📄 dos_tivoli-director-bind-string-overflow.c

📁 This is the snapshot of Snot Latest Rules
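/*
 * MISC IBM Tivoli director invalid DN message buffer overflow attempt
 *
 * Copyright (C) 2007 Sourcefire, Inc. All Rights Reserved
 *
 * Written by Patrick Mullen <pmullen@sourcefire.com>
 *
 * This file may contain proprietary rules that were created, tested and
 * certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
 * rules that were created by Sourcefire and other third parties and
 * distributed under the GNU General Public License (the "GPL Rules").  The
 * VRT Certified Rules contained in this file are the property of
 * Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
 * The GPL Rules created by Sourcefire, Inc. are the property of
 * Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
 * Reserved.  All other GPL Rules are owned and copyrighted by their
 * respective owners (please see www.snort.org/contributors for a list of
 * owners and their respective copyrights).  In order to determine what
 * rules are VRT Certified Rules or GPL Rules, please refer to the VRT
 * Certified Rules License Agreement.
 */

#include "sf_snort_plugin_api.h"
#include "sf_snort_packet.h"
#include "dos_ber.h"

/* declare detection functions */
int ruleTIVOLI_LDAP_BIND_DN_OVERFLOWeval(void *p);

/* External references attached to the alert (vendor advisory, CVE, BID). */
static RuleReference ruleTIVOLI_LDAP_BIND_DN_OVERFLOWref0 = {
    "url", /* type */
    "www-1.ibm.com/support/docview.wss?uid=swg21230820" /* value */
};

static RuleReference ruleTIVOLI_LDAP_BIND_DN_OVERFLOWref1 = {
    "cve", /* type */
    "2006-0717"
};

static RuleReference ruleTIVOLI_LDAP_BIND_DN_OVERFLOWref2 = {
    "bugtraq", /* type */
    "16593"
};

/* NULL-terminated reference list consumed by the rule metadata below. */
static RuleReference *ruleTIVOLI_LDAP_BIND_DN_OVERFLOWrefs[] = {
    &ruleTIVOLI_LDAP_BIND_DN_OVERFLOWref0,
    &ruleTIVOLI_LDAP_BIND_DN_OVERFLOWref1,
    &ruleTIVOLI_LDAP_BIND_DN_OVERFLOWref2,
    NULL
};

/* Only inspect client->server traffic on an established connection. */
static FlowFlags ruleTIVOLI_LDAP_BIND_DN_OVERFLOWflow = {
    FLOW_ESTABLISHED|FLOW_TO_SERVER
};

static RuleOption ruleTIVOLI_LDAP_BIND_DN_OVERFLOWoption0 = {
    OPTION_TYPE_FLOWFLAGS,
    {
        &ruleTIVOLI_LDAP_BIND_DN_OVERFLOWflow
    }
};

/* Fast-pattern anchor: the LDAPMessage must start with a BER SEQUENCE (0x30)
 * at offset 0 (depth 1). */
static ContentInfo ruleTIVOLI_LDAP_BIND_DN_OVERFLOWcontent = {
    (u_int8_t *)"|30|",     /* pattern to search for */
    1,                      /* depth */
    0,                      /* offset */
    0,                      /* flags */
    NULL,                   /* holder for boyer/moore info */
    NULL,                   /* holder for byte representation of the pattern */
    0,                      /* holder for length of byte representation */
    0                       /* holder of increment length */
};

static RuleOption ruleTIVOLI_LDAP_BIND_DN_OVERFLOWoption1 = {
    OPTION_TYPE_CONTENT,
    {
        &ruleTIVOLI_LDAP_BIND_DN_OVERFLOWcontent
    }
};

/* Option order matters: the eval function indexes [0] as flow and [1] as
 * content. */
RuleOption *ruleTIVOLI_LDAP_BIND_DN_OVERFLOWoptions[] = {
    &ruleTIVOLI_LDAP_BIND_DN_OVERFLOWoption0,
    &ruleTIVOLI_LDAP_BIND_DN_OVERFLOWoption1,
    NULL
};

Rule ruleTIVOLI_LDAP_BIND_DN_OVERFLOW = {
    /* rule header */
    {
        IPPROTO_TCP, /* proto */
        "any", /* SRCIP     */
        "any", /* SRCPORT   */
        0, /* DIRECTION */
        HOME_NET, /* DSTIP     */
        "389", /* DSTPORT   */
    },
    /* metadata */
    {
        3,  /* genid (HARDCODED!!!) */
        13418, /* sigid f65693a2-8c00-47a2-8e41-5513e47cb519 */
        1, /* revision adac787d-3f34-4f4b-95d6-d1c0c1f417d4 */
        "attempted-dos", /* classification, generic */
        0,  /* hardcoded priority XXX NOT PROVIDED BY GRAMMAR YET! */
        "DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt",     /* message */
        ruleTIVOLI_LDAP_BIND_DN_OVERFLOWrefs /* ptr to references */
#ifdef HAS_METADATA
        ,NULL
#endif
    },
    ruleTIVOLI_LDAP_BIND_DN_OVERFLOWoptions, /* ptr to rule options */
    &ruleTIVOLI_LDAP_BIND_DN_OVERFLOWeval, /* ptr to rule detection function */
    0, /* am I initialized yet? */
    0, /* number of options */
    0  /* don't alert */
};

/* detection functions */

/*
 * Detection function for ruleTIVOLI_LDAP_BIND_DN_OVERFLOW.
 *
 * Walks the BER encoding of an LDAP BindRequest as seen in the code below:
 *   SEQUENCE (0x30) { INTEGER messageID (0x02),
 *                     [APPLICATION 0] BindRequest (0x60) {
 *                         INTEGER version (0x02), OCTET STRING name (0x04) ... } }
 * and alerts when the encoded length of the name (DN) exceeds 0xFFFF, or when
 * ber_get_element() reports -2, which this file documents as a length field
 * larger than 0xFFFFFFFF.
 *
 * p        SFSnortPacket pointer handed over by the engine as void *.
 * returns  RULE_MATCH on detection, RULE_NOMATCH otherwise (including on any
 *          parse failure or truncated payload).
 */
int ruleTIVOLI_LDAP_BIND_DN_OVERFLOWeval(void *p)
{
    /* Signed on purpose: the ber_get_* helpers signal errors with negative
     * values (this file itself tests for -2).  With the previous u_int32_t
     * declaration every "retval < 0" test was constant-false, so parse
     * errors were silently ignored.  Assumes dos_ber.h declares these
     * helpers as returning int. */
    int retval;
    u_int32_t size_len, size;
    const u_int8_t *cursor_normal, *end_of_payload;
    SFSnortPacket *sp = (SFSnortPacket *) p;
    BER_ELEMENT element;

    if (sp == NULL)
        return RULE_NOMATCH;

    if (sp->payload == NULL)
        return RULE_NOMATCH;

    if (sp->payload_size < 16)   /* Minimum exploit request length */
        return RULE_NOMATCH;

    /* Derived only after sp and sp->payload are known to be valid; the
     * original computed it before the NULL checks. */
    end_of_payload = sp->payload + sp->payload_size;

    /* call flow match */
    if (checkFlow(sp, ruleTIVOLI_LDAP_BIND_DN_OVERFLOWoptions[0]->option_u.flowFlags) <= 0)
        return RULE_NOMATCH;

    /* call content match */
    if (contentMatch(sp, ruleTIVOLI_LDAP_BIND_DN_OVERFLOWoptions[1]->option_u.content, &cursor_normal) <= 0)
        return RULE_NOMATCH;

    /* contentMatch already assures us the first byte is \x30, so the cursor
     * points at the outer SEQUENCE length.  The ber_get_* helpers receive the
     * packet and presumably bound their own reads; the end_of_payload guards
     * below are a cheap second line of defence against walking past the
     * payload on a truncated message. */
    if (cursor_normal >= end_of_payload)
        return RULE_NOMATCH;

    retval = ber_get_size(p, cursor_normal, &size_len, &size);
    if (retval < 0)
        return RULE_NOMATCH;
    cursor_normal += size_len;

    /* Message number (only care about width of the specifier).
     * retval is tested before element is read: on failure the element
     * contents are not guaranteed to have been filled in. */
    if (cursor_normal >= end_of_payload)
        return RULE_NOMATCH;

    retval = ber_get_element(p, cursor_normal, &element);
    if (retval < 0 || element.type != 0x02)
        return RULE_NOMATCH;
    cursor_normal += element.total_len;

    /* bind request */
    if (cursor_normal >= end_of_payload)
        return RULE_NOMATCH;

    retval = ber_get_element(p, cursor_normal, &element);
    if (retval < 0 || element.type != 0x60)
        return RULE_NOMATCH;

    /* We're inside the bind request.  Now we need to parse the internals. */
    cursor_normal = element.data.data_ptr;
    if (cursor_normal == NULL || cursor_normal >= end_of_payload)
        return RULE_NOMATCH;

    /* Skip over the LDAP version */
    retval = ber_get_element(p, cursor_normal, &element);
    if (retval < 0 || element.type != 0x02)
        return RULE_NOMATCH;
    cursor_normal += element.total_len;

    /* Here is the actual exploit detection.  Technically, the exploit is
     * for when the string length is exactly 0xFFFFFFFF bytes long, which
     * results in an integer overflow.  However, we're going to be more
     * stringent and mirror what we do for Domino and flag if the string is
     * longer than 0xFFFF bytes long.  Why would a DN be more than 65k bytes? */
    if (cursor_normal >= end_of_payload)
        return RULE_NOMATCH;

    retval = ber_get_element(p, cursor_normal, &element);

    /* retval == -2 means element data is > 0xFFFFFFFF bytes long; that is a
     * detection, not a parse failure, so it is the one negative value we
     * keep processing. */
    if (retval < 0 && retval != -2)
        return RULE_NOMATCH;

    if (element.type != 0x04)
        return RULE_NOMATCH;

    if (element.data_len > 0xFFFF || retval == -2)
        return RULE_MATCH;

    return RULE_NOMATCH;
}

/*
Rule *rules[] = {
    &ruleTIVOLI_LDAP_BIND_DN_OVERFLOW,
    NULL
};
*/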
