[vlc-devel] [PATCH] smb: try libdsm first
Simon Latapie
garf at videolabs.io
Wed Oct 16 09:02:54 CEST 2019
Hello,
can you explain a bit more about a downgrade attack scenario ? This does not look obvious to me.
Downgrade attacks are usually either a problem for the server (so not VLC), or an service spoof, which does not seem to be relevant here (the patch is not modifying the server selection/address).
Regards,
--
Simon Latapie
garf at videolabs.io
+33 1 84 17 56 63
On Tue, Oct 15, 2019, at 17:19, Rémi Denis-Courmont wrote:
> Hi,
>
> Looks like an obvious downgrade attack to me. You're waiting for a CVE if you merge this patch.
>
> Le 15 octobre 2019 16:41:17 GMT+03:00, Thomas Guillem <thomas at gllm.fr> a écrit :
>> Some samba servers (on Windows 7) implement both SMB2 and SMB1. The problem is
>> that the SMB2 part is not configured like the SMB1 one. Only SMB1 seems to
>> reflect the user configuration (using Windows Settings, not anything
>> complicated like via powershell/regedit).
>>
>> If we try to connect to such server via libsmb2, the server will return a
>> SMB2_STATUS_ACCESS_DENIED (0xC0000022) status. Our libsmb2 module will then ask
>> the user for credentials via a dialog. The problem is that no credentials will
>> ever work since only the SMB1 part is configured.
>>
>> I tried to differentiate (via wireshark) the negotiation between such server
>> and an other working SMB2 server but could not find anything that could tell us
>> that this ACCESS_DENIED status should be ignored on this specific server (in
>> order to fallback to libdsm).
>>
>> The only possible fix is to try libdsm first. VLC will then favor the SMB1
>> protocol over SMB 2&3.
>>
>> NB1: libsmb2 is backported to VLC 3.0 for iOS and Android ports. These ports
>> are beta-testing SMB 2&3 support on mobile.
>>
>> NB2: We get a lot of angry mail/reviews about SMB1 support broken, I don't
>> think we can drop SMB1 (even if I would love to).
>>
>> NB3: We can't drop libsmb2 either for the same reason (we got a *lot* of
>> requests to support it). modules/access/dsm/access.c | 17 ++++++++++-------
>> modules/access/smb2.c | 14 +++++++-------
>> 2 files changed, 17 insertions(+), 14 deletions(-)
>>
>> diff --git a/modules/access/dsm/access.c b/modules/access/dsm/access.c
>> index 776925c9eeb..186a567a72c 100644
>> --- a/modules/access/dsm/access.c
>> +++ b/modules/access/dsm/access.c
>> @@ -69,7 +69,7 @@ vlc_module_begin ()
>> set_shortname( "dsm" )
>> set_description( N_("libdsm SMB input") )
>> set_help(BDSM_HELP)
>> - set_capability( "access", 20 )
>> + set_capability( "access", 22 )
>> set_category( CAT_INPUT )
>> set_subcategory( SUBCAT_INPUT_ACCESS )
>> add_string( "smb-user", NULL, SMB_USER_TEXT, SMB_USER_LONGTEXT, false )
>> @@ -343,12 +343,6 @@ static int login( stream_t *p_access )
>>
>> if( connect_err == EACCES )
>> {
>> - if (var_Type(p_access, "smb-dialog-failed") != 0)
>> - {
>> - /* A higher priority smb module (likely smb2) already requested
>> - * credentials to the users. It is useless to request it again. */
>> - goto error;
>> - }
>> while( connect_err == EACCES
>> && vlc_credential_get( &credential, p_access, "smb-user", "smb-pwd",
>> SMB_LOGIN_DIALOG_TITLE,
>> @@ -365,6 +359,15 @@ static int login( stream_t *p_access )
>> if( connect_err != 0 )
>> {
>> msg_Err( p_access, "Unable to login" );
>> +
>> + if (credential.i_get_order == GET_FROM_DIALOG)
>> + {
>> + /* Tell other smb modules (likely smb2) that we already
>> + * requested credential to the users and that it it useless to
>> + * try again. This avoid to show 2 login dialogs for the same
>> + * access. */
>> + var_Create(p_access, "smb-dialog-failed", VLC_VAR_VOID);
>> + }
>> goto error;
>> }
>> }
>> diff --git a/modules/access/smb2.c b/modules/access/smb2.c
>> index 923e6d57e04..7f9b614d006 100644
>> --- a/modules/access/smb2.c
>> +++ b/modules/access/smb2.c
>> @@ -664,6 +664,13 @@ Open(vlc_object_t *p_obj)
>> NULL);
>> ret = vlc_smb2_open_share(access, smb2_url, &credential);
>>
>> + if (ret == -1 && var_Type(access, "smb-dialog-failed"))
>> + {
>> + /* A higher priority smb module (likely dsm) already requested
>> + * credentials to the users. It is useless to request it again. */
>> + goto error;
>> + }
>> +
>> while (ret == -1
>> && (!sys->error_status || VLC_SMB2_STATUS_DENIED(sys->error_status))
>> && vlc_credential_get(&credential, access, "smb-user", "smb-pwd",
>> @@ -683,13 +690,6 @@ Open(vlc_object_t *p_obj)
>> if (error && *error)
>> vlc_dialog_display_error(access,
>> _("SMB2 operation failed"), "%s", error);
>> - if (credential.i_get_order == GET_FROM_DIALOG)
>> - {
>> - /* Tell other smb modules (likely dsm) that we already requested
>> - * credential to the users and that it it useless to try again.
>> - * This avoid to show 2 login dialogs for the same access. */
>> - var_Create(access, "smb-dialog-failed", VLC_VAR_VOID);
>> - }
>> goto error;
>> }
>
> --
> Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma brièveté.
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> https://mailman.videolan.org/listinfo/vlc-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20191016/f0190674/attachment.html>
More information about the vlc-devel
mailing list