Project

General

Profile

Actions

Bug #4343

closed

Protocol detection evasion enip-SMB

Added by Jeff Lucovsky almost 4 years ago. Updated about 3 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28388

Problem is that rs_smb_probe_tcp uses search_smb_record. which searches a SMB record at any position
Before this record, there might be another valid protocol such as ENIP

Why is not parse_nbss_record_partial good enough ?


Files

input.pcap (340 Bytes) input.pcap SMB detected Philippe Antoine, 01/21/2021 11:13 AM
input2.pcap (330 Bytes) input2.pcap ENIP detected on shorter payload Philippe Antoine, 01/21/2021 11:13 AM

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #4232: Protocol detection evasion enip-SMBClosedPhilippe AntoineActions
Actions #1

Updated by Jeff Lucovsky almost 4 years ago

  • Copied from Bug #4232: Protocol detection evasion enip-SMB added
Actions #2

Updated by Jeff Lucovsky almost 4 years ago

  • Status changed from Assigned to In Review
Actions #4

Updated by Victor Julien almost 4 years ago

  • Status changed from In Review to Assigned
  • Target version changed from 5.0.6 to 5.0.7
  • Affected Versions 5.0.5, 5.0.6 added
  • Affected Versions deleted (6.0.1)

Postponing this as the suggested fix breaks other tests for me, and backporting a requirement (https://github.com/OISF/suricata/commit/c6aadf0dfa0d438e3a4a46db2de893b62e76d7ce) is too intrusive for the age of this branch.

Actions #5

Updated by Jason Ish over 3 years ago

Does this still need a 5.0 backport? 5.0.x contains commit https://github.com/OISF/suricata/commit/83070102557d2755b9ffc67bb14b9b4d48b039e9 which appears to be part of this fix. And master-5.0.x appears to pass the repo steps listed in this ticket. Remove that commit and master-5.0.x and it appears to fail.

Actions #6

Updated by Jeff Lucovsky over 3 years ago

  • Status changed from Assigned to Rejected

I'm closing this
- Not able to reproduce the issue in master-5.0.x

Actions #7

Updated by Victor Julien over 3 years ago

  • Target version deleted (5.0.7)
Actions #8

Updated by Victor Julien about 3 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF