Project

General

Profile

Actions

Security #2894

closed

smb 1 create andx request does not parse the filename correctly.

Added by Wesley van der Ree over 5 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

8dbb6253f812808de21ae8d7f03220ea940186d4
39fd6587eac21b4753ca101e2888f4e288b1481e

Severity:
Disclosure Date:

Description

I noticed that for the filenames of smb 1 create_andx_requests the first character of the filename was missing. I have isolated a flow from a pcap which it was pretty clear the first character was missing: Filename 'rowser' != 'browser' in packet 14.

{"timestamp":"2018-06-29T18:57:58.255379+0200","flow_id":202610335734381,"pcap_cnt":16,"event_type":"smb","src_ip":"172.16.1.102","src_port":49473,"dest_ip":"172.16.1.8","dest_port":445,"proto":"TCP","smb":{"id":6,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_NT_CREATE_ANDX","status":"STATUS_ACCESS_DENIED","status_code":"0xc0000022","session_id":2048,"tree_id":2048,"filename":"rowser","disposition":"FILE_OPEN","access":"normal","created":0,"accessed":0,"modified":0,"changed":0,"size":0,"fuid":""}}

In the function parse_smb_create_andx_request_record in smb1_records.rs the second _skip is skipping 1 byte to much.

"_skip2: take!(8)" should be "_skip2: take!(7)"

From after the parsing of the create_options we should skip:
impersonation (4)
security_flags (2)
byte_count (1)
file_name: (file_len)


Files

smb.pcap (3.06 KB) smb.pcap Wesley van der Ree, 03/21/2019 01:10 PM

Related issues 1 (0 open1 closed)

Copied to Suricata - Security #2896: smb 1 create andx request does not parse the filename correctly (master)ClosedVictor JulienActions
Actions

Also available in: Atom PDF