From 4b81a9268154d94df7b12ace8c8b0c61289ea406 Mon Sep 17 00:00:00 2001
From: ron
Date: Thu, 2 Apr 2009 01:14:15 +0000
Subject: [PATCH] Fixed a bug reported where running openssl.encrypt() on an emptys tring would cause an assertion failure. I fixed it by printing a warning message if an empty challenge is encountered and faking out the challenge (if they sent an empty challenge, they're breaking the protocol anyways). This will cause the login to fail, and it will fall back to an anonymous check.
---
 nselib/smbauth.lua | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/nselib/smbauth.lua b/nselib/smbauth.lua
index 7cf97fb31..b72a8c593 100644
--- a/nselib/smbauth.lua
+++ b/nselib/smbauth.lua
@@ -184,8 +184,15 @@ function lm_create_response(lanman, challenge)
 key2 = openssl.DES_string_to_key(str2)
 key3 = openssl.DES_string_to_key(str3)
+ -- Print a warning message if a blank challenge is received, and create a phony challenge. A blank challenge is
+ -- invalid in the protocol, and causes some versions of OpenSSL to abort with no possible error handling.
+ if(challenge == "") then
+ stdnse.print_debug(1, "SMB: ERROR: Server returned invalid (blank) challenge value (should be 8 bytes); failing login to avoid OpenSSL crash.")
+ challenge = "AAAAAAAA"
+ end
+
 -- Encrypt the challenge with each key
- result = openssl.encrypt("DES", key1, nil, challenge) .. openssl.encrypt("DES", key2, nil, challenge) .. openssl.encrypt("DES", key3, nil, challenge)
+ result = openssl.encrypt("DES", key1, nil, challenge) .. openssl.encrypt("DES", key2, nil, challenge) .. openssl.encrypt("DES", key3, nil, challenge)
 return true, result
 end
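Review bot: The new guard `if(challenge == "") then` only catches the empty string, while the debug message it prints says the challenge should be 8 bytes; a `nil` challenge makes the comparison false and still reaches `openssl.encrypt`, and a 1–7 byte value is fed to DES exactly as before the patch. If the protocol really fixes the challenge at 8 bytes, one check covers all of these cases: `if challenge == nil or #challenge ~= 8 then`. Because the function still returns `true, result` after substituting `"AAAAAAAA"`, callers cannot distinguish the faked response from a genuine one; since the commit message says this is deliberate (the login fails and the caller falls back to an anonymous check), that intent belongs in the code comment, e.g. `-- Deliberately answer a phony challenge so the login fails and the caller falls back to an anonymous check.` The start of lm_create_response, where key1 and the str1..str3 inputs are derived, lies above this hunk, and the `stdnse` module is presumably required earlier in the file.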