[Snort-devel] bug in spp_http_decode.c - patch included

Oliver Friesen
Sat Mar 30 20:34:03 EST 2002


System Architecture: x86
Operating System and version: Linux 2.4.5
What rules (if any) you were using: out of the box defaults
What command line switches you were using: -X -c -l
Any Snort error messages: n/a

http_decode doesn't correctly adjust the packet size or move forward the 
remainder of the request after it has converted escaped characters. I 
discovered this problem due to an actual attack.

For example:
GET /%61%61%61/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%65tc/p%61sswd 
HTTP/1.1

./snort -c snort.conf -l . -X

[**] WEB-MISC /etc/passwd [**]
03/31-15:23:34.735152 10.0.0.1:1061 -> 10.0.0.2:80
TCP TTL:64 TOS:0x0 ID:29362 IpLen:20 DgmLen:314 DF
***AP*** Seq: 0xC69CD89C  Ack: 0xB701A165  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1223211 1182773
0x0000: 00 10 4B 07 D9 FD 00 A0 CC 78 FA BB 08 00 45 00  ..K......x....E.
0x0010: 01 3A 72 B2 40 00 40 06 B3 09 0A 00 00 01 0A 00  .:r.@.@.........
0x0020: 00 02 04 25 00 50 C6 9C D8 9C B7 01 A1 65 80 18  ...%.P.......e..
0x0030: 16 D0 3D 8F 00 00 01 01 08 0A 00 12 AA 2B 00 12  ..=..........+..
0x0040: 0C 35 47 45 54 20 2F 61 61 61 2F 2E 2E 2F 2E 2E  .5GET /aaa/../..
0x0050: 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70 61  /../../../etc/pa
0x0060: 73 73 77 64 20 45 25 32 45 25 32 46 25 32 45 25  sswd E%2E%2F%2E%
0x0070: 32 45 25 32 46 25 32 45 25 32 45 25 32 46 25 36  2E%2F%2E%2E%2F%6
0x0080: 35 74 63 2F 70 25 36 31 73 73 77 64 20 48 54 54  5tc/p%61sswd HTT
0x0090: 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E  P/1.1..User-Agen
0x00A0: 74 3A 20 63 75 72 6C 2F 37 2E 39 2E 32 20 28 69  t: curl/7.9.2 (i
0x00B0: 36 38 36 2D 70 63 2D 6C 69 6E 75 78 2D 67 6E 75  686-pc-linux-gnu
0x00C0: 29 20 6C 69 62 63 75 72 6C 20 37 2E 39 2E 32 20  ) libcurl 7.9.2
0x00D0: 28 4F 70 65 6E 53 53 4C 20 30 2E 39 2E 36 63 29  (OpenSSL 0.9.6c)
0x00E0: 0D 0A 48 6F 73 74 3A 20 64 61 72 6B 73 74 61 72  ..Host: darkstar
0x00F0: 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 61 63  ..Pragma: no-cac
0x0100: 68 65 0D 0A 41 63 63 65 70 74 3A 20 69 6D 61 67  he..Accept: imag
0x0110: 65 2F 67 69 66 2C 20 69 6D 61 67 65 2F 78 2D 78  e/gif, image/x-x
0x0120: 62 69 74 6D 61 70 2C 20 69 6D 61 67 65 2F 6A 70  bitmap, image/jp
0x0130: 65 67 2C 20 69 6D 61 67 65 2F 70 6A 70 65 67 2C  eg, image/pjpeg,
0x0140: 20 2A 2F 2A 0D 0A 0D 0A                           */*....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Notice the request that is logged:
GET /aaa/../../../../../etc/passwd E%2E%2F%2E%2E%2F%2E%2E%2F%65tc/p%61sswd 
HTTP/1.1
The length of the extra part, " E%2E%2F%2E%2E%2F%2E%2E%2F%65tc/p%61sswd", is 
exactly equal to the number of characters that were removed, 40, i.e. it's 
some kind of buffer problem.

Capturing only the application layer, it looks even worse, because 40 
characters are truncated.
./snort -c snort.conf -l . -d

[**] WEB-MISC /etc/passwd [**]
03/31-15:23:40.602592 10.0.0.1:1062 -> 10.0.0.2:80
TCP TTL:64 TOS:0x0 ID:52738 IpLen:20 DgmLen:314 DF
***AP*** Seq: 0xC7246276  Ack: 0xB7692CDE  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1223797 1183360
47 45 54 20 2F 61 61 61 2F 2E 2E 2F 2E 2E 2F 2E  GET /aaa/../../.
2E 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70 61 73 73  ./../../etc/pass
77 64 20 45 25 32 45 25 32 46 25 32 45 25 32 45  wd E%2E%2F%2E%2E
25 32 46 25 32 45 25 32 45 25 32 46 25 36 35 74  %2F%2E%2E%2F%65t
63 2F 70 25 36 31 73 73 77 64 20 48 54 54 50 2F  c/p%61sswd HTTP/
31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  1.1..User-Agent:
20 63 75 72 6C 2F 37 2E 39 2E 32 20 28 69 36 38   curl/7.9.2 (i68
36 2D 70 63 2D 6C 69 6E 75 78 2D 67 6E 75 29 20  6-pc-linux-gnu)
6C 69 62 63 75 72 6C 20 37 2E 39 2E 32 20 28 4F  libcurl 7.9.2 (O
70 65 6E 53 53 4C 20 30 2E 39 2E 36 63 29 0D 0A  penSSL 0.9.6c)..
48 6F 73 74 3A 20 64 61 72 6B 73 74 61 72 0D 0A  Host: darkstar..
50 72 61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65  Pragma: no-cache
0D 0A 41 63 63 65 70 74 3A 20 69 6D 61 67 65 2F  ..Accept: image/
67 69 66 2C 20 69 6D 61 67 65 2F 78 2D 78        gif, image/x-x

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Here's a patch to copy the remainder of the request forward and to adjust 
the packet size. It fixes the problem, though I don't know if anything else 
in the packet structure needs to be adjusted.

456a457,469
>
>                         /* copy the rest of the request forward if 
>characters
>                          * have been removed
>                          */
>                         if(p->dsize != psize)
>                         {
>                             while(index < (end-1))
>                             {
>                                 url++;
>                                 index++;
>                                 *url = *index;
>                             }
>                         }
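Review bot: the copy loop's bound `while(index < (end-1))` is only correct if `end` points one past the last payload byte; if `end` is the address of the last byte, the final byte of the request is never moved forward, and nothing in the hunk says which convention `end` follows. A single `memmove` of the remainder would replace the three-line byte loop and make the bound explicit, e.g. `memmove(url + 1, index + 1, (size_t)(end - index - 1));` under the one-past-the-end reading. The comment line that arrives as a bare `>characters` also shows the patch was reflowed by the mail client; a unified diff (`diff -u`) sent as an attachment would apply cleanly and carry context instead of the bare `456a457,469` line numbers.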
484a498,499
>             /* set the packet size to reflect the new size */             
>p->pkth->caplen = p->pkth->caplen - (p->dsize - psize);
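Review bot: `p->dsize` is left holding the pre-decode length: after this line `caplen` has shrunk by `p->dsize - psize`, but `p->dsize` still reports the old payload size, so anything downstream that bounds the payload by `p->dsize` rather than by `caplen` will still walk the stale bytes at its end. Assign `p->dsize = psize;` immediately after the `caplen` adjustment (the delta must be computed first), and guard both with the same `p->dsize != psize` test hunk 1 uses, or better `psize < p->dsize`, since a `psize` larger than `dsize` would wrap the unsigned `caplen`. The trailing whitespace on the comment and the unindented `>p->pkth->caplen` line look like further mail wrapping; reindent to match the enclosing block.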

Running with the patch

./snort -c snort.conf -l . -X

[**] WEB-MISC /etc/passwd [**]
03/31-15:24:24.078409 10.0.0.1:1063 -> 10.0.0.2:80
TCP TTL:64 TOS:0x0 ID:23100 IpLen:20 DgmLen:314 DF
***AP*** Seq: 0xC9BDE74C  Ack: 0xB99AC156  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1228146 1187708
0x0000: 00 10 4B 07 D9 FD 00 A0 CC 78 FA BB 08 00 45 00  ..K......x....E.
0x0010: 01 3A 5A 3C 40 00 40 06 CB 7F 0A 00 00 01 0A 00  .:Z<@.@.........
0x0020: 00 02 04 27 00 50 C9 BD E7 4C B9 9A C1 56 80 18  ...'.P...L...V..
0x0030: 16 D0 E2 A3 00 00 01 01 08 0A 00 12 BD 72 00 12  .............r..
0x0040: 1F 7C 47 45 54 20 2F 61 61 61 2F 2E 2E 2F 2E 2E  .|GET /aaa/../..
0x0050: 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70 61  /../../../etc/pa
0x0060: 73 73 77 64 20 48 54 54 50 2F 31 2E 31 0D 0A 55  sswd HTTP/1.1..U
0x0070: 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C 2F  ser-Agent: curl/
0x0080: 37 2E 39 2E 32 20 28 69 36 38 36 2D 70 63 2D 6C  7.9.2 (i686-pc-l
0x0090: 69 6E 75 78 2D 67 6E 75 29 20 6C 69 62 63 75 72  inux-gnu) libcur
0x00A0: 6C 20 37 2E 39 2E 32 20 28 4F 70 65 6E 53 53 4C  l 7.9.2 (OpenSSL
0x00B0: 20 30 2E 39 2E 36 63 29 0D 0A 48 6F 73 74 3A 20   0.9.6c)..Host:
0x00C0: 64 61 72 6B 73 74 61 72 0D 0A 50 72 61 67 6D 61  darkstar..Pragma
0x00D0: 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 41 63 63 65  : no-cache..Acce
0x00E0: 70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69  pt: image/gif, i
0x00F0: 6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20  mage/x-xbitmap,
0x0100: 69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67  image/jpeg, imag
0x0110: 65 2F 70 6A 70 65 67 2C 20 2A 2F 2A 0D 0A 0D 0A  e/pjpeg, */*....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

./snort -c snort.conf -l . -d

[**] WEB-MISC /etc/passwd [**]
03/31-15:24:28.093404 10.0.0.1:1064 -> 10.0.0.2:80
TCP TTL:64 TOS:0x0 ID:1402 IpLen:20 DgmLen:314 DF
***AP*** Seq: 0xCA90BA7C  Ack: 0xBA2CBEB8  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1228547 1188109
47 45 54 20 2F 61 61 61 2F 2E 2E 2F 2E 2E 2F 2E  GET /aaa/../../.
2E 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70 61 73 73  ./../../etc/pass
77 64 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65  wd HTTP/1.1..Use
72 2D 41 67 65 6E 74 3A 20 63 75 72 6C 2F 37 2E  r-Agent: curl/7.
39 2E 32 20 28 69 36 38 36 2D 70 63 2D 6C 69 6E  9.2 (i686-pc-lin
75 78 2D 67 6E 75 29 20 6C 69 62 63 75 72 6C 20  ux-gnu) libcurl
37 2E 39 2E 32 20 28 4F 70 65 6E 53 53 4C 20 30  7.9.2 (OpenSSL 0
2E 39 2E 36 63 29 0D 0A 48 6F 73 74 3A 20 64 61  .9.6c)..Host: da
72 6B 73 74 61 72 0D 0A 50 72 61 67 6D 61 3A 20  rkstar..Pragma:
6E 6F 2D 63 61 63 68 65 0D 0A 41 63 63 65 70 74  no-cache..Accept
3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61  : image/gif, ima
67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D  ge/x-xbitmap, im
61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F  age/jpeg, image/
70 6A 70 65 67 2C 20 2A 2F 2A 0D 0A 0D 0A        pjpeg, */*....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Oliver Friesen
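The behaviour reported above, as an added example that is not code from the post or from Snort's spp_http_decode.c: a small C model of an in-place %XX decoder in its buggy form (the request-URI shrinks, but the rest of the request is not shifted forward and the caller is never told the new length) beside the fixed form that does both. The decoder layout is an assumption (the URI is the field after the first space; the space that ends it is copied through), chosen so that the buggy output reproduces the logged request; the sample request is constructed from the one in the post with the headers shortened.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample request (from the post, headers shortened). */
static const char kRequest[] =
    "GET /%61%61%61/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%65tc/p%61sswd"
    " HTTP/1.1\r\n\r\n";

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes in the request-URI of buf[0..len) in place (assumed
 * layout: URI = field after the first space, up to the next space, which is
 * copied through). On return *rd is the read position (start of the
 * untouched remainder) and *wr the write position just past the decoded
 * URI; *rd - *wr bytes were removed. */
static void decode_uri_inplace(unsigned char *buf, size_t len,
                               size_t *rd, size_t *wr)
{
    unsigned char *sp = memchr(buf, ' ', len);
    size_t r, w;

    if (sp == NULL) {                 /* no "METHOD URI": nothing to decode */
        *rd = *wr = len;
        return;
    }
    r = w = (size_t)(sp - buf) + 1;
    while (r < len && buf[r] != ' ') {
        if (buf[r] == '%' && r + 2 < len &&
            hexval(buf[r + 1]) >= 0 && hexval(buf[r + 2]) >= 0) {
            buf[w++] = (unsigned char)(hexval(buf[r + 1]) * 16 +
                                       hexval(buf[r + 2]));
            r += 3;                   /* three input bytes became one */
        } else {
            buf[w++] = buf[r++];      /* literal byte or malformed escape */
        }
    }
    if (r < len)
        buf[w++] = buf[r++];          /* copy the space that ended the URI */
    *rd = r;
    *wr = w;
}

/* Buggy: returns how many bytes were removed but leaves the remainder where
 * it was, so bytes [wr, rd) keep stale URI text and the caller still
 * believes the payload is len bytes long. */
size_t url_decode_buggy(unsigned char *buf, size_t len)
{
    size_t rd, wr;
    decode_uri_inplace(buf, len, &rd, &wr);
    return rd - wr;
}

/* Fixed: move the remainder forward over the freed bytes and return the new
 * payload length for the caller to store in its size fields. */
size_t url_decode_fixed(unsigned char *buf, size_t len)
{
    size_t rd, wr;
    decode_uri_inplace(buf, len, &rd, &wr);
    if (rd != wr)
        memmove(buf + wr, buf + rd, len - rd);
    return len - (rd - wr);
}

/* Scratch copy of kRequest that decode_sample() works on. */
static unsigned char g_buf[sizeof kRequest];

/* Run a decoder over a fresh copy of kRequest; returns the decoder's result. */
size_t decode_sample(size_t (*decoder)(unsigned char *, size_t))
{
    size_t n = sizeof kRequest - 1;
    memcpy(g_buf, kRequest, n);
    return decoder(g_buf, n);
}

/* True if the first n bytes of g_buf equal expected. */
int sample_matches(const char *expected, size_t n)
{
    return memcmp(g_buf, expected, n) == 0;
}

int main(void)
{
    size_t n = sizeof kRequest - 1;
    size_t removed = decode_sample(url_decode_buggy);
    printf("buggy: removed %zu bytes, length still %zu: %.*s",
           removed, n, (int)n, (const char *)g_buf);
    size_t newlen = decode_sample(url_decode_fixed);
    printf("fixed: new length %zu: %.*s", newlen, (int)newlen,
           (const char *)g_buf);
    return 0;
}
```

With the post's request the buggy decoder leaves exactly the logged line, `GET /aaa/../../../../../etc/passwd E%2E%2F%2E%2E%2F%2E%2E%2F%65tc/p%61sswd HTTP/1.1`, with 40 bytes of stale URI between the decoded path and the version; the fixed decoder yields the 47-byte request `GET /aaa/../../../../../etc/passwd HTTP/1.1` and hands the new length back, which is the value the size fields have to be set to.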

