
Panic during Bind with large Kerberos ticket

Open · rtpt-erikgeiser opened this issue 1 month ago · 1 comment

When Security.Init returns a large buffer, for example a large Kerberos ticket, go-msrpc panics during bind. It panics at this line, because pkt.start is 0 and pkt.end is negative.

https://github.com/oiweiwei/go-msrpc/blob/60ff6238355b5e7d1ff8f86a3d80ec7b0b523fb3/dcerpc/packet.go#L390

The reason why pkt.end is negative is that the size of pkt.Header.AuthLength, which holds the buffer from Security.Init, is subtracted from the length of the packet.

https://github.com/oiweiwei/go-msrpc/blob/60ff6238355b5e7d1ff8f86a3d80ec7b0b523fb3/dcerpc/packet.go#L367

However, Kerberos tickets (or rather the corresponding AP-REQ) can be quite large, e.g. >4k, which may be larger than c.settings.MaxXmitFrag.

Unfortunately I cannot provide a POC for this crash.

rtpt-erikgeiser · Nov 10 '25 15:11
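The arithmetic the report describes, as an added illustration that is not go-msrpc's code: the body end is derived by subtracting the auth data from the fragment length, so an auth value larger than the fragment drives it negative. The 16-byte common header and 8-byte sec_trailer sizes come from the connection-oriented DCE/RPC PDU layout; the function names, the `fragBounds` type and the sample sizes are hypothetical and constructed here.

```go
package main

import (
	"errors"
	"fmt"
)

// Fixed sizes from the connection-oriented DCE/RPC PDU layout:
// a 16-byte common header and an 8-byte sec_trailer preceding auth_value.
const (
	headerSize     = 16
	secTrailerSize = 8
)

// ErrAuthTooLarge signals that the auth data cannot fit in the fragment.
var ErrAuthTooLarge = errors.New("auth data exceeds fragment bounds")

// fragBounds is a hypothetical view of the PDU body, offsets relative to
// the first byte after the header (so Start is 0, as in the report).
type fragBounds struct {
	Start, End int
}

// bodyBounds mirrors the subtraction the issue points at: the body ends
// where the sec_trailer and auth_value begin. Instead of letting End go
// negative (and the slice expression panic), an out-of-range result is
// reported as an error the caller can surface from Bind.
func bodyBounds(fragLength, authLength int) (fragBounds, error) {
	if authLength < 0 || fragLength < headerSize {
		return fragBounds{}, errors.New("malformed fragment header")
	}
	end := fragLength - headerSize
	if authLength > 0 {
		end -= authLength + secTrailerSize
	}
	if end < 0 {
		return fragBounds{}, fmt.Errorf("%w: frag_length=%d auth_length=%d",
			ErrAuthTooLarge, fragLength, authLength)
	}
	return fragBounds{Start: 0, End: end}, nil
}

// fitsInFrag is the pre-check a sender can apply before building the bind
// PDU: header + body + sec_trailer + auth_value must fit in max_xmit_frag.
func fitsInFrag(bodyLen, authLength, maxXmitFrag int) bool {
	return headerSize+bodyLen+secTrailerSize+authLength <= maxXmitFrag
}

func main() {
	// Constructed sizes: 4096-byte fragment limit, 5000-byte AP-REQ.
	_, err := bodyBounds(4096, 5000)
	fmt.Println("bounds:", err, "fits:", fitsInFrag(72, 5000, 4096))
}
```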