Fix false positives due to missing start/boot time

SMB field ServerStartTime ['start_time'] of zero should be interpreted as "no time provided", not as the start of the epoch. The field is zeroed out in SMB dialect 3.1.1.
2025-12-06 04:31:29 +00:00 · 2020-12-16 19:19:15 +00:00
parent 003849f795
commit d0cf36c0a7
2 changed files with 22 additions and 15 deletions
--- a/scripts/smb2-vuln-uptime.nse
+++ b/scripts/smb2-vuln-uptime.nse
@@ -115,24 +115,28 @@ local function check_vulns(host, port)
  status, smbstate = smb.start(host)
  status = smb2.negotiate_v2(smbstate, overrides)

-  if status then
-    datetime.record_skew(host, smbstate.time, os.time())
-    stdnse.debug2("SMB2: Date: %s (%s) Start date:%s (%s)",
-                        smbstate['date'], smbstate['time'],
-            smbstate['start_date'], smbstate['start_time'])
-
-    for _, vuln in pairs(ms_vulns) do
-      if smbstate['start_time'] < vuln['disclosure_time'] then
-        stdnse.debug2("Vulnerability detected")
-        vuln.extra_info = string.format("The system hasn't been rebooted since %s", smbstate['start_date'])
-        table.insert(vulns_detected, vuln)
-      end
-    end
-
-  else
+  if not status then
    stdnse.debug2("Negotiation failed")
    return nil, "Protocol negotiation failed (SMB2)"
  end
+
+  datetime.record_skew(host, smbstate.time, os.time())
+  stdnse.debug2("SMB2: Date: %s (%s) Start date:%s (%s)",
+                      smbstate['date'], smbstate['time'],
+          smbstate['start_date'], smbstate['start_time'])
+  if smbstate['start_time'] == 0 then
+    stdnse.debug2("Boot time not provided")
+    return nil, "Boot time not provided"
+  end
+
+  for _, vuln in pairs(ms_vulns) do
+    if smbstate['start_time'] < vuln['disclosure_time'] then
+      stdnse.debug2("Vulnerability detected")
+      vuln.extra_info = string.format("The system hasn't been rebooted since %s", smbstate['start_date'])
+      table.insert(vulns_detected, vuln)
+    end
+  end
+
  return true, vulns_detected
 end