[jcifs] SmbComNTCreateAndX bug?

Josh Cooper josh.nw at gmail.com
Fri Feb 22 23:22:41 GMT 2008


Hi Michael,

I'm connecting to the srvsvc via a DCE/RPC pipe. I frequently, but not always,
get an error that the response has an invalid signature, even though the
signature is actually correct.

I'm using jcifs-1.2.18e, and connecting to an XP machine. The ACME domain in
which the target machine lives requires NTLM clients to sign messages (as set
through group policy), and I've set the corresponding
jcifs.smb.client.signingPreferred property.

In SmbFile, if CAP_NT_SMBS is true, and this is an instance of SmbNamedPipe,
then we set response.isExtended = true. Then later in AndXServerMessageBlock,
while reading the response, we advance the bufferIndex by 32 if isExtended is
true:

 if( wordCount > 2 ) {
   bufferIndex += readParameterWordsWireFormat( buffer, bufferIndex );
   /* required for signing verification
    */
   if (command == SMB_COM_NT_CREATE_ANDX) {
     if (((SmbComNTCreateAndXResponse)this).isExtended)
       bufferIndex += 32;
   }
 ...

 byteCount = readInt2( buffer, bufferIndex ); bufferIndex += 2;

In my case, it's advancing the bufferIndex to the end of the real SMB data, and
reading 0x3800 as the byteCount. For comparison, Ethereal reports the byteCount
as 0, which jcifs would have done if it hadn't incremented the bufferIndex.

The bufferIndex is then incremented by the byteCount, and the response.length
gets set incorrectly, which throws off signature verification.

I've included the debug output. I can also send you an Ethereal dump if needed.

I think that the problem doesn't happen every time because the end of the SMB
data is sometimes 0, in which case bufferIndex is not incremented by byteCount...

TIA,
Josh

doConnect: 0.0.0.0<00>/192.168.194.131
SmbComNegotiate[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,
flags=0x0018,flags2=0xC007,signSeq=0,tid=0,pid=1824,uid=0,mid=1,wordCount=0,
byteCount=12,wordCount=0,dialects=NT LM 0.12]
New data read: Transport38[0.0.0.0<00>/192.168.194.131:445]
00000: FF 53 4D 42 72 00 00 00 00 98 07 C0 00 00 00 00  | SMBr......└....|
00010: 00 00 00 00 00 00 00 00 00 00 20 07 00 00 01 00  |.......... .....|

byteCount=28 but readBytesWireFormat returned 16
SmbComNegotiateResponse[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,
flags=0x0098,flags2=0xC007,signSeq=0,tid=0,pid=1824,uid=0,mid=1,wordCount=17,
byteCount=28,wordCount=17,dialectIndex=0,securityMode=0xF,security=user,
encryptedPasswords=true,maxMpxCount=10,maxNumberVcs=1,maxBufferSize=4356,
maxRawSize=65536,sessionKey=0x00000000,capabilities=0x0000E3FD,
serverTime=Fri Feb 22 14:36:52 PST 2008,serverTimeZone=480,
encryptionKeyLength=8,byteCount=28,encryptionKey=0xBB9BAEFA6A4C756A,
oemDomainName=ACME]
NodeStatusRequest[nameTrnId=38,isResponse=false,opCode=QUERY,isAuthAnswer=false,
isTruncated=false,isRecurAvailable=false,isRecurDesired=false,isBroadcast=false,
resultCode=0,questionCount=1,answerCount=0,authorityCount=0,additionalCount=0,
questionName=*              <00>,questionType=0x0021,questionClass=IN,
recordName=null,recordType=0x0000,recordClass=0x0000,ttl=0,rDataLength=0]
00000: 00 26 00 00 00 01 00 00 00 00 00 00 20 43 4B 41  |.&.......... CKA|
00010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00020: 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  |AAAAAAAAAAAAA..!|
00030: 00 01                                            |..              |

NetBIOS: new data read from socket
NodeStatusResponse[nameTrnId=38,isResponse=true,opCode=QUERY,isAuthAnswer=true,
isTruncated=false,isRecurAvailable=false,isRecurDesired=false,isBroadcast=false,
resultCode=0,questionCount=0,answerCount=1,authorityCount=0,additionalCount=0,
questionName=null,questionType=0x0000,questionClass=IN,
recordName=*              <00>,recordType=0x0021,recordClass=IN,ttl=0,
rDataLength=155]
00000: 00 26 84 00 00 00 00 01 00 00 00 00 20 43 4B 41  |.&.......... CKA|
00010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00020: 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  |AAAAAAAAAAAAA..!|
00030: 00 01 00 00 00 00 00 9B 06 4A 43 58 50 20 20 20  |.........JCXP   |
00040: 20 20 20 20 20 20 20 20 00 44 00 41 43 4D 45 20  |        .D.ACME |
00050: 20 20 20 20 20 20 20 20 20 20 00 C4 00 4A 43 58  |          .─.JCX|
00060: 50 20 20 20 20 20 20 20 20 20 20 20 03 44 00 4A  |P           .D.J|
00070: 43 58 50 20 20 20 20 20 20 20 20 20 20 20 20 44  |CXP            D|
00080: 00 41 43 4D 45 20 20 20 20 20 20 20 20 20 20 20  |.ACME           |
00090: 1E C4 00 4A 43 4F 4F 50 45 52 20 20 20 20 20 20  |.─.JCOOPER      |
000A0: 20 20 03 44 00 00 0C 29 92 39 62 00 00 00 00 00  |  .D...).9b.....|
000B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
000C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
000E0: 00 00 00 00 30                                   |....0           |

treeConnect: unc=\\JCXP\IPC$,service=?????
sessionSetup: accountName=jcooper,primaryDomain=ACME
LM_COMPATIBILITY=2
00000: 6B EC 28 9B 9B 36 4D 62 03 18 1D A2 35 B6 B8 EC  |k∞(..6Mb...ó5╢╕∞|
00010: 90 C7 D2 B2 0B 8E B6 34 E6 32 BC 70 E4 13 52 14  |.╟╥▓..╢4µ2╝pΣ.R.|
00020: 15 D7 73 0C 98 A5 FC D8                          |.╫s..Ñⁿ╪        |

update: 0 0:40
00000: 6B EC 28 9B 9B 36 4D 62 03 18 1D A2 35 B6 B8 EC  |k∞(..6Mb...ó5╢╕∞|
00010: 90 C7 D2 B2 0B 8E B6 34 E6 32 BC 70 E4 13 52 14  |.╟╥▓..╢4µ2╝pΣ.R.|
00020: 15 D7 73 0C 98 A5 FC D8                          |.╫s..Ñⁿ╪        |

update: 1 4:212
00000: FF 53 4D 42 73 00 00 00 00 18 07 C0 00 00 00 00  | SMBs......└....|
00010: 00 00 00 00 00 00 00 00 00 00 20 07 00 00 02 00  |.......... .....|
00020: 0D 75 00 AA 00 04 11 0A 00 01 00 00 00 00 00 18  |.u.¬............|
00030: 00 18 00 00 00 00 00 54 00 00 00 6D 00 90 C7 D2  |.......T...m..╟╥|
00040: B2 0B 8E B6 34 E6 32 BC 70 E4 13 52 14 15 D7 73  |▓..╢4µ2╝pΣ.R..╫s|
00050: 0C 98 A5 FC D8 90 C7 D2 B2 0B 8E B6 34 E6 32 BC  |..Ñⁿ╪.╟╥▓..╢4µ2╝|
00060: 70 E4 13 52 14 15 D7 73 0C 98 A5 FC D8 00 6A 00  |pΣ.R..╫s..Ñⁿ╪.j.|
00070: 63 00 6F 00 6F 00 70 00 65 00 72 00 00 00 41 00  |c.o.o.p.e.r...A.|
00080: 43 00 4D 00 45 00 00 00 57 00 69 00 6E 00 64 00  |C.M.E...W.i.n.d.|
00090: 6F 00 77 00 73 00 20 00 58 00 50 00 00 00 6A 00  |o.w.s. .X.P...j.|
000A0: 43 00 49 00 46 00 53 00 00 00 04 FF 00 DE DE 00  |C.I.F.S.... .▐▐.|
000B0: 00 01 00 1F 00 00 5C 00 5C 00 4A 00 43 00 58 00  |......\.\.J.C.X.|
000C0: 50 00 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F  |P.\.I.P.C.$...??|
000D0: 3F 3F 3F 00                                      |???.            |

digest:
00000: 9B 8A B5 42 02 99 5E 1E C7 31 B3 D1 7E 54 90 15  |..╡B..^.╟1│╤~T..|

SmbComSessionSetupAndX[command=SMB_COM_SESSION_SETUP_ANDX,received=false,
errorCode=0,flags=0x0018,flags2=0xC007,signSeq=0,tid=0,pid=1824,uid=0,mid=2,
wordCount=13,byteCount=109,andxCommand=0x75,andxOffset=170,snd_buf_size=4356,
maxMpxCount=10,VC_NUMBER=1,sessionKey=0,passwordLength=24,
unicodePasswordLength=24,capabilities=84,accountName=jcooper,
primaryDomain=ACME,NATIVE_OS=Windows XP,NATIVE_LANMAN=jCIFS]
SmbComTreeConnectAndX[command=SMB_COM_TREE_CONNECT_ANDX,received=false,
errorCode=0,flags=0x0018,flags2=0x0000,signSeq=0,tid=0,pid=1824,uid=0,mid=0,
wordCount=4,byteCount=31,andxCommand=0xFF,andxOffset=0,disconnectTid=false,
passwordLength=1,password=,path=\\JCXP\IPC$,service=?????]
New data read: Transport38[JCXP<00>/192.168.194.131:445]
00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 23 6F  | SMBs......└..#o|
00010: A9 2B 57 6B 0D 56 00 00 00 08 20 07 00 08 02 00  |⌐+Wk.V.... .....|

SmbComSessionSetupAndXResponse[command=SMB_COM_SESSION_SETUP_ANDX,
received=false,errorCode=0,flags=0x0098,flags2=0xC007,signSeq=1,tid=2048,
pid=1824,uid=2048,mid=2,wordCount=3,byteCount=84,andxCommand=0x75,
andxOffset=125,isLoggedInAsGuest=false,nativeOs=Windows 5.1,
nativeLanMan=Windows 2000 LAN Manager,primaryDomain=ACME]
open0: \srvsvc
update: 0 0:40
00000: 6B EC 28 9B 9B 36 4D 62 03 18 1D A2 35 B6 B8 EC  |k∞(..6Mb...ó5╢╕∞|
00010: 90 C7 D2 B2 0B 8E B6 34 E6 32 BC 70 E4 13 52 14  |.╟╥▓..╢4µ2╝pΣ.R.|
00020: 15 D7 73 0C 98 A5 FC D8                          |.╫s..Ñⁿ╪        |

update: 1 4:100
00000: FF 53 4D 42 A2 00 00 00 00 18 07 C0 00 00 02 00  | SMBó......└....|
00010: 00 00 00 00 00 00 00 00 00 08 20 07 00 08 03 00  |.......... .....|
00020: 18 FF 00 DE DE 00 0E 00 16 00 00 00 00 00 00 00  |. .▐▐...........|
00030: 9F 01 02 00 00 00 00 00 00 00 00 00 80 00 00 00  |................|
00040: 07 00 00 00 01 00 00 00 40 00 00 00 02 00 00 00  |........ at .......|
00050: 03 11 00 00 5C 00 73 00 72 00 76 00 73 00 76 00  |....\.s.r.v.s.v.|
00060: 63 00 00 00                                      |c...            |

digest:
00000: 38 FE EE 26 CD F2 5D 34 13 6B 0D 6C D7 B5 9F 4F  |8■ε&═≥]4.k.l╫╡.O|

SmbComNTCreateAndX[command=SMB_COM_NT_CREATE_ANDX,received=false,errorCode=0,
flags=0x0018,flags2=0xC007,signSeq=2,tid=2048,pid=1824,uid=2048,mid=3,
wordCount=24,byteCount=17,andxCommand=0xFF,andxOffset=0,flags=0x16,
rootDirectoryFid=0,desiredAccess=0x019F,allocationSize=0,
extFileAttributes=0x0080,shareAccess=0x0007,createDisposition=0x0001,
createOptions=0x00000040,impersonationLevel=0x0002,securityFlags=0x03,
name=\srvsvc]
New data read: Transport38[JCXP<00>/192.168.194.131:445]
00000: FF 53 4D 42 A2 00 00 00 00 98 07 C0 00 00 B0 2C  | SMBó......└..░,|
00010: 41 66 51 5A 3E 84 00 00 00 08 20 07 00 08 03 00  |AfQZ>..... .....|

update: 0 0:40
00000: 6B EC 28 9B 9B 36 4D 62 03 18 1D A2 35 B6 B8 EC  |k∞(..6Mb...ó5╢╕∞|
00010: 90 C7 D2 B2 0B 8E B6 34 E6 32 BC 70 E4 13 52 14  |.╟╥▓..╢4µ2╝pΣ.R.|
00020: 15 D7 73 0C 98 A5 FC D8                          |.╫s..Ñⁿ╪        |

update: 1 4:14
00000: FF 53 4D 42 A2 00 00 00 00 98 07 C0 00 00        | SMBó......└..  |

update: 2 0:8
00000: 03 00 00 00 00 00 00 00                          |........        |

update: 3 26:14449
00000: 00 00 00 08 20 07 00 08 03 00 2A FF 00 87 00 00  |.... .....* ....|
00010: 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00  |. at ..............|
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00030: 00 00 00 00 00 00 80 00 00 00 00 10 00 00 00 00  |................|
00040: 00 00 00 00 00 00 00 00 00 00 02 00 FF 05 00 00  |............ ...|
00050: 00 00 01 00 4A 9D DC 00 10 00 00 00 00 00 00 00  |....J.▄.........|
00060: 10 00 00 00 31 00 39 FF 01 1F 00 9B 01 12 00 00  |....1.9 ........|
00070: 38 50 43 00 00 00 6E 00 64 00 6F 00 77 00 73 00  |8PC...n.d.o.w.s.|
00080: 20 00 58 00 50 00 00 00 6A 00 43 00 49 00 46 00  | .X.P...j.C.I.F.|
00090: 53 00 00 00 04 FF 00 DE DE 00 00 01 00 1F 00 00  |S.... .▐▐.......|
000A0: 5C 00 5C 00 4A 00 43 00 58 00 50 00 5C 00 49 00  |\.\.J.C.X.P.\.I.|
000B0: 50 00 43 00 24 00 00 00 3F 3F 3F 3F 3F 00 69 00  |P.C.$...?????.i.|
000C0: 67 00 6E 00 61 00 63 00 6C 00 69 00 65 00 6E 00  |g.n.a.c.l.i.e.n.|
000D0: 74 00 5C 00 72 00 65 00 6D 00 6F 00 74 00 65 00  |t.\.r.e.m.o.t.e.|
000E0: 5C 00 77 00 69 00 6E 00 6C 00 61 00 75 00 6E 00  |\.w.i.n.l.a.u.n.|
000F0: 63 00 68 00 65 00 72 00 2E 00 65 00 78 00 65 00  |c.h.e.r...e.x.e.|

digest:
00000: D4 E2 CD 5D 03 44 BC 1C A3 55 55 38 8A F0 5D A4  |╘Γ═].D╝.úUU8.≡]ñ|

signature verification failure
00000: D4 E2 CD 5D 03 44 BC 1C                          |╘Γ═].D╝.        |

00000: B0 2C 41 66 51 5A 3E 84                          |░,AfQZ>.        |

SmbComNTCreateAndXResponse[command=SMB_COM_NT_CREATE_ANDX,received=false,
errorCode=0,flags=0x0098,flags2=0xC007,signSeq=3,tid=2048,pid=1824,
uid=2048,mid=3,wordCount=42,byteCount=14336,andxCommand=0xFF,
andxOffset=135,oplockLevel=0,fid=16384,createAction=0x0001,
creationTime=Sun Dec 31 16:00:00 PST 1600,
lastAccessTime=Sun Dec 31 16:00:00 PST 1600,
lastWriteTime=Sun Dec 31 16:00:00 PST 1600,
changeTime=Sun Dec 31 16:00:00 PST 1600,
extFileAttributes=0x0080,allocationSize=4096,endOfFile=0,fileType=2,
deviceState=1535,directory=false] 
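Added example, not jcifs code and not from the post above: a small Python model of the parse walk in AndXServerMessageBlock and of SMB1 signing as the trace shows it (MD5 over the 40-byte MAC key, then the message with the sequence number written into the signature field, truncated to 8 bytes). Everything it feeds itself is constructed: the responses, the MAC key, and the stale receive-buffer bytes, into which the value 0x3800 is placed deliberately to echo the byteCount in the trace. BASE_PARAM_LEN = 68 is an assumption that jcifs's parameter-word reader consumes the AndX block plus the 34 base words of the response, and the 32-byte skip is the one in the quoted code. The point it demonstrates is the cross-check that tells a length-parsing bug apart from a real signing failure: compare the length the parser computed with the length the NetBIOS session layer delivered before trusting the signature result.

```python
import hashlib
import struct

SMB_HEADER_LEN = 32
SIG_OFFSET = 14                  # 8-byte SecuritySignature field inside the SMB header
SMB_COM_NT_CREATE_ANDX = 0xA2
BASE_PARAM_LEN = 68              # assumed: AndX block (4) + 34 base words (64) read by jcifs
EXTENDED_EXTRA = 32              # the skip applied for the extended response in the quoted code


def smb1_sign(signing_key, msg, seq):
    """SMB1 signature: MD5(key || msg with the sequence number in the signature
    field)[:8]. A pure function, so the same call both creates and checks."""
    seq_field = struct.pack("<II", seq, 0)
    to_hash = msg[:SIG_OFFSET] + seq_field + msg[SIG_OFFSET + 8:]
    return hashlib.md5(signing_key + to_hash).digest()[:8]


def build_response(param_len, seq, signing_key):
    """Constructed NT_CREATE_ANDX response: wordCount 0x2A as in the trace,
    `param_len` parameter bytes, byteCount = 0, then a valid signature."""
    hdr = bytearray(SMB_HEADER_LEN)
    hdr[0:4] = b"\xffSMB"
    hdr[4] = SMB_COM_NT_CREATE_ANDX
    hdr[9] = 0x98                                # flags: server response
    struct.pack_into("<H", hdr, 10, 0xC007)      # flags2, signing bit set
    msg = bytes(hdr) + bytes([0x2A]) + bytes(param_len) + struct.pack("<H", 0)
    sig = smb1_sign(signing_key, msg, seq)
    return msg[:SIG_OFFSET] + sig + msg[SIG_OFFSET + 8:]


def parse_length(buf, params_consumed, extended_skip=0):
    """Mirror the walk in the quoted code: header, wordCount, the parameter
    words the reader consumed, the optional extended skip, then byteCount.
    Returns (byte_count, computed message length)."""
    idx = SMB_HEADER_LEN + 1                     # past the wordCount byte
    idx += params_consumed + extended_skip
    byte_count = struct.unpack_from("<H", buf, idx)[0]
    idx += 2
    return byte_count, idx + byte_count


def verify(buf, nbt_len, signing_key, seq, params_consumed, extended_skip):
    """Check the signature over the parsed length, but report a length that
    disagrees with the NetBIOS session length as a parse problem rather than
    as a signing failure. Returns (status, parsed_length, signature_matches)."""
    _, length = parse_length(buf, params_consumed, extended_skip)
    expected = smb1_sign(signing_key, buf[:length], seq)   # slicing clamps past the buffer end
    sig_ok = expected == buf[SIG_OFFSET:SIG_OFFSET + 8]
    if length != nbt_len:
        return "length mismatch", length, sig_ok
    return ("ok" if sig_ok else "bad signature"), length, sig_ok


def demo():
    key = bytes(range(40))                       # constructed 40-byte MAC key
    seq = 3
    # Constructed stale bytes left in the receive buffer by earlier messages;
    # the 00 38 pair is placed where the over-advanced index will read byteCount.
    stale = bytes([0x41] * 30) + b"\x00\x38" + b"Windows XP\x00jCIFS\x00" * 6

    # A: 100 parameter bytes; consuming 68 and skipping 32 lands on the real byteCount.
    ext = build_response(BASE_PARAM_LEN + EXTENDED_EXTRA, seq, key)
    a = verify(ext + stale, len(ext), key, seq, BASE_PARAM_LEN, EXTENDED_EXTRA)

    # B: only 68 parameter bytes, yet parsed with the 32-byte skip: byteCount is
    # read out of the stale bytes (0x3800) and the signed region balloons.
    base = build_response(BASE_PARAM_LEN, seq, key)
    b = verify(base + stale, len(base), key, seq, BASE_PARAM_LEN, EXTENDED_EXTRA)

    # C: the same buffer without the skip: length matches and the signature verifies.
    c = verify(base + stale, len(base), key, seq, BASE_PARAM_LEN, 0)
    return a, b, c


if __name__ == "__main__":
    for label, result in zip("ABC", demo()):
        print(label, result)
```

The length comparison is the check worth keeping in a real client: a signature computed over more bytes than the transport delivered can never match, so logging "parsed length N, NetBIOS length M" on a verification failure points straight at the parser rather than at the keys or the sequence numbers.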
