Fixed capture buffer overflow read/writes and viewer XSS
- capture - fixed multiple smtp, smb and ssh buffer overflow read/writes (reported by jbremer)
- viewer - fixed multiple XSS injections (reported by jbremer)
- viewer - fixed crash when viewing large mime messages
- capture - irc detection improvement
awick committed Nov 7, 2015
1 parent 415cfb2 commit 4a2d638
Showing 25 changed files with 724 additions and 131 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG
Expand Up @@ -29,6 +29,10 @@
- db - Added warning for ES below 1.6.2
- wise - use native hashtable, required for threatstream
- viewer - fixed addTags to work with session that have no tags
- capture - fixed multiple smtp, smb and ssh buffer overflow read/writes (reported by jbremer)
- viewer - fixed multiple XSS injections (reported by jbremer)
- viewer - fixed crash when viewing large mime messages
- capture - irc detection improvement

0.11.5 2015/06/02
- NOTICE: Only ES 1.[45].x is supported by this version.
73 changes: 55 additions & 18 deletions capture/bsb.h
Expand Up @@ -21,9 +21,11 @@ do { \
(b).end = (unsigned char*)buffer + size; \
} while (0)

#define BSB_SET_ERROR(b) ((b).end = NULL)
#define BSB_IS_ERROR(b) ((b).end == NULL)
#define BSB_NOT_ERROR(b) ((b).end != NULL)
#define BSB_LENGTH(b) ((b).ptr - (b).buf)
#define BSB_POSITION BSB_LENGTH
#define BSB_SIZE(b) ((b).end - (b).buf)
#define BSB_REMAINING(b) ((b).end?(b).end-(b).ptr:0)
#define BSB_WORK_PTR(b) ((b).ptr)
Expand All @@ -33,7 +35,7 @@ do { \
if ((b).ptr + 1 <= (b).end) { \
*(((b).ptr)++) = (unsigned char)x; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_EXPORT_u16(b, x) \
Expand All @@ -43,7 +45,7 @@ do { \
*(((b).ptr)++) = (t & 0xff00) >> 8; \
*(((b).ptr)++) = (t & 0x00ff); \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_EXPORT_u32(b, x) \
Expand All @@ -55,7 +57,7 @@ do { \
*(((b).ptr)++) = (t & 0x0000ff00) >> 8; \
*(((b).ptr)++) = (t & 0x000000ff); \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_EXPORT_ptr(b, x, size) \
Expand All @@ -64,7 +66,18 @@ do { \
memcpy((b).ptr, x, size); \
(b).ptr += size; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_EXPORT_ptr_some(b, x, size) \
do { \
if ((b).ptr + size <= (b).end) { \
memcpy((b).ptr, x, size); \
(b).ptr += size; \
} else if (BSB_NOT_ERROR(b)) { \
memcpy((b).ptr, x, BSB_REMAINING(b)); \
(b).ptr += BSB_REMAINING(b); \
} \
} while (0)

#define BSB_EXPORT_cstr(b, x) \
Expand All @@ -74,7 +87,7 @@ do { \
memcpy((b).ptr, x, size); \
(b).ptr += size; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_EXPORT_skip(b, size) \
Expand All @@ -84,7 +97,7 @@ do { \
if ((b).ptr < (b).buf) \
(b).end = 0; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_EXPORT_rewind(b, size) \
Expand All @@ -94,7 +107,7 @@ do { \
if ((b).ptr < (b).buf) \
(b).end = 0; \
} else { \
(b).end = 0; \
BSB_SET_ERROR(b); \
} \
} while (0)

Expand All @@ -109,7 +122,7 @@ do { \
if (l <= (b).end - (b).ptr) { \
(b).ptr += l; \
} else { \
(b).end = 0; \
BSB_SET_ERROR(b); \
} \
} \
} while (0)
Expand All @@ -125,7 +138,7 @@ do { \
if (l <= (b).end - (b).ptr) { \
(b).ptr += l; \
} else { \
(b).end = 0; \
BSB_SET_ERROR(b); \
} \
} \
} while (0)
Expand All @@ -136,7 +149,7 @@ do { \
if ((b).ptr + 1 <= (b).end) { \
x = *(((b).ptr)++); \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_IMPORT_u16(b, x) \
Expand All @@ -146,7 +159,7 @@ do { \
((b).ptr)[1]); \
(b).ptr += 2; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_IMPORT_u24(b, x) \
Expand All @@ -157,7 +170,7 @@ do { \
((b).ptr)[2]); \
(b).ptr += 3; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_IMPORT_u32(b, x) \
Expand All @@ -169,7 +182,31 @@ do { \
((b).ptr)[3]); \
(b).ptr += 4; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_LEXPORT_u08(b, x) BSB_EXPORT_u08(b, x)

#define BSB_LEXPORT_u16(b, x) \
do { \
if ((b).ptr + 2 <= (b).end) { \
uint16_t t = (uint16_t)x; \
*(((b).ptr)++) = (t & 0x00ff); \
*(((b).ptr)++) = (t & 0xff00) >> 8; \
} else \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_LEXPORT_u32(b, x) \
do { \
if ((b).ptr + 4 <= (b).end) { \
uint32_t t = x; \
*(((b).ptr)++) = (t & 0x000000ff); \
*(((b).ptr)++) = (t & 0x0000ff00) >> 8; \
*(((b).ptr)++) = (t & 0x00ff0000) >> 16; \
*(((b).ptr)++) = (t & 0xff000000) >> 24; \
} else \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_LIMPORT_u08(b, x) BSB_IMPORT_u08(b, x)
Expand All @@ -181,7 +218,7 @@ do { \
((b).ptr)[0]); \
(b).ptr += 2; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_LIMPORT_u24(b, x) \
Expand All @@ -192,7 +229,7 @@ do { \
((b).ptr)[0]); \
(b).ptr += 3; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_LIMPORT_u32(b, x) \
Expand All @@ -204,7 +241,7 @@ do { \
((b).ptr)[0]); \
(b).ptr += 4; \
} else \
(b).end = 0; \
BSB_SET_ERROR(b); \
} while (0)

#define BSB_IMPORT_ptr(b, x, size) \
Expand All @@ -213,7 +250,7 @@ do { \
(x) = (b).ptr; \
(b).ptr += size; \
} else { \
(b).end = 0; \
BSB_SET_ERROR(b); \
x = 0; \
} \
} while (0)
Expand All @@ -228,7 +265,7 @@ do { \
(x)[size] = 0; \
(b).ptr += size; \
} else { \
(b).end = 0; \
BSB_SET_ERROR(b); \
(x)[0] = 0; \
} \
} while (0)
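Review bot: The bound check in the new BSB_EXPORT_ptr_some macro, `if ((b).ptr + size <= (b).end)`, forms a pointer past the end of the buffer whenever size exceeds what remains, and a negative or very large `size` (the argument is also used unparenthesized) can make that comparison succeed and reach the memcpy; since this commit introduces BSB_REMAINING for exactly this purpose, the macro should bound on it instead, `if (BSB_NOT_ERROR(b) && (size_t)(size) <= (size_t)BSB_REMAINING(b)) {`, with `(size)` parenthesized in the memcpy and ptr advance too. The pre-existing `ptr + N <= end` form in the other macros is out of scope here, but the new macro should not add another instance. Because the truncating branch deliberately leaves the error flag clear, a comment above the macro saying that a short copy is silent and that callers must read BSB_LENGTH(b) rather than assume `size` bytes were written would keep that contract visible. Two smaller consistency points: the inner `(b).end = 0;` in BSB_EXPORT_skip and BSB_EXPORT_rewind was not converted to BSB_SET_ERROR like the rest of the header, and BSB_LEXPORT_u32 assigns `uint32_t t = x;` where BSB_LEXPORT_u16 casts `(uint16_t)x`.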
2 changes: 1 addition & 1 deletion capture/moloch.h
Expand Up @@ -493,7 +493,7 @@ void moloch_db_exit();

void moloch_parsers_init();
void moloch_parsers_initial_tag(MolochSession_t *session);
unsigned char *moloch_parsers_asn_get_tlv(BSB *bsb, int *apc, int *atag, int *alen);
unsigned char *moloch_parsers_asn_get_tlv(BSB *bsb, uint32_t *apc, uint32_t *atag, uint32_t *alen);
void moloch_parsers_asn_decode_oid(char *buf, int bufsz, unsigned char *oid, int len);
void moloch_parsers_classify_tcp(MolochSession_t *session, const unsigned char *data, int remaining, int which);
void moloch_parsers_classify_udp(MolochSession_t *session, const unsigned char *data, int remaining, int which);
5 changes: 1 addition & 4 deletions capture/parsers.c
Expand Up @@ -82,7 +82,7 @@ void moloch_parsers_initial_tag(MolochSession_t *session)

/******************************************************************************/
unsigned char *
moloch_parsers_asn_get_tlv(BSB *bsb, int *apc, int *atag, int *alen)
moloch_parsers_asn_get_tlv(BSB *bsb, uint32_t *apc, uint32_t *atag, uint32_t *alen)
{

if (BSB_REMAINING(*bsb) < 2)
Expand Down Expand Up @@ -121,9 +121,6 @@ moloch_parsers_asn_get_tlv(BSB *bsb, int *apc, int *atag, int *alen)
(*alen) = ch;
}

if (*alen < 0)
goto get_tlv_error;

if (*alen > BSB_REMAINING(*bsb))
*alen = BSB_REMAINING(*bsb);

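Review bot: With `*alen` now uint32_t and the `*alen < 0` rejection removed, the clamp `if (*alen > BSB_REMAINING(*bsb)) *alen = BSB_REMAINING(*bsb);` is the only bound on the TLV length, so an over-long length encoding no longer produces a negative value that is rejected; it presumably wraps modulo 2^32 in the accumulation above this hunk (the length-octet loop and the rest of moloch_parsers_asn_get_tlv are outside the hunk) and is then silently clamped to a plausible but wrong length rather than treated as malformed. If the long-form loop does not already cap the number of length octets at four, it should jump to get_tlv_error when it would shift out of the type; either way a comment on the clamp, `/* length is unsigned now: clamping to the remaining bytes is the sole bound, a wrapped long-form length is rejected in the loop above */`, would record why the signed check could go. The matching prototype change in capture/moloch.h is consistent with this hunk.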
6 changes: 3 additions & 3 deletions capture/parsers/http.c
Expand Up @@ -460,7 +460,7 @@ moloch_hp_cb_on_headers_complete (http_parser *parser)
char *str = g_uri_unescape_segment(start, ch, NULL);
if (!str) {
moloch_field_string_add(field, session, start, ch-start, TRUE);
} else if (!moloch_field_string_add(field, session, str, strlen(str), FALSE)) {
} else if (!moloch_field_string_add(field, session, str, -1, FALSE)) {
g_free(str);
}
}
Expand All @@ -472,7 +472,7 @@ moloch_hp_cb_on_headers_complete (http_parser *parser)
char *str = g_uri_unescape_segment(start, ch, NULL);
if (!str) {
moloch_field_string_add(field, session, start, ch-start, TRUE);
} else if (!moloch_field_string_add(field, session, str, strlen(str), FALSE)) {
} else if (!moloch_field_string_add(field, session, str, -1, FALSE)) {
g_free(str);
}
}
Expand All @@ -484,7 +484,7 @@ moloch_hp_cb_on_headers_complete (http_parser *parser)
char *str = g_uri_unescape_segment(start, ch, NULL);
if (!str) {
moloch_field_string_add(field, session, start, ch-start, TRUE);
} else if (!moloch_field_string_add(field, session, str, strlen(str), FALSE)) {
} else if (!moloch_field_string_add(field, session, str, -1, FALSE)) {
g_free(str);
}
}
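Review bot: The three hunks in this file replace `strlen(str)` with the literal `-1` in the moloch_field_string_add call, which turns the length argument into an implicit sentinel whose meaning (presumably "NUL-terminated, compute the length in the callee") is not visible here or at the call site. A reader of the first hunk has no way to distinguish this from a bug, so each call should say so, e.g. `} else if (!moloch_field_string_add(field, session, str, -1 /* NUL-terminated */, FALSE)) {`, or the header declaring moloch_field_string_add should document the -1 convention; the same applies to the two later hunks at lines 472 and 484. Ownership of `str` looks unchanged: it is freed only when the add reports failure, which suggests the callee takes the buffer on success, but that contract is outside this hunk and worth confirming. moloch_hp_cb_on_headers_complete starts and ends outside the hunks.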
7 changes: 5 additions & 2 deletions capture/parsers/irc.c
Expand Up @@ -82,11 +82,14 @@ void irc_free(MolochSession_t UNUSED(*session), void *uw)
/******************************************************************************/
void irc_classify(MolochSession_t *session, const unsigned char *data, int len, int which)
{
if (len < 8)
return;

if (data[0] == ':' && !moloch_memstr((char *)data, len, " NOTICE ", 8))
return;

//If a USER packet must have NICK with it so we don't pickup FTP
if (data[0] == 'U' && !moloch_memstr((char *)data, len, "\nNICK ", 6)) {
//If a USER packet must have NICK or +iw with it so we don't pickup FTP
if (data[0] == 'U' && !moloch_memstr((char *)data, len, "\nNICK ", 6) && !moloch_memstr((char *)data, len, " +iw ", 5)) {
return;
}

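Review bot: The new `if (len < 8) return;` guard is a bare magic number whose only justification in the hunk is that 8 is the length of the " NOTICE " needle passed to moloch_memstr two lines below; if a longer needle is added later, or the 8 is "tidied" to match the 6 and 5 of the other needles, the bound silently stops protecting the searches. Tie it to the needle in the source, e.g. `if (len < 8) /* shortest buffer that can hold " NOTICE " */ return;`, or compare against `sizeof(" NOTICE ") - 1` directly. The comment on the USER check reads awkwardly after the edit; `// A USER packet must carry NICK or +iw as well, otherwise it is probably FTP` states the intent more plainly. irc_classify continues past the end of the hunk, so whether the guard also covers any later indexing into data cannot be confirmed from here.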
2 changes: 1 addition & 1 deletion capture/parsers/misc.c
Expand Up @@ -60,7 +60,7 @@ void other220_classify(MolochSession_t *session, const unsigned char *data, int
if (g_strstr_len((char *)data, len, "LMTP") != NULL) {
moloch_nids_add_protocol(session, "lmtp");
}
else if (g_strstr_len((char *)data, len, "SMTP") == NULL) {
else if (g_strstr_len((char *)data, len, "SMTP") == NULL && g_strstr_len((char *)data, len, " TLS") == NULL) {
moloch_nids_add_protocol(session, "ftp");
}
}
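Review bot: The added `g_strstr_len((char *)data, len, " TLS") == NULL` condition changes which 220 banners are tagged as ftp, but nothing in the hunk records why a banner mentioning " TLS" should be excluded (presumably to stop mail or other STARTTLS-capable servers from being tagged as ftp), and the side effect is that an FTP server whose own banner advertises TLS is now left untagged. A one-line comment above the else-if, `/* 220 banners that mention SMTP or TLS are not FTP; see the ftp/smtp heuristics above */`, would let the next reader judge whether the trade-off is still right. other220_classify begins outside the hunk, so the LMTP/SMTP ordering above this branch is taken on trust.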
