Password related error in local configuration file #60

Open
CERT-ENEDIS opened this issue Feb 16, 2022 · 7 comments

Comments

@CERT-ENEDIS

Hello,

With Orc version v10.0.22, we are facing two errors related to the local configuration file, the upload tag and the password used to authenticate on a network SMB share.

Error 1:

  1. upload to a network SMB share with filecopy and negotiate with a valid account
  2. modify the account's password
  3. the next upload will fail before submitting the login/password, with the following error: "WideCharToMultiByte failed" (WideAnsi)
  4. rebooting the machine corrects the "bug"

Any help would be appreciated on this topic (maybe Windows related.... a caching mechanism?)

Error 2:
All authentication with a password longer than 20 characters fails (20 chars is OK, 25 chars is KO). Could you please confirm there is no size or character restriction on the password field in the local configuration file?

Thank you for your work.

Regards,

CERT-ENEDIS

@sc-anssi

Hi,
Thanks for the report; we can reproduce the second issue and it will be fixed in an upcoming release.

However, we cannot reproduce the first one, so this might take a bit longer to troubleshoot. Can you provide us with the full log and json file? Also, does deleting the network connection between the two runs work around the issue? (net use /del \\filer\share_name)
Thanks,

Regards

@CERT-ENEDIS (Author)

Thanks.

Sadly, I'm not able to test (modify the account password) myself. The delay may be significant...

I had tried the command net use /del \\share; as far as I remember, the response was something like "no connection with this name". I'm pretty confident about the failure happening before "password submission", as the attribute bad-pwd-count was not incremented.

I assume you are requesting the xml local configuration file as the json file?

I will provide more information as soon as possible.

Thanks,

Regards

@jeanga commented Feb 16, 2022

Hi,

Quick question: can you detail the scenario for Error 1?
Especially, for steps 1, 2, 3: are 1 & 3 the same dfir-orc run, or separate runs?
(I mean between two archives of the same collection, or do you run dfir-orc.exe twice?)

For the same dfir-orc run, this behavior is expected (i.e. the smb share is connected at dfir-orc's launch).

For two successive dfir-orc runs, the smb share could remain connected after dfir-orc's run.
Can you run a "net use" command between the two runs to check this?
(Make sure you run the command from the exact same user context as dfir-orc, as connections are (now) user-session related.)

In all cases, "WideCharToMultiByte failed" is a bogus error message worth checking....

Thank you for your report :-)
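The check suggested above (run `net use` in the same user context between two runs and look for a lingering connection to the collection share) as an added example; this is not DFIR-ORC code. It parses `net use` output for the target UNC path and prints the command that drops the cached connection, so the next run authenticates afresh with the updated password. The share path is a placeholder, and the embedded `net use` output is a constructed sample used when the script is not run on Windows.

```python
"""Added example (not DFIR-ORC code): detect a cached SMB connection to the
collection share before a new dfir-orc run, from the same user context."""
import platform
import subprocess
from typing import List, Tuple

# Placeholder UNC path; replace with the share named in the upload configuration.
TARGET_SHARE = r"\\server\share"

# Constructed sample of `net use` output, shaped like the real command's table
# (status, optional local drive, remote path, provider), for offline runs.
SAMPLE_NET_USE_OUTPUT = r"""New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK                     \\server\share            Microsoft Windows Network
Disconnected Z:        \\other\archive           Microsoft Windows Network
The command completed successfully.
"""


def find_connections(net_use_output: str, unc_path: str) -> List[Tuple[str, str]]:
    """Return (status, remote) pairs for every `net use` row whose remote path
    equals unc_path (compared case-insensitively, as SMB paths are)."""
    wanted = unc_path.rstrip("\\").lower()
    hits = []
    for line in net_use_output.splitlines():
        parts = line.split()
        # A connection row starts with a status word and carries one UNC token.
        unc_tokens = [p for p in parts if p.startswith("\\\\")]
        if len(parts) >= 2 and unc_tokens:
            remote = unc_tokens[0]
            if remote.rstrip("\\").lower() == wanted:
                hits.append((parts[0], remote))
    return hits


def delete_command(unc_path: str) -> List[str]:
    """argv for dropping the cached connection: `net use \\server\share /delete`."""
    return ["net", "use", unc_path, "/delete"]


def current_net_use_output() -> str:
    """Run `net use` on Windows; elsewhere fall back to the constructed sample."""
    if platform.system() != "Windows":
        return SAMPLE_NET_USE_OUTPUT
    return subprocess.run(["net", "use"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    hits = find_connections(current_net_use_output(), TARGET_SHARE)
    if hits:
        for status, remote in hits:
            print(f"existing connection: {status} {remote}")
        print("to clear it before the next run:", " ".join(delete_command(TARGET_SHARE)))
    else:
        print(f"no existing connection to {TARGET_SHARE}")
```

Run it from the same account and session that will launch dfir-orc; a connection listed under a different user context is the one the tool will not see, which is what the test in the thread needs to rule out.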

@sc-anssi

I assume you are requesting xml local configuration file as json file ?

You can give us the local configuration as well, but we are especially interested in the .log and .json files that were produced by the different ORC runs.

@fabienfl-orc (Collaborator)

Hello, could you try with the new v10.0.24? By looking at the code I was able to fix a bug, but I am not sure this will be enough to fix your issue.

Thank you

@CERT-ENEDIS (Author)

Hello,

We will try the new version as soon as possible.

Concerning the first issue (the "WideCharToMultiByte failed" issue), we did better tests. We hope the information below will be helpful. At this time we chose not to include the Json files due to the specific data inside; we hope it will not be too annoying (any specific parts needed?)...

Each run of DFIR-ORC is a separate run with the same configuration, except for the password in the upload tag of the local configuration file.

  1. Orc runs with no error, upload to the network share is OK
  2. password modification with the AD console (no more specific details)
  3. the next run will trigger the error BUT the upload will indeed succeed.... (new information)
ERROR WideCharToMultiByte failed :xxxxxxxxx
Failed to add a connection to \\server\share

As you say above, "...exact same user context as dfir-orc...", we messed up the test the first time. The net use \del share command will remove the share and correct the WideCharToMultiByte error....

Hope this information will be sufficient.

I will come back as soon as possible with the test result for the new version.

Thank you

Regards

@CERT-ENEDIS (Author)

Hello,

With version 10.0.24:

Passwords with 25 characters are OK, but some characters (< and >) are not allowed in the configuration file due to the lack of xml escaping.

ERROR (hr=0xc00cee26): XmlLite: well - formedness constraint : no '<' in attribute value (line=32,pos=44)
ERROR (hr=0xc00cee26): Error parsing root 'dfir-orc' element
ERROR (hr=0xc00cee26): Failed to read config file c:\Users\.....OrcCollector.xml
ERROR (hr=0xc00cee26): Failed to lookup and read item schema

The error related to the cache is still here.

ERROR WideCharToMultiByte failed :xxxxxxxxx
Failed to add a connection to \\server\share

But the file upload is OK.

If any information is required to debug (json or log file), feel free to ask.

Thanks again.

Regards

Cert-Enedis
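The XmlLite error quoted above ("no '<' in attribute value") is the XML well-formedness rule at work: `<` and `&` can never appear raw inside an attribute value, and `"` cannot appear inside a double-quoted one. The following added example (not DFIR-ORC code) shows the same password written raw and then escaped, checks each with Python's XML parser as a stand-in for XmlLite, and verifies that the escaped form decodes back to the original password. The element and attribute names (`<dfir-orc>`, `<upload method="filecopy" password="...">`) are assumed here and only stand in for the real configuration layout; the password is a constructed sample.

```python
"""Added example (not DFIR-ORC code): why a raw '<' in a password attribute
breaks the XML local configuration, and how escaping fixes it."""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample password holding every character that needs escaping in
# a double-quoted XML attribute value.
SAMPLE_PASSWORD = 'Sup3r<Secret>&"Pass"'

# Characters that cannot be written raw inside a double-quoted attribute
# ('>' is tolerated by parsers but is escaped here for consistency).
UNSAFE_IN_ATTRIBUTE = '<>&"'


def unsafe_chars(password: str) -> str:
    """Sorted string of the characters in password that must be escaped."""
    return "".join(sorted({c for c in password if c in UNSAFE_IN_ATTRIBUTE}))


def build_config_raw(password: str) -> str:
    """Insert the password verbatim (assumed element/attribute names).
    Not well-formed whenever the password contains < & or a double quote."""
    return f'<dfir-orc><upload method="filecopy" password="{password}" /></dfir-orc>'


def build_config_escaped(password: str) -> str:
    """quoteattr() turns & < > into entities and chooses/escapes the quote
    character, so the attribute is well-formed for any password."""
    return f'<dfir-orc><upload method="filecopy" password={quoteattr(password)} /></dfir-orc>'


def is_well_formed(xml_text: str) -> bool:
    """True if a strict XML parser accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def read_password(xml_text: str) -> str:
    """Parse the config and return the decoded password attribute."""
    root = ET.fromstring(xml_text)
    return root.find("upload").get("password")


if __name__ == "__main__":
    raw = build_config_raw(SAMPLE_PASSWORD)
    escaped = build_config_escaped(SAMPLE_PASSWORD)
    print("characters needing escape:", unsafe_chars(SAMPLE_PASSWORD))
    print("raw config well-formed:    ", is_well_formed(raw))
    print("escaped config well-formed:", is_well_formed(escaped))
    print("escaped config:", escaped)
    print("round trip ok:", read_password(escaped) == SAMPLE_PASSWORD)
```

Until the tool escapes the value itself, writing the password attribute through an XML library (or hand-escaping `&` as `&amp;`, `<` as `&lt;` and `"` as `&quot;`) is what keeps a long or symbol-heavy password parseable; the parser hands the original characters back, so nothing about the password itself has to change.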
