Skip to content
52 changes: 46 additions & 6 deletions nasl/nasl_crypto.c
Original file line number Diff line number Diff line change
Expand Up @@ -254,9 +254,21 @@ nasl_get_sign (lex_ctxt *lexic)
"buflen:<bl>, seq_number:<s>)\n");
return NULL;
}
if (buflen != get_var_size_by_name (lexic, "buf") || buflen < 26)
{
nasl_perror (lexic, "OOB read/write\n");
return NULL;
}

uint8_t calc_md5_mac[16];
simple_packet_signature_ntlmssp ((uint8_t *) mac_key, buf, seq_num,
calc_md5_mac);
if (simple_packet_signature_ntlmssp ((uint8_t *) mac_key, buf,
(size_t) buflen, seq_num, calc_md5_mac)
!= 0)
{
nasl_perror (lexic, "get_signature: OOB read\n");
return NULL;
}

memcpy (buf + 18, calc_md5_mac, 8);
char *ret = g_malloc0 (buflen);
memcpy (ret, buf, buflen);
Expand Down Expand Up @@ -529,6 +541,19 @@ nasl_ntlmv2_response (lex_ctxt *lexic)
"ntlmv2_hash:<n>, address_list:<a>, address_list_len:<len>)\n");
return NULL;
}

if (address_list_len <= get_var_size_by_name (lexic, "address_list"))
{
nasl_perror (lexic, "ntlmv2_response: address_list and address_list_len "
"have different sized\n");
return NULL;
}
if (address_list_len > UINT16_MAX)
{
nasl_perror (lexic,
"ntlmv2_response: address_list_len exceed Max lenght\n");
return NULL;
}
uint8_t lm_response[24];
uint8_t nt_response[16 + 28 + address_list_len];
uint8_t session_key[16];
Expand Down Expand Up @@ -675,6 +700,8 @@ nasl_ntlmv1_hash (lex_ctxt *lexic)

if (pass_len < 16)
pass_len = 16;
if (pass_len > 21)
pass_len = 21;

bzero (p21, sizeof (p21));
memcpy (p21, password, pass_len);
Expand Down Expand Up @@ -887,17 +914,30 @@ nasl_ntlmv2_hash (lex_ctxt *lexic)

/* NTLMv2 */

/* We also get to specify some random data */
/* We also get to specify some random data.
To avoid DoS we set an uper limit for client chal length.
At the moment of fixing this, the max lenght used in a nasl script is 64.
*/
if (client_chal_length > 4096)
{
nasl_perror (lexic, "Length to big. Max is 4096\n");
return NULL;
}

ntlmv2_client_data = g_malloc0 (client_chal_length);
for (i = 0; i < client_chal_length; i++)
ntlmv2_client_data[i] = rand () % 256;

if (hash_len != 16)
nasl_perror (lexic, "owf_in must have a length of 16\n");
{
nasl_perror (lexic, "owf_in must have a length of 16\n");
return NULL;
}

/* Given that data, and the challenge from the server, generate a response */
SMBOWFencrypt_ntv2_ntlmssp (ntlm_v2_hash, server_chal, 8, ntlmv2_client_data,
client_chal_length, ntlmv2_response);
SMBOWFencrypt_ntv2_ntlmssp (
ntlm_v2_hash, server_chal, get_var_size_by_name (lexic, "cryptkey"),
ntlmv2_client_data, client_chal_length, ntlmv2_response);

/* put it into nt_response, for the code below to put into the packet */
final_response = g_malloc0 (client_chal_length + sizeof (ntlmv2_response));
Expand Down
2 changes: 1 addition & 1 deletion nasl/nasl_http2.c
Original file line number Diff line number Diff line change
Expand Up @@ -355,7 +355,7 @@ _http2_req (lex_ctxt *lexic, KEYWORD keyword)
}
if (ua)
{
curl_easy_setopt (handle, CURLOPT_USERAGENT, g_strdup (url->str));
curl_easy_setopt (handle, CURLOPT_USERAGENT, g_strdup (ua));
g_free (ua);
}

