mirror of https://github.com/nmap/nmap.git synced 2025-12-09 06:01:28 +00:00

Fixed a reported bug where running openssl.encrypt() on an empty string would cause an assertion failure. I fixed it by printing a warning message if an empty challenge is encountered and faking out the challenge (if they sent an empty challenge, they're breaking the protocol anyway). This will cause the login to fail, and it will fall back to an anonymous check.

ron
2009-04-02 01:14:15 +00:00
parent 46695b1a60
commit 4b81a92681


@@ -184,8 +184,15 @@ function lm_create_response(lanman, challenge)
key2 = openssl.DES_string_to_key(str2)
key3 = openssl.DES_string_to_key(str3)
-- Print a warning message if a blank challenge is received, and create a phony challenge. A blank challenge is
-- invalid in the protocol, and causes some versions of OpenSSL to abort with no possible error handling.
if(challenge == "") then
stdnse.print_debug(1, "SMB: ERROR: Server returned invalid (blank) challenge value (should be 8 bytes); failing login to avoid OpenSSL crash.")
challenge = "AAAAAAAA"
end
-- Encrypt the challenge with each key
result = openssl.encrypt("DES", key1, nil, challenge) .. openssl.encrypt("DES", key2, nil, challenge) .. openssl.encrypt("DES", key3, nil, challenge)
result = openssl.encrypt("DES", key1, nil, challenge) .. openssl.encrypt("DES", key2, nil, challenge) .. openssl.encrypt("DES", key3, nil, challenge)
return true, result
end
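Review bot: The guard `if(challenge == "")` catches only a blank challenge, although the debug message itself says the value should be 8 bytes; a nil challenge or a server-supplied value of any other length still reaches the three `openssl.encrypt("DES", ...)` calls unchecked. Because the challenge originates from the remote server, I would validate the length instead, e.g. `if(challenge == nil or #challenge ~= 8) then`, keeping the same warning and phony-challenge fallback. Whether a non-empty wrong-length value also triggers the OpenSSL abort is not visible here, so treat this as hardening rather than a confirmed crash. lm_create_response begins above the hunk, so how `challenge` is obtained and whether callers already check it cannot be seen from these lines.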