Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SMB Server fails when receiving a malformed query #206

Open
cdelafuente-r7 opened this issue Apr 11, 2022 · 0 comments
Open

SMB Server fails when receiving a malformed query #206

cdelafuente-r7 opened this issue Apr 11, 2022 · 0 comments
Labels
bug

Comments

@cdelafuente-r7
Copy link
Contributor

cdelafuente-r7 commented Apr 11, 2022
edited
Loading

The SMB server fails when a SMBv1 malformed query is received. The examples/list_directory.rb script can be used to reproduce the issue:

ruby examples/list_directory.rb 127.0.0.1 myuser mypasswd public /

This will send \/\* as search pattern and will end up with path equal to // after being parsed. This will break the logic and raise a RuntimeError ("Directory traversal detected..."). Note that Windows returns a STATUS_OBJECT_NAME_INVALID error when it receives the same malformed pattern.

Step to reproduce

  • start the server using the example/file_server.rb script:
ruby examples/file_server.rb --path /path/to/local/dir --no-smbv2 --no-smbv3 --username myuser --password 123456 --share public
  • use the examples/list_directory.rb script:
ruby examples/list_directory.rb 127.0.0.1 myuser 123456 public /

You should see the following stack trace:

D, [2022-04-11T13:30:26.371725 #65281] DEBUG -- : Received SMB_COM_TRANSACTION2 request for share: public
#<Thread:0x00007fae369759a0 /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server.rb:56 run> terminated with exception (report_on_exception is true):
/Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/share/provider/disk/processor.rb:100:in `get_local_path': Directory traversal detected to: / (RuntimeError)
	from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/share/provider/disk/processor/query.rb:177:in `transaction2_smb1_find_first2'
	from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/share/provider/disk/processor/query.rb:19:in `do_transactions2_smb1'
	from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client/share_io.rb:14:in `proxy_share_io_smb1'
	from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:317:in `handle_smb1'
	from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:81:in `handle_smb'
	from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:164:in `block in run'
	from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:153:in `loop'
	from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:153:in `run'
	from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server.rb:56:in `block (2 levels) in run'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cdelafuente-r7