Skip to content
This repository has been archived by the owner on Apr 1, 2024. It is now read-only.

add brim specific readme #2

Merged
merged 1 commit into from
Mar 2, 2020
Merged

add brim specific readme #2

merged 1 commit into from
Mar 2, 2020

Conversation

alfred-landrum
Copy link

No description provided.

@alfred-landrum alfred-landrum requested a review from a team March 2, 2020 14:59
@alfred-landrum alfred-landrum merged commit 8d2c2dc into master Mar 2, 2020
@alfred-landrum alfred-landrum deleted the brim-readme branch March 2, 2020 22:51
nwt pushed a commit that referenced this pull request Apr 24, 2020
…cket

An attacker can make Zeek crash by posting the KEX packet twice, which
will result in an assertion failure in binpac::datastring::init():

 #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
 #1  0x00007ffff5196535 in __GI_abort () at abort.c:79
 #2  0x00007ffff519640f in __assert_fail_base (fmt=0x7ffff52f86e0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x1d33530 "!data_",
     file=0x1d33537 "aux/binpac/lib/binpac_bytestring.h", line=108, function=<optimized out>) at assert.c:92
 #3  0x00007ffff51a3b92 in __GI___assert_fail (assertion=0x1d33530 "!data_", file=0x1d33537 "aux/binpac/lib/binpac_bytestring.h",
     line=108, function=0x1d3356c "void binpac::datastring<unsigned char>::init(const T *, int) [T = unsigned char]") at assert.c:101
 #4  0x0000000000c1e970 in binpac::datastring<unsigned char>::init (this=0x608000d609d0, begin=0x603001bdd1d0 "diffie-hellman-group16-sha512", length=29)
     at aux/binpac/lib/binpac_bytestring.h:108
 #5  0x0000000000e9ab60 in binpac::SSH::SSH_Conn::update_kex (this=0x608000d609a0, algs=..., orig=true) at src/analyzer/protocol/ssh/ssh_pac.cc:205
 #6  0x0000000000ea0d06 in binpac::SSH::SSH2_KEXINIT::Parse (this=0x60b000734680,
     t_begin_of_data=0x621000004753 "\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>,
     t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1598
 #7  0x0000000000e9f8f4 in binpac::SSH::SSH2_Message::Parse (this=0x608000d60ea0,
     t_begin_of_data=0x621000004753 "\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>,
     t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1326
 #8  0x0000000000e9d7e1 in binpac::SSH::SSH2_Key_Exchange::Parse (this=0x604001779850,
     t_begin_of_data=0x621000004751 "\006\024\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>,
     t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1210
 #9  0x0000000000e9c981 in binpac::SSH::SSH_Key_Exchange::ParseBuffer (this=0x603001bdccc0, t_flow_buffer=0x608000d60a20, t_context=0x603001bdcc90,
     t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:628
 #10 0x0000000000e9c26c in binpac::SSH::SSH_PDU::ParseBuffer (this=0x604001779810, t_flow_buffer=0x608000d60a20, t_context=0x603001bdcc90)
     at src/analyzer/protocol/ssh/ssh_pac.cc:446
 #11 0x0000000000ea6f04 in binpac::SSH::SSH_Flow::NewData (this=0x604001774690, t_begin_of_data=0x62100000474d "",
     t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>) at src/analyzer/protocol/ssh/ssh_pac.cc:3071
 #12 0x0000000000e9a38f in binpac::SSH::SSH_Conn::NewData (this=0x608000d609a0, is_orig=true, begin=0x62100000474d "",
     end=0x621000004b85 "ޭ\276", <incomplete sequence \357>) at src/analyzer/protocol/ssh/ssh_pac.cc:63
 #13 0x0000000000e98335 in analyzer::SSH::SSH_Analyzer::DeliverStream (this=0x7fffffffdd40, len=1080, data=0x62100000474d "", orig=true)
     at src/analyzer/protocol/ssh/SSH.cc:68

With assertions turned off, this would "only" be a memory leak.

This commit fixes the vulnerability by freeing and clearing the
`binpac::datastring` before assigning a new value.
nwt pushed a commit that referenced this pull request Apr 24, 2020
The following source code:

 function foo(foo: int) {}
 function foo() {}

... first produces this error:

 error in crash.zeek, line 1 and crash.zeek, line 2: incompatible types (function(foo:int;) : void and function() : void)

... and then crashes:

 Thread 1 "zeek" received signal SIGSEGV, Segmentation fault.
 0x000055555617d970 in RecordType::FieldDecl (this=0x555557cbdd80, field=0) at ../src/Type.cc:735
 735		return (*types)[field];
 (gdb) bt
 #0  0x000055555617d970 in RecordType::FieldDecl (this=0x555557cbdd80, field=0) at ../src/Type.cc:735
 #1  0x000055555619c0e2 in transfer_arg_defaults (args=0x555557cbf270, recv=0x555557cbdd80) at ../src/Var.cc:315
 #2  0x000055555619c40c in begin_func (id=0x555557cbf070, module_name=0x5555579dd4a0 "GLOBAL", flavor=FUNC_FLAVOR_FUNCTION, is_redef=0, t=0x555557cbde00,
     attrs=0x0) at ../src/Var.cc:371
 #3  0x0000555555f5723b in yyparse () at parse.y:1174
 #4  0x0000555556038bf6 in main (argc=5, argv=0x7fffffffe658) at ../src/main.cc:646

This is because `begin_func()` checks if the old and new functions
have the same type via same_type(), but continues anyway, and then
transfer_arg_defaults() crashes because both `Args()` have different
lengths.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants