<!doctype html><html><head><title></title><style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style></head><body>Hi,<br><br>A downgrade occurs if two SMB2-capable nodes end up using SMB1 between them. The classic attack is for an active MITM to block the SMB2 transactions, but with this patch the attacker need not even be an MITM, just an eavesdropper.<br><br><div class="gmail_quote">On 16 October 2019 10:02:54 GMT+03:00, Simon Latapie &lt;garf@videolabs.io&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>Hello,<br></div><div><br></div><div>can you explain a bit more about a downgrade attack scenario? This does not look obvious to me.<br></div><div>Downgrade attacks are usually either a problem for the server (so not VLC), or a service spoof, which does not seem to be relevant here (the patch is not modifying the server selection/address).<br></div><div><br></div><div>Regards,<br></div><div><br></div><div id="sig66622160"><div class="signature">-- <br></div><div class="signature">Simon Latapie<br></div><div class="signature">garf@videolabs.io<br></div><div class="signature">+33 1 84 17 56 63<br></div><div class="signature"><br></div></div><div><br></div><div><br></div><div>On Tue, Oct 15, 2019, at 17:19, Rémi Denis-Courmont wrote:<br></div><blockquote type="cite" id="qt"><div>Hi,<br></div><div><br></div><div>Looks like an obvious downgrade attack to me. You're waiting for a CVE if you merge this patch.<br></div><div><br></div><div class="qt-gmail_quote"><div>On 15 October 2019 16:41:17 GMT+03:00, Thomas Guillem &lt;thomas@gllm.fr&gt; wrote:<br></div><blockquote style="margin-top:0pt;margin-right:0pt;margin-bottom:0pt;margin-left:0.8ex;border-left-color:rgb(204, 204, 204);border-left-style:solid;border-left-width:1px;padding-left:1ex;" class="qt-gmail_quote"><pre class="qt-k9mail"><div>Some samba servers (on Windows 7) implement both SMB2 and SMB1. The problem is<br></div><div>that the SMB2 part is not configured like the SMB1 one. Only SMB1 seems to<br></div><div>reflect the user configuration (using Windows Settings, not anything<br></div><div>complicated like via powershell/regedit).<br></div><div><br></div><div>If we try to connect to such a server via libsmb2, the server will return a<br></div><div>SMB2_STATUS_ACCESS_DENIED (0xC0000022) status. Our libsmb2 module will then ask<br></div><div>the user for credentials via a dialog. 
The problem is that no credentials will<br></div><div>ever work since only the SMB1 part is configured.<br></div><div><br></div><div>I tried to differentiate (via wireshark) the negotiation between such a server<br></div><div>and another working SMB2 server but could not find anything that could tell us<br></div><div>that this ACCESS_DENIED status should be ignored on this specific server (in<br></div><div>order to fall back to libdsm).<br></div><div><br></div><div>The only possible fix is to try libdsm first. VLC will then favor the SMB1<br></div><div>protocol over SMB 2&3.<br></div><div><br></div><div>NB1: libsmb2 is backported to VLC 3.0 for iOS and Android ports. These ports<br></div><div>are beta-testing SMB 2&3 support on mobile.<br></div><div><br></div><div>NB2: We get a lot of angry mail/reviews about SMB1 support broken, I don't<br></div><div>think we can drop SMB1 (even if I would love to).<br></div><div><br></div><div>NB3: We can't drop libsmb2 either for the same reason (we got a *lot* of<br></div><div>requests to support it).<hr> modules/access/dsm/access.c | 17 ++++++++++-------<br></div><div> modules/access/smb2.c | 14 +++++++-------<br></div><div> 2 files changed, 17 insertions(+), 14 deletions(-)<br></div><div><br></div><div>diff --git a/modules/access/dsm/access.c b/modules/access/dsm/access.c<br></div><div>index 776925c9eeb..186a567a72c 100644<br></div><div>--- a/modules/access/dsm/access.c<br></div><div>+++ b/modules/access/dsm/access.c<br></div><div>@@ -69,7 +69,7 @@ vlc_module_begin ()<br></div><div> set_shortname( "dsm" )<br></div><div> set_description( N_("libdsm SMB input") )<br></div><div> set_help(BDSM_HELP)<br></div><div>- set_capability( "access", 20 )<br></div><div>+ set_capability( "access", 22 )<br></div><div> set_category( CAT_INPUT )<br></div><div> set_subcategory( SUBCAT_INPUT_ACCESS )<br></div><div> add_string( "smb-user", NULL, SMB_USER_TEXT, SMB_USER_LONGTEXT, false )<br></div><div>@@ -343,12 +343,6 @@ static int login( stream_t 
*p_access )<br></div><div> <br></div><div> if( connect_err == EACCES )<br></div><div> {<br></div><div>- if (var_Type(p_access, "smb-dialog-failed") != 0)<br></div><div>- {<br></div><div>- /* A higher priority smb module (likely smb2) already requested<br></div><div>- * credentials to the users. It is useless to request it again. */<br></div><div>- goto error;<br></div><div>- }<br></div><div> while( connect_err == EACCES<br></div><div> && vlc_credential_get( &credential, p_access, "smb-user", "smb-pwd",<br></div><div> SMB_LOGIN_DIALOG_TITLE,<br></div><div>@@ -365,6 +359,15 @@ static int login( stream_t *p_access )<br></div><div> if( connect_err != 0 )<br></div><div> {<br></div><div> msg_Err( p_access, "Unable to login" );<br></div><div>+<br></div><div>+ if (credential.i_get_order == GET_FROM_DIALOG)<br></div><div>+ {<br></div><div>+ /* Tell other smb modules (likely smb2) that we already<br></div><div>+ * requested credential to the users and that it it useless to<br></div><div>+ * try again. This avoid to show 2 login dialogs for the same<br></div><div>+ * access. */<br></div><div>+ var_Create(p_access, "smb-dialog-failed", VLC_VAR_VOID);<br></div><div>+ }<br></div><div> goto error;<br></div><div> }<br></div><div> }<br></div><div>diff --git a/modules/access/smb2.c b/modules/access/smb2.c<br></div><div>index 923e6d57e04..7f9b614d006 100644<br></div><div>--- a/modules/access/smb2.c<br></div><div>+++ b/modules/access/smb2.c<br></div><div>@@ -664,6 +664,13 @@ Open(vlc_object_t *p_obj)<br></div><div> NULL);<br></div><div> ret = vlc_smb2_open_share(access, smb2_url, &credential);<br></div><div> <br></div><div>+ if (ret == -1 && var_Type(access, "smb-dialog-failed"))<br></div><div>+ {<br></div><div>+ /* A higher priority smb module (likely dsm) already requested<br></div><div>+ * credentials to the users. It is useless to request it again. 
*/<br></div><div>+ goto error;<br></div><div>+ }<br></div><div>+<br></div><div> while (ret == -1<br></div><div> && (!sys->error_status || VLC_SMB2_STATUS_DENIED(sys->error_status))<br></div><div> && vlc_credential_get(&credential, access, "smb-user", "smb-pwd",<br></div><div>@@ -683,13 +690,6 @@ Open(vlc_object_t *p_obj)<br></div><div> if (error && *error)<br></div><div> vlc_dialog_display_error(access,<br></div><div> _("SMB2 operation failed"), "%s", error);<br></div><div>- if (credential.i_get_order == GET_FROM_DIALOG)<br></div><div>- {<br></div><div>- /* Tell other smb modules (likely dsm) that we already requested<br></div><div>- * credential to the users and that it it useless to try again.<br></div><div>- * This avoid to show 2 login dialogs for the same access. */<br></div><div>- var_Create(access, "smb-dialog-failed", VLC_VAR_VOID);<br></div><div>- }<br></div><div> goto error;<br></div><div> } <br></div></pre></blockquote></div><div><br></div><div>-- <br></div><div>Sent from my Android device with K-9 Mail. Please excuse my brevity. <br></div><div>_______________________________________________<br></div><div>vlc-devel mailing list<br></div><div>To unsubscribe or modify your subscription options:<br></div><div>https://mailman.videolan.org/listinfo/vlc-devel<br></div></blockquote><div><br></div></blockquote></div><br>-- <br>Sent from my Android device with K-9 Mail. Please excuse my brevity.</body></html>
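Review bot: In modules/access/dsm/access.c, hunk @@ -69,7 +69,7, the priority in set_capability( "access", 20 ) becomes 22 with no comment saying that the value is chosen to rank dsm ahead of smb2, so a later priority change in either module can silently reverse the order. Per the commit message this makes VLC favor SMB1 over SMB 2 and 3 for every server, including ones where SMB2 works, which is the downgrade raised in the replies. Add a comment next to the priority stating the intended ordering, and say in the commit message how a server with a working SMB2 configuration avoids being opened over SMB1.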
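Review bot: In modules/access/dsm/access.c, hunk @@ -359,6 +359,15, the added block creates "smb-dialog-failed" for any non-zero connect_err once credential.i_get_order is GET_FROM_DIALOG, so smb2 will skip its own dialog even when the dsm failure after the dialog was not an authentication error. Either limit the var_Create call to the EACCES case or state in the comment that this is intended. The comment also carries over two typos from the smb2.c text it was moved from: "it it useless" should read "it is useless" and "This avoid to show" should read "This avoids showing".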
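Review bot: In modules/access/smb2.c, hunk @@ -664,6 +664,13, the new early exit jumps to error on any ret == -1 once "smb-dialog-failed" exists, without looking at sys->error_status the way the while loop right below it does, and it bypasses the vlc_dialog_display_error call visible in hunk @@ -683,13 +690,6. An SMB2 failure that is not an access denial is then dropped with no message to the user. Restrict the early exit to the denied case by reusing the status test from the while condition, and compare var_Type(...) != 0 explicitly as the removed dsm code did.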