[jcifs] Type1Message with no domain and workstation

michaelc michaelc at idssoftware.com
Wed Jun 16 20:01:48 MDT 2010


Hi,

Wireshark 1.2.8 shows that when Firefox 3.5 uses SSL Tunneling to CONNECT via
Microsoft ISA 2006, it sends a Type1 Message with no domain and workstation.
However, the security buffers do exist for these two fields, making the total
size of the NTLMSSP 32 bytes. This behavior is also confirmed by this
article (right before the Type1 Message Exception):

  http://davenport.sourceforge.net/ntlm.html#theType1Message

The current 1.3.14 release of jCIFS will send a malformed Type1Message if its
constructor is like this:

  message = new Type1Message(0, null, "");

This message is only 16 bytes long, with the two security buffers omitted
altogether. The Wireshark folks deem this NTLMSSP message malformed.

It is time to move away from this Windows 95/98 style malformed Type1 message.
Above is the fix (a great example of less is more). I can't paste the diff
as is unless changing > to - and < to + to get around the "You seem to be
top-posting. Don't do that."

--Michael

$ diff jcifs/ntlmssp/Type1Message.java
../../../jcifs_1.3.14/src/jcifs/ntlmssp/Type1Message.java
131a132
-             boolean hostInfo = false;
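Review bot: the diff command above names the modified file first and the 1.3.14 source second, so this hunk's header says `a` (add) while its hand-marked line is a removal, and the same mismatch runs through every hunk; `patch` will not apply it as posted. Regenerating with `diff -u` from the 1.3.14 file to the modified one would give standard +/- markers without manual editing of the `<` and `>` lines.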
133a135
-                 hostInfo = true;
142a145
-                 hostInfo = true;
151c154,155
+             byte[] type1 = new byte[32 + domain.length + workstation.length];
---
-             byte[] type1 = new byte[hostInfo ?
-                     (32 + domain.length + workstation.length) : 16];
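Review bot: the new allocation reads `domain.length` and `workstation.length` on every call, where the removed lines only did so when `hostInfo` was set. The hunks do not show how the two arrays are initialised, so please confirm both are non-null (zero-length when nothing is supplied) for the `new Type1Message(0, null, "")` case; otherwise this line throws a NullPointerException.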
155,156c159,162
+             writeSecurityBuffer(type1, 16, 32, domain);
+             writeSecurityBuffer(type1, 24, 32 + domain.length, workstation);
---
-             if (hostInfo) {
-                 writeSecurityBuffer(type1, 16, 32, domain);
-                 writeSecurityBuffer(type1, 24, 32 + domain.length,
  workstation);
-             }
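Review bot: with both fields empty, the two unconditional `writeSecurityBuffer` calls write zero-length buffers whose offset is 32, which equals the total message length, and nothing in the patch pins that behaviour down. A regression test asserting that the serialized message for `new Type1Message(0, null, "")` is 32 bytes long, with both buffer lengths 0, would keep the 16-byte form from coming back.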

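The two layouts described in this message, as an added example that is not part of the original post and is not jCIFS code: a stand-alone Java class that builds a Type 1 message with both security buffers always present and reports the 16-byte form as lacking them. The class and method names are hypothetical, and the sample messages are constructed; the buffer positions (16 and 24, data from 32) are the ones used in the diff above.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Added example, not jCIFS code: builds and checks the NTLM Type 1 layout. */
public class Type1LayoutCheck {
    static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Returns "ok" or a description of the first layout problem found. */
    static String check(byte[] msg) {
        if (msg.length < 16) return "shorter than signature + type + flags";
        if (!Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE)) return "bad signature";
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (b.getInt(8) != 1) return "not a Type 1 message";
        if (msg.length < 32) return "security buffers omitted";
        String[] names = {"domain", "workstation"};
        for (int i = 0; i < 2; i++) {
            int at = 16 + 8 * i;                        // buffers sit at 16 and 24
            int len = b.getShort(at) & 0xffff;
            int max = b.getShort(at + 2) & 0xffff;
            long off = b.getInt(at + 4) & 0xffffffffL;  // from start of message
            if (max < len) return names[i] + ": allocated < length";
            // Empty buffers carry no data, so only non-empty ones are bounds-checked.
            if (len > 0 && (off < 32 || off + len > msg.length))
                return names[i] + ": data out of bounds";
        }
        return "ok";
    }

    /** Builds a Type 1 message that always carries both security buffers. */
    static byte[] build(int flags, byte[] domain, byte[] workstation) {
        ByteBuffer b = ByteBuffer.allocate(32 + domain.length + workstation.length)
                .order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIGNATURE).putInt(1).putInt(flags);
        b.putShort((short) domain.length).putShort((short) domain.length).putInt(32);
        b.putShort((short) workstation.length).putShort((short) workstation.length)
                .putInt(32 + domain.length);
        b.put(domain).put(workstation);
        return b.array();
    }

    public static void main(String[] args) {
        byte[] full = build(0, new byte[0], new byte[0]);   // constructed sample
        byte[] shortForm = Arrays.copyOf(full, 16);         // constructed 16-byte form
        System.out.println(full.length + " bytes: " + check(full));
        System.out.println(shortForm.length + " bytes: " + check(shortForm));
    }
}
```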


