Project

General

Profile

Actions

Bug #3615

closed

Protocol detection evasion by packet splitting

Added by Philippe Antoine over 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21462

Output of fuzz target gives :
Assertion failure : With input length 24, found enip instead of dns
on attached input


Files


Related issues 3 (0 open3 closed)

Copied to Suricata - Bug #3671: Protocol detection evasion by packet splittingClosedVictor JulienActions
Copied to Suricata - Bug #3674: Protocol detection evasion by packet splittingClosedVictor JulienActions
Copied to Suricata - Bug #3689: Protocol detection evasion by packet splitting on enip/nfsClosedPhilippe AntoineActions
Actions #1

Updated by Philippe Antoine over 4 years ago

Patch could be to improve the ENIP probing parser

diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index 282294536..b9e3b32db 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -393,8 +393,24 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
         SCLogDebug("length too small to be a ENIP header");
         return ALPROTO_UNKNOWN;
     }
-
-    return ALPROTO_ENIP;
+    uint16_t cmd;
+    ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
+                      (const uint8_t *) (input));
+    switch(cmd) {
+            //fallthrough
+        case NOP:
+        case LIST_SERVICES:
+        case LIST_IDENTITY:
+        case LIST_INTERFACES:
+        case REGISTER_SESSION:
+        case UNREGISTER_SESSION:
+        case SEND_RR_DATA:
+        case SEND_UNIT_DATA:
+        case INDICATE_STATUS:
+        case CANCEL:
+            return ALPROTO_ENIP;
+    }
+    return ALPROTO_FAILED;
 }

 /**
Actions #2

Updated by Victor Julien over 4 years ago

  • Affected Versions 5.0.2 added
  • Affected Versions deleted (5.0.3)
Actions #3

Updated by Victor Julien over 4 years ago

  • Status changed from New to In Review
  • Assignee set to Philippe Antoine
Actions #4

Updated by Philippe Antoine over 4 years ago

  • Target version changed from 6.0.0beta1 to 5.0.3
Actions #5

Updated by Philippe Antoine over 4 years ago

  • Label Needs backport to 4.1 added
Actions #6

Updated by Jeff Lucovsky over 4 years ago

  • Copied to Bug #3671: Protocol detection evasion by packet splitting added
Actions #7

Updated by Victor Julien over 4 years ago

  • Target version changed from 5.0.3 to 6.0.0beta1
Actions #8

Updated by Victor Julien over 4 years ago

  • Copied to Bug #3674: Protocol detection evasion by packet splitting added
Actions #10

Updated by Victor Julien over 4 years ago

  • Label deleted (Needs backport to 4.1)
Actions #11

Updated by Philippe Antoine over 4 years ago

  • Copied to Bug #3689: Protocol detection evasion by packet splitting on enip/nfs added
Actions #12

Updated by Jeff Lucovsky almost 4 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF