
RPC_SID structure does not match the MS documentation

Open Dramelac opened this issue 3 years ago • 0 comments

Configuration

impacket version: Impacket v0.10.1.dev1+20220830.171426.b74c9e1e
Python version: Python 3.9.2
Target OS: Debian 11

Context

The data generated by impacket.dcerpc.v5.dtypes.RPC_SID.getData() does not correspond to the structure documented by Microsoft: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f992ad60-0fe4-4b87-9fed-beb478836861

According to the MS documentation, the first byte should be the Revision byte, but impacket seems to duplicate the SubAuthorityCount at the right place AND at the beginning of the packet.

Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from impacket.dcerpc.v5.dtypes import RPC_SID
>>> x = RPC_SID()
>>> x.fromCanonical('S-1-5-21-706573996-2287698545-1520902760-1000')
>>> x.getData()
b'\x05\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xacv\x1d*q\x82[\x88h"\xa7Z\xe8\x03\x00\x00'

It should have come out with this result: b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xacv\x1d*q\x82[\x88h"\xa7Z\xe8\x03\x00\x00'

Same error for the parsing:

>>> y = RPC_SID(b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xacv\x1d*q\x82[\x88h"\xa7Z\xe8\x03\x00\x00')
>>> y.formatCanonical()
'S-0-0'

Is there a reason why this structure behaves like this in impacket or is it a mistake?

Waiting for an answer / correction, I was able to use the equivalent LDAP implementation (impacket.ldap.ldaptypes.LDAP_SID) which behaves correctly.

Thank you

Dramelac avatar Aug 31 '22 09:08 Dramelac
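The layout the report compares against is the SID packet representation from MS-DTYP: Revision (1 byte), SubAuthorityCount (1 byte), IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount little-endian 32-bit SubAuthority values. The following is an added example, not impacket's code and not from the reporter: a standalone parser and serialiser for that layout, with strict length and range checks so that malformed input raises instead of decoding to something like the `S-0-0` shown above. It reuses the byte strings and canonical SID from the issue as constructed sample data. The `strip_leading_count_prefix` helper rests on an assumption the page does not state: that the extra 4-byte `05 00 00 00` in the `getData()` output has the shape of an NDR conformant-array maximum count, so it only strips a prefix that equals the embedded SubAuthorityCount and leaves a plain MS-DTYP SID untouched.

```python
import struct

# Constructed sample values copied from the issue text: the canonical SID, the
# bytes the MS-DTYP layout prescribes for it, and the bytes the reporter got
# back from RPC_SID.getData() (same structure with a 4-byte count prefix).
CANONICAL = "S-1-5-21-706573996-2287698545-1520902760-1000"
EXPECTED_BYTES = (b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00'
                  b'\xacv\x1d*q\x82[\x88h"\xa7Z\xe8\x03\x00\x00')
NDR_OUTPUT = b'\x05\x00\x00\x00' + EXPECTED_BYTES

SID_REVISION = 1
MAX_SUB_AUTHORITIES = 15   # MS-DTYP limit on SubAuthorityCount
HEADER_LEN = 8             # Revision + SubAuthorityCount + 6-byte IdentifierAuthority


def sid_from_bytes(data: bytes) -> str:
    """Parse the MS-DTYP packet representation of a SID into S-R-I-S... form.

    Every length and range violation raises ValueError rather than silently
    producing a bogus SID such as the 'S-0-0' seen in the issue.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("SID shorter than the fixed 8-byte header")
    revision, count = data[0], data[1]
    if revision != SID_REVISION:
        raise ValueError(f"unexpected SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError(f"SubAuthorityCount {count} exceeds {MAX_SUB_AUTHORITIES}")
    expected_len = HEADER_LEN + 4 * count
    if len(data) != expected_len:
        raise ValueError(f"expected {expected_len} bytes for {count} sub-authorities, got {len(data)}")
    identifier_authority = int.from_bytes(data[2:HEADER_LEN], "big")
    subs = struct.unpack(f"<{count}I", data[HEADER_LEN:expected_len])
    return f"S-{revision}-{identifier_authority}" + "".join(f"-{s}" for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Serialise a canonical S-R-I-S... string into the MS-DTYP packet layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a canonical SID string: {sid!r}")
    revision, identifier_authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != SID_REVISION:
        raise ValueError(f"unexpected SID revision {revision}")
    if not 0 <= identifier_authority < 2 ** 48:
        raise ValueError("IdentifierAuthority must fit in 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"too many sub-authorities: {len(subs)}")
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("each SubAuthority must fit in 32 bits")
    return (bytes([revision, len(subs)])
            + identifier_authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def is_packed_sid(data: bytes) -> bool:
    """True when data is exactly one well-formed packet-representation SID."""
    try:
        sid_from_bytes(data)
        return True
    except ValueError:
        return False


def strip_leading_count_prefix(data: bytes) -> bytes:
    """Drop the 4-byte little-endian count that precedes the SID in the issue's getData() output.

    Assumption (not stated on the page): the prefix is an NDR conformant-array
    maximum count. It is removed only when it equals the embedded
    SubAuthorityCount and the remainder parses as a SID; otherwise the input is
    returned unchanged, so a plain MS-DTYP SID passes through untouched.
    """
    if len(data) >= 4 + HEADER_LEN:
        prefix = int.from_bytes(data[:4], "little")
        body = data[4:]
        if prefix == body[1] and is_packed_sid(body):
            return body
    return data


if __name__ == "__main__":
    print(sid_from_bytes(EXPECTED_BYTES))               # canonical SID from the issue
    print(sid_to_bytes(CANONICAL) == EXPECTED_BYTES)    # True
    print(is_packed_sid(NDR_OUTPUT))                    # False: first byte reads as revision 5
    print(sid_from_bytes(strip_leading_count_prefix(NDR_OUTPUT)))
```

Because the parser refuses any input whose first byte is not revision 1 or whose length does not match SubAuthorityCount, feeding it the prefixed `getData()` output fails loudly instead of yielding `S-0-0`; that is the behaviour a caller comparing SIDs from different sources (RPC, LDAP, security descriptors) should insist on.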