Snort mailing list archives
Re: [PATCH]: Correctly detect the end of payload in base64_decode
From: "Hui Cao (huica)" <huica () cisco com>
Date: Fri, 7 Mar 2014 14:59:01 +0000
Hi Joshua,

Thanks for reporting this issue and providing the patch. We will address this issue.

Best,
Hui.

On 3/7/14, 5:21 AM, "Joshua Kinard" <kumba () gentoo org> wrote:
Hi snort-devel,

So I ran into a curious use case w/ base64_decode, and I think it's a bug. In the attached patch, in Base64DecodeEval(), I modified the check for the end of the payload to use '>=' instead of '>'.

I had a case where a content match was at the end of the payload, but I forgot to use an isdataat/relative keyword before base64_decode/relative to verify that there was actually data at the end before attempting to decode. base64_decode was relative, had no 'offset', and 'bytes' was a value >1. I thought base64_decode would've failed at this point and returned DETECTION_NO_MATCH, but if start_ptr == (p->data + p->dsize), it passed the condition, and somehow, Snort was either wrapping around to the beginning of the payload or meandering off somewhere else in memory. Changing the condition to '>=' corrects this, and subsequent tests show the problem disappears if you omit an isdataat call.

I also corrected a similar case in snort_plugin_api.c::base64Decode().

 detection-plugins/sp_base64_decode.c            | 2 +-
 dynamic-plugins/sf_engine/sf_snort_plugin_api.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
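The off-by-one described above, as an added C example that is not Snort's code or the attached patch: a minimal stand-in for p->data/p->dsize (the Packet struct here is constructed), the original '>' check beside the patched '>=' check, and an assumed clamp of 'bytes' to the remaining payload that a bounded decoder would apply. With the relative cursor sitting exactly at data + dsize, the original check accepts a start position with zero bytes left.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the two packet fields the report refers to. */
typedef struct {
    const uint8_t *data;
    uint16_t dsize;
} Packet;

/* Original condition: only a pointer strictly past the end is rejected,
 * so start_ptr == data + dsize (nothing left to decode) slips through. */
static int start_in_bounds_original(const Packet *p, const uint8_t *start_ptr)
{
    return (start_ptr > p->data + p->dsize) ? 0 : 1;
}

/* Patched condition from the thread: '>=' also rejects the end position. */
static int start_in_bounds_patched(const Packet *p, const uint8_t *start_ptr)
{
    return (start_ptr >= p->data + p->dsize) ? 0 : 1;
}

/* Assumed hardening (not a claim about Snort's decoder): number of bytes a
 * decoder may read, i.e. the requested 'bytes' clamped to what remains, or
 * 0 when the patched check rejects the start pointer. */
static size_t decode_length(const Packet *p, const uint8_t *start_ptr, size_t bytes)
{
    if (!start_in_bounds_patched(p, start_ptr))
        return 0;
    size_t avail = (size_t)(p->data + p->dsize - start_ptr);
    return bytes < avail ? bytes : avail;
}

/* Scenario from the report: the content match consumed the whole payload,
 * so the relative cursor for base64_decode is exactly data + dsize. */
int demo_end_of_payload(int *original_accepts, int *patched_accepts,
                        size_t *decodable)
{
    static const uint8_t payload[] = "Authorization: Basic ";  /* constructed */
    Packet p = { payload, (uint16_t)strlen((const char *)payload) };
    const uint8_t *start_ptr = p.data + p.dsize;       /* cursor at the end */

    *original_accepts = start_in_bounds_original(&p, start_ptr);  /* 1: bug */
    *patched_accepts  = start_in_bounds_patched(&p, start_ptr);   /* 0: fixed */
    *decodable        = decode_length(&p, start_ptr, 16);         /* 0 bytes */
    return 0;
}
```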
Current thread:
- [PATCH]: Correctly detect the end of payload in base64_decode Joshua Kinard (Mar 07)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Hui Cao (huica) (Mar 07)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Joshua Kinard (Mar 07)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Hui Cao (huica) (Mar 09)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Joshua Kinard (Mar 09)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Joel Esler (jesler) (Mar 09)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Joshua Kinard (Mar 09)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Joel Esler (jesler) (Mar 09)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Joshua Kinard (Mar 07)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Hui Cao (huica) (Mar 07)