Project

General

Profile

Actions

Security #6441

closed

detect: heap use after free with http.request_header keyword

Added by Philippe Antoine 12 months ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

bc422c17d6961f03f673f2999a949913e89fc2d0

Severity:
CRITICAL
Disclosure Date:

Description

Reproducer is with rules from #6415

alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Host"; fast_pattern; classtype:web-application-attack; sid:41; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:42; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:43; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:44; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:45; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:46; rev:1;)

Problem is that multi-buffer http.request_header sets up different InspectionBuffer all pointing to the same HttpHeaderBuffer which can get reallocated if a new header is bigger than 1024 cf HttpHeaderExpandBuffer


Files

lol.pcap (1.66 KB) lol.pcap Philippe Antoine, 11/07/2023 07:52 AM

Subtasks 1 (0 open1 closed)

Security #6657: detect: heap use after free with http.request_header keyword (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 3 (0 open3 closed)

Related to Suricata - Bug #6415: http.header, http.header.raw and http.request_header buffers not populated when malformed header value existsClosedPhilippe AntoineActions
Related to Suricata - Bug #6736: http.request_header and http.response_header behavior with HTTP1 trafficClosedPhilippe AntoineActions
Related to Suricata - Bug #6483: http.request_headers - odd behavior with multiple signtures ClosedPhilippe AntoineActions
Actions #1

Updated by Philippe Antoine 12 months ago

To assess severity, we need to check the scope : maybe this can be abused for other keywords than http.request_header (and response header)

Actions #2

Updated by Philippe Antoine 12 months ago

Stack trace is

==11146==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000010490 at pc 0x0001088b0630 bp 0x7ff7b7af71b0 sp 0x7ff7b7af71a8
READ of size 1 at 0x619000010490 thread T0
    #0 0x1088b062f in BMScan util-spm-bm.c:459
    #1 0x1085d35a8 in DetectEngineContentInspection detect-engine-content-inspection.c:294
    #2 0x108645364 in DetectEngineInspectHttp1Header detect-http-header.c:709
    #3 0x1085653af in DetectRun detect.c:160
    #4 0x1085600b5 in Detect detect.c
    #5 0x1086f14d7 in FlowWorker flow-worker.c:626
    #6 0x10840ba7a in LLVMFuzzerTestOneInput fuzz_sigpcap.c:183
    #7 0x108e54510 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:614
    #8 0x108e3f144 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) FuzzerDriver.cpp:324
    #9 0x108e44aa9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:859
    #10 0x108e71482 in main FuzzerMain.cpp:20
    #11 0x7ff80b7d33a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)

0x619000010490 is located 16 bytes inside of 1024-byte region [0x619000010480,0x619000010880)
freed by thread T0 here:
    #0 0x10a6fcf02 in realloc+0xa2 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xe0f02)
    #1 0x108871578 in SCReallocFunc util-mem.c:46
    #2 0x1086481c6 in HttpHeaderExpandBuffer detect-http-header-common.c:90
    #3 0x1086479d7 in GetHttp1HeaderData detect-http-header.c:616
    #4 0x108647441 in PrefilterTxHttp1Header detect-http-header.c:655
    #5 0x10860250b in DetectRunPrefilterTx detect-engine-prefilter.c:121
    #6 0x108563e4b in DetectRun detect.c:160
    #7 0x1085600b5 in Detect detect.c
    #8 0x1086f14d7 in FlowWorker flow-worker.c:626
    #9 0x10840ba7a in LLVMFuzzerTestOneInput fuzz_sigpcap.c:183
    #10 0x108e54510 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:614
    #11 0x108e3f144 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) FuzzerDriver.cpp:324
    #12 0x108e44aa9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:859
    #13 0x108e71482 in main FuzzerMain.cpp:20
    #14 0x7ff80b7d33a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)

previously allocated by thread T0 here:
    #0 0x10a6fcf02 in realloc+0xa2 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xe0f02)
    #1 0x108871578 in SCReallocFunc util-mem.c:46
    #2 0x108647fe6 in HttpHeaderThreadDataInit detect-http-header-common.c:69
    #3 0x1085c824c in ThreadCtxDoInit detect-engine.c:3282
    #4 0x1085c909a in DetectEngineThreadCtxInitForReload detect-engine.c:3398
    #5 0x10840b66f in LLVMFuzzerTestOneInput fuzz_sigpcap.c:139
    #6 0x108e54510 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:614
    #7 0x108e3f144 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) FuzzerDriver.cpp:324
    #8 0x108e44aa9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:859
Actions #3

Updated by Philippe Antoine 12 months ago

  • Status changed from New to In Review

Gitlab

Actions #4

Updated by Victor Julien 12 months ago

  • Target version changed from 7.0.3 to 8.0.0-beta1
Actions #5

Updated by Victor Julien 10 months ago

  • Severity changed from MODERATE to CRITICAL

Can be triggered by evil client or evil server if rules with http.request_header or http.response_header are present, so CRITICAL.

Actions #6

Updated by Victor Julien 10 months ago

  • Label Needs backport to 7.0 added
Actions #7

Updated by OISF Ticketbot 10 months ago

  • Subtask #6657 added
Actions #8

Updated by OISF Ticketbot 10 months ago

  • Label deleted (Needs backport to 7.0)
Actions #9

Updated by Philippe Antoine 9 months ago

  • Related to Bug #6415: http.header, http.header.raw and http.request_header buffers not populated when malformed header value exists added
Actions #10

Updated by Victor Julien 9 months ago

  • Status changed from In Review to Resolved
  • CVE set to 2024-23839
Actions #11

Updated by Victor Julien 9 months ago

  • Related to Bug #6736: http.request_header and http.response_header behavior with HTTP1 traffic added
Actions #12

Updated by Philippe Antoine 9 months ago

  • Status changed from Resolved to Closed
  • Git IDs updated (diff)
Actions #13

Updated by Philippe Antoine 9 months ago

  • Related to Bug #6483: http.request_headers - odd behavior with multiple signtures added
Actions #14

Updated by Victor Julien 8 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF