From 33e9021cbee4c17ee2f11d02b99902a742d77293 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 20 Nov 2019 12:14:52 +1300
Subject: [PATCH] selftest: Test repushing an ntlmssp AUTHENTICATE_MESSAGE

This demonstrates a bug found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X fuzzer where the value() evaluatuion could segfault if it was made to follow a NULL pointer.

This also demonstrates that the --base64 mode works on file inputs.

Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---
 python/samba/tests/blackbox/ndrdump.py | 12 ++
 selftest/knownfail.d/ndrdump-NTLMSSP | 1 +
 .../fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.b64.txt | 1 +
 .../tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt | 134 +++++++++++++++++++++
 4 files changed, 148 insertions(+)
 create mode 100644 selftest/knownfail.d/ndrdump-NTLMSSP
 create mode 100644 source4/librpc/tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.b64.txt
 create mode 100644 source4/librpc/tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt

diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py
index 2736c9c751a..ca637b3ac7b 100644
--- a/python/samba/tests/blackbox/ndrdump.py
+++ b/python/samba/tests/blackbox/ndrdump.py
@@ -198,3 +198,15 @@ dump OK
         except BlackboxProcessError as e:
             self.fail(e)
         self.assertRegex(actual.decode('utf8'), expected + "$")
+
+    def test_ndrdump_fuzzed_ntlmsssp_AUTHENTICATE_MESSAGE(self):
+        expected = open(self.data_path("fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt")).read()
+        try:
+            actual = self.check_output(
+                "ndrdump ntlmssp AUTHENTICATE_MESSAGE struct --base64-input %s --validate" %
+                self.data_path("fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.b64.txt"))
+        except BlackboxProcessError as e:
+            self.fail(e)
+        # check_output will return bytes
+        # convert expected to bytes for python 3
+        self.assertEqual(actual, expected.encode('utf-8'))
diff --git a/selftest/knownfail.d/ndrdump-NTLMSSP b/selftest/knownfail.d/ndrdump-NTLMSSP
new file mode 100644
index 00000000000..40ff0538cda
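Review bot: `expected = open(self.data_path("fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt")).read()` in the new test never closes the file and reads it with the locale's default encoding, while the comparison at the end of the method encodes with 'utf-8'; the two should agree and the handle should be released, e.g. `with open(self.data_path("fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt"), encoding='utf-8') as f:` followed by `expected = f.read()`. The method name `test_ndrdump_fuzzed_ntlmsssp_AUTHENTICATE_MESSAGE` spells ntlmssp with three s's; the same spelling is carried into the knownfail entry added by this patch, so the two must stay in sync if the name is corrected. The hunk's three context lines belong to a method that begins outside the hunk.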
--- /dev/null
+++ b/selftest/knownfail.d/ndrdump-NTLMSSP
@@ -0,0 +1 @@
+samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ntlmsssp_AUTHENTICATE_MESSAGE
\ No newline at end of file
diff --git a/source4/librpc/tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.b64.txt b/source4/librpc/tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.b64.txt
new file mode 100644
index 00000000000..0a10ab03911
--- /dev/null
+++ b/source4/librpc/tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.b64.txt
@@ -0,0 +1 @@
+AA4AAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAzOQAAAAAAAAABAAAAAAAAAAD//gAAAAAAAAAABDMyMTUyMTE1MDI2MzE0Njg3/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+5+T2dekB8vfW3brf3WrDRDczOQAAAAA=
diff --git a/source4/librpc/tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt b/source4/librpc/tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt
new file mode 100644
index 00000000000..8dbe6e6dac2
--- /dev/null
+++ b/source4/librpc/tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt
@@ -0,0 +1,134 @@ +pull returned Success +WARNING! 188 unread bytes +[0000] 04 33 32 31 35 32 31 31 35 30 32 36 33 31 34 36 .3215211 50263146 +[0010] 38 37 FE FE FE FE FE FE FE FE FE FE FE FE FE FE 87...... ........ +[0020] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........ +[0030] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........ +[0040] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........ +[0050] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........ +[0060] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........ +[0070] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........ +[0080] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........ +[0090] FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE ........ ........ +[00A0] FE FE FE FE FE E7 E4 F6 75 E9 01 F2 F7 D6 DD BA ........ u....... +[00B0] DF DD 6A C3 44 37 33 39 00 00 00 00 ..j.D739 .... + AUTHENTICATE_MESSAGE: struct AUTHENTICATE_MESSAGE + Signature : '' + MessageType : UNKNOWN_ENUM_VALUE (0) + LmChallengeResponseLen : 0x0000 (0) + LmChallengeResponseMaxLen: 0x0000 (0) + LmChallengeResponse : NULL + NtChallengeResponseLen : 0x0000 (0) + NtChallengeResponseMaxLen: 0x0000 (0) + NtChallengeResponse : NULL + DomainNameLen : 0x0000 (0) + DomainNameMaxLen : 0x0000 (0) + DomainName : NULL + UserNameLen : 0x0000 (0) + UserNameMaxLen : 0x0001 (1) + UserName : NULL + WorkstationLen : 0x3933 (14643) + WorkstationMaxLen : 0x0000 (0) + Workstation : NULL + EncryptedRandomSessionKeyLen: 0x0100 (256) + EncryptedRandomSessionKeyMaxLen: 0x0000 (0) + EncryptedRandomSessionKey: NULL + NegotiateFlags : 0xfeff0000 (4278124544) + 0: NTLMSSP_NEGOTIATE_UNICODE + 0: NTLMSSP_NEGOTIATE_OEM + 0: NTLMSSP_REQUEST_TARGET + 0: NTLMSSP_NEGOTIATE_SIGN + 0: NTLMSSP_NEGOTIATE_SEAL + 0: NTLMSSP_NEGOTIATE_DATAGRAM + 0: NTLMSSP_NEGOTIATE_LM_KEY + 0: NTLMSSP_NEGOTIATE_NETWARE + 0: NTLMSSP_NEGOTIATE_NTLM + 0: NTLMSSP_NEGOTIATE_NT_ONLY + 0: NTLMSSP_ANONYMOUS + 0: 
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED + 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED + 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL + 0: NTLMSSP_NEGOTIATE_ALWAYS_SIGN + 1: NTLMSSP_TARGET_TYPE_DOMAIN + 1: NTLMSSP_TARGET_TYPE_SERVER + 1: NTLMSSP_TARGET_TYPE_SHARE + 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY + 1: NTLMSSP_NEGOTIATE_IDENTIFY + 1: NTLMSSP_REQUEST_NON_NT_SESSION_KEY + 1: NTLMSSP_NEGOTIATE_TARGET_INFO + 1: NTLMSSP_NEGOTIATE_VERSION + 1: NTLMSSP_NEGOTIATE_128 + 1: NTLMSSP_NEGOTIATE_KEY_EXCH + 1: NTLMSSP_NEGOTIATE_56 + Version: struct ntlmssp_VERSION + ProductMajorVersion : UNKNOWN_ENUM_VALUE (0) + ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0) + ProductBuild : 0x0000 (0) + Reserved: ARRAY(3) + [0] : 0x00 (0) + [1] : 0x00 (0) + [2] : 0x00 (0) + NTLMRevisionCurrent : UNKNOWN_ENUM_VALUE (0) +push returned Success +pull returned Success + AUTHENTICATE_MESSAGE: struct AUTHENTICATE_MESSAGE + Signature : 'NTLMSSP' + MessageType : NtLmAuthenticate (3) + LmChallengeResponseLen : 0x0000 (0) + LmChallengeResponseMaxLen: 0x0000 (0) + LmChallengeResponse : NULL + NtChallengeResponseLen : 0x0000 (0) + NtChallengeResponseMaxLen: 0x0000 (0) + NtChallengeResponse : NULL + DomainNameLen : 0x0000 (0) + DomainNameMaxLen : 0x0000 (0) + DomainName : NULL + UserNameLen : 0x0000 (0) + UserNameMaxLen : 0x0000 (0) + UserName : NULL + WorkstationLen : 0x0000 (0) + WorkstationMaxLen : 0x0000 (0) + Workstation : NULL + EncryptedRandomSessionKeyLen: 0x0000 (0) + EncryptedRandomSessionKeyMaxLen: 0x0000 (0) + EncryptedRandomSessionKey: NULL + NegotiateFlags : 0xfeff0000 (4278124544) + 0: NTLMSSP_NEGOTIATE_UNICODE + 0: NTLMSSP_NEGOTIATE_OEM + 0: NTLMSSP_REQUEST_TARGET + 0: NTLMSSP_NEGOTIATE_SIGN + 0: NTLMSSP_NEGOTIATE_SEAL + 0: NTLMSSP_NEGOTIATE_DATAGRAM + 0: NTLMSSP_NEGOTIATE_LM_KEY + 0: NTLMSSP_NEGOTIATE_NETWARE + 0: NTLMSSP_NEGOTIATE_NTLM + 0: NTLMSSP_NEGOTIATE_NT_ONLY + 0: NTLMSSP_ANONYMOUS + 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED + 0: 
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED + 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL + 0: NTLMSSP_NEGOTIATE_ALWAYS_SIGN + 1: NTLMSSP_TARGET_TYPE_DOMAIN + 1: NTLMSSP_TARGET_TYPE_SERVER + 1: NTLMSSP_TARGET_TYPE_SHARE + 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY + 1: NTLMSSP_NEGOTIATE_IDENTIFY + 1: NTLMSSP_REQUEST_NON_NT_SESSION_KEY + 1: NTLMSSP_NEGOTIATE_TARGET_INFO + 1: NTLMSSP_NEGOTIATE_VERSION + 1: NTLMSSP_NEGOTIATE_128 + 1: NTLMSSP_NEGOTIATE_KEY_EXCH + 1: NTLMSSP_NEGOTIATE_56 + Version: struct ntlmssp_VERSION + ProductMajorVersion : UNKNOWN_ENUM_VALUE (0) + ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0) + ProductBuild : 0x0000 (0) + Reserved: ARRAY(3) + [0] : 0x00 (0) + [1] : 0x00 (0) + [2] : 0x00 (0) + NTLMRevisionCurrent : UNKNOWN_ENUM_VALUE (0) +WARNING! orig bytes:260 validated pushed bytes:72 +WARNING! orig and validated differ at byte 0x00 (0) +WARNING! orig byte[0x00] = 0x00 validated byte[0x00] = 0x4E +dump OK -- 2.11.4.GIT