Project

General

Profile

Actions

Bug #5223

closed

base64_decode does not populate base64_data buffer once hitting non-base64 chars

Added by Brandon Murphy 8 months ago. Updated 10 days ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

consider the following rules and the attached pcap.

The rules are designed to test the behavior of when non-base64 characters are encountered by the base64_decode.

Pay particular attention to sid:4 and sid:2 where the only difference is how far into the base64 encoded string are decoded.

if the base64_decode was populating the base64_data buffer with data upto the non-base64 char, we expect the first byte of the base64 decoded value (|9d|) to be populated into base64_data

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"base64 decode - no url_decode"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; startswith; sid:1; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"base64 decode - url_decode"; flow:established,to_server; http.cookie; url_decode; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; sid:2; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"base64 decode - no url_decode, proves no base64_data buffer via pcre"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; pcre:"/./"; sid:3; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"base64 decode - no url_decode grab only the first two bytes"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:bytes 2,relative; base64_data; content:"|9e|"; startswith; sid:4; rev:1;)

Files

2bfb4e704fd597e.pcap (474 Bytes) 2bfb4e704fd597e.pcap Brandon Murphy, 06/15/2022 04:24 PM

Subtasks 1 (0 open1 closed)

Bug #5607: base64_decode does not populate base64_data buffer once hitting non-base64 chars (6.0.x backport)ClosedVictor JulienActions
Actions

Also available in: Atom PDF