DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

Password related error in local configuration file #60

Open CERT-ENEDIS opened 2 years ago

CERT-ENEDIS commented 2 years ago

Hello,

With Orc version v10.0.22, we are facing two errors related to the local configuration file, the upload tag and the password used to authenticate on a network SMB share.

Error 1:
1) Upload to a network SMB share with filecopy and negotiate with a valid account.
2) Modify the account's password.
3) The next upload will fail before submitting the login/password, with the following error: "WideCharToMultiByte failed" (WideAnsi).
4) Rebooting the machine will correct the "bug".

Any help would be appreciated on this topic (maybe Windows related... caching mechanism?)

Error 2: All authentication with a password longer than 20 characters will fail (20 characters is OK, 25 characters is KO). Could you please confirm there is no size or character restriction on the password field in the local configuration file?

Thank you for your work.

Regards,

CERT-ENEDIS

sc-anssi commented 2 years ago

Hi, thanks for the report. We can reproduce the second issue and it will be fixed in an upcoming release.

However, we cannot reproduce the first one, so this might take a bit longer to troubleshoot. Can you provide us with the full log and JSON file? Also, does deleting the network connection between the two runs work around the issue? (net use /del \\filer\share_name) Thanks,

Regards

CERT-ENEDIS commented 2 years ago

Thanks.

Sadly, I'm not able to test (modify account password) myself. The delay may be significant...

I had tried the command net use /del \\share; as far as I remember the response was something like "no connection with this name". I'm pretty confident about the failure before "password submission" as the bad-pwd-count attribute was not incremented.

I assume you are requesting the XML local configuration file as the JSON file?

I will provide more information as soon as possible.

Thanks,

Regards

jeanga commented 2 years ago

Hi,

Quick question: can you detail the scenario for Error 1? Especially, for steps 1, 2, 3, are 1 & 3 the same dfir-orc run, or separate runs? (I mean between two archives of the same collection, or did you run dfir-orc.exe twice?)

For the same dfir-orc run, this behavior is expected (i.e. the SMB share is connected at dfir-orc's launch).

For two successive dfir-orc runs, the SMB share could remain connected after dfir-orc's run. Can you run a "net use" command between the two runs to check this? (Make sure you run the command from the exact same user context as dfir-orc, as they are (now) user-session related.)

In all cases, "WideCharToMultiByte failed" is a bogus error message worth checking....

Thank you for your report :-)

sc-anssi commented 2 years ago

I assume you are requesting the XML local configuration file as the JSON file?

You can give us the local configuration as well, but we are especially interested in the .log and .json files that were produced by the different ORC runs.

fabienfl-orc commented 2 years ago

Hello, could you try with the new v10.0.24? By looking at the code I was able to fix a bug, but I am not sure this will be enough to fix your issue.

Thank you

CERT-ENEDIS commented 2 years ago

Hello,

We will try the new version as soon as possible.

Concerning the first issue (the "WideCharToMultiByte failed" issue), we did better tests. We hope the information below will be helpful. At this time we chose not to include the JSON files due to the specific data inside; we hope it will not be too annoying (any specific parts needed?)...

Each run of DFIR-ORC is a separate run with the same configuration except the password in the upload tag in the local configuration file.
1) Orc runs with no error, upload to the network share is OK.
2) Password modification with the AD console (no more specific details).
3) The next run will trigger the error BUT the upload will indeed succeed... (new information)

ERROR WideCharToMultiByte failed :xxxxxxxxx
Failed to add a connection to \\server\share

As you said above, "...exact same user context as dfir-orc...", we messed up the test the first time. The net use \del share command will remove the share and correct the WideCharToMultiByte error...

Hope this information will be sufficient.

I will come back as soon as possible with the test results for the new version.

Thank you

Regards

CERT-ENEDIS commented 2 years ago

Hello,

With version 10.0.24.

Passwords with 25 characters are OK, but some characters (< and >) are not allowed in the configuration file due to lack of XML escaping.

ERROR (hr=0xc00cee26): XmlLite: well - formedness constraint : no '<' in attribute value (line=32,pos=44)
ERROR (hr=0xc00cee26): Error parsing root 'dfir-orc' element
ERROR (hr=0xc00cee26): Failed to read config file c:\Users\.....OrcCollector.xml
ERROR (hr=0xc00cee26): Failed to lookup and read item schema

The error related to cache is still here.

ERROR WideCharToMultiByte failed :xxxxxxxxx
Failed to add a connection to \\server\share

But file upload is Ok.

If any information is required to debug (json or log file), feel free to ask.

Thanks again

Regards

Cert-Enedis
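The XML escaping problem from the last comment, as an added example that is not DFIR-ORC code (the element and attribute names `upload`, `server`, `user`, `password` and the sample password are assumptions): a password containing `<`, `>`, `&` or `"` pasted raw into an attribute produces a file that is not well-formed, which is the XmlLite "no '<' in attribute value" error above; escaping it with `quoteattr` yields a file that parses and round-trips the password unchanged.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample password with every character that is special inside an
# XML attribute value, and longer than the 20-character limit from the report.
SAMPLE_PASSWORD = 'S3cret<pass>&"long-enough-25chars!"'

# Hypothetical minimal local configuration. The upload element and its
# server/user/password attributes are assumptions for this example, not the
# project's documented schema.
TEMPLATE = (
    '<dfir-orc>\n'
    '  <upload method="filecopy" server="\\\\server\\share" '
    'user="DOMAIN\\svc_orc" password={pw} />\n'
    '</dfir-orc>\n'
)


def build_config(password: str, escape: bool) -> str:
    """Render the config with the password either raw (hand-edited) or XML-escaped."""
    if escape:
        # quoteattr escapes &, <, > and picks a quoting style that keeps " or ' valid.
        attr = quoteattr(password)
    else:
        # Raw interpolation: what a hand-edited file with a '<' in the password looks like.
        attr = '"' + password + '"'
    return TEMPLATE.format(pw=attr)


def parse_password(config_xml: str):
    """Parse the config with expat (standing in for XmlLite here); return the
    password attribute, or None when the document is not well-formed."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    return root.find("upload").get("password")


if __name__ == "__main__":
    raw = build_config(SAMPLE_PASSWORD, escape=False)
    fixed = build_config(SAMPLE_PASSWORD, escape=True)
    print("raw config parses:    ", parse_password(raw) is not None)
    print("escaped config parses:", parse_password(fixed) == SAMPLE_PASSWORD)
    print(fixed)
```

Both expat and XmlLite reject a literal `<` in an attribute value, so a parse failure on the raw form reproduces the reported error without running Orc.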