| Message ID | CAGvGhF65fvZksvcLy8RWEizDwLVmKvM-0Mwe-xhWQk67-mExfQ@mail.gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Only checks the signature for the first pdu in a compound. | expand |
2021-09-22 14:22 GMT+09:00, Leif Sahlberg <lsahlber@redhat.com>: > Minor issue, as far as I can tell not exploitable, but looks funny. > > > Apply this patch to libsmb2 and run this for a reproducer: > diff --git a/lib/libsmb2.c b/lib/libsmb2.c > index d17e72b..244cab6 100644 > --- a/lib/libsmb2.c > +++ b/lib/libsmb2.c > @@ -1985,6 +1985,7 @@ smb2_getinfo_async(struct smb2_context *smb2, > const char *path, > smb2_free_pdu(smb2, pdu); > return -1; > } > + next_pdu->header.protocol_id[3] = 0xaa; > smb2_add_compound_pdu(smb2, pdu, next_pdu); > > /* CLOSE command */ > > > ./examples/smb2-stat-sync smb://server/Share > > > What it basically does it it corrupts the SMB2 signature for the > second PDU in the > Create/GetInfo/Close compound. > > Wireshark is fine with this and still decodes the PDU eventhough it > has the signature 0xfe 'S 'M' 0xaa > > > The bug is that it only checks the signature for the first PDU: > > int ksmbd_verify_smb_message(struct ksmbd_work *work) > { > struct smb2_hdr *smb2_hdr = work->request_buf; > > if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER) > return ksmbd_smb2_check_message(work); > > return 0; > } > > > Funny thing is that ksmbd responds with the same bogus signature in > the second PDU in the compound. Oops, I will fix it, Thanks for your check! > >
diff --git a/lib/libsmb2.c b/lib/libsmb2.c index d17e72b..244cab6 100644 --- a/lib/libsmb2.c +++ b/lib/libsmb2.c @@ -1985,6 +1985,7 @@ smb2_getinfo_async(struct smb2_context *smb2, const char *path, smb2_free_pdu(smb2, pdu); return -1; } + next_pdu->header.protocol_id[3] = 0xaa; smb2_add_compound_pdu(smb2, pdu, next_pdu);
Minor issue, as far as I can tell not exploitable, but looks funny. Apply this patch to libsmb2 and run this for a reproducer: /* CLOSE command */ ./examples/smb2-stat-sync smb://server/Share What it basically does it it corrupts the SMB2 signature for the second PDU in the Create/GetInfo/Close compound. Wireshark is fine with this and still decodes the PDU eventhough it has the signature 0xfe 'S 'M' 0xaa The bug is that it only checks the signature for the first PDU: int ksmbd_verify_smb_message(struct ksmbd_work *work) { struct smb2_hdr *smb2_hdr = work->request_buf; if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER) return ksmbd_smb2_check_message(work); return 0; } Funny thing is that ksmbd responds with the same bogus signature in the second PDU in the compound.