diff mbox series

Only checks the signature for the first pdu in a compound.

Message ID CAGvGhF65fvZksvcLy8RWEizDwLVmKvM-0Mwe-xhWQk67-mExfQ@mail.gmail.com (mailing list archive)
State New, archived
Headers show
Series Only checks the signature for the first pdu in a compound. | expand

Commit Message

Leif Sahlberg Sept. 22, 2021, 5:22 a.m. UTC
Minor issue, as far as I can tell not exploitable, but looks funny.


Apply this patch to libsmb2 and run this for a reproducer:
         /* CLOSE command */


./examples/smb2-stat-sync smb://server/Share


What it basically does it it corrupts the SMB2 signature for the
second PDU in the
Create/GetInfo/Close compound.

Wireshark is fine with this and still decodes the PDU eventhough it
has the signature 0xfe 'S 'M' 0xaa


The bug is  that it only checks the signature for the first PDU:

int ksmbd_verify_smb_message(struct ksmbd_work *work)
{
struct smb2_hdr *smb2_hdr = work->request_buf;

if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
return ksmbd_smb2_check_message(work);

return 0;
}


Funny thing is that ksmbd responds with the same bogus signature in
the second PDU in the compound.

Comments

Namjae Jeon Sept. 22, 2021, 5:39 a.m. UTC | #1
2021-09-22 14:22 GMT+09:00, Leif Sahlberg <lsahlber@redhat.com>:
> Minor issue, as far as I can tell not exploitable, but looks funny.
>
>
> Apply this patch to libsmb2 and run this for a reproducer:
> diff --git a/lib/libsmb2.c b/lib/libsmb2.c
> index d17e72b..244cab6 100644
> --- a/lib/libsmb2.c
> +++ b/lib/libsmb2.c
> @@ -1985,6 +1985,7 @@ smb2_getinfo_async(struct smb2_context *smb2,
> const char *path,
>                  smb2_free_pdu(smb2, pdu);
>                  return -1;
>          }
> +        next_pdu->header.protocol_id[3] = 0xaa;
>          smb2_add_compound_pdu(smb2, pdu, next_pdu);
>
>          /* CLOSE command */
>
>
> ./examples/smb2-stat-sync smb://server/Share
>
>
> What it basically does it it corrupts the SMB2 signature for the
> second PDU in the
> Create/GetInfo/Close compound.
>
> Wireshark is fine with this and still decodes the PDU eventhough it
> has the signature 0xfe 'S 'M' 0xaa
>
>
> The bug is  that it only checks the signature for the first PDU:
>
> int ksmbd_verify_smb_message(struct ksmbd_work *work)
> {
> struct smb2_hdr *smb2_hdr = work->request_buf;
>
> if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
> return ksmbd_smb2_check_message(work);
>
> return 0;
> }
>
>
> Funny thing is that ksmbd responds with the same bogus signature in
> the second PDU in the compound.
Oops, I will fix it, Thanks for your check!
>
>
diff mbox series

Patch

diff --git a/lib/libsmb2.c b/lib/libsmb2.c
index d17e72b..244cab6 100644
--- a/lib/libsmb2.c
+++ b/lib/libsmb2.c
@@ -1985,6 +1985,7 @@  smb2_getinfo_async(struct smb2_context *smb2,
const char *path,
                 smb2_free_pdu(smb2, pdu);
                 return -1;
         }
+        next_pdu->header.protocol_id[3] = 0xaa;
         smb2_add_compound_pdu(smb2, pdu, next_pdu);