Bug #6008: smb: wrong offset when parse SMB_COM_WRITE_ANDX record - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6008

closed

smb: wrong offset when parse SMB_COM_WRITE_ANDX record

Added by b1 tg over 1 year ago. Updated over 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

b1 tg

Target version:

7.0.0-rc2

Affected Versions:

Effort:

Difficulty:

Label:

Description

In function parse_smb1_write_andx_request_record, when wct == 12, offset should use 32-bits value rather than stay 0.

Bug location: https://github.com/OISF/suricata/blob/a94ca4462093c0b41f87a7d8433801a0abbb4390/rust/src/smb/smb1_records.rs#L110-L117

If WordCount is 0x0C, this field represents a 32-bit offset, measured in
bytes, of where the write SHOULD start relative to the beginning of the file. If WordCount
is 0xE, this field represents the lower 32 bits of a 64-bit offset.
[MS-CIFS].pdf (p.246) 2.2.4.43 SMB_COM_WRITE_ANDX (0x2F)
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CIFS/%5bMS-CIFS%5d.pdf

Files

Download all files

2018-04-30-Trickbot-goes-from-client-to-domain-controller.pcap (22.2 MB) 2018-04-30-Trickbot-goes-from-client-to-domain-controller.pcap		b1 tg, 04/19/2023 03:43 AM
smb1_write_andx_request_data_offset.pcap (85.9 KB) smb1_write_andx_request_data_offset.pcap		b1 tg, 05/15/2023 11:30 AM
smb_bug_padding.pcap (10.8 KB) smb_bug_padding.pcap		b1 tg, 05/17/2023 02:03 AM

Subtasks 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #6008

smb: wrong offset when parse SMB_COM_WRITE_ANDX record

Updated by b1 tg over 1 year ago

Updated by b1 tg over 1 year ago

Updated by b1 tg over 1 year ago

Updated by Philippe Antoine over 1 year ago

Updated by Philippe Antoine over 1 year ago

Updated by Victor Julien over 1 year ago

Updated by OISF Ticketbot over 1 year ago

Updated by OISF Ticketbot over 1 year ago

Updated by Philippe Antoine over 1 year ago