Bug #5223
closed
base64_decode does not populate base64_data buffer once hitting non-base64 chars
Description
Consider the following rules and the attached pcap.
The rules are designed to test the behavior of base64_decode when non-base64 characters are encountered.
Pay particular attention to sid:4 and sid:2, where the only difference is how much of the base64-encoded string is decoded.
If base64_decode were populating the base64_data buffer with data up to the non-base64 char, we would expect the first byte of the base64-decoded value (|9d|) to be populated into base64_data.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"base64 decode - no url_decode"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; startswith; sid:1; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"base64 decode - url_decode"; flow:established,to_server; http.cookie; url_decode; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; sid:2; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"base64 decode - no url_decode, proves no base64_data buffer via pcre"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; pcre:"/./"; sid:3; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"base64 decode - no url_decode grab only the first two bytes"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:bytes 2,relative; base64_data; content:"|9e|"; startswith; sid:4; rev:1;)
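An added example (not Suricata's code, and not from the reporter) of the decoding behavior the report expects: the base64 run following the content match is decoded up to the first non-base64 byte, with an optional input-byte limit standing in for the keyword's `bytes` option. The cookie value, the `foobar=` marker and the 0x9e leading byte are constructed to mirror the rules above.

```python
import string
from typing import Optional

# Standard base64 alphabet; '=' and anything else outside it ends decoding.
_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
_VALUE = {ord(c): i for i, c in enumerate(_ALPHABET)}


def decode_prefix(buf: bytes, max_bytes: Optional[int] = None) -> bytes:
    """Decode the leading base64 run of buf, stopping at the first
    non-base64 byte. Each full 8 bits emitted becomes an output byte;
    leftover bits from a truncated final quantum are discarded rather
    than causing the whole decode to fail. max_bytes limits how many
    *input* bytes are examined (hypothetical analogue of 'bytes N')."""
    if max_bytes is not None:
        buf = buf[:max_bytes]
    out = bytearray()
    acc, nbits = 0, 0
    for b in buf:
        v = _VALUE.get(b)
        if v is None:          # '=' padding or a non-base64 char: stop here
            break
        acc = (acc << 6) | v
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1   # keep only the unconsumed bits
    return bytes(out)


def decoded_after_marker(cookie: bytes, marker: bytes = b"foobar=",
                         max_bytes: Optional[int] = None) -> bytes:
    """Emulate 'content:marker; base64_decode:relative' on a cookie value:
    decode the base64 run that starts right after the marker."""
    idx = cookie.find(marker)
    if idx < 0:
        return b""
    return decode_prefix(cookie[idx + len(marker):], max_bytes)


# Constructed sample: "ngAAzg" decodes to 9e 00 00 ce, then a '!' breaks the run.
SAMPLE_COOKIE = b"session=abc; foobar=ngAAzg!not-base64-anymore; other=1"

if __name__ == "__main__":
    full = decoded_after_marker(SAMPLE_COOKIE)            # like sid:2
    first_two = decoded_after_marker(SAMPLE_COOKIE, max_bytes=2)  # like sid:4
    print(full.hex(), first_two.hex())                    # 9e0000ce 9e
```

Both calls yield a buffer whose first byte is 0x9e, which is what the `content:"|9e|"; startswith;` checks in sid:1 and sid:4 look for when base64_data is populated up to the non-base64 character.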