A wrong structure was used for the :maximal_access field of a TREE_CONNECT Response. Before this fix, a file_access_mask was used even for disk directory shares. Now, the structure sets either a file_access_mask or a directory_access_mask according to the share type.
This can be tested using the Metasploit auxiliary/scanner/smb/smb_login module, as described in https://github.com/rapid7/metasploit-framework/issues/16745. This module checks whether the Tree add_file permission on the ADMIN$ share is set, to detect whether the user has Administrator-level access. The add_file field only exists in directory_access_mask, which was failing before, since a file_access_mask was returned by the TREE_CONNECT Response.
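As an added illustration (example code, not RubySMB's or Metasploit's own), the following decodes the MaximalAccess field of an SMB2 TREE_CONNECT Response with the access-mask layout that matches the ShareType: bit 0x02 is FILE_WRITE_DATA in the file mask but FILE_ADD_FILE in the directory mask, so an add_file lookup only exists when the directory structure is chosen. The flag names, the SAMPLE_RESPONSE bytes and the helper functions are this example's own.

```ruby
# Share types from the SMB2 TREE_CONNECT Response (MS-SMB2 2.2.10).
SHARE_TYPE_DISK  = 0x01
SHARE_TYPE_PIPE  = 0x02
SHARE_TYPE_PRINT = 0x03

# Directory access mask (MS-SMB2 2.2.13.1.2): bit 0x02 is add_file.
DIRECTORY_ACCESS_BITS = {
  list_directory: 0x01, add_file: 0x02, add_subdirectory: 0x04,
  read_ea: 0x08, write_ea: 0x10, traverse: 0x20, delete_child: 0x40,
  read_attributes: 0x80, write_attributes: 0x100, delete: 0x10000,
  read_control: 0x20000, write_dac: 0x40000, write_owner: 0x80000
}.freeze

# File/pipe/printer access mask (MS-SMB2 2.2.13.1.1): bit 0x02 is write_data.
FILE_ACCESS_BITS = {
  read_data: 0x01, write_data: 0x02, append_data: 0x04,
  read_ea: 0x08, write_ea: 0x10, execute: 0x20, delete_child: 0x40,
  read_attributes: 0x80, write_attributes: 0x100, delete: 0x10000,
  read_control: 0x20000, write_dac: 0x40000, write_owner: 0x80000
}.freeze

# Pick the mask structure by share type, as the fix does: directory mask for
# disk shares, file mask for everything else. Returns flag name => true/false.
def decode_maximal_access(share_type, mask)
  bits = share_type == SHARE_TYPE_DISK ? DIRECTORY_ACCESS_BITS : FILE_ACCESS_BITS
  bits.transform_values { |bit| (mask & bit) != 0 }
end

# The check the smb_login module performs on ADMIN$: is add_file granted?
# Returns nil (not false) when the field does not exist for the chosen
# structure, which is exactly why the old file_access_mask choice failed.
def admin_share_writable?(share_type, mask)
  decode_maximal_access(share_type, mask)[:add_file]
end

# Parse the 16-byte TREE_CONNECT Response body (little-endian):
# StructureSize(2) ShareType(1) Reserved(1) ShareFlags(4) Capabilities(4)
# MaximalAccess(4). Returns share_type and the raw mask.
def parse_tree_connect_response(bytes)
  _size, share_type, _reserved, _flags, _caps, max = bytes.unpack('S<CCL<L<L<')
  { share_type: share_type, maximal_access: max }
end

# Constructed sample (not a real capture): a disk share granting full access.
SAMPLE_RESPONSE = [16, SHARE_TYPE_DISK, 0, 0, 0, 0x001F01FF].pack('S<CCL<L<L<')

resp = parse_tree_connect_response(SAMPLE_RESPONSE)
puts "share_type=#{resp[:share_type]} add_file=#{admin_share_writable?(resp[:share_type], resp[:maximal_access]).inspect}"
```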
Before
The module successfully logs in with the Administrator credentials but does not report it with the Administrator access level:
Fixes https://github.com/rapid7/metasploit-framework/issues/16745
After
Now, it is reported with the Administrator access level: