fortra/impacket

Japanese Windows Security Log Encoding Issue

vvdanila opened this issue · 0 comments

Configuration

impacket version: 0.11.0
Python version: 3.10
Target OS: UBUNTU 22.04

Debug Output With Command String

We have adapted this for our needs, but it is initiated by: pEnum = iEnum.Next(0xFFFFFFFF, 1)[0].

What we do is perform a query:

FROM Win32_NTLogEvent WHERE(LogFile='security') And (TimeGenerated>='SOME TIMESTAMP')

from NTLogEvent from security logfile.
The log files contain Japanese characters.

Traceback (most recent call last):
  File "/bin/wmic.py", line 132, in printReply
    pEnum = iEnum.Next(0xFFFFFFFF, 1)[0]
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2950, in Next
    interfaces.append(IWbemClassObject(
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2330, in __init__
    self.parseObject()
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2369, in parseObject
    self.encodingUnit['ObjectBlock'].parseObject()
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 990, in parseObject
    self.ctCurrent = self.parseClass(ctCurrent, self['InstanceType'])
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 978, in parseClass
    classDict['values'] = cInstance.getValues(classDict['properties'])
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 843, in getValues
    value = ENCODED_VALUE.getValue( properties[key]['type'], itemValue, heap)
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 335, in getValue
    item = ENCODED_STRING(heapData)
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 158, in __init__
    self.fromString(data)
  File "/usr/local/lib/python3.10/site-packages/impacket/structure.py", line 152, in fromString
    self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
  File "/usr/local/lib/python3.10/site-packages/impacket/structure.py", line 370, in unpack
    raise Exception("%s 'u' field is not NUL-NUL terminated: %r" % (field, data))
Exception: ("Character 'u' field is not NUL-NUL terminated: b'\n\x00\t\x00ag\xf6N \x00I\x00D\x00:\x00\t\x00{\x00d\x007\x008\x00e\x001\x00e\x008\x007\x00-\x008\x006\x004\x004\x00-\x004\x00e\x00a\x005\x00-\x009\x004\x003\x007\x00-\x001\x002\x003\x00f\x00a\x00s\x00d\x001\x002\x003\x002\x00}\x00\n\x00\t\x00\x00N' "When unpacking field 'Character | u | ... (truncated on purpose)

Additional context

I have done an analysis myself and concluded that it could be a problem with utf-16-le encoding.
This is the string that causes the problem, decoded:
'\n\t条件 ID:\t{d78e1e87-8644-4ea5-9437-123fasd1232}\n\t一'.encode('utf_16_le')
If I further encode it as shown above, it results in the string caught in that error.

The encoding is in utf_16_le, and the corresponding string should be: '\n\t条件 ID:\t{d78e1e87-8644-4ea5-9437-123fasd1232}\n\t一'

A naive solution would be to check for ending \x00\x00\N. Do you think this is an appropriate solution to support additional encodings?
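
Added example, not part of the original issue and not impacket code: it uses the string quoted above to show that `\t` (09 00) followed by U+4E00 (00 4E) puts a `00 00` byte pair across two UTF-16LE code units, and compares a byte-wise terminator search with one that scans on 2-byte boundaries. `bytewise_field` is an assumed reconstruction chosen because it reproduces the bytes in the traceback; all function names and the trailing heap bytes are hypothetical.

```python
# Added example; not impacket code. SAMPLE is the string quoted in the issue.
SAMPLE = '\n\t条件 ID:\t{d78e1e87-8644-4ea5-9437-123fasd1232}\n\t一'


def make_heap(text: str, trailing: bytes = b'\xaa\xbb') -> bytes:
    """Constructed heap bytes: UTF-16LE text, NUL-NUL terminator, unrelated data."""
    return text.encode('utf-16-le') + b'\x00\x00' + trailing


def bytewise_field(data: bytes) -> bytes:
    """ASSUMED faulty sizing: first b'\\x00\\x00' at any byte offset, odd hits
    rounded up to the next code unit. Returns the bytes it would slice out."""
    hit = data.index(b'\x00\x00')
    return data[:hit + (3 if hit & 1 else 2)]


def aligned_terminator(data: bytes) -> int:
    """Offset of the first all-zero 16-bit code unit, or -1 if there is none."""
    for off in range(0, len(data) - 1, 2):
        if data[off:off + 2] == b'\x00\x00':
            return off
    return -1


def decode_utf16le_z(data: bytes) -> str:
    """Decode a NUL-NUL terminated UTF-16LE string using aligned scanning."""
    end = aligned_terminator(data)
    if end < 0:
        raise ValueError('no aligned NUL-NUL terminator')
    return data[:end].decode('utf-16-le')


if __name__ == '__main__':
    heap = make_heap(SAMPLE)
    # '\t' is 09 00 and U+4E00 is 00 4E, so 00 00 straddles two code units.
    print('byte-wise hit at', heap.index(b'\x00\x00'), '(odd offset)')
    print('byte-wise slice :', bytewise_field(heap)[-4:])
    print('aligned hit at  ', aligned_terminator(heap))
    print('decoded         :', repr(decode_utf16le_z(heap)))
```

For ASCII-only text the byte-wise search lands on the real terminator, which is why the failure only shows up with characters whose low byte is 0x00.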