Re: ASN1 question

[James Lay <jlay () slave-tothe-box net>]

On 2012-12-18 13:39, Patrick Mullen wrote:
> James,
>
> ASN.1 stuff really has to be done using an SO rule.  Thankfully, Ive
> written a collection of functions that you can get with the SO Rules
> distribution to make handling the BER data much, much easier.  If you
> go through the history of SO Rules, you can see how the library
> developed into something that makes going through ASN.1 much faster
> and easier.
>
> The functions Im referring to are in dos_ber.[ch] (and duplicated in
> exploit_ber.* and snmp_ber.*).
>
> There are other rules that use ASN.1 that dont use the library, but 
> if
> you want a brief view of the visible history of the progression of
> those helper functions, first look at dos_linux-snmp-nat-netfilter.c
> and dos_openldap-bind-request-dos.c, then look
> at dos_oracle-ldap-bind-request-version.c
> and dos_tivoli-director-bind-string-overflow.c.  The former are
> presented as a warning and as insight into the nitty gritty, and the
> latter are examples of how it can be clean.  Youll probably want a
> mix of the two for the example you are trying to do.
>
> For the particular example you are referring to, you should be able 
> to
> traverse the structure using the utility functions and just check for
> sizes > 0x7FFFFF (or, more simply, size & 0x800000).
>
> Whats left, of course, is properly traversing the structure, which
> given that youre going through a cert, could be painful and slow, and
> I didnt necessarily read that advisory closely enough to see if there
> is a subset of places you need to check the size value or if you need
> to do that after every single read.  Using the utility functions I
> mention, the size value would be in ber_element.size, so accessing
> that information is easy, but still the validation will be slow.
>
> Good luck,
>
> ~Patrick
>
> On Tue, Dec 18, 2012 at 12:53 PM, James Lay <jlay () slave-tothe-box net
> [7]> wrote:
>
> > Hey all,
> >
> > Im trying to craft a sig that revolves around:
> >
> > http://seclists.org/fulldisclosure/2012/Apr/210 [1]
> >
> > but Im not exactly sure on where to start.  Im guessing that
> > asn1:bitstring_overflow 10000 may be the ticket, but I wanted to
> > get
> > some input from here.  Any hints on if this is the right way to
> > go?
> > Thank you.
> >
> > James

Thanks Patrick...sounds like fun ;)  I'll give it a go.

James

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!