Security #5243: protocol detection: exploitable type confusion due to concurrent protocol changes - Suricata - Open Information Security Foundation

Actions

Copy link

Security #5243

closed

protocol detection: exploitable type confusion due to concurrent protocol changes

Added by Philippe Antoine over 2 years ago. Updated almost 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

7.0.0-beta1

Affected Versions:

Label:

CVE:

Git IDs:

cedffdf14cf1fdd4d551f16c331e5b3e7f0a6927

Severity:

HIGH

Disclosure Date:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45941&q=label%3AProj-suricata&can=2

If a STMP session has STARTTLS, it requests AppLayerRequestProtocolChange
We call TCPProtoDetect to rerun protocol detection
So far, so good.

But then, if the protocol is HTTP1 requesting an upgrade, HTTP/1.1 101\nUpgrade:h2c
we call again AppLayerRequestProtocolChange which erases values like alproto_orig which leads to type confusion...

Files

range.pcap (621 Bytes) range.pcap

Philippe Antoine, 04/08/2022 12:32 PM

Related issues 2 (0 open — 2 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Security #5243

protocol detection: exploitable type confusion due to concurrent protocol changes

Updated by Philippe Antoine over 2 years ago

Updated by Philippe Antoine over 2 years ago

Updated by Jeff Lucovsky over 2 years ago

Updated by Victor Julien over 2 years ago

Updated by Victor Julien over 2 years ago

Updated by Victor Julien over 2 years ago

Updated by Philippe Antoine over 2 years ago

Updated by Victor Julien almost 2 years ago