Security #2427


Suricata 3.x.x and 4.x.x do not parse HTTP responses if tcp data was sent before 3-way-handshake completed

Added by ajaxtpm ajaxtpm over 6 years ago. Updated almost 4 years ago.

Target version:
Affected Versions:
Git IDs:


Disclosure Date:


If we break a normal tcp packets flow order and send data before client sends ACK packet and thus complete tcp 3whs then both currently active Suricata versions will not recognize it as HTTP response data. The impact is a complete http response signatures bypass - if an attacker is close to a web client enough he can spoof http response from a legitimate server and send an exploit payload instead of legitimate one and this attack will no be detected by IDS signatures.

Such TCP packets scheme looks as the following:

Client    ->  [SYN] [Seq=0 Ack= 0]           ->  Evil Server     # Client starts a TCP 3-way handshake
Client    <-  [SYN, ACK] [Seq=0 Ack= 1]      <-  Evil Server     # Server responses as it should, but ...
Client    <-  [PSH, ACK] [Seq=1 Ack= 1]      <-  Evil Server     # It sends HTTP response before the 3whs is completed
Client    <-  [FIN, ACK] [Seq=83 Ack= 1]     <-  Evil Server     # Moreover it finishes TCP session 
Client    ->  [ACK] [Seq=1 Ack= 84]          ->  Evil Server     # Client finishes TCP 3whs by sending ACK packet and confirms data from server
Client    ->  [PSH, ACK] [Seq=1 Ack= 84]     ->  Evil Server     # Then it sends a HTTP GET request as nothing wrong happened

In spite of broken TCP flow client accepts "injected" data from server and process it as a normal HTTP Response. Browsers and cli tools like wget/curl were confirmed to process this normally.

If we apply the following signatures agains PCAP file in attachment:

alert tcp any any -> any any (msg: "TCP BEEN RULE"; content: "been"; sid: 5; )
alert http any any -> any any (msg: "HTTP BEEN RULE"; content: "been"; sid: 6; )
alert tcp any any -> any any (msg: "TCP GET RULE"; content: "GET"; sid: 7; )
alert http any any -> any any (msg: "HTTP GET RULE"; content: "GET"; sid: 8; )

We will see only sids 5, 7 and 8 in alerts log file.

Also we see no sid 2260001 alert ("SURICATA Applayer Wrong direction first Data") there.


test.pcap (7.24 KB) test.pcap example of broken tcp flow ajaxtpm ajaxtpm, 01/25/2018 11:38 AM

Also available in: Atom PDF