/* * QuickTime JPEG Huffman Table Integer Underflow * * Copyright (C) 2006 Sourcefire, Inc. All Rights Reserved * * Writen by Alex Kirk, Sourcefire VRT <akirk@sourcefire.com> * * This file may contain proprietary rules that were created, tested and * certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as * rules that were created by Sourcefire and other third parties and * distributed under the GNU General Public License (the "GPL Rules"). The * VRT Certified Rules contained in this file are the property of * Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. * The GPL Rules created by Sourcefire, Inc. are the property of * Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights * Reserved. All other GPL Rules are owned and copyrighted by their * respective owners (please see www.snort.org/contributors for a list of * owners and their respective copyrights). In order to determine what * rules are VRT Certified Rules or GPL Rules, please refer to the VRT * Certified Rules License Agreement. 
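*/
#include "sf_snort_plugin_api.h"
#include "sf_snort_packet.h"

/* declare detection functions */
int ruleQUICKTIMEJPEGeval(void *p);

/* declare rule data structures */
/* precompile the stuff that needs pre-compiled */

/* flow:established,to_client; */
static FlowFlags ruleQUICKTIMEJPEGflow0 = {
    FLOW_ESTABLISHED | FLOW_TO_CLIENT
};

static RuleOption ruleQUICKTIMEJPEGoption0 = {
    OPTION_TYPE_FLOWFLAGS,
    { &ruleQUICKTIMEJPEGflow0 }
};

/* flowbits:isset,http.jpeg; */
static FlowBitsInfo ruleQUICKTIMEJPEGflow1 = {
    "http.jpeg",    /* name of flowbit */
    FLOWBIT_ISSET,  /* operation */
    0,              /* id - set internally by Snort */
    0               /* flags - compatibility only, unused */
};

static RuleOption ruleQUICKTIMEJPEGoption1 = {
    OPTION_TYPE_FLOWBIT,
    { &ruleQUICKTIMEJPEGflow1 }
};

// content:"|FF C2|";  -- JPEG SOF2 marker, must precede the DHT segment
static ContentInfo ruleQUICKTIMEJPEGcontent2 = {
    (u_int8_t *)"|FF C2|",  /* pattern (now in snort content format) */
    0,                      /* depth */
    0,                      /* offset */
    CONTENT_BUF_NORMALIZED, /* flags */
    // XXX - need to add CONTENT_FAST_PATTERN support
    NULL,                   /* holder for boyer/moore PTR */
    NULL,                   /* more holder info - byteform */
    0                       /* byteform length */
};

static RuleOption ruleQUICKTIMEJPEGoption2 = {
    OPTION_TYPE_CONTENT,
    { &ruleQUICKTIMEJPEGcontent2 }
};

// content:"|FF C4|";  -- JPEG DHT (Define Huffman Table) marker
static ContentInfo ruleQUICKTIMEJPEGcontent3 = {
    (u_int8_t *)"|FF C4|",  /* pattern (now in snort content format) */
    0,                      /* depth */
    0,                      /* offset */
    CONTENT_BUF_NORMALIZED, /* flags */
    // XXX - need to add CONTENT_FAST_PATTERN support
    NULL,                   /* holder for boyer/moore PTR */
    NULL,                   /* more holder info - byteform */
    0                       /* byteform length */
};

static RuleOption ruleQUICKTIMEJPEGoption3 = {
    OPTION_TYPE_CONTENT,
    { &ruleQUICKTIMEJPEGcontent3 }
};

/*
 * Relative cursor moves used by ruleQUICKTIMEJPEGeval ({ offset, flags }).
 * Each one is used both to bounds-check (checkCursor) and to advance
 * (setCursor) the cursor relative to its current position.
 *
 *  cursorInfo1:  3 -- 2-byte segment length (Lh) plus the byte that follows
 *                     it (presumably the table class/id byte of the first table)
 *  cursorInfo2: 17 -- 16 code-count bytes plus one trailing byte
 *  cursorInfo3:  1 -- skip that trailing byte
 */
static CursorInfo cursorInfo1 = {
    3,
    CONTENT_BUF_RAW | CONTENT_RELATIVE
};

static CursorInfo cursorInfo2 = {
    17,
    CONTENT_BUF_RAW | CONTENT_RELATIVE
};

static CursorInfo cursorInfo3 = {
    1,
    CONTENT_BUF_RAW | CONTENT_RELATIVE
};

static RuleOption ruleQUICKTIMEJPEGoption4 = {
    OPTION_TYPE_CURSOR,
    { &cursorInfo1 }
};

static RuleOption ruleQUICKTIMEJPEGoption5 = {
    OPTION_TYPE_CURSOR,
    { &cursorInfo2 }
};

static RuleOption ruleQUICKTIMEJPEGoption6 = {
    OPTION_TYPE_CURSOR,
    { &cursorInfo3 }
};

/* references for ruleid QUICKTIMEJPEG */
static RuleReference ruleQUICKTIMEJPEGref1 = {
    "cve",          /* type */
    "2005-0903"     /* value XXX - update me */
};

static RuleReference ruleQUICKTIMEJPEGref2 = {
    "bugtraq",      /* type */
    "12905"         /* value XXX - update me */
};

static RuleReference *ruleQUICKTIMEJPEGrefs[] = {
    &ruleQUICKTIMEJPEGref1,
    &ruleQUICKTIMEJPEGref2,
    NULL
};

/*
 * Option table, indexed by ruleQUICKTIMEJPEGeval. The index of each entry
 * is what the eval function relies on, so keep the order in sync with it.
 */
RuleOption *ruleQUICKTIMEJPEGoptions[] = {
    &ruleQUICKTIMEJPEGoption0,  /* [0] flow */
    &ruleQUICKTIMEJPEGoption1,  /* [1] flowbits */
    &ruleQUICKTIMEJPEGoption2,  /* [2] content FF C2 */
    &ruleQUICKTIMEJPEGoption3,  /* [3] content FF C4 */
    &ruleQUICKTIMEJPEGoption4,  /* [4] cursor +3 */
    &ruleQUICKTIMEJPEGoption5,  /* [5] cursor +17 */
    &ruleQUICKTIMEJPEGoption6,  /* [6] cursor +1 */
    NULL
};

/*
 * No ByteExtract option is registered: the 16-bit DHT segment length is
 * read directly from the cursor inside ruleQUICKTIMEJPEGeval.
 */

Rule ruleQUICKTIMEJPEG = {
    /* rule header, akin to => tcp any any -> any any */
    {
        IPPROTO_TCP,    /* proto */
        EXTERNAL_NET,   /* SRCIP */
        "$HTTP_PORTS",  /* SRCPORT */
        0,              /* DIRECTION */
        HOME_NET,       /* DSTIP */
        "any",          /* DSTPORT */
    },
    /* metadata */
    {
        3,              /* genid (HARDCODED!!!) */
        10126,          /* sigid 2bbe974d-876c-4597-80f5-253cd203c7cc */
        3,              /* revision 8d7023c7-4ca6-49f5-afe2-da5810f8505b */
        "misc-attack",  /* classification */
        0,              /* hardcoded priority XXX NOT PROVIDED BY GRAMMAR YET! */
        "WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt", /* message */
        ruleQUICKTIMEJPEGrefs /* ptr to references */
#ifdef HAS_METADATA
        ,NULL
#endif
    },
    ruleQUICKTIMEJPEGoptions,   /* ptr to rule options */
    &ruleQUICKTIMEJPEGeval,     /* use the built in detection function */
    0,                          /* am I initialized yet? */
    0,                          /* number of options */
    0,                          /* don't alert */
    NULL                        /* ptr to internal data... setup during rule registration */
};

/* detection functions */

/*
 * Detection function for sid 10126 (QuickTime JPEG Huffman table underflow).
 *
 * After the flow, flowbit and the two content matches succeed, the cursor
 * sits just past the FF C4 marker. The function reads the 2-byte big-endian
 * segment length, subtracts the fixed overhead of the first table (19 bytes:
 * 2 length + 1 class/id + 16 code counts) and then, for up to four tables,
 * subtracts the sum of the 16 code-count bytes. If any of those subtractions
 * would go below zero the length field is too small for the data it claims
 * to describe and the rule matches.
 *
 * Underflow is tracked with an explicit flag instead of letting the unsigned
 * subtraction wrap and reinterpreting the result as int32_t at the end; the
 * two are equivalent here because the total subtracted (19 + 4 * 16 * 255)
 * is far below 2^31, but the flag does not depend on the signed conversion.
 *
 * NOTE(review): the walk never skips the symbol bytes that, per the JPEG DHT
 * layout, follow each block of 16 counts (l_size of them). Tables after the
 * first are therefore read at the wrong offset whenever the first table has
 * any symbols; confirm whether that is intended as a heuristic. A variable
 * cursor advance would also need a bounds check with a computed offset, which
 * the fixed CursorInfo structures above cannot express.
 *
 * p:       opaque Snort packet handle, passed straight through to the API.
 * returns: RULE_MATCH when the segment length underflows; RULE_NOMATCH
 *          otherwise, including whenever a checkCursor() call reports that
 *          the packet is too short to finish the walk (fail closed).
 */
int ruleQUICKTIMEJPEGeval(void *p)
{
    const u_int8_t *cursor = 0;

    // flow:established,to_client;
    if (checkFlow(p, ruleQUICKTIMEJPEGoptions[0]->option_u.flowFlags) <= 0) {
        return RULE_NOMATCH;
    }

    // flowbits:isset,http.jpeg;
    if (processFlowbits(p, ruleQUICKTIMEJPEGoptions[1]->option_u.flowBit) <= 0) {
        return RULE_NOMATCH;
    }

    // content:"|FF C2|";
    if (contentMatch(p, ruleQUICKTIMEJPEGoptions[2]->option_u.content, &cursor) <= 0) {
        return RULE_NOMATCH;
    }

    // content:"|FF C4|";
    if (contentMatch(p, ruleQUICKTIMEJPEGoptions[3]->option_u.content, &cursor) <= 0) {
        return RULE_NOMATCH;
    }

    // Ensure we don't walk off the end of the packet: need the 2 length
    // bytes (and the byte after them) before dereferencing the cursor.
    if (!checkCursor(p, ruleQUICKTIMEJPEGoptions[4]->option_u.cursor, cursor)) {
        return RULE_NOMATCH;
    }

    // byte_extract: 2, relative;  -- big-endian segment length Lh
    u_int32_t huffman_size = ((u_int32_t)cursor[0] << 8) | cursor[1];

    // Fixed overhead of the first table: 2 length + 1 class/id + 16 counts.
    int underflow = huffman_size < 19;
    huffman_size -= 19;

    // Step over the length field and the following byte (cursorInfo1).
    setCursor(p, ruleQUICKTIMEJPEGoptions[4]->option_u.cursor, &cursor);

    for (int table = 0; table < 4; table++) {
        // Ensure we don't walk off the end of the packet (16 counts + 1 byte).
        if (!checkCursor(p, ruleQUICKTIMEJPEGoptions[5]->option_u.cursor, cursor)) {
            return RULE_NOMATCH;
        }

        /* Sum the 16 code-count bytes. Go ahead and dereference cursor
         * instead of using extractValue, for better performance. */
        u_int32_t l_size = 0;
        for (int i = 0; i < 16; i++) {
            l_size += *cursor++;
        }

        // The counts claim more data than the segment has left.
        if (l_size > huffman_size) {
            underflow = 1;
        }
        huffman_size -= l_size;

        // Segment exactly consumed: nothing left to underflow.
        if (huffman_size == 0) {
            return RULE_NOMATCH;
        }

        // Skip the single byte after the counts (cursorInfo3).
        setCursor(p, ruleQUICKTIMEJPEGoptions[6]->option_u.cursor, &cursor);
    }

    return underflow ? RULE_MATCH : RULE_NOMATCH;
}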