Actions
Security #2894
closedsmb 1 create andx request does not parse the filename correctly.
Git IDs:
8dbb6253f812808de21ae8d7f03220ea940186d4
39fd6587eac21b4753ca101e2888f4e288b1481e
Severity:
Disclosure Date:
Description
I noticed that for the filenames of smb 1 create_andx_requests the first character of the filename was missing. I have isolated a flow from a pcap which it was pretty clear the first character was missing: Filename 'rowser' != 'browser' in packet 14.
{"timestamp":"2018-06-29T18:57:58.255379+0200","flow_id":202610335734381,"pcap_cnt":16,"event_type":"smb","src_ip":"172.16.1.102","src_port":49473,"dest_ip":"172.16.1.8","dest_port":445,"proto":"TCP","smb":{"id":6,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_NT_CREATE_ANDX","status":"STATUS_ACCESS_DENIED","status_code":"0xc0000022","session_id":2048,"tree_id":2048,"filename":"rowser","disposition":"FILE_OPEN","access":"normal","created":0,"accessed":0,"modified":0,"changed":0,"size":0,"fuid":""}}
In the function parse_smb_create_andx_request_record in smb1_records.rs the second _skip is skipping 1 byte to much.
"_skip2: take!(8)" should be "_skip2: take!(7)"
From after the parsing of the create_options we should skip:
impersonation (4)
security_flags (2)
byte_count (1)
file_name: (file_len)
Files
Updated by Victor Julien over 5 years ago
- Status changed from New to Assigned
- Target version set to 4.1.4
- Affected Versions 4.1.3 added
- Affected Versions deleted (
4.0beta1)
Updated by Victor Julien over 5 years ago
- Copied to Security #2896: smb 1 create andx request does not parse the filename correctly (master) added
Updated by Wesley van der Ree over 5 years ago
Pull request: https://github.com/OISF/suricata/pull/3734
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
Updated by Victor Julien about 4 years ago
- Tracker changed from Bug to Security
- Effort deleted (
low) - Difficulty deleted (
low) - CVE set to 2019-10051
- Git IDs updated (diff)
Actions