Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 11:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix for an issue with GSSAPI mech_token from Florent Monjalet

Browse source 
From Florent's patch:
Previously, the ASN1EncodingMeta was in the NTLM_SSP_Token; this broke the
NTLM decoding when used directly with DCE-RPC. NTLM now works on DCE-RPC
and should work properly on other layers in the future (e.g. HTTP
Authentication data).
This commit is contained in:
Seth Hall 2016-07-07 13:03:33 -04:00
parent 5c744fa0c9
commit c31c0ed2e2
3 changed files with 9 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/analyzer/protocol/gssapi/gssapi-analyzer.pac
View file

@ -36,12 +36,11 @@ refine connection GSSAPI_Conn += {
%} %}
} }
refine typeattr GSSAPI_NEG_TOKEN_INIT_Arg_Data += &let { refine typeattr GSSAPI_NEG_TOKEN_MECH_TOKEN += &let {
fwd: bool = $context.connection.forward_ntlm(mech_token, true) &if(index==2); fwd: bool = $context.connection.forward_ntlm(mech_token, is_orig);
}; };
refine typeattr GSSAPI_NEG_TOKEN_RESP_Arg += &let { refine typeattr GSSAPI_NEG_TOKEN_RESP_Arg += &let {
proc: bool = $context.connection.proc_gssapi_neg_result(this) &if(seq_meta.index==0); proc: bool = $context.connection.proc_gssapi_neg_result(this) &if(seq_meta.index==0);
fwd: bool = $context.connection.forward_ntlm(response_token, false) &if(seq_meta.index==2);
}; };

9
src/analyzer/protocol/gssapi/gssapi-protocol.pac
View file

@ -30,7 +30,7 @@ type GSSAPI_NEG_TOKEN_INIT_Arg = record {
type GSSAPI_NEG_TOKEN_INIT_Arg_Data(index: uint8) = case index of { type GSSAPI_NEG_TOKEN_INIT_Arg_Data(index: uint8) = case index of {
0 -> mech_type_list : ASN1Encoding; 0 -> mech_type_list : ASN1Encoding;
1 -> req_flags : ASN1Encoding; 1 -> req_flags : ASN1Encoding;
2 -> mech_token : bytestring &restofdata; 2 -> mech_token : GSSAPI_NEG_TOKEN_MECH_TOKEN(true);
3 -> mech_list_mic : ASN1OctetString; 3 -> mech_list_mic : ASN1OctetString;
}; };
@ -44,7 +44,12 @@ type GSSAPI_NEG_TOKEN_RESP_Arg = record {
args : case seq_meta.index of { args : case seq_meta.index of {
0 -> neg_state : ASN1Integer; 0 -> neg_state : ASN1Integer;
1 -> supported_mech : ASN1Encoding; 1 -> supported_mech : ASN1Encoding;
2 -> response_token : bytestring &restofdata; 2 -> response_token : GSSAPI_NEG_TOKEN_MECH_TOKEN(false);
3 -> mech_list_mic : ASN1OctetString; 3 -> mech_list_mic : ASN1OctetString;
} &length=seq_meta.length; } &length=seq_meta.length;
}; };
type GSSAPI_NEG_TOKEN_MECH_TOKEN(is_orig: bool) = record {
meta : ASN1EncodingMeta;
mech_token : bytestring &length=meta.length;
};

1
src/analyzer/protocol/ntlm/ntlm-protocol.pac
View file

@ -1,6 +1,5 @@
type NTLM_SSP_Token(is_orig: bool) = record { type NTLM_SSP_Token(is_orig: bool) = record {
meta : ASN1EncodingMeta;
signature : bytestring &length=8; signature : bytestring &length=8;
msg_type : uint32; msg_type : uint32;
msg : case msg_type of { msg : case msg_type of {