Project

General

Profile

Actions

Security #2896

closed

smb 1 create andx request does not parse the filename correctly (master)

Added by Victor Julien almost 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs:

cc50908f8d8beabaae3a60ee72412d704a024c2d
f7a41412d6fe0fbf285c538ae9d6d02eb63adb21

Severity:
Disclosure Date:

Description

I noticed that for the filenames of smb 1 create_andx_requests the first character of the filename was missing. I have isolated a flow from a pcap which it was pretty clear the first character was missing: Filename 'rowser' != 'browser' in packet 14.

{"timestamp":"2018-06-29T18:57:58.255379+0200","flow_id":202610335734381,"pcap_cnt":16,"event_type":"smb","src_ip":"172.16.1.102","src_port":49473,"dest_ip":"172.16.1.8","dest_port":445,"proto":"TCP","smb":{"id":6,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_NT_CREATE_ANDX","status":"STATUS_ACCESS_DENIED","status_code":"0xc0000022","session_id":2048,"tree_id":2048,"filename":"rowser","disposition":"FILE_OPEN","access":"normal","created":0,"accessed":0,"modified":0,"changed":0,"size":0,"fuid":""}}

In the function parse_smb_create_andx_request_record in smb1_records.rs the second _skip is skipping 1 byte to much.

"_skip2: take!(8)" should be "_skip2: take!(7)"

From after the parsing of the create_options we should skip:
impersonation (4)
security_flags (2)
byte_count (1)
file_name: (file_len)


Files

smb.pcap (3.06 KB) smb.pcap Wesley van der Ree, 03/21/2019 01:10 PM

Related issues 1 (0 open1 closed)

Copied from Suricata - Security #2894: smb 1 create andx request does not parse the filename correctly.ClosedWesley van der ReeActions
Actions #1

Updated by Victor Julien almost 6 years ago

  • Copied from Security #2894: smb 1 create andx request does not parse the filename correctly. added
Actions #3

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
Actions #4

Updated by Victor Julien over 4 years ago

  • Tracker changed from Bug to Security
  • Effort deleted (low)
  • Difficulty deleted (low)
  • CVE set to 2019-10051
  • Git IDs updated (diff)
Actions

Also available in: Atom PDF