Bug #5783
Closed
smb: wrong endian conversion when parsing NTLM Negotiate Flags
Description
The NTLM Negotiate Flags value in the following image is 0xe2888215. The function parse_ntlm_auth_nego_flags returns version_set_flag = 0 for it, which is wrong. This bug can cause the NTLM Auth Version to be ignored.
version_set_flag is at bit offset 25:
>>> 0xe2888215 >> 6 &0b1
0
>>> 0xe2888215 >> 25 &0b1
1
I would like to make a PR for this bug. As the Developers Guide says, maybe I need to have the "developer" role?
Bug location: https://github.com/OISF/suricata/blob/55c4834e4e9b14a441b735f84d8d35b4eb151702/rust/src/smb/ntlmssp_records.rs#L71-L73
NegotiateFlags document: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832
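Added example (not part of the original report and not Suricata's code): the same four flag bytes decoded in both byte orders, showing how the wrong order clears bit 25 and the Version structure is never read. It assumes NegotiateFlags is a little-endian u32 on the wire followed directly by the 8-byte Version structure, as MS-NLMP lays out the AUTHENTICATE_MESSAGE; the function names, the struct and the version bytes are constructed for illustration.

```rust
// Added example, not Suricata's code; type and function names are hypothetical.
// NTLMSSP_NEGOTIATE_VERSION in the MS-NLMP NegotiateFlags field is bit 25.
const NTLMSSP_NEGOTIATE_VERSION: u32 = 1 << 25;

#[derive(Debug, PartialEq)]
struct NtlmVersion { major: u8, minor: u8, build: u16, ntlm_rev: u8 }

/// Decode the 4 flag bytes. `little_endian = false` reproduces the wrong byte order.
fn decode_flags(wire: [u8; 4], little_endian: bool) -> u32 {
    if little_endian { u32::from_le_bytes(wire) } else { u32::from_be_bytes(wire) }
}

/// Parse NegotiateFlags and, if the version bit is set, the 8-byte Version
/// structure that follows. Returns None on truncated input.
fn parse_flags_and_version(buf: &[u8], little_endian: bool) -> Option<(u32, Option<NtlmVersion>)> {
    let b = buf.get(..4)?;
    let flags = decode_flags([b[0], b[1], b[2], b[3]], little_endian);
    if flags & NTLMSSP_NEGOTIATE_VERSION == 0 {
        return Some((flags, None)); // version bytes are never looked at
    }
    let v = buf.get(4..12)?;
    Some((flags, Some(NtlmVersion {
        major: v[0],
        minor: v[1],
        build: u16::from_le_bytes([v[2], v[3]]),
        ntlm_rev: v[7], // bytes 4..7 of the structure are reserved
    })))
}

// Constructed sample: 0xe2888215 from the report in little-endian wire order,
// then a made-up Version structure (10.0 build 19041, NTLM revision 15).
const SAMPLE: [u8; 12] = [
    0x15, 0x82, 0x88, 0xe2,
    0x0a, 0x00, 0x61, 0x4a, 0x00, 0x00, 0x00, 0x0f,
];

fn main() {
    for le in [true, false] {
        let (flags, ver) = parse_flags_and_version(&SAMPLE, le).unwrap();
        println!("little_endian={} flags={:#010x} version={:?}", le, flags, ver);
    }
}
```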
Updated by Victor Julien almost 2 years ago
You have the developer role now. Thanks for looking into this.
Updated by Juliana Fajardini Reichow almost 2 years ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to b1 tg
- Target version changed from TBD to 7.0.0-rc1
PR for review: https://github.com/OISF/suricata/pull/8373
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 7.0.0-rc2
Updated by b1 tg almost 2 years ago
- File smb-on-windows-10.pcap smb-on-windows-10.pcap added
Add .pcap file for reference in suricata-verify
Updated by Juliana Fajardini Reichow almost 2 years ago
- Status changed from In Review to Closed
Merged PR: https://github.com/OISF/suricata/pull/8543
Updated by Philippe Antoine over 1 year ago
- Status changed from Closed to Assigned
- Assignee changed from b1 tg to Philippe Antoine
- Label Needs backport to 6.0 added
Still needs a fix...
Updated by Philippe Antoine over 1 year ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine over 1 year ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine over 1 year ago
- Status changed from Resolved to Closed