[Snort-sigs] ASN1 question

James Lay jlay at ...3266...
Tue Dec 18 15:44:08 EST 2012


On 2012-12-18 13:39, Patrick Mullen wrote:
> James,
>
> ASN.1 stuff really has to be done using an SO rule.  Thankfully, I've
> written a collection of functions that you can get with the SO Rules
> distribution to make handling the BER data much, much easier.  If you
> go through the history of SO Rules, you can see how the library
> developed into something that makes going through ASN.1 much faster
> and easier.
>
> The functions I'm referring to are in dos_ber.[ch] (and duplicated in
> exploit_ber.* and snmp_ber.*).
>
> There are other rules that use ASN.1 that don't use the library, but
> if you want a brief view of the visible history of the progression of
> those helper functions, first look at dos_linux-snmp-nat-netfilter.c
> and dos_openldap-bind-request-dos.c, then look
> at dos_oracle-ldap-bind-request-version.c
> and dos_tivoli-director-bind-string-overflow.c.  The former are
> presented as a warning and as insight into the nitty gritty, and the
> latter are examples of how it can be clean.  You'll probably want a
> mix of the two for the example you are trying to do.
>
> For the particular example you are referring to, you should be able
> to traverse the structure using the utility functions and just check
> for sizes > 0x7FFFFF (or, more simply, size & 0x800000).
>
> What's left, of course, is properly traversing the structure, which
> given that you're going through a cert, could be painful and slow, and
> I didn't necessarily read that advisory closely enough to see if there
> is a subset of places you need to check the size value or if you need
> to do that after every single read.  Using the utility functions I
> mention, the size value would be in ber_element.size, so accessing
> that information is easy, but still the validation will be slow.
>
> Good luck,
>
> ~Patrick
>
> On Tue, Dec 18, 2012 at 12:53 PM, James Lay <jlay at ...3266...> wrote:
>
>> Hey all,
>>
>> I'm trying to craft a sig that revolves around:
>>
>> http://seclists.org/fulldisclosure/2012/Apr/210
>>
>> but I'm not exactly sure on where to start.  I'm guessing that
>> asn1:bitstring_overflow 10000 may be the ticket, but I wanted to get
>> some input from here.  Any hints on if this is the right way to go?
>> Thank you.
>>
>> James

Thanks Patrick...sounds like fun ;)  I'll give it a go.

James
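Since the dos_ber.[ch] helpers Patrick mentions are not reproduced in this thread, here is an added, stand-alone illustration of the check he describes. It is my own example, not code from the SO Rules distribution and not the dos_ber API: a minimal BER walker in C that decodes the tag and length octets of each element, recurses into constructed elements, and counts every declared length above 0x7FFFFF without ever reading past the bytes it was given. The struct, the function names and the hand-assembled DER samples are assumptions made for the example; the only thing taken from the thread is the size threshold. I used the comparison form (size > 0x7FFFFF) rather than the bit test because with four length octets a value such as 0x01000000 has bit 23 clear yet is still larger than 0x7FFFFF; the last sample shows that case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Own header struct for the example (not the SO-rules ber_element);
 * "size" plays the role of ber_element.size in Patrick's reply. */
typedef struct {
    uint8_t  tag;          /* identifier octet: class, P/C bit, tag number */
    int      constructed;  /* non-zero if the constructed bit (0x20) is set */
    uint32_t size;         /* declared content length */
    size_t   hdr_len;      /* octets used by the tag and length fields */
} ber_hdr_t;

/* The size test from the thread, comparison form: length above 0x7FFFFF.
 * (size & 0x800000) is cheaper but misses e.g. 0x01000000.) */
static int ber_size_suspicious(uint32_t size)
{
    return size > 0x7FFFFFu;
}

/* Decode tag + length at buf[0..len).  Returns 1 on success, 0 if the
 * header is truncated or uses a form this walker does not handle
 * (high-tag-number form, indefinite length, more than 4 length octets).
 * Never reads past len. */
static int ber_read_header(const uint8_t *buf, size_t len, ber_hdr_t *el)
{
    if (len < 2)
        return 0;
    el->tag = buf[0];
    el->constructed = (buf[0] & 0x20) != 0;
    if ((buf[0] & 0x1f) == 0x1f)            /* multi-octet tag number */
        return 0;
    uint8_t first = buf[1];
    if (first < 0x80) {                     /* short form: one octet */
        el->size = first;
        el->hdr_len = 2;
        return 1;
    }
    size_t n = first & 0x7f;                /* long form: n octets follow */
    if (n == 0 || n > 4 || len < 2 + n)     /* 0x80 = indefinite length */
        return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | buf[2 + i];
    el->size = v;
    el->hdr_len = 2 + n;
    return 1;
}

/* Walk buf[0..len), descending into constructed elements, and count the
 * headers whose declared length is suspicious.  A length that runs past
 * the bytes we hold is still counted, then ends the walk, so a truncated
 * packet never causes an out-of-bounds read.  depth bounds recursion. */
static int ber_count_suspicious(const uint8_t *buf, size_t len, int depth)
{
    int hits = 0;
    size_t off = 0;
    if (depth > 32)
        return 0;
    while (off < len) {
        ber_hdr_t el;
        if (!ber_read_header(buf + off, len - off, &el))
            break;
        if (ber_size_suspicious(el.size))
            hits++;
        size_t body = off + el.hdr_len;     /* <= len, per the header check */
        if (el.size > len - body)
            break;                          /* declared length exceeds data */
        if (el.constructed)
            hits += ber_count_suspicious(buf + body, el.size, depth + 1);
        off = body + el.size;
    }
    return hits;
}

/* Constructed sample inputs: hand-assembled DER, not captured traffic. */
/* SEQUENCE { INTEGER 1, OCTET STRING "ab", [0] { OCTET STRING "cd" } } */
static const uint8_t sample_benign[] = {
    0x30, 0x0d, 0x02, 0x01, 0x01, 0x04, 0x02, 0x61, 0x62,
    0xa0, 0x04, 0x04, 0x02, 0x63, 0x64
};
/* SEQUENCE whose inner OCTET STRING declares a length of 0x00800000 */
static const uint8_t sample_bit23[] = { 0x30, 0x06, 0x04, 0x84, 0x00, 0x80, 0x00, 0x00 };
/* OCTET STRING declaring exactly 0x7FFFFF: the largest value that passes */
static const uint8_t sample_boundary[] = { 0x04, 0x83, 0x7f, 0xff, 0xff };
/* OCTET STRING declaring 0x01000000: bit 23 clear, yet above 0x7FFFFF */
static const uint8_t sample_high[] = { 0x04, 0x84, 0x01, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("benign:   %d\n", ber_count_suspicious(sample_benign,   sizeof sample_benign,   0));
    printf("bit23:    %d\n", ber_count_suspicious(sample_bit23,    sizeof sample_bit23,    0));
    printf("boundary: %d\n", ber_count_suspicious(sample_boundary, sizeof sample_boundary, 0));
    printf("high:     %d\n", ber_count_suspicious(sample_high,     sizeof sample_high,     0));
    return 0;
}
```

In an SO rule the walk would run over the reassembled payload instead of the static arrays, and the traversal would stop at whichever subset of fields the advisory actually needs checked rather than visiting every element of the certificate.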
