Skip to content
This repository has been archived by the owner on Apr 1, 2024. It is now read-only.

Include Zeek scripts commonly found on Corelight Sensor #12

Closed
philrz opened this issue Apr 7, 2020 · 1 comment
Closed

Include Zeek scripts commonly found on Corelight Sensor #12

philrz opened this issue Apr 7, 2020 · 1 comment
Labels
wontfix This will not be worked on

Comments

@philrz
Copy link

philrz commented Apr 7, 2020
edited
Loading

Corelight is a major contributor to open source Zeek, and users of their Sensor product are likely to also be users of the Brim app. It may be helpful for the Zeek included with Brim to invoke scripts commonly found in a Corelight Sensor so the experience will be familiar to Corelight users and enriched for Zeek users in general.

Our current plan is to get JA3/HASSH into the Zeek artifact that's included with Brim (#11) and as users (at Corelight, or otherwise) tell us of other scripts they wish they'd had, we'll add them over time.

If/when we add such scripts, scope of the implementation includes:

  1. Including the licenses in the Acknowledgments that ship with the app
  2. Ensuring the scripts are packaged correctly into artifacts on all supported Brim platforms
  3. Ensuring Zeek logs generated on all supported Brim platforms include the expected additional logs/fields
@philrz philrz self-assigned this Apr 10, 2020
nwt pushed a commit that referenced this issue Apr 24, 2020
@MaxKellermann
analyzer/protocol/ssh: fix crash vulnerability after duplicate KEX pa…
98c5053 
…cket

An attacker can make Zeek crash by posting the KEX packet twice, which
will result in an assertion failure in binpac::datastring::init():

 #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
 #1  0x00007ffff5196535 in __GI_abort () at abort.c:79
 #2  0x00007ffff519640f in __assert_fail_base (fmt=0x7ffff52f86e0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x1d33530 "!data_",
     file=0x1d33537 "aux/binpac/lib/binpac_bytestring.h", line=108, function=<optimized out>) at assert.c:92
 #3  0x00007ffff51a3b92 in __GI___assert_fail (assertion=0x1d33530 "!data_", file=0x1d33537 "aux/binpac/lib/binpac_bytestring.h",
     line=108, function=0x1d3356c "void binpac::datastring<unsigned char>::init(const T *, int) [T = unsigned char]") at assert.c:101
 #4  0x0000000000c1e970 in binpac::datastring<unsigned char>::init (this=0x608000d609d0, begin=0x603001bdd1d0 "diffie-hellman-group16-sha512", length=29)
     at aux/binpac/lib/binpac_bytestring.h:108
 #5  0x0000000000e9ab60 in binpac::SSH::SSH_Conn::update_kex (this=0x608000d609a0, algs=..., orig=true) at src/analyzer/protocol/ssh/ssh_pac.cc:205
 #6  0x0000000000ea0d06 in binpac::SSH::SSH2_KEXINIT::Parse (this=0x60b000734680,
     t_begin_of_data=0x621000004753 "\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>,
     t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1598
 #7  0x0000000000e9f8f4 in binpac::SSH::SSH2_Message::Parse (this=0x608000d60ea0,
     t_begin_of_data=0x621000004753 "\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>,
     t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1326
 #8  0x0000000000e9d7e1 in binpac::SSH::SSH2_Key_Exchange::Parse (this=0x604001779850,
     t_begin_of_data=0x621000004751 "\006\024\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>,
     t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1210
 #9  0x0000000000e9c981 in binpac::SSH::SSH_Key_Exchange::ParseBuffer (this=0x603001bdccc0, t_flow_buffer=0x608000d60a20, t_context=0x603001bdcc90,
     t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:628
 #10 0x0000000000e9c26c in binpac::SSH::SSH_PDU::ParseBuffer (this=0x604001779810, t_flow_buffer=0x608000d60a20, t_context=0x603001bdcc90)
     at src/analyzer/protocol/ssh/ssh_pac.cc:446
 #11 0x0000000000ea6f04 in binpac::SSH::SSH_Flow::NewData (this=0x604001774690, t_begin_of_data=0x62100000474d "",
     t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>) at src/analyzer/protocol/ssh/ssh_pac.cc:3071
 #12 0x0000000000e9a38f in binpac::SSH::SSH_Conn::NewData (this=0x608000d609a0, is_orig=true, begin=0x62100000474d "",
     end=0x621000004b85 "ޭ\276", <incomplete sequence \357>) at src/analyzer/protocol/ssh/ssh_pac.cc:63
 #13 0x0000000000e98335 in analyzer::SSH::SSH_Analyzer::DeliverStream (this=0x7fffffffdd40, len=1080, data=0x62100000474d "", orig=true)
     at src/analyzer/protocol/ssh/SSH.cc:68

With assertions turned off, this would "only" be a memory leak.

This commit fixes the vulnerability by freeing and clearing the
`binpac::datastring` before assigning a new value.
@philrz philrz removed their assignment Apr 27, 2020
@philrz
Copy link
Author

philrz commented May 6, 2020

With the release of Brim v0.9.1, we expect we'll be hearing from Corelight if/when there's additional scripts beyond JA3/HASSH that they feel should be included by default in the Brim-embedded Zeek. The "bring your own Zeek" option tracked in brimdata/zui#731 will also provide a path for users to use their own arbitrary scripts without waiting for them to be added to the Brim-embedded Zeek. Therefore we're closing this one as a "won't do".

@philrz philrz closed this as completed May 6, 2020
@philrz philrz added the wontfix This will not be worked on label May 6, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
wontfix This will not be worked on
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@philrz