smb.lua: fix SMB Extended Security parsing by resetting the offset index #1476
The SMB library (smb.lua) fails to properly parse "Negotiate Protocol Response" messages when SMB Extended Security is enabled. This causes many SMB scripts to fail, in particular against Samba servers, based on my observations in real networks. Below are some observations with smb-os-discovery, but I've also noticed it with smb-vuln-ms17-010, which causes it to not run since it generates an exception in the early phase.
Example before the patch and with the latest public Nmap 7.70 release:
Example before the patch and with the latest Nmap version from Git as of now. The error is more visible:
This difference seems to be caused by the change from
And after the patch, no error. The results aren't very good, but it is an unrelated issue:
My detailed thoughts are the following.
I understand that the
But then it is reused against
The patch creates a new index
I've confirmed this by adding
I've tested against hosts that didn't show this problem (no Extended Security in this Negotiate Protocol Response) and I didn't observe any regression.
A fix for this issue has been committed as r37733. Thank you for contributing to nmap by researching the code discrepancy and proposing a patch.
P.S. I agree with your assessment of what roughly needs to be changed but your rationale is somewhat off. The root cause is a spec non-compliance inside Samba. For compliant Samba versions and for Windows the current code seems to be working just fine.
Under compliant circumstances,
You can see the Samba non-compliance in your Wireshark screenshot. Here
The true fix is to completely skip extracting
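As an added illustration for both the PR description and the maintainer's reply above, and not code from Nmap's smb.lua or from either participant, here is a standalone Python parser for the NT LM 0.12 Negotiate Protocol Response body. It locates the data section from the fixed header lengths instead of advancing an index that has already been moved past ChallengeLength bytes, and it ignores ChallengeLength entirely when CAP_EXTENDED_SECURITY is set. The field layout follows MS-CIFS 2.2.4.52.2 and MS-SMB 2.2.4.5.2.1 as I understand them; the two sample responses, the GUID and SPNEGO prefix, and the assumption that the non-compliant server sends a non-zero ChallengeLength alongside extended security are all constructed here and not taken from the thread (which does not spell out the field). Python is used rather than NSE Lua so the example runs on its own.

```python
"""Standalone parser for the SMB1 NEGOTIATE Protocol Response (NT LM 0.12).

Illustrative code written for this thread; it is not Nmap's smb.lua.
"""
import struct

CAP_EXTENDED_SECURITY = 0x80000000
SMB_HEADER_LEN = 32  # fixed SMB1 header that precedes the parameter block

# The 17 parameter words (34 bytes), little-endian, in wire order:
# DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize,
# MaxRawSize, SessionKey, Capabilities, SystemTime, ServerTimeZone,
# ChallengeLength (called EncryptionKeyLength in older documentation).
_PARAMS = struct.Struct("<HBHHIIIIqhB")
_FIXED_LEN = 1 + _PARAMS.size + 2  # WordCount + words + ByteCount


def _take_utf16(buf):
    """Split off one null-terminated UTF-16LE string."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i:i + 2] == b"\x00\x00":
            return buf[:i].decode("utf-16-le"), buf[i + 2:]
    return buf.decode("utf-16-le", errors="replace"), b""


def parse_negotiate_response(body):
    """Parse the bytes that follow the 32-byte SMB header."""
    if len(body) < _FIXED_LEN:
        raise ValueError("truncated NEGOTIATE response")
    if body[0] != 17:
        raise ValueError("unexpected WordCount %d" % body[0])
    (dialect, sec_mode, _mpx, _vcs, _buf, _raw, _key, caps,
     _time, _tz, challenge_len) = _PARAMS.unpack_from(body, 1)
    (byte_count,) = struct.unpack_from("<H", body, 1 + _PARAMS.size)
    # The data section starts at a fixed offset. Locating it this way,
    # rather than advancing an index that was already moved past
    # ChallengeLength bytes, is the point of the fix discussed above.
    data = body[_FIXED_LEN:_FIXED_LEN + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount exceeds available data")
    result = {
        "dialect_index": dialect,
        "signing_required": bool(sec_mode & 0x08),
        "extended_security": bool(caps & CAP_EXTENDED_SECURITY),
        "challenge_length": challenge_len,
    }
    if result["extended_security"]:
        # Extended security: ServerGUID then a SPNEGO security blob.
        # ChallengeLength is supposed to be 0 here and is ignored, so a
        # server that sends a non-zero value does not shift the parse.
        if byte_count < 16:
            raise ValueError("extended security response lacks ServerGUID")
        result["server_guid"] = data[:16]
        result["security_blob"] = data[16:]
    else:
        if challenge_len > byte_count:
            raise ValueError("ChallengeLength exceeds ByteCount")
        result["challenge"] = data[:challenge_len]
        rest = data[challenge_len:]
        # Unicode strings are aligned to a 16-bit boundary measured from
        # the start of the SMB header, so skip the pad byte if present.
        if (SMB_HEADER_LEN + _FIXED_LEN + challenge_len) % 2:
            rest = rest[1:]
        result["domain_name"], rest = _take_utf16(rest)
        result["server_name"], rest = _take_utf16(rest) if rest else ("", b"")
    return result


def build_sample(capabilities, challenge_len, data):
    """Constructed response body (no SMB header); values are illustrative."""
    params = _PARAMS.pack(0, 0x03, 50, 1, 16644, 65536, 0, capabilities,
                          0, 0, challenge_len)
    return bytes([17]) + params + struct.pack("<H", len(data)) + data


CHALLENGE = bytes(range(1, 9))
GUID = bytes(range(0x10, 0x20))
# Bare GSS-API token prefix carrying the SPNEGO OID 1.3.6.1.5.5.2 (constructed).
BLOB = b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02"

# Compliant non-extended response: 8-byte challenge, pad, domain, server.
PLAIN_SAMPLE = build_sample(
    0x14, len(CHALLENGE),
    CHALLENGE + b"\x00" + "WORKGROUP\0".encode("utf-16-le")
    + "FILESRV\0".encode("utf-16-le"))

# Extended security response with a non-zero ChallengeLength. That this is
# exactly what the non-compliant server sends is an assumption for this
# example; the thread only says the server deviates from the spec.
EXTSEC_SAMPLE = build_sample(CAP_EXTENDED_SECURITY | 0x14, 8, GUID + BLOB)


def naive_guid(body):
    """Pre-fix style: skip ChallengeLength bytes before reading the GUID."""
    challenge_len = body[1 + _PARAMS.size - 1]
    start = _FIXED_LEN + challenge_len
    return body[start:start + 16]


if __name__ == "__main__":
    print(parse_negotiate_response(PLAIN_SAMPLE))
    print(parse_negotiate_response(EXTSEC_SAMPLE))
    print("naive GUID:", naive_guid(EXTSEC_SAMPLE).hex())
```

Running it shows the fixed parser returning the same ServerGUID and blob from the extended-security sample regardless of ChallengeLength, while the naive offset arithmetic returns eight bytes of GUID followed by the start of the blob, which is the kind of shifted read that then breaks later SPNEGO handling in dependent scripts.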