Conversation

@rudraditya21
Contributor

Fixes: #20874

This change ensures MsTdsLogin7 UTF‑16 buffer fields are represented as RubySMB::Field::String16 objects rather than raw strings. It updates buffer field handling to use the RubySMB String16 class for UTF‑16 fields and makes the buffer parsing logic work with both registered symbols and class types.

All Tests Pass

bundle exec rspec --seed 10152 spec/lib/rex/proto/ms_tds/ms_tds_login7_spec.rb spec/api/json_rpc_spec.rb 

Output

Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
Run options:
  include {:focus=>true}
  exclude {:acceptance=>true}

All examples were filtered out; ignoring {:focus=>true}

Randomized with seed 10152
Metasploit's json-rpc ...............
Rex::Proto::MsTds::MsTdsLogin7 .......................................

Top 10 slowest examples (57.83 seconds, 98.1% of total time):
  Metasploit's json-rpc analyze when there are modules available with no options returns the list of known modules associated with a reported host
    30.1 seconds ./spec/api/json_rpc_spec.rb:456
  Metasploit's json-rpc analyze when there are modules available when payloads requirements are specified returns the list of known modules associated with a reported host
    24.08 seconds ./spec/api/json_rpc_spec.rb:516
  Metasploit's json-rpc health status when using the REST health check functionality passes the health check
    1.11 seconds ./spec/api/json_rpc_spec.rb:129
  Metasploit's json-rpc Running a check job and verifying results when the module returns check code safe returns successful job results
    0.69375 seconds ./spec/api/json_rpc_spec.rb:209
  Metasploit's json-rpc Running a check job and verifying results when the check command raises a known msf error returns the error results
    0.67201 seconds ./spec/api/json_rpc_spec.rb:268
  Metasploit's json-rpc Running a check job and verifying results when the check command has an unexpected error returns the error results
    0.67008 seconds ./spec/api/json_rpc_spec.rb:301
  Metasploit's json-rpc analyze when there are no modules found returns an empty list of modules
    0.32274 seconds ./spec/api/json_rpc_spec.rb:588
  Metasploit's json-rpc health status when using the RPC health check functionality when there is an issue fails the health check
    0.06814 seconds ./spec/api/json_rpc_spec.rb:183
  Metasploit's json-rpc health status when using the RPC health check functionality when the service is healthy passes the health check
    0.0567 seconds ./spec/api/json_rpc_spec.rb:163
  Metasploit's json-rpc Running a check job and verifying results when the module does not support a check method returns successful job results
    0.05419 seconds ./spec/api/json_rpc_spec.rb:244

Top 2 slowest example groups:
  Metasploit's json-rpc
    3.9 seconds average (58.49 seconds / 15 examples) ./spec/api/json_rpc_spec.rb:10
  Rex::Proto::MsTds::MsTdsLogin7
    0.01151 seconds average (0.44904 seconds / 39 examples) ./spec/lib/rex/proto/ms_tds/ms_tds_login7_spec.rb:1

Finished in 58.95 seconds (files took 10.7 seconds to load)
54 examples, 0 failures

Randomized with seed 10152
Coverage report generated for RSpec to /Users/apple/Desktop/metasploit-framework/coverage.
Line Coverage: 34.52% (29563 / 85647)

@cdelafuente-r7
Contributor

Thank you @rudraditya21 for fixing this. I looked into this and found out the issue is much deeper. Your fix is good, but it only fixes MsTdsLogin7, and other BinData structures might also be affected.

BinData uses some kind of DSL that maps field types as an under_scored name to a registered class. In this case, :string16 is mapped to the class String16. The problem is that name collisions are very likely to happen. The original ruby_smb class for :string16 is implemented here. However, the Msf::Post::Windows::FileSystem mixin also implements a String16 class and registers it with BinData:

require 'bindata'

# Duplicate String16 from the Msf::Post::Windows::FileSystem mixin; inheriting
# from BinData::String registers it under the same :string16 key as RubySMB's.
class String16 < BinData::String
  # Store assigned values as UTF-16LE bytes
  def assign(val)
    super(val.encode('utf-16le'))
  end

  # Return the raw bytes tagged as UTF-16LE
  def snapshot
    super.force_encoding('utf-16le')
  end
end

This is the root cause of all these issues. Once a module that includes this mixin is loaded, the class overwrites the original ruby_smb class in the BinData registered classes cache. As a result, the fields declared as :string16 are now Msf::Post::Windows::FileSystem::String16 instead of RubySMB::Field::String16.

Since the implementation of String16 in the mixin is similar to the original one, the fix would be to simply delete this extra implementation. I went ahead and removed the String16 class in lib/msf/core/post/windows/file_system.rb and confirmed the specs are working again.

Unfortunately, there are no specs written for this mixin, and the only way to test that these modifications won't break anything else is to actually test a module that uses the mixin. I successfully tested the CVE-2022-21999 SpoolFool Privesc, which uses the BinData structures implemented in the Msf::Post::Windows::FileSystem mixin, including those with :string16 fields (a call to #create_junction). This makes me feel quite confident that removing the String16 class from the mixin is the right fix.

I would prefer having this fix in place, since it would solve the issue for any BinData structures that use the :string16 type in Metasploit Framework. Please, let me know your thoughts.
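The collision described above comes from BinData keying its registry on the class name with the namespace stripped. The following is an added example, not code from the PR or from Metasploit: it reimplements that naming rule (assumed to match BinData's Registry#underscore_name) so a constructed list of class names can be checked for registry keys claimed by more than one class, and shows that the last definition loaded silently wins.

```ruby
# Added example: detect BinData registry-key collisions between namespaced
# classes. The list of class names below is constructed for illustration.

# Reimplementation of BinData's registry naming rule (assumption: mirrors
# BinData::Registry#underscore_name): drop the namespace, CamelCase -> snake_case.
def bindata_key(class_name)
  class_name.to_s
            .sub(/.*::/, '')                       # only the last segment counts
            .gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
            .gsub(/([a-z\d])([A-Z])/, '\1_\2')
            .tr('-', '_')
            .downcase
end

# Simulates registration in load order: a later class with the same key
# replaces the earlier one without raising an error.
def simulate_registry(class_names)
  class_names.each_with_object({}) { |name, reg| reg[bindata_key(name)] = name }
end

# Returns { key => [class names] } for every key claimed by more than one class.
def registry_collisions(class_names)
  class_names.group_by { |n| bindata_key(n) }.select { |_, v| v.size > 1 }
end

# Constructed sample of classes that inherit from BinData::Base, in load order.
CONSTRUCTED_CLASSES = [
  'RubySMB::Field::String16',
  'RubySMB::Field::Stringz16',
  'Msf::Post::Windows::FileSystem::String16', # the duplicate from the mixin
  'Rex::Proto::MsTds::MsTdsLogin7'
].freeze

if __FILE__ == $PROGRAM_NAME
  registry_collisions(CONSTRUCTED_CLASSES).each do |key, names|
    puts ":#{key} is claimed by: #{names.join(', ')}"
  end
  puts "after loading all: :string16 => #{simulate_registry(CONSTRUCTED_CLASSES)['string16']}"
end
```

Running the collision check over the output of a grep for `< BinData::` across a code base is a cheap way to catch this class of regression before a module load order changes behaviour.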

@cdelafuente-r7 cdelafuente-r7 moved this from In Progress to Waiting on Contributor in Metasploit Kanban Jan 26, 2026
@rudraditya21
Contributor Author

If the mixin’s String16 registration is overriding RubySMB’s and causing the broader issue, removing the duplicate class seems like the right fix. I’m good proceeding with that change. I can update the PR to remove the mixin’s String16 and keep the MsTdsLogin7 fix minimal or revert it if it’s no longer needed. Let me know your preference on the PR structure.

@cdelafuente-r7
Contributor

cdelafuente-r7 commented Jan 26, 2026

Sounds good to me! Please, go ahead and remove the String16 class in the mixin. It should be enough to fix this. Thank you! You can revert your changes in MsTdsLogin7, if you don't mind.

@cdelafuente-r7 cdelafuente-r7 added bug rn-fix release notes fix labels Jan 26, 2026
…ns and reverted: MsTdsLogin7 to its original :string16
@cdelafuente-r7
Contributor

Thanks for updating this @rudraditya21! Everything looks good to me now. I retested the specs and it's all good. I'll go ahead and land it.

@github-project-automation github-project-automation bot moved this from Waiting on Contributor to In Progress in Metasploit Kanban Jan 26, 2026
@cdelafuente-r7 cdelafuente-r7 added rn-no-release-notes no release notes and removed rn-fix release notes fix labels Jan 26, 2026
@cdelafuente-r7 cdelafuente-r7 merged commit f6d0f40 into rapid7:master Jan 26, 2026
45 of 48 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Jan 26, 2026
Successfully merging this pull request may close these issues.

TDS tests failing