Security #2896 (closed)
smb 1 create andx request does not parse the filename correctly (master)
Git IDs:
cc50908f8d8beabaae3a60ee72412d704a024c2d
f7a41412d6fe0fbf285c538ae9d6d02eb63adb21
Severity:
Disclosure Date:
Description
I noticed that for the filenames of smb 1 create_andx_requests the first character of the filename was missing. I have isolated a flow from a pcap in which it was pretty clear the first character was missing: Filename 'rowser' != 'browser' in packet 14.
{"timestamp":"2018-06-29T18:57:58.255379+0200","flow_id":202610335734381,"pcap_cnt":16,"event_type":"smb","src_ip":"172.16.1.102","src_port":49473,"dest_ip":"172.16.1.8","dest_port":445,"proto":"TCP","smb":{"id":6,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_NT_CREATE_ANDX","status":"STATUS_ACCESS_DENIED","status_code":"0xc0000022","session_id":2048,"tree_id":2048,"filename":"rowser","disposition":"FILE_OPEN","access":"normal","created":0,"accessed":0,"modified":0,"changed":0,"size":0,"fuid":""}}
In the function parse_smb_create_andx_request_record in smb1_records.rs the second _skip is skipping 1 byte too many.
"_skip2: take!(8)" should be "_skip2: take!(7)"
After parsing the create_options we should skip:
impersonation (4)
security_flags (2)
byte_count (1)
file_name: (file_len)
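As an added example (not Suricata's code and not the reporter's), a constructed Rust stand-in for the request tail that reproduces the shift described above; the helper names build_tail and parse_filename, the placeholder header values and the trailing NUL after the name are assumptions of the example.

```rust
// Added example, not Suricata's own parser: a minimal stand-in for the tail of
// an SMB1 NT Create AndX request that shows how skipping one byte too many
// shifts the filename window by one. Field widths after create_options follow
// the issue text (impersonation 4 + security_flags 2 + byte_count 1 = 7); the
// trailing NUL after the name is a constructed assumption so the shifted read
// stays in bounds, as it did in the reporter's pcap ('rowser' vs 'browser').

/// Skip width used by the buggy parser (take!(8)).
pub const SKIP_BUGGY: usize = 8;
/// Skip width the issue says is correct (take!(7)).
pub const SKIP_FIXED: usize = 7;

/// Build a constructed request tail: 7 header bytes followed by the
/// NUL-terminated filename. Header values are placeholders, not captured data.
pub fn build_tail(filename: &str) -> Vec<u8> {
    let mut tail = Vec::new();
    tail.extend_from_slice(&[0x02, 0x00, 0x00, 0x00]); // impersonation (4)
    tail.extend_from_slice(&[0x00, 0x00]);             // security_flags (2)
    tail.push(filename.len() as u8);                   // byte_count (1)
    tail.extend_from_slice(filename.as_bytes());       // file_name (file_len)
    tail.push(0x00);                                   // constructed terminator
    tail
}

/// Read `file_len` bytes of filename after skipping `skip` header bytes,
/// stopping at the first NUL for display. Returns None if the input is short.
pub fn parse_filename(tail: &[u8], file_len: usize, skip: usize) -> Option<String> {
    let name = tail.get(skip..skip + file_len)?;
    let trimmed: Vec<u8> = name.iter().copied().take_while(|&b| b != 0).collect();
    Some(String::from_utf8_lossy(&trimmed).into_owned())
}

fn main() {
    let tail = build_tail("browser");
    let file_len = "browser".len();
    println!("take!(8): {:?}", parse_filename(&tail, file_len, SKIP_BUGGY)); // Some("rowser")
    println!("take!(7): {:?}", parse_filename(&tail, file_len, SKIP_FIXED)); // Some("browser")
}
```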
Updated by Victor Julien over 5 years ago
- Copied from Security #2894 (smb 1 create andx request does not parse the filename correctly) added
Updated by Wesley van der Ree over 5 years ago
Pull request: https://github.com/OISF/suricata/pull/3734
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
Updated by Victor Julien about 4 years ago
- Tracker changed from Bug to Security
- Effort deleted (low)
- Difficulty deleted (low)
- CVE set to 2019-10051
- Git IDs updated (diff)