Project

General

Profile

Actions
Copy link

Bug #5783

closed

smb: wrong endian conversion when parse NTLM Negotiate Flags

Added by b1 tg almost 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
7.0.0-rc2
Affected Versions:
git master
Effort:
Difficulty:
Label:

Description

NTLM Negotiate Flags value in follow image is 0xe2888215, function parse_ntlm_auth_nego_flags return version_set_flag = 0 on this, which is wrong. This bug can cause NTLM Auth Version be ignored.

pcap screenshot

version_set_flag is at offset 25 by bits:

>>> 0xe2888215 >> 6 &0b1
0
>>> 0xe2888215 >> 25 &0b1
1
>>> 0xe2888215 >> 6 &0b1

I would like to make a pr for this bug, as the Developers Guide said, maybe i need to have the "developer" role?

Bug location: https://github.com/OISF/suricata/blob/55c4834e4e9b14a441b735f84d8d35b4eb151702/rust/src/smb/ntlmssp_records.rs#L71-L73
NegotiateFlags document: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832

Files

Download all files
clipboard-202301122235-jl69q.png (252 KB) clipboard-202301122235-jl69q.png pcap screenshot b1 tg, 01/12/2023 02:35 PM
smb-on-windows-10.pcapng (139 KB) smb-on-windows-10.pcapng pcap b1 tg, 01/12/2023 02:55 PM
smb-on-windows-10.pcap (122 KB) smb-on-windows-10.pcap pcap b1 tg, 02/01/2023 10:40 AM

Subtasks 1 (0 open1 closed)

Bug #5961: smb: wrong endian conversion when parse NTLM Negotiate Flags (6.0.x backport)ClosedPhilippe AntoineActions
Actions
Copy link

Also available in: Atom PDF