Skip to content

Commit

Permalink
selftest: Test repushing an ntlmssp AUTHENTICATE_MESSAGE
Browse files Browse the repository at this point in the history
This demonstrates a bug found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer where the value() evaluatuion could segfault if it was made to follow a NULL
pointer.

This also demonstrates that the --base64 mode works on file inputs.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • Loading branch information
abartlet committed Nov 20, 2019
1 parent ac1be89 commit 33e9021
Show file tree
Hide file tree
Showing 4 changed files with 148 additions and 0 deletions.
12 changes: 12 additions & 0 deletions python/samba/tests/blackbox/ndrdump.py
Original file line number Diff line number Diff line change
Expand Up @@ -198,3 +198,15 @@ def test_ndrdump_fuzzed_IRemoteActivation_RemoteActivation(self):
except BlackboxProcessError as e:
self.fail(e)
self.assertRegex(actual.decode('utf8'), expected + "$")

def test_ndrdump_fuzzed_ntlmsssp_AUTHENTICATE_MESSAGE(self):
expected = open(self.data_path("fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt")).read()
try:
actual = self.check_output(
"ndrdump ntlmssp AUTHENTICATE_MESSAGE struct --base64-input %s --validate" %
self.data_path("fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.b64.txt"))
except BlackboxProcessError as e:
self.fail(e)
# check_output will return bytes
# convert expected to bytes for python 3
self.assertEqual(actual, expected.encode('utf-8'))
1 change: 1 addition & 0 deletions selftest/knownfail.d/ndrdump-NTLMSSP
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ntlmsssp_AUTHENTICATE_MESSAGE
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
AA4AAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAzOQAAAAAAAAABAAAAAAAAAAD//gAAAAAAAAAABDMyMTUyMTE1MDI2MzE0Njg3/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+5+T2dekB8vfW3brf3WrDRDczOQAAAAA=
134 changes: 134 additions & 0 deletions source4/librpc/tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
pull returned Success
WARNING! 188 unread bytes
[0000] 04 33 32 31 35 32 31 31 35 30 32 36 33 31 34 36 .3215211 50263146
[0010] 38 37 FE FE FE FE FE FE FE FE FE FE FE FE FE FE 87...... ........
[0020] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........
[0030] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........
[0040] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........
[0050] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........
[0060] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........
[0070] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........
[0080] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........
[0090] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........
[00A0] FE FE FE FE FE E7 E4 F6 75 E9 01 F2 F7 D6 DD BA ........ u.......
[00B0] DF DD 6A C3 44 37 33 39 00 00 00 00 ..j.D739 ....
AUTHENTICATE_MESSAGE: struct AUTHENTICATE_MESSAGE
Signature : ''
MessageType : UNKNOWN_ENUM_VALUE (0)
LmChallengeResponseLen : 0x0000 (0)
LmChallengeResponseMaxLen: 0x0000 (0)
LmChallengeResponse : NULL
NtChallengeResponseLen : 0x0000 (0)
NtChallengeResponseMaxLen: 0x0000 (0)
NtChallengeResponse : NULL
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : NULL
UserNameLen : 0x0000 (0)
UserNameMaxLen : 0x0001 (1)
UserName : NULL
WorkstationLen : 0x3933 (14643)
WorkstationMaxLen : 0x0000 (0)
Workstation : NULL
EncryptedRandomSessionKeyLen: 0x0100 (256)
EncryptedRandomSessionKeyMaxLen: 0x0000 (0)
EncryptedRandomSessionKey: NULL
NegotiateFlags : 0xfeff0000 (4278124544)
0: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
0: NTLMSSP_REQUEST_TARGET
0: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
0: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
0: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
1: NTLMSSP_TARGET_TYPE_DOMAIN
1: NTLMSSP_TARGET_TYPE_SERVER
1: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
1: NTLMSSP_NEGOTIATE_IDENTIFY
1: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
1: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
1: NTLMSSP_NEGOTIATE_56
Version: struct ntlmssp_VERSION
ProductMajorVersion : UNKNOWN_ENUM_VALUE (0)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : UNKNOWN_ENUM_VALUE (0)
push returned Success
pull returned Success
AUTHENTICATE_MESSAGE: struct AUTHENTICATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmAuthenticate (3)
LmChallengeResponseLen : 0x0000 (0)
LmChallengeResponseMaxLen: 0x0000 (0)
LmChallengeResponse : NULL
NtChallengeResponseLen : 0x0000 (0)
NtChallengeResponseMaxLen: 0x0000 (0)
NtChallengeResponse : NULL
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : NULL
UserNameLen : 0x0000 (0)
UserNameMaxLen : 0x0000 (0)
UserName : NULL
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : NULL
EncryptedRandomSessionKeyLen: 0x0000 (0)
EncryptedRandomSessionKeyMaxLen: 0x0000 (0)
EncryptedRandomSessionKey: NULL
NegotiateFlags : 0xfeff0000 (4278124544)
0: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
0: NTLMSSP_REQUEST_TARGET
0: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
0: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
0: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
1: NTLMSSP_TARGET_TYPE_DOMAIN
1: NTLMSSP_TARGET_TYPE_SERVER
1: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
1: NTLMSSP_NEGOTIATE_IDENTIFY
1: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
1: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
1: NTLMSSP_NEGOTIATE_56
Version: struct ntlmssp_VERSION
ProductMajorVersion : UNKNOWN_ENUM_VALUE (0)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : UNKNOWN_ENUM_VALUE (0)
WARNING! orig bytes:260 validated pushed bytes:72
WARNING! orig and validated differ at byte 0x00 (0)
WARNING! orig byte[0x00] = 0x00 validated byte[0x00] = 0x4E
dump OK

0 comments on commit 33e9021

Please sign in to comment.