[Snort-sigs] ASN1 question

Patrick Mullen pmullen at ...435...
Tue Dec 18 15:39:59 EST 2012


ASN.1 stuff really has to be done using an SO rule.  Thankfully, I've
written a collection of functions that you can get with the SO Rules
distribution to make handling the BER data much, much easier.  If you go
through the history of SO Rules, you can see how the library developed into
something that makes going through ASN.1 much faster and easier.

The functions I'm referring to are in dos_ber.[ch] (and duplicated in
exploit_ber.* and snmp_ber.*).

There are other rules that use ASN.1 that don't use the library, but if you
want a brief view of the visible history of the progression of those helper
functions, first look at dos_linux-snmp-nat-netfilter.c
and dos_openldap-bind-request-dos.c, then look
at dos_oracle-ldap-bind-request-version.c
and dos_tivoli-director-bind-string-overflow.c.  The former are presented
as a warning and as insight into the nitty gritty, and the latter are
examples of how it can be clean.  You'll probably want a mix of the two for
the example you are trying to do.

For the particular example you are referring to, you should be able to
traverse the structure using the utility functions and just check for sizes
> 0x7FFFFF (or, more simply, size & 0x800000).

What's left, of course, is properly traversing the structure, which given
that you're going through a cert, could be painful and slow, and I didn't
necessarily read that advisory closely enough to see if there is a subset
of places you need to check the size value or if you need to do that after
every single read.  Using the utility functions I mention, the size value
would be in ber_element.size, so accessing that information is easy, but
still the validation will be slow.

Good luck,


On Tue, Dec 18, 2012 at 12:53 PM, James Lay <jlay at ...3266...> wrote:

> Hey all,
> I'm trying to craft a sig that revolves around:
> http://seclists.org/fulldisclosure/2012/Apr/210
> but I'm not exactly sure on where to start.  I'm guessing that
> asn1:bitstring_overflow 10000 may be the ticket, but I wanted to get
> some input from here.  Any hints on if this is the right way to go?
> Thank you.
> James
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!

Patrick Mullen
Response Research Manager
Sourcefire VRT
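The approach Patrick describes above (walk the BER structure element by element, read each decoded size, and test it for 0x800000) as an added, self-contained C example. This is not code from the thread or from the VRT SO Rules library: the ber_element struct and the ber_read_element / ber_has_oversize_length functions are hypothetical names written for this illustration and are not the dos_ber.[ch] API, and the two byte strings are constructed samples (a benign SEQUENCE and one whose inner OCTET STRING declares a long-form length of 0x00800000). The walker handles short-form tags and definite lengths of up to four octets only, which is enough to show the check. One caveat worth keeping in mind: `size & 0x800000` and `size > 0x7FFFFF` are not identical tests once four-octet lengths are involved, since a value such as 0x01000000 has bit 23 clear but still exceeds 0x7FFFFF, so the example tests the bit as in the thread but reports the raw size so the caller can apply either comparison.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical element record for this example (not the VRT ber_element). */
typedef struct {
    uint8_t        tag;         /* identifier octet: class | P/C | tag number */
    int            constructed; /* bit 6 of the identifier octet */
    uint32_t       size;        /* declared content length, as decoded */
    size_t         header_len;  /* octets consumed by identifier + length */
    const uint8_t *data;        /* first content octet (may be past the buffer end) */
} ber_element;

/* Decode one TLV header at buf. Returns 0 on success, -1 if the header is
 * truncated or uses a form this example does not handle (high tag numbers,
 * indefinite length, length fields longer than 4 octets). The declared size
 * is NOT validated against the remaining buffer here: an absurd declared
 * size is exactly what the caller wants to see. */
int ber_read_element(const uint8_t *buf, size_t len, ber_element *el)
{
    if (len < 2) return -1;
    el->tag = buf[0];
    el->constructed = (buf[0] & 0x20) != 0;
    if ((buf[0] & 0x1f) == 0x1f) return -1;       /* high-tag-number form */

    size_t pos = 1;
    uint8_t lb = buf[pos++];
    uint32_t size;
    if (lb < 0x80) {
        size = lb;                                /* short-form length */
    } else {
        unsigned n = lb & 0x7f;                   /* number of length octets */
        if (n == 0 || n > 4) return -1;           /* indefinite or too wide */
        if (len - pos < n) return -1;             /* length field truncated */
        size = 0;
        for (unsigned i = 0; i < n; i++)
            size = (size << 8) | buf[pos++];
    }
    el->size = size;
    el->header_len = pos;
    el->data = buf + pos;
    return 0;
}

/* Walk every element in buf, descending into constructed ones.
 * Returns 1 as soon as an element declares a size with bit 23 set
 * (size & 0x800000), 0 if the whole structure parses cleanly without one,
 * and -1 on a parse error (truncation, unsupported encoding, excessive depth).
 * If out_size is non-NULL it receives the offending declared size on 1. */
int ber_has_oversize_length(const uint8_t *buf, size_t len, int depth,
                            uint32_t *out_size)
{
    if (depth > 32) return -1;                    /* bound recursion on nested input */
    size_t pos = 0;
    while (pos < len) {
        ber_element el;
        if (ber_read_element(buf + pos, len - pos, &el) != 0) return -1;

        /* The check from the thread: test the size before trusting it. */
        if (el.size & 0x800000) {
            if (out_size) *out_size = el.size;
            return 1;
        }

        size_t avail = len - pos - el.header_len;
        if (el.size > avail) return -1;           /* never walk past the buffer */

        if (el.constructed) {
            int r = ber_has_oversize_length(el.data, el.size, depth + 1, out_size);
            if (r != 0) return r;
        }
        pos += el.header_len + el.size;
    }
    return 0;
}

/* Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "ab" } */
static const uint8_t BENIGN[] = {
    0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 'a', 'b'
};

/* Constructed sample: SEQUENCE { OCTET STRING with 4-octet length 0x00800000 }.
 * Only two content octets actually follow the length, so the element is
 * badly truncated, but the size check fires before truncation is considered. */
static const uint8_t CRAFTED[] = {
    0x30, 0x08, 0x04, 0x84, 0x00, 0x80, 0x00, 0x00, 0xAA, 0xBB
};

int main(void)
{
    uint32_t hit = 0;
    printf("benign : %d\n", ber_has_oversize_length(BENIGN, sizeof BENIGN, 0, &hit));
    printf("crafted: %d (size 0x%08x)\n",
           ber_has_oversize_length(CRAFTED, sizeof CRAFTED, 0, &hit), hit);
    return 0;
}
```

Dropping the example into an SO rule would mean replacing the fixed buffers with the packet payload and the return of 1 with a RULE_MATCH; the point the walker makes is that the size test must run on the decoded length before that length is used to advance through the structure, otherwise the oversized element is skipped or the parser runs off the end of the packet before the rule ever sees the value.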