Expand Down
15 changes: 13 additions & 2 deletions nasl/nasl_packet_forgery.c
Original file line number Diff line number Diff line change
Expand Up @@ -370,9 +370,9 @@ insert_ip_options (lex_ctxt *lexic)
int pad_len;
char zero = '0';
int i;
int hl;
size_t hl;

if (ip == NULL)
if (ip == NULL || value == NULL)
{
nasl_perror (lexic, "Usage : insert_ip_options(ip:<ip>, code:<code>, "
"length:<len>, value:<value>\n");
Expand All @@ -384,7 +384,11 @@ insert_ip_options (lex_ctxt *lexic)
pad_len = 0;

hl = ip->ip_hl * 4 < UNFIX (ip->ip_len) ? ip->ip_hl * 4 : UNFIX (ip->ip_len);
if (hl > size)
return NULL; // malformed.

new_packet = g_malloc0 (size + 4 + value_size + pad_len);

bcopy (ip, new_packet, hl);

uc_code = (u_char) code;
Expand Down Expand Up @@ -898,6 +902,13 @@ get_tcp_option (lex_ctxt *lexic)
ip = (struct ip *) packet;

ipsz = get_var_size_by_name (lexic, "tcp");
if (ipsz < (int) sizeof (struct ip))
return NULL;

// check that ip + tcp is bigger that the original packet
if (ip->ip_hl * 4 + 20 > ipsz)
return NULL;

// ip header length is given in 32 bits words = 4 bytes.
if (ip->ip_hl * 4 > ipsz)
return NULL; /* Invalid packet */
Expand Down
14 changes: 12 additions & 2 deletions nasl/nasl_packet_forgery_v6.c
Original file line number Diff line number Diff line change
Expand Up @@ -407,9 +407,9 @@ insert_ip_v6_options (lex_ctxt *lexic)
int pad_len;
char zero = '0';
int i;
int pl;
size_t pl;

if (ip6 == NULL)
if (ip6 == NULL && value == NULL)
{
nasl_perror (lexic,
"Usage : %s(ip6:<ip6>, code:<code>, "
Expand All @@ -423,6 +423,10 @@ insert_ip_v6_options (lex_ctxt *lexic)
pad_len = 0;

pl = 40 < UNFIX (ip6->ip6_plen) ? 40 : UNFIX (ip6->ip6_plen);

if (pl > size)
return NULL; // malformed packet.

new_packet = g_malloc0 (size + 4 + value_size + pad_len);
bcopy (ip6, new_packet, pl);

Expand Down Expand Up @@ -863,6 +867,12 @@ get_tcp_v6_option (lex_ctxt *lexic)

/* valid ipv6 header check */
ipsz = get_var_size_by_name (lexic, "tcp");
if (ipsz < (int) sizeof (struct ip6_hdr))
return NULL; // mal formed.

if (40 + 20 > ipsz)
return NULL;

if (UNFIX (ip6->ip6_plen) > ipsz)
return NULL; /* Invalid packet */

Expand Down
9 changes: 8 additions & 1 deletion nasl/nasl_smb.c
Original file line number Diff line number Diff line change
Expand Up @@ -423,9 +423,16 @@ nasl_win_cmd_exec (lex_ctxt *lexic)
else
{
delimiter = strchr (kdc, ',');
int kdc_len = delimiter - kdc;
if (delimiter && (kdc_len > INET6_ADDRSTRLEN - 1))
{
g_warning ("kdc hostname value too long (max 45 chars)");
return NULL;
}

if (delimiter != NULL)
{
strncpy (first_kdc, kdc, delimiter - kdc);
strncpy (first_kdc, kdc, kdc_len);
}
else
{
Expand Down
29 changes: 18 additions & 11 deletions nasl/nasl_snmp.c
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
#include "nasl_snmp.h"

#include "../misc/plugutils.h"
#include "glib.h"
#include "nasl_lex_ctxt.h"

