Snort mailing list archives

Re: [PATCH]: Correctly detect the end of payload in base64_decode

From: "Hui Cao (huica)" <huica () cisco com>
Date: Fri, 7 Mar 2014 14:59:01 +0000

Hi Joshhua,

Thanks for reporting this issue and providing the patch. We will address
this issue.

Best,
Hui.

On 3/7/14, 5:21 AM, "Joshua Kinard" <kumba () gentoo org> wrote:


Hi snort-devel,

So I ran into a curious use case w/ base64_decode, and I think it's a bug.
In the attached patch, in Base64DecodeEval(), I modified the check for the
end of the payload to use '>=' instead of '>'.  I had a case where a
content
match was at the end of the payload, but I forgot to use an
isdataat/relative keyword before base64_decode/relative to verify that
there
was actually data at the end before attempting to decode.  base64_decode
was
relative, had no 'offset', and 'bytes' was a value >1.

I thought base64_decode would've failed at this point and returned
DETECTION_NO_MATCH, but if start_ptr == (p->data + p->dsize), it passed
the
condition, and somehow, Snort was either wrapping around to the beginning
of
the payload or meandering off somewhere else in memory.  Changing the
condition to '>=' corrects this, and subsequent tests show the problem
disappears if you omit an isdataat call.

I also corrected a similar case in snort_plugin_api.c::base64Decode().

detection-plugins/sp_base64_decode.c            |    2 +-
dynamic-plugins/sf_engine/sf_snort_plugin_api.c |    2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.
And
our lives slip away, moment by moment, lost in that vast, terrible
in-between."

--Emperor Turhan, Centauri Republic



------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

[PATCH]: Correctly detect the end of payload in base64_decode Joshua Kinard (Mar 07)
- Re: [PATCH]: Correctly detect the end of payload in base64_decode Hui Cao (huica) (Mar 07)
  - Re: [PATCH]: Correctly detect the end of payload in base64_decode Joshua Kinard (Mar 07)
    - Re: [PATCH]: Correctly detect the end of payload in base64_decode Hui Cao (huica) (Mar 09)
    - Re: [PATCH]: Correctly detect the end of payload in base64_decode Joshua Kinard (Mar 09)
    - Re: [PATCH]: Correctly detect the end of payload in base64_decode Joel Esler (jesler) (Mar 09)
    - Re: [PATCH]: Correctly detect the end of payload in base64_decode Joshua Kinard (Mar 09)
    - Re: [PATCH]: Correctly detect the end of payload in base64_decode Joel Esler (jesler) (Mar 09)