Null pointer when authenticating as guest #792

Open
dkocher opened this issue Sep 4, 2023 · 22 comments

@dkocher

dkocher commented Sep 4, 2023

Attempting to authenticate as guest using AuthenticationContext.guest() results in an exception

Caused by: java.lang.NullPointerException
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKey(SMBSessionBuilder.java:324)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKeys(SMBSessionBuilder.java:290)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:174)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:152)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:119)
	at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:197)

The server is running SMB_3_1_1 (Windows Server 2022)

@hierynomus
Owner

@dkocher Which version? I fixed a similar bug for anonymous authentication in v0.12.2, and I thought I had checked guest then also.

@dkocher
Author

dkocher commented Sep 4, 2023

> @dkocher Which version? I fixed a similar bug for anonymous authentication in v0.12.2, and I thought I had checked guest then also.

Running 0.12.2.

@hierynomus
Owner

@dkocher Which authenticator are you using?

@dkocher
Author

dkocher commented Sep 5, 2023

> @dkocher Which authenticator are you using?

This is using NtlmAuthenticator.

@karthik-119

karthik-119 commented Sep 6, 2023

I'm also facing the same NullPointerException when trying with anonymous login:

java.lang.NullPointerException
  at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKey(SMBSessionBuilder.java:324)
  at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKeys(SMBSessionBuilder.java:290)
  at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:174)
  at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:152)
  at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:119)
  at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:202)

It is happening after the upgrade to smbj library 0.12.2, and my target server is Windows 11 (protocol: SMB_3_1_1). I've also tried allowing insecure guest logons in my Local Group Policy Editor.

Not sure if this is relevant, but while debugging I found that this could be the cause:

    if (!ctx.authContext.isAnonymous() && !ctx.authContext.isGuest()) {
        context.setSessionKey(new SecretKeySpec(ctx.sessionKey, HMAC_SHA256_ALGORITHM));
    }

The session key is set on the context only when it is neither anonymous nor guest, meaning only for a user context; thus later, in deriveKeys, this ends up in a NullPointerException.

Is there any update on the issue, whether it's a server configuration issue or a bug in the actual code?

@dkocher
Author

dkocher commented Sep 20, 2023

@karthik-119 points out this may be a regression of 4633709.

hierynomus added a commit that referenced this issue Sep 26, 2023
This should fix the NPE that occurs when authenticating with guest or anonymous credentials and the server treating it as a regular account
@hierynomus
Owner

@dkocher @karthik-119 Can you try with the fix from #800?

@bubbleguuum

bubbleguuum commented Sep 26, 2023

I tested and:

So that issue has already been fixed by a commit post v0.12.2 it seems.

@hierynomus
Owner

@bubbleguuum Now that's even weirder, as Git doesn't show any change which could have anything to do with that on the current master branch 🤔

@bubbleguuum

Yes please disregard, I did my testing wrong (was actually using v0.11.1 instead of git master!).
Will do it again properly with the PR applied.

@bubbleguuum

bubbleguuum commented Sep 26, 2023

Still crashing using master git + the 1 line PR.
Double checked that everything is correct this time, with even a logged "LALA" line just before the if (ctx.sessionKey != null) { line change:

smb: resolved FOOBAR -> 192.168.1.157
        PacketEncryptor  I  Initialized PacketEncryptor with Cipher << AES_128_CCM >>
             Connection  I  Successfully connected to: 192.168.1.157
           SMBShareInfo  I  smb: \\FOOBAR\: NegotiatedProtocol{dialect=SMB_3_0_2, maxTransactSize=8388608, maxReadSize=8388608, maxWriteSize=8388608}
      SMBSessionBuilder  I  LALA
           SMBShareInfo  W  java.lang.NullPointerException: Attempt to invoke interface method 'byte[] javax.crypto.SecretKey.getEncoded()' on a null object reference
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKey(SMBSessionBuilder.java:326)
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKeys(SMBSessionBuilder.java:294)
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:176)
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:152)
                         W      at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:119)
                         W      at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:202)
                      ...

@karthik-119

> @dkocher @karthik-119 Can you try with the fix from #800?

@hierynomus, let me try to verify the fix.

@karthik-119

I realized that this project needs to be built with Gradle, which I'm not used to, and I have no correct configuration on my system. I'm afraid I can't verify the fix while it is still on an issue branch.

Is there any possibility to build the project using Maven?

@hierynomus
Owner

There should be no need to set it up. You can use ./gradlew build to build the project. This will use the Gradle wrapper. There are no Maven build files included.

@karthik-119

Yes, I did the same but see errors (Java version: 1.8):
[image]

@hierynomus
Owner

For building you need to use Java 11 (or higher).

@karthik-119

Thanks, I'm able to build the project with Java 11. Can you please update the README? It still says Java 7. Thanks.

I'll test the jar and update results here.

@karthik-119

karthik-119 commented Sep 28, 2023

Verified and can still see same NullPointerException.

java.lang.NullPointerException
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKey(SMBSessionBuilder.java:324)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKeys(SMBSessionBuilder.java:290)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:174)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:152)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:119)
	at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:202)

I think the issue is within the NtlmAuthenticator logic itself (in doAuthenticate()):

    // [MS-NLMP] 3.2.2 -- Special case for anonymous authentication
    if (context.isAnonymous()) {
        NtlmAuthenticate msg = new NtlmAuthenticate(null, null, context.getUsername(), context.getDomain(),
            config.getWorkstationName(), null, negotiateFlags, config.getWindowsVersion());
        response.setNegToken(negTokenTarg(msg));
        return response;
    }

For an anonymous context, the response neither has any session key set nor has session flags updated later in the authentication logic of SMBSessionBuilder.

Compare this to the older 11.x version, where for an anonymous context the session key is set based on the NTLM server challenge response.
On the other hand, in the deriveKeys() logic, you make checks for SMB3:

    if (dialect.isSmb3x() &&
        !response.getSessionFlags().contains(SMB2SessionSetup.SMB2SessionFlags.SMB2_SESSION_FLAG_IS_NULL) &&
        !response.getSessionFlags().contains(SMB2SessionSetup.SMB2SessionFlags.SMB2_SESSION_FLAG_IS_GUEST)) {

where it looks like this logic is not required for an anonymous or guest context, but the session flags for the response are not updated anywhere if that is proven.

(Note: I'm no expert in the SMB subject or this lib's code, just trying to infer based on my understanding from debug sessions. I might be wrong in my statements, please correct me.)

@hellivan

hellivan commented Dec 4, 2023

Any update on this?

@HubertOT

Indeed any update on this issue?
As karthik-119 mentioned, within the method deriveKeys the sessionFlags are checked for an anonymous (SMB2_SESSION_FLAG_IS_NULL) or guest (SMB2_SESSION_FLAG_IS_GUEST) login request.

Using SMBj 0.11.5, when an anonymous logon (no username nor password set) was done, the sessionFlag SMB2_SESSION_FLAG_IS_GUEST was set and the logon succeeded. I doubt this was for the correct reason; I would have expected that sessionFlag "SMB2_SESSION_FLAG_IS_NULL" was set instead of "SMB2_SESSION_FLAG_IS_GUEST".
However, with SMBj 0.12.x it fails as none of these sessionFlags are set; hence, for signing, it tries to set the deriveKey based on the context. The context, however, does not contain a sessionKey, as it's an anonymous login which is not able to sign or encrypt.
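
The guard discussed in the two comments above, as an added Java example (not smbj's code and not part of the thread): an SMB 3.0.x signing key is derived with the SP800-108 counter-mode KDF only when a session key exists and the session is not flagged guest or null. The `Flag` enum, the class and method names, and the all-zero sample key are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.EnumSet;
import java.util.Optional;
import java.util.Set;

public class SessionKeyGuardExample {
    // Hypothetical stand-ins for the two session flags named in the thread.
    enum Flag { IS_GUEST, IS_NULL }

    // SP800-108 counter-mode KDF, HMAC-SHA256 as PRF, 128-bit output:
    // the construction SMB 3.x uses to derive its signing key.
    static byte[] kdf(byte[] key, byte[] label, byte[] context) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(new byte[] {0, 0, 0, 1});           // counter i = 1
        mac.update(label);
        mac.update((byte) 0);                          // separator byte
        mac.update(context);
        mac.update(new byte[] {0, 0, 0, (byte) 128});  // L = 128 bits
        byte[] out = new byte[16];
        System.arraycopy(mac.doFinal(), 0, out, 0, 16);
        return out;
    }

    // Empty result: the session has no signing key and must be treated as unsigned.
    static Optional<byte[]> signingKey(byte[] sessionKey, Set<Flag> flags) throws Exception {
        if (flags.contains(Flag.IS_GUEST) || flags.contains(Flag.IS_NULL)) {
            return Optional.empty();   // server declared the session keyless
        }
        if (sessionKey == null) {
            return Optional.empty();   // the case in this thread: no flag set, no key
        }
        // Label and context for the SMB 3.0 / 3.0.2 signing key.
        byte[] label = "SMB2AESCMAC\0".getBytes(StandardCharsets.US_ASCII);
        byte[] ctx = "SmbSign\0".getBytes(StandardCharsets.US_ASCII);
        return Optional.of(kdf(sessionKey, label, ctx));
    }

    public static void main(String[] args) throws Exception {
        byte[] constructedKey = new byte[16];  // constructed all-zero sample key
        // Regular user session, guest-flagged session, then unflagged session without a key.
        System.out.println(signingKey(constructedKey, EnumSet.noneOf(Flag.class)).isPresent());
        System.out.println(signingKey(null, EnumSet.of(Flag.IS_GUEST)).isPresent());
        System.out.println(signingKey(null, EnumSet.noneOf(Flag.class)).isPresent());
    }
}
```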

zhanghai added a commit to zhanghai/MaterialFiles that referenced this issue Apr 7, 2024
To work around regression in SMB anonymous authentication.

See also hierynomus/smbj#792

This reverts commit d9ce4e6.

Bug: #1181
XayahSuSuSu added a commit to XayahSuSuSu/Android-DataBackup that referenced this issue Jun 28, 2024
* Ref: hierynomus/smbj#792
* Related: zhanghai/MaterialFiles@2d425a6

Change-Id: I82b9ae5e9f61e5c2886e782537579a9347e92b70
@dsforcam

Any update on this?

@bio-mjukis

There is an open PR for this issue: #800
Does anyone know a workaround for this issue (to use until the PR is merged to master)?

We can't get unauthenticated samba connection to work using smbj 0.13.0 due to this issue. Here is a stack trace:

java.lang.NullPointerException: Cannot invoke "javax.crypto.SecretKey.getEncoded()" because "derivationKey" is null
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKey(SMBSessionBuilder.java:324)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.deriveKeys(SMBSessionBuilder.java:290)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:174)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:152)
	at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:119)
	at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:202)

XayahSuSuSu pushed a commit to XayahSuSuSu/smbj that referenced this issue Nov 17, 2024
…mus#792)

This should fix the NPE that occurs when authenticating with guest or anonymous credentials and the server treating it as a regular account