Project

General

Profile

Actions

Bug #4232

closed

Protocol detection evasion enip-SMB

Added by Philippe Antoine almost 4 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport, Needs backport to 5.0, Needs backport to 6.0

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28388

Problem is that rs_smb_probe_tcp uses search_smb_record. which searches a SMB record at any position
Before this record, there might be another valid protocol such as ENIP

Why is not parse_nbss_record_partial good enough ?


Files

input.pcap (340 Bytes) input.pcap SMB detected Philippe Antoine, 01/21/2021 11:13 AM
input2.pcap (330 Bytes) input2.pcap ENIP detected on shorter payload Philippe Antoine, 01/21/2021 11:13 AM

Related issues 2 (0 open2 closed)

Copied to Suricata - Bug #4343: Protocol detection evasion enip-SMBRejectedJeff LucovskyActions
Copied to Suricata - Bug #4344: Protocol detection evasion enip-SMBClosedVictor JulienActions
Actions #1

Updated by Victor Julien almost 4 years ago

  • Status changed from New to Feedback
  • Assignee changed from Victor Julien to Philippe Antoine

Philippe can you craft a pcap for this?

Actions #3

Updated by Philippe Antoine almost 4 years ago

Reproduced with suricata -r input2.pcap -k none -c suricata.yaml -l log. with enip activated in suricata.yaml
Then jq '.app_proto' log/eve.json

To produce the pcaps, I used this script

#!/usr/bin/env python
from scapy.all import *
import binascii

pktsTCP3WHS = []

pktsTCP3WHS += Ether(dst='00:01:02:03:04:07', src='00:01:02:03:04:05')/ \
    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=44818, dport=445, flags='S',seq=1000)
pktsTCP3WHS += Ether(src='00:01:02:03:04:07', dst='00:01:02:03:04:05')/ \
    IP(src='1.2.3.4', dst='5.6.7.8')/TCP(dport=44818, sport=445, flags='S''A', seq=2000, ack=1001)
pktsTCP3WHS += Ether(dst='00:01:02:03:04:07', src='00:01:02:03:04:05')/ \
    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=44818, dport=445, flags='A',seq=1001, ack=2001)

payloadSMB = "FF534D42202020202020" 
payloadBase = "04002020202020206A0000002020202020202020202020202020" 
pktSMB = [Ether(dst='00:01:02:03:04:07', src='00:01:02:03:04:05')/ \
    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=44818, dport=445, flags='P''A',seq=1001, ack=2001)/binascii.unhexlify(payloadBase+payloadSMB)]
pktsSMB = pktsTCP3WHS + pktSMB

wrpcap('input.pcap', pktsSMB)

pktENIP = [Ether(dst='00:01:02:03:04:07', src='00:01:02:03:04:05')/ \
    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=44818, dport=445, flags='P''A',seq=1001, ack=2001)/binascii.unhexlify(payloadBase)]
pktsENIP = pktsTCP3WHS + pktENIP

wrpcap('input2.pcap', pktsENIP)

Actions #4

Updated by Philippe Antoine almost 4 years ago

Fix may be that rs_smb_probe_tcp should use the flag to check if they have STREAM_MIDSTREAM or STREAM_START

Actions #5

Updated by Philippe Antoine almost 4 years ago

Also https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29919 is a problem against rs_smb_probe_tcp

Actions #6

Updated by Philippe Antoine almost 4 years ago

  • Status changed from Feedback to In Review

Gitlab

Actions #7

Updated by Victor Julien almost 4 years ago

  • Target version changed from 6.0.2 to 7.0.0-beta1
Actions #8

Updated by Philippe Antoine almost 4 years ago

  • Label Needs backport, Needs backport to 5.0, Needs backport to 6.0 added
Actions #9

Updated by Jeff Lucovsky almost 4 years ago

  • Copied to Bug #4343: Protocol detection evasion enip-SMB added
Actions #10

Updated by Jeff Lucovsky almost 4 years ago

  • Copied to Bug #4344: Protocol detection evasion enip-SMB added
Actions #11

Updated by Victor Julien almost 4 years ago

  • Status changed from In Review to Closed
Actions #12

Updated by Victor Julien about 3 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF