sp_asn1_detect.c

著名的入侵检测系统snort的最新版本的源码

/* $Id$ */
/*
 ** Copyright (C) 2002-2006 Sourcefire, Inc.
 ** Author: Daniel Roelker
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU General Public License Version 2 as
 ** published by the Free Software Foundation.  You may not use, modify or
 ** distribute this program under any other version of the GNU General
 ** Public License.
 **
 ** This program is distributed in the hope that it will be useful,
 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 ** GNU General Public License for more details.
 **
 ** You should have received a copy of the GNU General Public License
 ** along with this program; if not, write to the Free Software
 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/**
**  @file        sp_asn1_detect.c
**
**  @author      Daniel Roelker <droelker@sourcefire.com>
** 
**  @brief       Decode and detect ASN.1 types, lengths, and data.
**
**  This detection plugin adds ASN.1 detection functions on a per rule
**  basis.  ASN.1 detection plugins can be added by editing this file and
**  providing an interface in the configuration code.
**  
**  Detection Plugin Interface:
**
**  asn1: [detection function],[arguments],[offset type],[size]
**
**  Detection Functions:
**
**  bitstring_overflow: no arguments
**  double_overflow:    no arguments
**  oversize_length:    max size (if no max size, then just return value)
**
**  alert udp any any -> any 161 (msg:"foo"; \
**      asn1: oversize_length 10000, absolute_offset 0;)
**
**  alert tcp any any -> any 162 (msg:"foo2"; \
**      asn1: bitstring_overflow, oversize_length 500, relative_offset 7;)
**
**
**  Note that further general information about ASN.1 can be found in
**  the file doc/README.asn1.
*/

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <sys/types.h>
#include <stdlib.h>
#include <ctype.h>

#ifndef SF_SNORT_ENGINE_DLL
#include "debug.h"
#else
/* Ignore debug statements */
#include <stdint.h>
#define DEBUG_WRAP(x)
#endif

#include "../sfutil/asn1.h"
#include "sp_asn1_detect.h"

#define BITSTRING_OPT  "bitstring_overflow"
#define DOUBLE_OPT     "double_overflow"
#define LENGTH_OPT     "oversize_length"
#define DBL_FREE_OPT   "double_free"

#define ABS_OFFSET_OPT "absolute_offset"
#define REL_OFFSET_OPT "relative_offset"
#define PRINT_OPT      "print"

#define ABS_OFFSET 1
#define REL_OFFSET 2

#define DELIMITERS " ,\t\n"

extern const u_int8_t *doe_ptr;


/*
 * Check to make sure that p is less than or equal to the ptr range
 * pointers
 *
 * 1 means it's in bounds, 0 means it's not
 */
static int inBounds(const u_int8_t *start, const u_int8_t *end, const u_int8_t *p)
{
    if(p >= start && p < end)
    {
        return 1;
    }
    
    return 0;
}

/*
**  NAME
**    BitStringOverflow::
*/
/**
**  The neccessary info to detect possible bitstring overflows.  Thanks
**  once again to microsoft for keeping us in business.
**
**  @return integer
**
**  @retval 0 failed
**  @retval 1 detected
*/
static int BitStringOverflow(ASN1_TYPE *asn1, void * user)
{
    if(!asn1)
        return 0;

    /*
    **  Here's what this means:
    **
    **  If the ASN.1 type is a non-constructed bitstring (meaning that
    **  there is only one encoding, not multiple encodings).  And
    **  the number of bits to ignore (this is taken from the first byte)
    **  is greater than the total number of bits, then we have an
    **  exploit attempt.
    */
    if(asn1->ident.tag == SF_ASN1_TAG_BIT_STR && !asn1->ident.flag)
    {
        if(asn1->len.size && asn1->data && 
           (((asn1->len.size - 1)<<3) < (unsigned int)asn1->data[0]))
        {
            return 1;
        }
    }

    return 0;
}

/*
**  NAME
**    DetectBitStringOverflow::
*/
/**
**  This is just a wrapper to the traverse function.  It's important because
**  this allows us to do more with individual nodes in the future.
**
**  @return integer
**
**  @retval 0 failed
**  @rteval 1 detected
*/
static int DetectBitStringOverflow(ASN1_TYPE *asn1)
{
    return asn1_traverse(asn1, NULL, BitStringOverflow);
}

/*
**  NAME
**    DoubleOverflow::
*/
/**
**  This is the info to detect double overflows.  This may not be a
**  remotely exploitable (remote services may not call the vulnerable
**  microsoft function), but better safe than sorry.
**
**  @return integer
**
**  @retval 0 failed
**  @retval 1 detected
*/
static int DoubleOverflow(ASN1_TYPE *asn1, void *user)
{
    if(!asn1)
        return 0;

    /*
    **  Here's what this does.
    **
    **  There is a vulnerablity in the MSASN1 library when decoding
    **  a double (real) type.  If the encoding is ASCII (specified by
    **  not setting bit 7 or 8), and the buffer is greater than 256,
    **  then you overflow the array in the function.
    */
    if(asn1->ident.tag == SF_ASN1_TAG_REAL && !asn1->ident.flag)
    {
        if(asn1->len.size && asn1->data &&
           ((asn1->data[0] & 0xc0) == 0x00) && 
           (asn1->len.size > 256))
        {
            return 1;
        }
    }

    return 0;
}

/*
**  NAME
**    DetectDoubleOverflow::
*/
/**
**  This is just a wrapper to the traverse function.  It's important because
**  this allows us to do more with individual nodes in the future.
**
**  @return integer
**
**  @retval 0 failed
**  @rteval 1 detected
*/
static int DetectDoubleOverflow(ASN1_TYPE *asn1)
{
    return asn1_traverse(asn1, NULL, DoubleOverflow);
}

