Bug #115702 for Net-LDAP-Class: Possible bug in _string2sid and

Tue Jun 28 13:50:47 2016 ftalabi [...] cisco.com - Ticket created

Subject:	Possible bug in _string2sid and _sid2string
Date:	Tue, 28 Jun 2016 17:50:30 +0000
To:	"bug-Net-LDAP-Class [...] rt.cpan.org" <bug-Net-LDAP-Class [...] rt.cpan.org>
From:	"Femi Talabi (ftalabi)" <ftalabi [...] cisco.com>

Hello, I recently came across an ObjectSid binary that failed parsing in _sid2string in Net::LDAP::Class::User::AD (01020000110b4911e0e4ed2601020000/S-1-285952273-653124832-513) Google search led me to this from MSDN blog: https://blogs.msdn.microsoft.com/oldnewthing/20040315-00/?p=40253, and if that is to be believed, sub_authority_count is only 8 bits and authority is 48 bits, so the way the way the parser is currently implemented will only work correctly if the authority field has none of the 40 most significant bits set. If up to 24 bits are set, bits 7 to 23 are ignored in authority, making it incorrect, but it won't die. If up to or more than 32 bits are set, some of that seeps into sub_authority_count and it will die. I made the following changes that seem to fix the issue: in _string2sid 168,172c168 < # bit shifting does not work on 32-bit platforms < my $authority_high = int($authority / 4294967296); < my $authority_low = $authority - ($authority_high * 4294967296); < < my $sid = pack 'C C n N V*', $revision_level, $authority_high, $authority_low, --- Show quoted text

> my $sid = pack 'C Vxx C V*', $revision_level, $authority,

And in _sid2string 186c182 < my ($revision_level, $authority_high, $authority_low, --- Show quoted text

> my ($revision_level, $authority,

188c184 < ) = unpack 'C C n N V*', $sid; --- Show quoted text

> ) = unpack 'C Vxx C V*', $sid;

192,193d187 < my $authority = ($authority_high * 4294967296) + $authority_low; #bit shifting does not work for 32-bit platforms < I tested the changes with my problematic sid, others that had worked previously and contrived ones with bits set it works (verified against https://sidtranslator.codeplex.com/ which uses native microsoft C# APIs to do the conversion) Thanks, BFT

Wed Jun 29 17:48:24 2016 karman [...] cpan.org - Correspondence added

This is lovely, thank you. I realized in searching for the source for this module that it had never been ported to git, which I have now done: https://github.com/karpet/net-ldap-class If you could turn this into a PR, I'd be happy to review/merge. The tests rely on corresponding code in Net::LDAP::Server::Test: https://github.com/karpet/net-ldap-server-test/blob/master/lib/Net/LDAP/Server/Test.pm#L586 which will also need to be patched. As I no longer have a AD server to do real-life testing against, I will trust that these changes make sense in that context.

Wed Jun 29 17:48:24 2016 The RT System itself - Status changed from 'new' to 'open'

Thu Jun 30 10:13:13 2016 karman [...] cpan.org - Correspondence added

Looking at this now (8 years later) it seems like this would be a good time to refactor both Net::LDAP::Class and Net::LDAP::Server::Test and pull out a new module called Net::LDAP::SID which both the original modules can delegate to. If you'd care to try that, let me know. Otherwise, I will try and get to it later this week.

Thu Jun 30 15:51:36 2016 karman [...] cpan.org - Correspondence added

I went ahead and started on pulling out the SID stuff into its own module, and created a PR using the patch you sent: https://github.com/karpet/net-ldap-sid/pull/1 I am not seeing tests pass. Perhaps I didn't interpret your email+patch correctly.

Fri Jul 01 12:22:57 2016 karman [...] cpan.org - Correspondence added

Thanks again for identifying this bug and providing a patch. I figured out that the original SID binary template I was working from was flawed, and it is now fixed in Net::LDAP::SID 0.001 -- which has been released along with Net::LDAP::Class 0.27 and Net::LDAP::Server::Test 0.20. cheers!

Fri Jul 01 12:23:07 2016 karman [...] cpan.org - Status changed from 'open' to 'resolved'

Bug #115702 for Net-LDAP-Class: Possible bug in _string2sid and _sid2string