
Null pointer when authenticating as guest

Open dkocher opened this issue 2 years ago • 20 comments

Attempting to authenticate as guest using AuthenticationContext.guest() results in an exception

Caused by: java.lang.NullPointerException
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKey(SMBSessionBuilder.java:324)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKeys(SMBSessionBuilder.java:290)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:174)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:152)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:119)
	at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:197)

The server is running SMB_3_1_1 (Windows Server 2022)

dkocher avatar Sep 04 '23 14:09 dkocher

@dkocher Which version? I fixed a similar bug for anonymous authentication in v0.12.2, and I thought I had checked guest then also.

hierynomus avatar Sep 04 '23 14:09 hierynomus

> @dkocher Which version? I fixed a similar bug for anonymous authentication in v0.12.2, and I thought I had checked guest then also.

Running 0.12.2.

dkocher avatar Sep 04 '23 14:09 dkocher

@dkocher Which authenticator are you using?

hierynomus avatar Sep 05 '23 09:09 hierynomus

> @dkocher Which authenticator are you using?

This is using NtlmAuthenticator.

dkocher avatar Sep 05 '23 09:09 dkocher

I'm also facing the same NullPointerException when trying anonymous login:

java.lang.NullPointerException
  at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKey(SMBSessionBuilder.java:324)
  at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKeys(SMBSessionBuilder.java:290)
  at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:174)
  at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:152)
  at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:119)
  at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:202)

It is happening after upgrading to smbj library 0.12.2, and my target server is Windows 11 (protocol: SMB_3_1_1). I've also tried to allow insecure guest logons in my Local Group Policy Editor.

Not sure if this is relevant, but while debugging I found that this can be the cause:

if (!ctx.authContext.isAnonymous() && !ctx.authContext.isGuest()) {
    context.setSessionKey(new SecretKeySpec(ctx.sessionKey, HMAC_SHA256_ALGORITHM));
}

The session key is set on the context only when it is neither anonymous nor guest, meaning only for a user context; thus later, in deriveKeys, this ended up in a NullPointerException.

Is there any update on the issue, whether it's a server configuration issue or a bug in the actual code?

karthik-119 avatar Sep 06 '23 09:09 karthik-119

@karthik-119 points out this may be a regression of 4633709a.

dkocher avatar Sep 20 '23 12:09 dkocher

@dkocher @karthik-119 Can you try with the fix from https://github.com/hierynomus/smbj/pull/800?

hierynomus avatar Sep 26 '23 08:09 hierynomus

I tested and:

  • I get the crash in first post with published 0.12.2 (expected)
  • I do not get the crash using current git smbj as of the date of this post without #800 applied

So that issue has already been fixed by a commit post v0.12.2 it seems.

bubbleguuum avatar Sep 26 '23 09:09 bubbleguuum

@bubbleguuum Now that's even weirder, as Git doesn't show any change which could have anything to do with that on the current master branch 🤔

hierynomus avatar Sep 26 '23 09:09 hierynomus

Yes please disregard, I did my testing wrong (was actually using v0.11.1 instead of git master!). Will do it again properly with the PR applied.

bubbleguuum avatar Sep 26 '23 09:09 bubbleguuum

Still crashing using master git + the 1 line PR. Double checked that everything is correct this time, with even a logged "LALA" line just before the if (ctx.sessionKey != null) { line change:

smb: resolved FOOBAR -> 192.168.1.157
        PacketEncryptor  I  Initialized PacketEncryptor with Cipher << AES_128_CCM >>
             Connection  I  Successfully connected to: 192.168.1.157
           SMBShareInfo  I  smb: \\FOOBAR\: NegotiatedProtocol{dialect=SMB_3_0_2, maxTransactSize=8388608, maxReadSize=8388608, maxWriteSize=8388608}
      SMBSessionBuilder  I  LALA
           SMBShareInfo  W  java.lang.NullPointerException: Attempt to invoke interface method 'byte[] javax.crypto.SecretKey.getEncoded()' on a null object reference
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKey(SMBSessionBuilder.java:326)
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKeys(SMBSessionBuilder.java:294)
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:176)
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:152)
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:119)
                         W      at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:202)
                      ...

bubbleguuum avatar Sep 26 '23 09:09 bubbleguuum

> @dkocher @karthik-119 Can you try with the fix from #800?

@hierynomus, let me try to verify the fix.

karthik-119 avatar Sep 26 '23 10:09 karthik-119

I realized that this project needs to be built with Gradle, which I'm not used to and have no correct configuration for on my system. I'm afraid I can't verify the fix while it is still on the issue branch.

Is there any possibility to build the project using Maven?

karthik-119 avatar Sep 26 '23 11:09 karthik-119

There should be no need to set it up. You can use ./gradlew build to build the project. This will use the Gradle wrapper. There are no Maven build files included.

hierynomus avatar Sep 26 '23 11:09 hierynomus

Yes, I did the same but see errors (Java version: 1.8): [image]

karthik-119 avatar Sep 26 '23 11:09 karthik-119

For building you need to use Java 11 (or higher).

hierynomus avatar Sep 28 '23 07:09 hierynomus

Thanks, I'm able to build the project with Java 11. Can you please update the README? It still says Java 7. Thanks.

I'll test the jar and update results here.

karthik-119 avatar Sep 28 '23 08:09 karthik-119

Verified and can still see the same NullPointerException.

java.lang.NullPointerException
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKey(SMBSessionBuilder.java:324)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKeys(SMBSessionBuilder.java:290)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:174)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:152)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:119)
	at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:202)

I think the issue is within the NtlmAuthenticator logic itself (in doAuthenticate()):

// [MS-NLMP] 3.2.2 -- Special case for anonymous authentication
if (context.isAnonymous()) {
    NtlmAuthenticate msg = new NtlmAuthenticate(null, null, context.getUsername(), context.getDomain(),
        config.getWorkstationName(), null, negotiateFlags, config.getWindowsVersion());
    response.setNegToken(negTokenTarg(msg));
    return response;
}

For an anonymous context, the response neither has any session key set nor has its session flags updated later in the authentication logic of SMBSessionBuilder.

Compare this to the older 11.x version, where for an anonymous context the session key is set based on the NTLM server challenge response. On the other hand, in the deriveKeys() logic, you make checks for SMB3:

if (dialect.isSmb3x() &&
    !response.getSessionFlags().contains(SMB2SessionSetup.SMB2SessionFlags.SMB2_SESSION_FLAG_IS_NULL) &&
    !response.getSessionFlags().contains(SMB2SessionSetup.SMB2SessionFlags.SMB2_SESSION_FLAG_IS_GUEST)) {

where it looks like this logic is not required for an anonymous or guest context, but the session flags for the response are not updated anywhere, if that is proven.

(Note: I'm no expert in the SMB subject or this lib's code, just trying to infer based on my understanding from debug sessions. I might be wrong in my statements, please correct me.)

karthik-119 avatar Sep 28 '23 09:09 karthik-119

Any update on this?

hellivan avatar Dec 04 '23 14:12 hellivan

Indeed, any update on this issue? As karthik-119 mentioned, within the method deriveKeys the sessionFlags are checked for an anonymous (SMB2_SESSION_FLAG_IS_NULL) or guest (SMB2_SESSION_FLAG_IS_GUEST) login request.

Using SMBj 0.11.5, when an anonymous logon (no username nor password set) was done, the sessionFlag SMB2_SESSION_FLAG_IS_GUEST was set and the logon succeeded. I doubt this was for the correct reason; I would have expected that sessionFlag "SMB2_SESSION_FLAG_IS_NULL" was set instead of "SMB2_SESSION_FLAG_IS_GUEST". However, with SMBj 0.12.x it fails as none of these sessionFlags are set, hence for signing it tries to set the deriveKey, based on the context. The context, however, does not contain a sessionKey, as it's an anonymous login, which is not able to sign or encrypt.

HubertOT avatar Jan 23 '24 14:01 HubertOT
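
The condition discussed in the comments above, as an added Java example that is not smbj's code and not the project's fix: an SMB 3.0 signing key is derived only when the session is neither guest nor null and a session key actually exists. The class and method names are hypothetical, the session key is a constructed sample, and the flag values and KDF layout are taken from [MS-SMB2].

```java
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Optional;

// Added illustration; not smbj code. Class and method names are hypothetical.
public class GuestSessionKeys {
    // Session flag bits of the SESSION_SETUP response ([MS-SMB2] 2.2.6).
    static final int IS_GUEST = 0x0001;
    static final int IS_NULL = 0x0002;

    /** Returns a signing key only when the session can actually be signed. */
    static Optional<SecretKey> signingKey(byte[] sessionKey, int sessionFlags,
                                          byte[] label, byte[] context) throws Exception {
        boolean guestOrNull = (sessionFlags & (IS_GUEST | IS_NULL)) != 0;
        // Checking the flags alone is not enough: the thread reports a case where
        // neither flag is set and there is still no session key.
        if (guestOrNull || sessionKey == null) {
            return Optional.empty(); // no key material: the session stays unsigned
        }
        // SP800-108 counter-mode KDF with HMAC-SHA256, one 128-bit output block.
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sessionKey, "HmacSHA256"));
        mac.update(ByteBuffer.allocate(4).putInt(1).array());   // counter i = 1
        mac.update(label);
        mac.update((byte) 0);                                   // separator
        mac.update(context);
        mac.update(ByteBuffer.allocate(4).putInt(128).array()); // L = 128 bits
        return Optional.of(new SecretKeySpec(Arrays.copyOf(mac.doFinal(), 16), "AES"));
    }

    public static void main(String[] args) throws Exception {
        // Label and context for the SMB 3.0 / 3.0.2 signing key.
        byte[] label = "SMB2AESCMAC\0".getBytes(StandardCharsets.US_ASCII);
        byte[] ctx = "SmbSign\0".getBytes(StandardCharsets.US_ASCII);
        byte[] key = new byte[16]; // constructed all-zero sample session key
        System.out.println("user:              " + signingKey(key, 0, label, ctx).isPresent());
        System.out.println("guest:             " + signingKey(null, IS_GUEST, label, ctx).isPresent());
        System.out.println("anon, flags unset: " + signingKey(null, 0, label, ctx).isPresent());
    }
}
```

A caller that requires signing or encryption should treat the empty result as a failed session setup rather than continue unsigned.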

Any update on this?

dsforcam avatar Sep 23 '24 10:09 dsforcam