/*
**  NAME
**    OversizeLength::
*/
/**
**  This is the most generic of our ASN.1 detection functionalities.  This
**  will compare the ASN.1 type lengths against the user defined max
**  length and alert if the length is greater than the user supplied length.
**  
**  @return integer
**
**  @retval 0 failed
**  @retval 1 detected
*/
static int OversizeLength(ASN1_TYPE *asn1, void *user)
{
    unsigned int *max_size;

    if(!asn1 || !user)
        return 0;

    max_size = (unsigned int *)user;

    if(*max_size && *max_size <= asn1->len.size)
        return 1;

    return 0;
}

/*
**  NAME
**    DetectOversizeLength::
*/
/**
**  This is just a wrapper to the traverse function.  It's important because
**  this allows us to do more with individual nodes in the future.
**
**  @return integer
**
**  @retval 0 failed
**  @rteval 1 detected
*/
static int DetectOversizeLength(ASN1_TYPE *asn1, unsigned int max_size)
{
    return asn1_traverse(asn1, (void *)&max_size, OversizeLength);
}

/*
**  NAME
**    Asn1DetectFuncs::
*/
/**
**  The main function for adding ASN.1 detection type functionality.
**
**  @return integer
**
**  @retval 0 failed
**  @retval 1 detected
*/
static int Asn1DetectFuncs(ASN1_TYPE *asn1, ASN1_CTXT *ctxt, int dec_ret_val)
{
    int iRet = 0;

    /*
    **  Print first, before we do other detection.  If print is the only
    **  option, then we want to evaluate this option as true and continue.
    **  Otherwise, if another option is wrong, then we 
    */
    if(ctxt->print)
    {
        asn1_traverse(asn1, NULL, asn1_print_types);
        iRet = 1;
    }

    /*
    **  Let's check the bitstring overflow.
    */
    if(ctxt->bs_overflow)
    {
        iRet = DetectBitStringOverflow(asn1);
        if(iRet)
            return 1;
    }

    if(ctxt->double_overflow)
    {
        iRet = DetectDoubleOverflow(asn1);
        if(iRet)
            return 1;
    }

    if(ctxt->length)
    {
        iRet = DetectOversizeLength(asn1, ctxt->max_length);

        /*
        **  If we didn't detect any oversize length in the decoded structs,
        **  that might be because we had a really overlong length that is
        **  bigger than our data type could hold.  In this case, it's 
        **  overlong too.
        */
        if(!iRet && dec_ret_val == ASN1_ERR_OVERLONG_LEN)
            iRet = 1;

        /*
        **  We add this return in here, so that we follow suit with the
        **  previous detections.  Just trying to short-circuit any future
        **  problems if we change the code flow here.
        */
        if(iRet)
            return 1;
    }

    return iRet;
}

/*
**  NAME
**    Asn1DoDetect::
*/
/**
**  Workhorse detection function.  Does not depend on OTN.
**  We check all the offsets to make sure we're in bounds, etc.
**
**  @return integer
**
**  @retval 0 failed
**  @retval 1 detected
*/
int Asn1DoDetect(const u_int8_t *data, u_int16_t dsize, ASN1_CTXT *ctxt, const u_int8_t *rel_ptr)
{
    ASN1_TYPE *asn1;
    int iRet;
    unsigned int size;
    const u_int8_t *start;
    const u_int8_t *end;
    const u_int8_t *offset = NULL;

    /*
    **  Failed if there is no data to decode.
    */
    if(!data)
        return 0;

    start = data;
    end   = start + dsize;

    switch(ctxt->offset_type)
    {
        case REL_OFFSET:
            if(!rel_ptr)
            {
                DEBUG_WRAP(DebugMessage(DEBUG_ASN1, "[*] No rel_ptr for "
                           "relative offset, so we are bailing.\n"););
                return 0;
            }
                           
            /*
            **  Check that it is in bounds first.
            */
            if(!inBounds(start, end, rel_ptr))
            {
                DEBUG_WRAP(DebugMessage(DEBUG_ASN1, "[*] ASN.1 bounds "
                           "check failed for rel_ptr.\n"););
                return 0;
            }

            if(!inBounds(start, end, rel_ptr+ctxt->offset))
            {
                DEBUG_WRAP(DebugMessage(DEBUG_ASN1, "[*] ASN.1 bounds "
                           "check failed rel_ptr+offset.\n"););
                return 0;
            }

            offset = rel_ptr+ctxt->offset;
            break;

        case ABS_OFFSET:
        default:
            if(!inBounds(start, end, start+ctxt->offset))
            {
                DEBUG_WRAP(DebugMessage(DEBUG_ASN1, "[*] ASN.1 bounds "
                           "check failed.\n"););
                return 0;
            }

            offset = start+ctxt->offset;
            break;
    }

    /*
    **  Final Check.  We are good to go now.
    */
    if(!inBounds(start,end,offset))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_ASN1, "[*] ASN.1 bounds "
                   "check failed.\n"););
        return 0;
    }

    /*
    **  Set size for asn1_decode().  This should never be -1 since
    **  we do the previous in bounds check.
    */
    size = end - offset;

    iRet = asn1_decode(offset, size, &asn1);
    if(iRet && !asn1)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_ASN1, "[*] ASN.1 decode failed "
                   "miserably.\n"););
        return 0;
    }

    /*
    **  Let's do detection now.
    */
    return Asn1DetectFuncs(asn1, ctxt, iRet);
}