From d0cf36c0a7f769e688e3be87840f0fc28bcdd6e5 Mon Sep 17 00:00:00 2001
From: nnposter
Date: Wed, 16 Dec 2020 19:19:15 +0000
Subject: [PATCH] Fix false positives due to missing start/boot time

SMB field ServerStartTime ['start_time'] of zero should be interpreted as "no time provided", not as the start of the epoch. The field is zeroed out in SMB dialect 3.1.1.
---
 CHANGELOG | 3 +++
 scripts/smb2-vuln-uptime.nse | 34 +++++++++++++++++++---------------
 2 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 9a8dfe06b..19cd554d1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -32,6 +32,9 @@ o [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most identities that are syntactically incorrect to be hostnames are now ignored. [Michel Le Bihan, nnposter]
+o [NSE] Script smb2-vuln-uptime no longer reports false positives when
+ the target does not provide its boot time. [nnposter]
+
 o [NSE][GH#2197] Client packets composed by the DHCP library will now contain option 51 (IP address lease time) only when requested. [nnposter]
diff --git a/scripts/smb2-vuln-uptime.nse b/scripts/smb2-vuln-uptime.nse
index 632745c31..1840ef121 100644
--- a/scripts/smb2-vuln-uptime.nse
+++ b/scripts/smb2-vuln-uptime.nse
@@ -115,24 +115,28 @@ local function check_vulns(host, port)
 status, smbstate = smb.start(host)
 status = smb2.negotiate_v2(smbstate, overrides)
- if status then
- datetime.record_skew(host, smbstate.time, os.time())
- stdnse.debug2("SMB2: Date: %s (%s) Start date:%s (%s)",
- smbstate['date'], smbstate['time'],
- smbstate['start_date'], smbstate['start_time'])
-
- for _, vuln in pairs(ms_vulns) do
- if smbstate['start_time'] < vuln['disclosure_time'] then
- stdnse.debug2("Vulnerability detected")
- vuln.extra_info = string.format("The system hasn't been rebooted since %s", smbstate['start_date'])
- table.insert(vulns_detected, vuln)
- end
- end
-
- else
+ if not status then
 stdnse.debug2("Negotiation failed")
 return nil, "Protocol negotiation failed (SMB2)"
 end
+
+ datetime.record_skew(host, smbstate.time, os.time())
+ stdnse.debug2("SMB2: Date: %s (%s) Start date:%s (%s)",
+ smbstate['date'], smbstate['time'],
+ smbstate['start_date'], smbstate['start_time'])
+ if smbstate['start_time'] == 0 then
+ stdnse.debug2("Boot time not provided")
+ return nil, "Boot time not provided"
+ end
+
+ for _, vuln in pairs(ms_vulns) do
+ if smbstate['start_time'] < vuln['disclosure_time'] then
+ stdnse.debug2("Vulnerability detected")
+ vuln.extra_info = string.format("The system hasn't been rebooted since %s", smbstate['start_date'])
+ table.insert(vulns_detected, vuln)
+ end
+ end
+
 return true, vulns_detected
 end
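Review bot: The added `if smbstate['start_time'] == 0` guard only catches an exact zero, while the `smbstate['start_time'] < vuln['disclosure_time']` comparison right below it still treats any other non-positive or unparsed value as older than every disclosure date, so a nil or negative start time (for instance a raw FILETIME of zero run through an epoch converter) would still flag every entry in `ms_vulns` and recreate the false positives this commit sets out to remove. Unless negotiate_v2 is known to normalise a missing ServerStartTime to exactly 0, which the hunk cannot confirm, a broader guard costs nothing: `if not smbstate['start_time'] or smbstate['start_time'] <= 0 then`. A one-line comment on why zero is a sentinel would also help the next reader, e.g. `-- SMB 3.1.1 zeroes ServerStartTime: zero means "not provided", not the epoch`. check_vulns begins before this hunk, so `overrides` and `vulns_detected` are declared outside view.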