#include <assert.h>
Expand Down Expand Up @@ -419,19 +420,19 @@ check_spwan_output (int fd, snmp_result_t result, int fd_flag)
while (1)
{
char buf[4096];
size_t bytes;
ssize_t bytes;

bytes = read (fd, buf, sizeof (buf));
if (!bytes)
break;
else if (bytes > 0)
g_string_append_len (string, buf, bytes);
else
if (bytes < 0)
{
g_warning ("snmpget: %s", strerror (errno));
g_string_free (string, TRUE);
return -1;
}
if (!bytes)
break;
else if (bytes > 0)
g_string_append_len (string, buf, bytes);
}

// Split the result and store the oid and name
Expand Down Expand Up @@ -683,13 +684,19 @@ nasl_snmpv1v2c_get (lex_ctxt *lexic, int version, u_char action)
// is stored.
if (result->oid_str != NULL && g_strstr_len (result->oid_str, 3, "iso"))
{
next_oid_str = result->oid_str + 2;
next_oid_str[0] = '1';
result->oid_str = g_strdup (next_oid_str);
char *orig = result->oid_str;
char *tmp = result->oid_str + 2;
tmp[0] = '1';
result->oid_str = g_strdup (tmp);
g_free (orig);
g_free (next_oid_str);
next_oid_str = g_strdup (result->oid_str);
}
else if (result->oid_str != NULL)
next_oid_str = result->oid_str;

{
g_free (next_oid_str);
next_oid_str = g_strdup (result->oid_str);
}
/* Free request only, since members are pointers to the nasl lexic context
which will be free()'d later */
g_free (request);
Expand Down
25 changes: 20 additions & 5 deletions nasl/smb_signing.c
Original file line number Diff line number Diff line change
Expand Up @@ -19,21 +19,36 @@

#include "smb_signing.h"

void
#include <stdint.h>

int
simple_packet_signature_ntlmssp (uint8_t *mac_key, const uchar *buf,
uint32 seq_number, unsigned char *calc_md5_mac)
size_t buf_len, uint32 seq_number,
unsigned char *calc_md5_mac)
{
const size_t offset_end_of_sig = (smb_ss_field + 8);
unsigned char sequence_buf[8];
struct MD5Context md5_ctx;
const uint32 claimed_len = smb_len (buf);
size_t tail_len;

if (buf == NULL || buf_len < offset_end_of_sig)
return -1;

if (claimed_len < offset_end_of_sig - 4)
return -1;

tail_len = claimed_len - (offset_end_of_sig - 4);

if (tail_len > buf_len - offset_end_of_sig)
return -1;

/*
* Firstly put the sequence number into the first 4 bytes.
* and zero out the next 4 bytes.
*
* We do this here, to avoid modifying the packet.
*/

SIVAL (sequence_buf, 0, seq_number);
SIVAL (sequence_buf, 4, 0);

Expand All @@ -54,9 +69,9 @@ simple_packet_signature_ntlmssp (uint8_t *mac_key, const uchar *buf,
MD5Update (&md5_ctx, sequence_buf, sizeof (sequence_buf));

/* copy in the rest of the packet in, skipping the signature */
MD5Update (&md5_ctx, buf + offset_end_of_sig,
smb_len (buf) - (offset_end_of_sig - 4));
MD5Update (&md5_ctx, buf + offset_end_of_sig, tail_len);

/* calculate the MD5 sig */
MD5Final (calc_md5_mac, &md5_ctx);
return 0;
}
4 changes: 2 additions & 2 deletions nasl/smb_signing.h
Original file line number Diff line number Diff line change
Expand Up @@ -32,9 +32,9 @@
#define uint8 uint8_t
#endif

void
int
simple_packet_signature_ntlmssp (uint8_t *mac_key, const uchar *buf,
uint32 seq_number,
size_t buf_len, uint32 seq_number,
unsigned char *calc_md5_mac);

#endif
Loading