The SMB server fails when a SMBv1 malformed query is received. The examples/list_directory.rb script can be used to reproduce the issue:
ruby examples/list_directory.rb 127.0.0.1 myuser mypasswd public /
This will send \/\* as search pattern and will end up with path equal to // after being parsed. This will break the logic and raise a RuntimeError ("Directory traversal detected..."). Note that Windows returns a STATUS_OBJECT_NAME_INVALID error when it receives the same malformed pattern.
Step to reproduce
start the server using the example/file_server.rb script:
ruby examples/list_directory.rb 127.0.0.1 myuser 123456 public /
You should see the following stack trace:
D, [2022-04-11T13:30:26.371725 #65281] DEBUG -- : Received SMB_COM_TRANSACTION2 request for share: public
#<Thread:0x00007fae369759a0 /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server.rb:56 run> terminated with exception (report_on_exception is true):
/Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/share/provider/disk/processor.rb:100:in `get_local_path': Directory traversal detected to: / (RuntimeError)
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/share/provider/disk/processor/query.rb:177:in `transaction2_smb1_find_first2'
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/share/provider/disk/processor/query.rb:19:in `do_transactions2_smb1'
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client/share_io.rb:14:in `proxy_share_io_smb1'
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:317:in `handle_smb1'
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:81:in `handle_smb'
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:164:in `block in run'
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:153:in `loop'
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server/server_client.rb:153:in `run'
from /Users/cdelafuente/dev/src/ruby_smb/lib/ruby_smb/server.rb:56:in `block (2 levels) in run'
The SMB server fails when a SMBv1 malformed query is received. The
examples/list_directory.rbscript can be used to reproduce the issue:This will send
\/\*as search pattern and will end up with path equal to//after being parsed. This will break the logic and raise a RuntimeError ("Directory traversal detected..."). Note that Windows returns aSTATUS_OBJECT_NAME_INVALIDerror when it receives the same malformed pattern.Step to reproduce
example/file_server.rbscript:examples/list_directory.rbscript:You should see the following stack trace: