Snort mailing list archives
Re: ASN1 question
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 18 Dec 2012 13:44:08 -0700
On 2012-12-18 13:39, Patrick Mullen wrote:
> James, ASN.1 stuff really has to be done using an SO rule. Thankfully, I've written a collection of functions that you can get with the SO Rules distribution to make handling the BER data much, much easier. If you go through the history of SO Rules, you can see how the library developed into something that makes going through ASN.1 much faster and easier.
>
> The functions I'm referring to are in dos_ber.[ch] (and duplicated in exploit_ber.* and snmp_ber.*). There are other rules that use ASN.1 that don't use the library, but if you want a brief view of the visible history of the progression of those helper functions, first look at dos_linux-snmp-nat-netfilter.c and dos_openldap-bind-request-dos.c, then look at dos_oracle-ldap-bind-request-version.c and dos_tivoli-director-bind-string-overflow.c. The former are presented as a warning and as insight into the nitty-gritty, and the latter are examples of how it can be clean. You'll probably want a mix of the two for the example you are trying to do.
>
> For the particular example you are referring to, you should be able to traverse the structure using the utility functions and just check for sizes > 0x7FFFFF (or, more simply, size & 0x800000). What's left, of course, is properly traversing the structure, which given that you're going through a cert, could be painful and slow, and I didn't necessarily read that advisory closely enough to see if there is a subset of places you need to check the size value or if you need to do that after every single read. Using the utility functions I mention, the size value would be in ber_element.size, so accessing that information is easy, but still the validation will be slow.
>
> Good luck,
>
> ~Patrick
>
> On Tue, Dec 18, 2012 at 12:53 PM, James Lay <jlay () slave-tothe-box net> wrote:
>> Hey all, I'm trying to craft a sig that revolves around: http://seclists.org/fulldisclosure/2012/Apr/210 but I'm not exactly sure on where to start.
>>
>> I'm guessing that asn1:bitstring_overflow 10000 may be the ticket, but I wanted to get some input from here. Any hints on if this is the right way to go? Thank you.
>>
>> James
Thanks Patrick...sounds like fun ;) I'll give it a go.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
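Added example, not code from this thread or from the SO-rules library: a small C parser of the kind an SO rule would carry, which decodes BER tag/length headers, descends into constructed elements, and counts lengths over the 0x7FFFFF threshold Patrick mentions. Type and function names (ber_hdr_t, ber_read_hdr, ber_count_oversized) are hypothetical stand-ins; dos_ber.[ch] is not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
/* Decoded BER tag/length header. Hypothetical type, not the dos_ber.[ch] struct. */
typedef struct {
    uint8_t  tag;   /* identifier octet */
    uint32_t size;  /* decoded content length (what the thread calls ber_element.size) */
    size_t   hdr;   /* octets consumed by tag + length */
} ber_hdr_t;

/* Parse one tag and definite-form length. Returns 0 if ok, -1 if malformed or
 * truncated, -2 if the length exceeds 0x7FFFFF (the threshold from the thread). */
int ber_read_hdr(const uint8_t *buf, size_t len, ber_hdr_t *out)
{
    if (len < 2) return -1;
    uint32_t size = buf[1];
    size_t pos = 2;
    if (size & 0x80) {                      /* long form: low 7 bits = octet count */
        size_t n = size & 0x7F;
        if (n == 0 || n > 4 || pos + n > len) return -1;  /* indefinite or >4 octets */
        size = 0;
        while (n--) size = (size << 8) | buf[pos++];
    }
    out->tag = buf[0]; out->size = size; out->hdr = pos;
    /* Compare, don't bit-test: (size & 0x800000) misses e.g. 0x01000000 with 4 octets. */
    return size > 0x7FFFFFu ? -2 : 0;
}

/* Walk the elements in buf, recursing into constructed ones, and count lengths over
 * the threshold. Returns -1 on malformed input. Bodies cut off by the end of the
 * buffer are clamped, since one packet rarely carries a whole certificate. */
int ber_count_oversized(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int hits = 0;
    while (pos < len) {
        ber_hdr_t h;
        int rc = ber_read_hdr(buf + pos, len - pos, &h);
        if (rc == -1) return -1;
        if (rc == -2) hits++;
        size_t body = h.size;
        if (body > len - pos - h.hdr) body = len - pos - h.hdr;
        if (rc == 0 && (h.tag & 0x20)) {       /* constructed: recurse into contents */
            int sub = ber_count_oversized(buf + pos + h.hdr, body);
            if (sub < 0) return -1;
            hits += sub;
        }
        pos += h.hdr + body;
    }
    return hits;
}
```

A non-zero count is the condition a rule would alert on; the comparison form is used rather than the bit test because the two only agree for lengths encoded in three octets or fewer.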