smb.lua: fix SMB Extended Security parsing by resetting the offset index #1476
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The SMB library (smb.lua) fails to properly parse "Negotiate Protocol Response" messages when SMB Extended Security is enabled. This cause many SMB scripts to fail, in particular against Samba servers based on my observations in real networks. Below are some observations with smb-os-discovery, but I've also noticed that with smb-vuln-ms17-010 which cause it to not run since it generates an exception in the early phase.
Example before the patch and with the latest public Nmap 7.70 release:
Example before the patch and with the latest Nmap version from Git as of now. The error is more visible:
This difference seems to be caused by the change from
bin.unpack
tostring.unpack
but this is just a symptom, not the problem itself.nmap/nselib/smb.lua
Line 1070 in cadb662
And after the patch, no error. The results aren't very good, but it is an unrelated issue:
My detailed thoughts are the following.
This section of the function
negotiate_v1
parses the "Negotiate Protocol Response" message, where SMB Extended Security is true.In this case, as explained in [MS-SMB], the response has two parts:
parameters
anddata
.These are returned by
smb_read()
:nmap/nselib/smb.lua
Line 952 in 1650469
I understand that the
pos
variable is used as an offset index. It is first used againstparameters
, like:nmap/nselib/smb.lua
Line 982 in 1650469
But then it is reused against
data
without being reset to 1. Which creates a read problem.nmap/nselib/smb.lua
Line 1030 in 1650469
The patch creates a new index
data_pos
dedicated to parse thisdata
array.I've confirmed this by adding
print
statements to view the variables values along the way.With the patch, the
smb.server_guid
is properly filled which wasn't the case before:Wireshark parsing, if that helps:
I've tested against hosts that didn't show this problem (no Extended Security in this Negotiate Protocol Response) and I didn't observe any regression.