Japanese Windows Security Log Encoding Issue #1788

@vvdanila

Description

Configuration

impacket version: 0.11.0
Python version: 3.10
Target OS: UBUNTU 22.04

Debug Output With Command String

We have adapted this for our needs, but it is initiated by: pEnum = iEnum.Next(0xFFFFFFFF, 1)[0].

What we do is perform a query:

FROM Win32_NTLogEvent WHERE(LogFile='security') And (TimeGenerated>='SOME TIMESTAMP')

from NTLogEvent from security logfile.
The log files contain Japanese characters.

Traceback (most recent call last):
   File "/bin/wmic.py", line 132, in printReply
    pEnum = iEnum.Next(0xFFFFFFFF, 1)[0]
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2950, in Next
    interfaces.append(IWbemClassObject(
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2330, in __init__
    self.parseObject()
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2369, in parseObject
    self.encodingUnit['ObjectBlock'].parseObject()
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 990, in parseObject
    self.ctCurrent = self.parseClass(ctCurrent, self['InstanceType'])
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 978, in parseClass
    classDict['values'] = cInstance.getValues(classDict['properties'])
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 843, in getValues
    value = ENCODED_VALUE.getValue( properties[key]['type'], itemValue, heap)
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 335, in getValue
    item = ENCODED_STRING(heapData)
  File "/usr/local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 158, in __init__
    self.fromString(data)
  File "/usr/local/lib/python3.10/site-packages/impacket/structure.py", line 152, in fromString
    self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
  File "/usr/local/lib/python3.10/site-packages/impacket/structure.py", line 370, in unpack
    raise Exception("%s 'u' field is not NUL-NUL terminated: %r" % (field, data))
Exception: ("Character 'u' field is not NUL-NUL terminated: b'\n\x00\t\x00ag\xf6N \x00I\x00D\x00:\x00\t\x00{\x00d\x007\x008\x00e\x001\x00e\x008\x007\x00-\x008\x006\x004\x004\x00-\x004\x00e\x00a\x005\x00-\x009\x004\x003\x007\x00-\x001\x002\x003\x00f\x00a\x00s\x00d\x001\x002\x003\x002\x00}\x00\n\x00\t\x00\x00N' "When unpacking field 'Character | u | ... (truncated on purpose)

Additional context

I have done an analysis myself and concluded that it could be a problem with utf-16-le encoding.
This is the string that causes the problem, decoded:
'\n\t条件 ID:\t{d78e1e87-8644-4ea5-9437-123fasd1232}\n\t一'.encode('utf_16_le')
If I further encode it as shown above, it results in the string caught in that error.

The encoding is in utf_16_le, and the corresponding string should be: '\n\t条件 ID:\t{d78e1e87-8644-4ea5-9437-123fasd1232}\n\t一'

A naive solution would be to check for ending \x00\x00\N. Do you think this is an appropriate solution to support additional encodings?
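
Added example, not part of the original issue and not impacket's own code: it shows why the buffer in the traceback ends in `\x00N`, and how a scan aligned to 16-bit code units finds the real terminator. The byte-wise finder is an assumed model of a NUL-NUL search that ignores alignment; all function names, the extra character after `一`, and the trailing bytes are constructed for the illustration.

```python
# Added illustration; not impacket code. The sample buffer is constructed.

def bytewise_terminator_end(buf: bytes) -> int:
    """Assumed naive approach: first b'\\x00\\x00' at any byte offset,
    rounded up to an even offset, plus the 2-byte terminator."""
    pos = buf.find(b"\x00\x00")
    if pos < 0:
        raise ValueError("no NUL-NUL byte pair found")
    if pos & 1:
        pos += 1  # lands on the code unit *after* the false match
    return pos + 2


def aligned_terminator_end(buf: bytes) -> int:
    """Scan 16-bit code units; only an aligned 0x0000 unit terminates."""
    for pos in range(0, len(buf) - 1, 2):
        if buf[pos:pos + 2] == b"\x00\x00":
            return pos + 2
    raise ValueError("no aligned UTF-16 NUL terminator found")


def decode_utf16z(buf: bytes, find_end) -> str:
    """Decode a NUL-terminated UTF-16LE string using the given end finder."""
    field = buf[:find_end(buf)]
    if field[-2:] != b"\x00\x00":
        raise ValueError("field is not NUL-NUL terminated: %r" % field[-6:])
    return field[:-2].decode("utf-16-le")


# Constructed heap data: the issue's string, continued with one made-up
# character, a real terminator, then unrelated trailing bytes.
# '\t' encodes as 09 00 and '一' (U+4E00) as 00 4E, so the bytes 00 00
# appear across the boundary of two valid code units.
TEXT = "\n\t条件 ID:\t{d78e1e87-8644-4ea5-9437-123fasd1232}\n\t一致"
HEAP = TEXT.encode("utf-16-le") + b"\x00\x00" + b"\xff\xff\xff\xff"

if __name__ == "__main__":
    print(repr(decode_utf16z(HEAP, aligned_terminator_end)))
    try:
        decode_utf16z(HEAP, bytewise_terminator_end)
    except ValueError as exc:
        print("byte-wise scan:", exc)
```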
