gssapi - unable to process kerberos due to bad offsets

Description

The GSSAPI analyzer does not recognize KRB5 authentication made over SPNEGO.
Looking at the code (gssapi-analyzer.pac), the analyzer does compare the value of the mech_token variable with the ID of krb5 and mskrb5:

```cpp
else if ( ${val.mech_token}.length() == 9 &&
          (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ||
           memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0) )
```

It looks like we've managed to solve it in gssapi-analyzer.pac. The issue was in the following function (the comments should provide sufficient explanation):

```cpp
function forward_blob(val: GSSAPI_NEG_TOKEN_MECH_TOKEN, is_orig: bool): bool
	%{
	if ( ${val.mech_token}.length() >= 7 &&
	     memcmp("NTLMSSP", ${val.mech_token}.begin(), 7) == 0 )
		{
		// ntlmssp
		if ( ! ntlm )
			ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());

		if ( ntlm )
			ntlm->DeliverStream(${val.mech_token}.length(), ${val.mech_token}.begin(), is_orig);
		}

	/*
	 * This else-if was not correct because ${val.mech_token}.length() == 9 never
	 * happens: ${val.mech_token}.length() is huge (3k+), so part one of this
	 * test is not correct. We changed it to >= 9 just to get past it.
	 * Regarding the memcmp's, there were some offset issues that are fixed here.
	 */
	else if ( ${val.mech_token}.length() >= 9 &&
	          (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", ${val.mech_token}.begin() + 6, 9) == 0 ||
	           memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", ${val.mech_token}.begin() + 6, 9) == 0) )
		{
		// krb5 && ms-krb5
		if ( ! krb5 )
			krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());

		// 0x0100 is a special marker: the 0x01 test is for krb requesting a ticket
		if ( krb5 && memcmp("\x01\x00", ${val.mech_token}.begin() + 6 + 9, 2) == 0 )
			{
			// debug output
			printf("delivering packet\n");
			krb5->DeliverPacket(${val.mech_token}.length() - 2 - 9 - 6, ${val.mech_token}.begin() + 2 + 6 + 9, is_orig, 0, 0, 0);
			}
		}

	/*
	 * The previous else-if was relevant to krb requests only under gss-api;
	 * this else-if takes care of responses as well.
	 */
	else if ( ${val.mech_token}.length() >= 9 &&
	          (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", ${val.mech_token}.begin() + 5, 9) == 0 ||
	           memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", ${val.mech_token}.begin() + 5, 9) == 0) )
		{
		// krb5 && ms-krb5
		if ( ! krb5 )
			krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());

		// 0x0200 is a special marker: the 0x02 test is for a krb response with a ticket
		if ( krb5 && memcmp("\x02\x00", ${val.mech_token}.begin() + 5 + 9, 2) == 0 )
			{
			// The original DeliverPacket code was not right: some offset issues
			// caused the krb5 analyzer to mishandle this blob.
			krb5->DeliverPacket(${val.mech_token}.length() - 2 - 9 - 5, ${val.mech_token}.begin() + 2 + 5 + 9, is_orig, 0, 0, 0);
			}
		}

	return true;
	%}
```
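The two working offsets in the patch above (+5 for the responses, +6 for the 3k+ requests) are where the Kerberos OID lands after the GSS-API InitialContextToken header (RFC 2743 section 3.1: tag 0x60, a DER length, then the mechanism OID, then the 2-byte Kerberos TOK_ID) for two different DER length encodings: a 2-byte `0x81 xx` length puts the OID at offset 5, a 3-byte `0x82 xx xx` length at offset 6. This added Python example, which is not part of the report or of Zeek's gssapi analyzer, decodes that header instead of hard-coding the offset, so it also covers the short-form length the patch does not handle; the sample tokens are constructed.

```python
import struct

KRB5_OID = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"     # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"  # 1.2.840.48018.1.2.2
TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}

def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_krb5_mech_token(tok):
    """Split a GSS-API InitialContextToken carrying Kerberos.
    Returns (mech, tok_id_name, payload_offset, payload), or None if the
    blob is not a krb5/ms-krb5 token (e.g. NTLMSSP or raw SPNEGO)."""
    if len(tok) < 2 or tok[0] != 0x60:    # [APPLICATION 0] tag
        return None
    body_len, pos = der_length(tok, 1)
    if body_len < 2 or pos + body_len != len(tok):
        return None                       # length must cover exactly the rest
    if tok[pos] != 0x06:                  # OBJECT IDENTIFIER tag
        return None
    oid_len, pos = der_length(tok, pos + 1)
    oid = tok[pos:pos + oid_len]
    pos += oid_len
    if oid == KRB5_OID:
        mech = "krb5"
    elif oid == MS_KRB5_OID:
        mech = "ms-krb5"
    else:
        return None
    tok_id = tok[pos:pos + 2]             # the "\x01\x00" / "\x02\x00" marker
    return mech, TOK_IDS.get(tok_id, "unknown"), pos + 2, tok[pos + 2:]

def build_token(oid, tok_id, payload):
    """Constructed sample: wrap a payload in a GSS-API initial context token,
    choosing the shortest DER length form as a real encoder would."""
    body = b"\x06" + bytes([len(oid)]) + oid + tok_id + payload
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return b"\x60" + length + body
```

For a 3k+ request token the parser reports payload offset 17 (= 2 + 6 + 9 in the patch); for a 200-byte response it reports 16 (= 2 + 5 + 9).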

Assignee

Unassigned

Reporter

william de ping

Priority

Normal