Bug #6 (closed)
The Logging subsystem does not perform proper bounds checking on msg strings
Description
Bug moved from bugzilla.
patch to display sigstr on signature parse failure
It appears as if the logging subsystem does not perform proper bounds checking
on strings passed to the various logging interfaces that are larger than
SC_LOG_MAX_LOG_FORMAT_LEN.
I discovered this when adding a run-time option to display a signature to a
user when parsing of the signature failed. As you can see in the gdb output,
eip and ebp get overwritten with our series of A's. Attached is the patch to
display the sigstr for testing.
Rules that can trigger this...
alert tcp any -> $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA any (msg:"SCLog Buffer overflow test"; sid: 1;)
alert ip $HOME_NET any -> [112.141.90.7,113.212.114.8,113.34.82.17,115.146.18.137,115.146.19.233,12.204.121.73,12.31.165.81,12.31.165.82,122.144.2.20,122.155.6.185,122.155.6.186,123.164.66.39,123.242.183.2,124.158.128.129,124.40.3.92,125.160.17.71,125.160.17.72,125.87.1.88,128.121.20.113,128.194.112.48,128.237.157.136,128.39.2.28,129.125.101.62,130.237.188.200,130.237.188.216,130.240.22.201,137.82.84.68,140.211.166.64,141.213.238.252,145.89.150.59,145.97.193.206,147.32.127.200,148.208.212.232,148.245.157.217,149.9.1.16,151.189.0.165,158.36.131.20,158.38.8.251,163.22.73.7,173.45.226.241,174.129.201.145,174.129.231.136,174.132.181.27,174.132.181.28,174.132.242.67,174.133.157.214,174.133.173.90,174.133.57.54,174.137.57.29,174.138.58.102,174.143.208.107,174.143.212.148,174.143.240.27,174.34.187.34,174.34.187.36,174.34.187.37,174.34.187.46,188.40.228.228,188.40.240.35,188.40.240.42] any (msg:"ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405000; rev:1631; fwsam: dst, 30 days;)
Output...
16/9/2009 -- 16:55:09 - (detect-parse.c:550) <Info> -- SigInit: alert tcp any
->
$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
GDB output...
[root@seclap oisfnew]# gdb -q src/eidps core.32739
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libpcap.so.0.9.7...Reading symbols from
/usr/lib/debug/usr/lib/libpcap.so.0.9.7.debug...done.
done.
Loaded symbols for /usr/lib/libpcap.so.0.9.7
Reading symbols from /usr/lib/libpfring.so...Reading symbols from
/usr/lib/debug/usr/lib/libpfring.so.debug...done.
done.
Loaded symbols for /usr/lib/libpfring.so
Reading symbols from /usr/local/lib/libnet.so.1...done.
Loaded symbols for /usr/local/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.0...done.
Loaded symbols for /lib/libpcre.so.0
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `src/eidps -i eth1 -s blah.rules -l ./ --display-sig-on-fail'.
Program terminated with signal 11, Segmentation fault.
[New process 32739]
#0 0x41414141 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x1 1
edx 0x98 152
ebx 0x41414141 1094795585
esp 0xbf9201b0 0xbf9201b0
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0xc040007b -1069547397
fs 0x0 0
gs 0x33 51
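The defect described in this report, as an added C example that is not the project's own code: a log formatter writing into a fixed buffer of SC_LOG_MAX_LOG_FORMAT_LEN bytes, first in the unbounded vsprintf shape the report describes, then with vsnprintf bounds checking and explicit truncation reporting. The constant's value, the function names and the sample signature string are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constant name taken from the report; this value is a constructed assumption. */
#define SC_LOG_MAX_LOG_FORMAT_LEN 128

/* Shape of the defect the report describes (constructed, not the project's
 * code): vsprintf is never told how large `buf` is, so a message longer than
 * SC_LOG_MAX_LOG_FORMAT_LEN (e.g. one carrying a long signature string) runs
 * past the end of the stack buffer and over the saved ebp/eip. Never called. */
void UnsafeLogFormat(char *buf, const char *fmt, va_list ap)
{
    vsprintf(buf, fmt, ap);
}

/* Hardened form: vsnprintf bounds the write to `outlen` and returns the length
 * the full message would have had, which lets the caller detect truncation.
 * Returns 0 if the message fit, 1 if it was truncated (the tail is marked so
 * the operator can see the log line is partial), -1 on a formatting error. */
int SCLogFormatMessage(char *out, size_t outlen, const char *fmt, ...)
{
    if (outlen == 0)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= outlen) {
        const char marker[] = "...[truncated]";
        if (outlen > sizeof(marker))
            memcpy(out + outlen - sizeof(marker), marker, sizeof(marker));
        return 1;
    }
    return 0;
}

/* Constructed input modelled on the report's rule: an address variable of
 * about 400 'A's, far larger than the format buffer. Returns the status of
 * SCLogFormatMessage, i.e. 1 because the message had to be truncated. */
int DemoLongSignature(char *out, size_t outlen)
{
    char sig[420];
    memset(sig, 'A', sizeof(sig) - 1);
    sig[sizeof(sig) - 1] = '\0';
    return SCLogFormatMessage(out, outlen, "SigInit: alert tcp any -> $%s any", sig);
}
```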