Actions
Bug #6008
closedsmb: wrong offset when parse SMB_COM_WRITE_ANDX record
Affected Versions:
Effort:
Difficulty:
Label:
Description
In function parse_smb1_write_andx_request_record, when wct == 12, offset should use 32-bits value rather than stay 0.
Bug location: https://github.com/OISF/suricata/blob/a94ca4462093c0b41f87a7d8433801a0abbb4390/rust/src/smb/smb1_records.rs#L110-L117
If WordCount is 0x0C, this field represents a 32-bit offset, measured in bytes, of where the write SHOULD start relative to the beginning of the file. If WordCount is 0xE, this field represents the lower 32 bits of a 64-bit offset. [MS-CIFS].pdf (p.246) 2.2.4.43 SMB_COM_WRITE_ANDX (0x2F) https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CIFS/%5bMS-CIFS%5d.pdf
Files
Updated by b1 tg about 1 year ago
- File 2018-04-30-Trickbot-goes-from-client-to-domain-controller.pcap 2018-04-30-Trickbot-goes-from-client-to-domain-controller.pcap added
wireshark filter: (smb.cmd 0x2f) && (smb.flags.response 0) no.5923
Updated by b1 tg 11 months ago
- File smb_bug_padding.pcap smb_bug_padding.pcap added
Pcap to show padding bug:
In the origin packet, data_length bcc 20, if we use a proxy to change data_length to 17, Windows still accept it and write 17 bytes to file, but the original `parse_smb1_write_andx_request_record` will take 3 bytes padding to make record.data inconsistent with it in Windows.
Updated by Philippe Antoine 11 months ago
- Status changed from New to In Review
- Target version changed from TBD to 7.0.0-rc2
Updated by Philippe Antoine 11 months ago
- Status changed from In Review to Resolved
https://github.com/OISF/suricata/pull/8938
Should it be back ported ?
Updated by Philippe Antoine 10 months ago
- Status changed from Resolved to Closed
Actions