Bug #4232: Protocol detection evasion enip-SMB
Status: Closed
Label: Needs backport, Needs backport to 5.0, Needs backport to 6.0
Description
Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28388
The problem is that rs_smb_probe_tcp uses search_smb_record, which searches for an SMB record at any position. Before this record, there might be another valid protocol such as ENIP.
Why is parse_nbss_record_partial not good enough?
Updated by Victor Julien almost 4 years ago
- Status changed from New to Feedback
- Assignee changed from Victor Julien to Philippe Antoine
Philippe, can you craft a pcap for this?
Updated by Philippe Antoine almost 4 years ago
- File input.pcap input.pcap added
- File input2.pcap input2.pcap added
Updated by Philippe Antoine almost 4 years ago
Reproduced with suricata -r input2.pcap -k none -c suricata.yaml -l log, with enip activated in suricata.yaml.
Then jq '.app_proto' log/eve.json
To produce the pcaps, I used this script:
#!/usr/bin/env python
from scapy.all import *
import binascii

# TCP three-way handshake: client 5.6.7.8:44818 (the ENIP port) to server 1.2.3.4:445 (the SMB port)
pktsTCP3WHS = []
pktsTCP3WHS.append(Ether(dst='00:01:02:03:04:07', src='00:01:02:03:04:05')/
    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=44818, dport=445, flags='S', seq=1000))
pktsTCP3WHS.append(Ether(src='00:01:02:03:04:07', dst='00:01:02:03:04:05')/
    IP(src='1.2.3.4', dst='5.6.7.8')/TCP(dport=44818, sport=445, flags='SA', seq=2000, ack=1001))
pktsTCP3WHS.append(Ether(dst='00:01:02:03:04:07', src='00:01:02:03:04:05')/
    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=44818, dport=445, flags='A', seq=1001, ack=2001))

# ENIP-looking bytes, optionally followed by an SMB1 header magic ("\xffSMB" = FF534D42)
payloadBase = "04002020202020206A0000002020202020202020202020202020"
payloadSMB = "FF534D42202020202020"

# input.pcap: one data segment carrying the ENIP bytes and then the SMB magic
pktSMB = [Ether(dst='00:01:02:03:04:07', src='00:01:02:03:04:05')/
    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=44818, dport=445, flags='PA', seq=1001, ack=2001)/
    binascii.unhexlify(payloadBase + payloadSMB)]
pktsSMB = pktsTCP3WHS + pktSMB
wrpcap('input.pcap', pktsSMB)

# input2.pcap: the same segment with the ENIP bytes only
pktENIP = [Ether(dst='00:01:02:03:04:07', src='00:01:02:03:04:05')/
    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=44818, dport=445, flags='PA', seq=1001, ack=2001)/
    binascii.unhexlify(payloadBase)]
pktsENIP = pktsTCP3WHS + pktENIP
wrpcap('input2.pcap', pktsENIP)
Updated by Philippe Antoine almost 4 years ago
A fix may be that rs_smb_probe_tcp should use the flag to check whether it has STREAM_MIDSTREAM or STREAM_START.
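The check suggested in this comment, as an added illustration in Rust that is not Suricata's code: the flag values, function names and the simplified NBSS check are assumptions, and the probe is run against the two payloads from the scapy script above.

```rust
// Added illustration (not Suricata's code): a simplified SMB-over-NBSS TCP probe
// showing the weakness in this issue and the suggested fix. Names are hypothetical.

pub const STREAM_START: u8 = 0x01;     // probing the first bytes of the flow
pub const STREAM_MIDSTREAM: u8 = 0x02; // flow was picked up mid-connection

/// Decode an ASCII hex string (the issue gives its pcap payloads as hex).
pub fn hex(s: &str) -> Vec<u8> {
    (0..s.len() / 2)
        .map(|i| u8::from_str_radix(&s[2 * i..2 * i + 2], 16).unwrap())
        .collect()
}

/// Offset of the first SMB1/SMB2 magic ("\xffSMB" / "\xfeSMB"), scanning the
/// whole buffer the way a search_smb_record-style probe does.
pub fn find_smb_magic(data: &[u8]) -> Option<usize> {
    data.windows(4)
        .position(|w| matches!(w, [0xff | 0xfe, b'S', b'M', b'B']))
}

/// Weak probe: an SMB magic anywhere in the buffer counts as SMB, so data that
/// starts with another protocol's header (here ENIP) still matches.
pub fn probe_smb_anywhere(data: &[u8]) -> bool {
    find_smb_magic(data).is_some()
}

/// Hardened probe: scan only when the flow was picked up midstream. At stream
/// start the record must begin at offset 0: an NBSS session-message header
/// (type 0x00 plus 3-byte length) immediately followed by the SMB magic.
pub fn probe_smb_tcp(data: &[u8], flags: u8) -> bool {
    if flags & STREAM_MIDSTREAM != 0 {
        find_smb_magic(data).is_some()
    } else if flags & STREAM_START != 0 {
        data.len() >= 8 && data[0] == 0x00 && find_smb_magic(&data[4..8]) == Some(0)
    } else {
        false // later chunk of a flow seen from its start: nothing new to probe
    }
}

/// Payloads from the issue's scapy script: the ENIP-looking prefix alone
/// (input2.pcap) and the same prefix followed by an SMB magic (input.pcap).
pub fn enip_only() -> Vec<u8> {
    hex("04002020202020206A0000002020202020202020202020202020")
}
pub fn enip_then_smb() -> Vec<u8> {
    let mut v = enip_only();
    v.extend_from_slice(&hex("FF534D42202020202020"));
    v
}
```

With the weak probe, input.pcap is classified as SMB even though the segment starts with ENIP bytes; the hardened probe rejects it at stream start and only falls back to scanning for a midstream flow.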
Updated by Philippe Antoine almost 4 years ago
Also https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29919 is a problem against rs_smb_probe_tcp
Updated by Victor Julien almost 4 years ago
- Target version changed from 6.0.2 to 7.0.0-beta1
Updated by Philippe Antoine almost 4 years ago
- Label Needs backport, Needs backport to 5.0, Needs backport to 6.0 added
Updated by Jeff Lucovsky almost 4 years ago
- Copied to Bug #4343: Protocol detection evasion enip-SMB added
Updated by Jeff Lucovsky almost 4 years ago
- Copied to Bug #4344: Protocol detection evasion enip-SMB added
Updated by Victor Julien almost 4 years ago
- Status changed from In Review to Closed