[cifs-protocol] [MS-SMB2] Selective Signing of ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO requests - TrackingID#2406060040007612
Jones Syue 薛懷宗
jonessyue at qnap.com
Fri Jun 7 08:44:53 UTC 2024
> Thanks for digging in further and I can assure you that I appreciate
> the bluntness. Just to clarify, is your concern that 3.2.4.1.1 signing
> conditions do not cover all conditions where Windows signs the
> FSCTL_QUERY_NETWORK_INTERFACE_INFO request? If so, what condition is not
> covered?
> Or, is the concern that " Windows-based clients do not selectively sign
> requests" from behavior note 104 should be more specific to say
> " Windows-based clients do not selectively sign requests beyond what
> is described in this document"?
Thank you Kristian for kind feedback!
Let me take earilier thread with wireshark captures as an example, it is
Windows-based env (ws2022 oprerates as server, ws2016 operates as client),
through wireshark packet captures there are two ioctl requests with two
CtlCode FSCTL_QUERY_NETWORK_INTERFACE_INFO and FSCTL_DFS_GET_REFERRALS,
Windows-base client seems to be biased to sign the former one, and the
latter one is not signed:
1. No. 35478 signature is none zeros, means Windows-based client signs
this Ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO request.
2. No. 35480 signature is all zeros, means Windows-based client does not
sign this Ioctl FSCTL_DFS_GET_REFERRALS request.
Per my test with different Windows-based clients, including
ws2012/ws2012r2/ws2016/ws2019/ws2022, it looks like Windows-based clients
always sign the Ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO request, this
behavior looks good to me.
However my concern is this behavior is not explicitly mentioned in
[MS-SMB2] so it is a not clear to me, and i am looking forward to having
this behavior document in [MS-SMB2] :)
Consider the No. 35476, Windows-based client signs Tree Connect request,
this behavior is explicitly documented in [MS-SMB2] so this looks clear to
me[1][2], so i am expecting something like 'client MUST sign Ioctl
FSCTL_QUERY_NETWORK_INTERFACE_INFO request' could be mentioned in [MS-SMB2]
too.
No. |Time |Prot|Signature |Info
-----+----------+----+--------------------------------+----
35467 16:47:09.9 SMB Negotiate Protocol Request
35468 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
35469 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Request
35470 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
35472 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_NEGOTIATE
35473 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
35474 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_AUTH, User: \administrator
35475 16:47:09.9 SMB2 73182d37759c7741ae0caced9ef04185 Session Setup Response
35476 16:47:09.9 SMB2 ec1d8a66ebea6120e5f8c44be2ba0dc4 Tree Connect Request Tree: \\${MY_IP}\IPC$
35477 16:47:09.9 SMB2 ad4572986b7fae36168ea18c87bb8a9b Tree Connect Response
35478 16:47:09.9 SMB2 d31c1cb4e3ca5df3766faf76a3b6da8a Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
35479 16:47:09.9 SMB2 790b171573367693323aa73ddf4de49f Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO
35480 16:47:09.9 SMB2 00000000000000000000000000000000 Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \${MY_IP}\ramdisk
35482 16:47:09.9 SMB2 00000000000000000000000000000000 Ioctl Response, Error: STATUS_FS_DRIVER_REQUIRED
[1] 3.2.4.1.1 Signing the Message
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/973630a8-8aa1-4398-89a8-13cf830f194d
[2] 3.3.5.7 Receiving an SMB2 TREE_CONNECT Request
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/652e0c14-5014-4470-999d-b174d7b2da87
If Connection.Dialect is "3.1.1" and Session.IsAnonymous and
Session.IsGuest are set to FALSE and the request is not signed or not
encrypted, then the server MUST disconnect the connection.
--
Regards,
Jones Syue | 薛懷宗
QNAP Systems, Inc.
More information about the cifs-protocol
mailing list