Bug #5783: smb: wrong endian conversion when parse NTLM Negotiate Flags - Suricata - Open Information Security Foundation

Actions

Bug #5783

closed

smb: wrong endian conversion when parse NTLM Negotiate Flags

Added by b1 tg over 1 year ago. Updated 12 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

NTLM Negotiate Flags value in follow image is 0xe2888215, function parse_ntlm_auth_nego_flags return version_set_flag = 0 on this, which is wrong. This bug can cause NTLM Auth Version be ignored.

version_set_flag is at offset 25 by bits:

>>> 0xe2888215 >> 6 &0b1
0
>>> 0xe2888215 >> 25 &0b1
1
>>> 0xe2888215 >> 6 &0b1

I would like to make a pr for this bug, as the Developers Guide said, maybe i need to have the "developer" role?

Bug location: https://github.com/OISF/suricata/blob/55c4834e4e9b14a441b735f84d8d35b4eb151702/rust/src/smb/ntlmssp_records.rs#L71-L73
NegotiateFlags document: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832

Files

Download all files

clipboard-202301122235-jl69q.png (252 KB) clipboard-202301122235-jl69q.png	pcap screenshot	b1 tg, 01/12/2023 02:35 PM
smb-on-windows-10.pcapng (139 KB) smb-on-windows-10.pcapng	pcap	b1 tg, 01/12/2023 02:55 PM
smb-on-windows-10.pcap (122 KB) smb-on-windows-10.pcap	pcap	b1 tg, 02/01/2023 10:40 AM

Subtasks 1 (0 open — 1 closed)

Actions

#1

Updated by Victor Julien over 1 year ago

You have the developer role now. Thanks for looking into this.

Actions

#2

Updated by Juliana Fajardini Reichow about 1 year ago

Status changed from New to In Review
Assignee changed from OISF Dev to b1 tg
Target version changed from TBD to 7.0.0-rc1

PR for review: https://github.com/OISF/suricata/pull/8373

Actions

#3

Updated by Victor Julien about 1 year ago

Target version changed from 7.0.0-rc1 to 7.0.0-rc2

Actions

#4

Updated by b1 tg about 1 year ago

File smb-on-windows-10.pcap smb-on-windows-10.pcap added

add .pcap file for reference in suricata-verify

Actions

#5

Updated by Juliana Fajardini Reichow about 1 year ago

Status changed from In Review to Closed

Merged PR: https://github.com/OISF/suricata/pull/8543

Actions

#6

Updated by Philippe Antoine about 1 year ago

Status changed from Closed to Assigned
Assignee changed from b1 tg to Philippe Antoine
Label Needs backport to 6.0 added

Still needs a fix...

Actions

#7

Updated by OISF Ticketbot about 1 year ago

Subtask #5961 added

Actions

#8

Updated by OISF Ticketbot about 1 year ago

Label deleted (~~Needs backport to 6.0~~)

Actions

#9

Updated by Philippe Antoine about 1 year ago

Status changed from Assigned to In Review

https://github.com/OISF/suricata/pull/8673

Actions

#10

Updated by Philippe Antoine 12 months ago

Status changed from In Review to Resolved

https://github.com/OISF/suricata/pull/8673

Actions

#11

Updated by Philippe Antoine 12 months ago

Status changed from Resolved to Closed

Actions

Also available in: Atom PDF