 PM
>>  > *To:* Sreekanth Nadendla <srena...@microsoft.com>;
>>  > cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>
>>  > *Cc:* Microsoft Support <supportm...@microsoft.com>
>>  > *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>>  > NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>>  > On second thoughts, I’d rather not send traces via unencrypted email.
>>  > Can you provide somewhere for me to upload them?
>>  >
>>  > Cheers,
>>  > Jo (she/her)
>>  >
>>  > On 2/07/24 1:57 pm, Jo Sutton via cifs-protocol wrote:
>>  >> [moving back to cifs-protocol]
>>  >>
>>  >> Hi Sreekanth,
>>  >>
>>  >> Call me Jo :)
>>  >>
>>  >> As I can’t seem to upload the traces via the link you sent me,
>> I’ll try
>>  >> to email them to you directly.
>>  >>
>>  >> The reason for asking about NETLOGON_TICKET_LOGON_INFO is that we’re
>>  >> looking to address
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7Cc19a6b0c9013423d7bfc08dca550844c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638567012452298587%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=gfTLS51n5vEi4j62G7YITtu3oiZ0KQ9yhOADSyVTo2w%3D&reserved=0<https://bugzilla.samba.org/show_bug.cgi?id=15249>
>>  
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7Cc19a6b0c9013423d7bfc08dca550844c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638567012452307683%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=AarTYwC8gFcOXKCmrHukUiw8VMbUiDzmK744ND16vXE%3D&reserved=0<https://bugzilla.samba.org/show_bug.cgi?id=15249>>
>>  
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7Cc19a6b0c9013423d7bfc08dca550844c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638567012452310647%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=ELl9%2Fl09tNXh27vMQg6Vr4epM2NKC%2FhlYuDG0lOKlYU%3D&reserved=0
>>  
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7Cc19a6b0c9013423d7bfc08dca550844c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638567012452313475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=9ThDzJyYqoU7v8CC23wBYRyfvpZVTHc%2BYBg0D%2BcqjY0%3D&reserved=0<https://bugzilla.samba.org/show_bug.cgi?id=15249>>>.
>>  >>
>>  >> Cheers,
>>  >> Jo (she/her)
>>  >>
>>  >> On 14/06/24 3:39 am, Sreekanth Nadendla wrote:
>>  >>> Hello Joseph, I've sent you instructions to download time travel
>> trace
>>  >>> tool to collect traces for lass process earlier. But we were
>> informed
>>  >>> by Andrew Bartlet that the reason why you've raised the login issue
>>  >>> with [MS-APDS] NETLOGON_TICKET_LOGON_INFO is that you are looking to
>>  >>> resolve a privilege escalation problem via enforcement of PAC
>>  >>> verification.  I could not see how these two issues are connected
>>  >>> hence I'm unable to continue the investigation on my own (while you
>>  >>> are away dealing with a personal issue).
>>  >>> Please let us know whenever you are ready and we will gather the
>>  >>> details, data to investigate the issue you are experiencing.
>>  >>>
>>  >>> Regards,
>>  >>>
>>  >>> Sreekanth Nadendla
>>  >>>
>>  >>> Microsoft Windows Open Specifications
>>  >>>
>>  >>>
>>  >>>
>>  >>>
>>  >>>
>>  >>>
>>  >>> From: Jo Sutton <jsut...@samba.org>
>>  >>>
>>  >>> Sent: Monday, May 20, 2024 9:49 PM
>>  >>> To: cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>;
>>  >>> Interoperability Documentation Help <doch...@microsoft.com>
>>  >>> Subject: [EXTERNAL] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message
>>  >>> [Some people who received this message don't often get email from
>>  >>> jsut...@samba.org. Learn why this is important at
>>  >>> https://aka.ms/LearnAboutSenderIdentification
>> <https://aka.ms/LearnAboutSenderIdentification>
>>  > <https://aka.ms/LearnAboutSenderIdentification
>> <https://aka.ms/LearnAboutSenderIdentification>> ]
>>  >>>
>>  >>> Hi dochelp,
>>  >>>
>>  >>> I’m trying to follow [MS-APDS] 2.2.2.1, “NETLOGON_TICKET_LOGON_INFO
>>  >>> Message”, in order to create a NETLOGON_TICKET_LOGON_INFO message
>> that
>>  >>> will be accepted by Windows Server 2019. However, in my attempts
>> so far,
>>  >>> all I’ve got is STATUS_INVALID_PARAMETER codes from
>> NetrLogonSamLogonEx.
>>  >>>
>>  >>> Although [MS-APDS] doesn’t mention it, I assume
>>  >>> NETLOGON_TICKET_LOGON_INFO should contain an unsigned 32‐bit
>> MessageType
>>  >>> field, set to 0x00000026, that indicates the message is a
>>  >>> NETLOGON_TICKET_LOGON_INFO message. Other than that, I’m not sure
>> what
>>  >>> I’m doing wrong. Are the ticket fields arrays, are depicted in the
>>  >>> diagram, or pointers, as claimed in the documentation?
>>  >>>
>>  >>> I can provide traces showing the problem if you would like.
>>  >>>
>>  >>> Cheers,
>>  >>> Jo (she/her)
>>  >>
>>  >>
>>  >> _______________________________________________
>>  >> cifs-protocol mailing list
>>  >> cifs-protocol@lists.samba.org
>>  >>
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7Cc19a6b0c9013423d7bfc08dca550844c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638567012452316262%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=bmgJJDYuZd3bGzlzBX7QnlH9wbNyYoqRZ3hH6t3cBUA%3D&reserved=0<https://lists.samba.org/mailman/listinfo/cifs-protocol>
>>  
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7Cc19a6b0c9013423d7bfc08dca550844c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638567012452319086%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=wIxF7Mv4EEPRpDkZKAReemWJ5ciMvdTRuVzLSO06DAU%3D&reserved=0<https://lists.samba.org/mailman/listinfo/cifs-protocol>>
>>  
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7Cc19a6b0c9013423d7bfc08dca550844c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638567012452321842%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=J2vrgrV1StI0%2BvgT7ZreEJ%2FI%2F4fKD8Jn%2B3iSrr7FowQ%3D&reserved=0
>>  
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7Cc19a6b0c9013423d7bfc08dca550844c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638567012452324601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=MTZ%2F670nGiMD%2Fu83tsGGyERHbe7y93r%2B43qsybmjlfE%3D&reserved=0<https://lists.samba.org/mailman/listinfo/cifs-protocol>>>
>
>
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol@lists.samba.org
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7Cc19a6b0c9013423d7bfc08dca550844c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638567012452327359%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=%2BhCD7Q6i2P3hvlr2MKjxU63BsGe9RMYOkSURCiUE39w%3D&reserved=0<https://lists.samba.org/mailman/listinfo/cifs-protocol>

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

Reply via email to