Bug #3615: Protocol detection evasion by packet splitting - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #3615

closed

Protocol detection evasion by packet splitting

Added by Philippe Antoine over 4 years ago. Updated over 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

6.0.0beta1

Affected Versions:

5.0.2

Effort:

Difficulty:

Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21462

Output of fuzz target gives :
Assertion failure : With input length 24, found enip instead of dns
on attached input

Files

clusterfuzz-testcase-minimized-fuzz_applayerprotodetectgetproto-5121705677946880.fuzz (34 Bytes) clusterfuzz-testcase-minimized-fuzz_applayerprotodetectgetproto-5121705677946880.fuzz

Philippe Antoine, 04/06/2020 03:19 PM

Related issues 3 (0 open — 3 closed)

Actions

Copy link

Updated by Philippe Antoine over 4 years ago

Patch could be to improve the ENIP probing parser

diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index 282294536..b9e3b32db 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -393,8 +393,24 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
         SCLogDebug("length too small to be a ENIP header");
         return ALPROTO_UNKNOWN;
     }
-
-    return ALPROTO_ENIP;
+    uint16_t cmd;
+    ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
+                      (const uint8_t *) (input));
+    switch(cmd) {
+            //fallthrough
+        case NOP:
+        case LIST_SERVICES:
+        case LIST_IDENTITY:
+        case LIST_INTERFACES:
+        case REGISTER_SESSION:
+        case UNREGISTER_SESSION:
+        case SEND_RR_DATA:
+        case SEND_UNIT_DATA:
+        case INDICATE_STATUS:
+        case CANCEL:
+            return ALPROTO_ENIP;
+    }
+    return ALPROTO_FAILED;
 }

 /**

Actions

Copy link