Security #2894 (closed)
smb 1 create andx request does not parse the filename correctly.
Git IDs:
8dbb6253f812808de21ae8d7f03220ea940186d4
39fd6587eac21b4753ca101e2888f4e288b1481e
Severity:
Disclosure Date:
Description
I noticed that for the filenames of smb 1 create_andx_requests the first character of the filename was missing. I have isolated a flow from a pcap in which it was pretty clear that the first character was missing: Filename 'rowser' != 'browser' in packet 14.
{"timestamp":"2018-06-29T18:57:58.255379+0200","flow_id":202610335734381,"pcap_cnt":16,"event_type":"smb","src_ip":"172.16.1.102","src_port":49473,"dest_ip":"172.16.1.8","dest_port":445,"proto":"TCP","smb":{"id":6,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_NT_CREATE_ANDX","status":"STATUS_ACCESS_DENIED","status_code":"0xc0000022","session_id":2048,"tree_id":2048,"filename":"rowser","disposition":"FILE_OPEN","access":"normal","created":0,"accessed":0,"modified":0,"changed":0,"size":0,"fuid":""}}
In the function parse_smb_create_andx_request_record in smb1_records.rs the second _skip skips one byte too many.
"_skip2: take!(8)" should be "_skip2: take!(7)"
After parsing the create_options we should skip:
impersonation (4)
security_flags (2)
byte_count (1)
file_name: (file_len)
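The following is an added example, not code from Suricata: it reproduces the off-by-one on a constructed byte buffer, modelling everything after create_options as the 7 fixed bytes listed above followed by the filename. The trailing NUL terminator on the name and the use of plain slices instead of nom are assumptions made for the example.

```rust
// Added example (not Suricata's parser). The buffer models the bytes that follow
// create_options in an SMB1 NT Create AndX request: 7 bytes of fixed fields
// (impersonation, security_flags, byte_count) and then the filename.
// Assumption: the constructed filename is ASCII and NUL-terminated.

/// Number of fixed bytes between create_options and the filename.
const FIXED_FIELDS_LEN: usize = 7;

/// Skip `skip` bytes of fixed fields, then take `file_len` bytes of filename,
/// dropping anything from the first NUL onward. Returns None if the buffer is
/// too short for the requested range.
fn filename_after_create_options(rest: &[u8], skip: usize, file_len: usize) -> Option<String> {
    let name = rest.get(skip..skip.checked_add(file_len)?)?;
    let trimmed: Vec<u8> = name.iter().copied().take_while(|&b| b != 0).collect();
    String::from_utf8(trimmed).ok()
}

/// Constructed sample tail: 7 zeroed fixed bytes, then "browser" and its NUL.
fn sample_tail() -> Vec<u8> {
    let mut tail = vec![0u8; FIXED_FIELDS_LEN];
    tail.extend_from_slice(b"browser\0");
    tail
}

/// What `_skip2: take!(8)` yields: the skip runs one byte into the name,
/// so the leading 'b' is lost and the NUL terminator is consumed instead.
fn buggy_filename() -> Option<String> {
    filename_after_create_options(&sample_tail(), FIXED_FIELDS_LEN + 1, 7)
}

/// What `_skip2: take!(7)` yields: the filename starts at the right offset.
fn fixed_filename() -> Option<String> {
    filename_after_create_options(&sample_tail(), FIXED_FIELDS_LEN, 7)
}

fn main() {
    println!("skip 8: {:?}", buggy_filename()); // Some("rowser")
    println!("skip 7: {:?}", fixed_filename()); // Some("browser")
}
```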