
Client#get_key_security_descriptor not working as expected #289

@joaoalber

Hello everyone,

I'm having trouble with the #get_key_security_descriptor method: I'm not able to fetch the information properly for a given registry key.

The issue seems to be the way the server's response is being read/parsed.

3.4.2 :003 > byte_stream
 => "\x01\x00\x04\x94\x8C\x00\x00\x00\x9C\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00x\x00\x05\x00\x00\x00\x00\x02\x18\x00\x19\x00\x02\x00\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00!\x02\x00\x00\x00\x02\x18\x00?\x00\x0F\x00\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00 \x02\x00\x00\x00\n\x14\x00?\x00\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x02\x18\x00\x19\x00\x02\x00\x01\x02\x00\x00\x00\x00\x00\x0F\x02\x00\x00\x00\x01\x00\x00\x00\x00\x02\x14\x00?\x00\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00 \x02\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"

3.4.2 :008 > RubySMB::Field::SecurityDescriptor.read(byte_stream)
 => 
{revision: 1,
 sbz1: 0,
 control:
  {dacl_computed_inheritance: 0, sacl_computed_inheritance: 0, dacl_auto_inherited: 0, sacl_auto_inherited: 0, dacl_protected: 0, sacl_protected: 1, rm_control_valid: 0, self_relative: 0, owner_defaulted: 1, group_defaulted: 0, dacl_present: 0, dacl_defaulted: 1, sacl_present: 0, sacl_defaulted: 1, server_security: 0, dacl_trusted: 0},
 offset_owner: 140,
 offset_group: 156,
 offset_sacl: 0,
 offset_dacl: 20,
 owner_sid: "",
 group_sid: "",
 sacl: "",
 dacl: ""}

Above you can see that things like offsets are set, but there's no information about the DACLs (including that DACL_PRESENT is false).

PS: Using the same user I can authenticate to the target machine and see the registry key permissions, but when it comes to using WinReg (DCE/RPC) this response appears to be malformed. (It doesn't seem to be a server-side issue.)

PS2: The same happens when querying security descriptor info for files: I get a response.buffer, which is a byte stream, and when I read it using the SecurityDescriptor field, it returns a broken structure similar to the one above.
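As an added reference, not part of this issue or of RubySMB's own code, the following Ruby script walks a self-relative SECURITY_DESCRIPTOR (MS-DTYP 2.4.6 layout: 20-byte header, then ACL, ACEs and SIDs, all little-endian) over the exact 168 bytes from the IRB session above, hex-encoded. Function names, the flag tables and the KNOWN_MASKS lookup are this example's own. Decoded this way, the control word 04 94 is 0x9404 (SELF_RELATIVE, DACL_PROTECTED, DACL_AUTO_INHERITED and DACL_PRESENT), the DACL at offset 20 holds five ACEs (Users with KEY_READ, Administrators, CREATOR OWNER, ALL APPLICATION PACKAGES and SYSTEM), the owner is S-1-5-32-544 and the group is S-1-5-18, so the bytes on the wire are internally consistent and the gap is on the reading side.

```ruby
# Added example (not RubySMB code): parse a self-relative SECURITY_DESCRIPTOR
# as laid out in MS-DTYP 2.4.6, with its ACL, ACEs and SIDs. All integers are
# little-endian, so the control word 04 94 on the wire is 0x9404, not 0x0494.

SE_CONTROL_FLAGS = {
  0x0001 => :owner_defaulted,       0x0002 => :group_defaulted,
  0x0004 => :dacl_present,          0x0008 => :dacl_defaulted,
  0x0010 => :sacl_present,          0x0020 => :sacl_defaulted,
  0x0040 => :dacl_trusted,          0x0080 => :server_security,
  0x0100 => :dacl_auto_inherit_req, 0x0200 => :sacl_auto_inherit_req,
  0x0400 => :dacl_auto_inherited,   0x0800 => :sacl_auto_inherited,
  0x1000 => :dacl_protected,        0x2000 => :sacl_protected,
  0x4000 => :rm_control_valid,      0x8000 => :self_relative
}.freeze

ACE_TYPES = { 0 => :access_allowed, 1 => :access_denied, 2 => :system_audit }.freeze

# Registry access masks worth recognising when the descriptor comes from WinReg.
KNOWN_MASKS = { 0x00020019 => :KEY_READ, 0x000F003F => :KEY_ALL_ACCESS }.freeze

# Decode a SID at byte offset +off+; returns [string_form, bytes_consumed].
# Layout: Revision (1), SubAuthorityCount (1), IdentifierAuthority (6, big-endian),
# then SubAuthorityCount little-endian 32-bit sub-authorities.
def parse_sid(buf, off)
  revision, sub_count = buf[off, 2].unpack('CC')
  authority = buf[off + 2, 6].unpack('C6').inject(0) { |acc, b| (acc << 8) | b }
  subs = buf[off + 8, 4 * sub_count].unpack("V#{sub_count}")
  ["S-#{revision}-#{authority}" + subs.map { |s| "-#{s}" }.join, 8 + 4 * sub_count]
end

# Decode an ACL (8-byte header followed by AceCount ACEs) at byte offset +off+.
def parse_acl(buf, off)
  revision, _sbz1, size, count, _sbz2 = buf[off, 8].unpack('CCvvv')
  pos = off + 8
  aces = Array.new(count) do
    type, flags, ace_size = buf[pos, 4].unpack('CCv')
    mask = buf[pos + 4, 4].unpack1('V')
    sid = parse_sid(buf, pos + 8).first
    ace = { type: ACE_TYPES.fetch(type, type), flags: flags, mask: mask,
            mask_name: KNOWN_MASKS[mask], sid: sid }
    pos += ace_size # AceSize covers header, mask and SID; ACEs are not fixed-width
    ace
  end
  { revision: revision, size: size, aces: aces }
end

# Decode the 20-byte SECURITY_DESCRIPTOR header and follow its offsets.
def parse_security_descriptor(buf)
  revision, sbz1, control, off_owner, off_group, off_sacl, off_dacl =
    buf[0, 20].unpack('CCvVVVV')
  flags = SE_CONTROL_FLAGS.select { |bit, _| control & bit != 0 }.values
  {
    revision: revision, sbz1: sbz1, control: control, control_flags: flags,
    owner_sid: off_owner.zero? ? nil : parse_sid(buf, off_owner).first,
    group_sid: off_group.zero? ? nil : parse_sid(buf, off_group).first,
    # An ACL offset is only meaningful when the matching *_PRESENT bit is set.
    sacl: (flags.include?(:sacl_present) && !off_sacl.zero?) ? parse_acl(buf, off_sacl) : nil,
    dacl: (flags.include?(:dacl_present) && !off_dacl.zero?) ? parse_acl(buf, off_dacl) : nil
  }
end

# Constructed input: the 168 bytes shown in the issue's IRB session, as hex.
SAMPLE_SD = [<<~HEX.delete(" \n")].pack('H*')
  01 00 04 94 8C 00 00 00 9C 00 00 00 00 00 00 00 14 00 00 00
  02 00 78 00 05 00 00 00
  00 02 18 00 19 00 02 00 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00
  00 02 18 00 3F 00 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
  00 0A 14 00 3F 00 0F 00 01 01 00 00 00 00 00 03 00 00 00 00
  00 02 18 00 19 00 02 00 01 02 00 00 00 00 00 0F 02 00 00 00 01 00 00 00
  00 02 14 00 3F 00 0F 00 01 01 00 00 00 00 00 05 12 00 00 00
  01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
  01 01 00 00 00 00 00 05 12 00 00 00
HEX

if __FILE__ == $PROGRAM_NAME
  sd = parse_security_descriptor(SAMPLE_SD)
  printf("control=0x%04x %p\n", sd[:control], sd[:control_flags])
  puts "owner=#{sd[:owner_sid]} group=#{sd[:group_sid]}"
  sd[:dacl][:aces].each do |a|
    printf("  %-15s flags=0x%02x mask=0x%08x %s\n", a[:type], a[:flags], a[:mask], a[:sid])
  end
end
```

Run it with `ruby sd_parse.rb` (any filename works). The two details that most often break descriptor parsers are visible here: the control word must be read as a little-endian 16-bit value before its bits are named, and each ACE must be advanced by its own AceSize field rather than by a fixed width, since SIDs with one or two sub-authorities give 20- and 24-byte ACEs in the same DACL.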
