Project

General

Profile

Actions

Security #5254

closed

protocol detection: exploitable type confusion due to concurrent protocol changes

Added by Jeff Lucovsky over 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
CVE:
Git IDs:

e55eeb3bdee1a57f17a21ca509385c84caaa4469

Severity:
MODERATE
Disclosure Date:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45941&q=label%3AProj-suricata&can=2

If a STMP session has STARTTLS, it requests AppLayerRequestProtocolChange
We call TCPProtoDetect to rerun protocol detection
So far, so good.

But then, if the protocol is HTTP1 requesting an upgrade, HTTP/1.1 101\nUpgrade:h2c
we call again AppLayerRequestProtocolChange which erases values like alproto_orig which leads to type confusion...


Files

range.pcap (621 Bytes) range.pcap Philippe Antoine, 04/08/2022 12:32 PM

Related issues 1 (0 open1 closed)

Copied from Suricata - Security #5243: protocol detection: exploitable type confusion due to concurrent protocol changesClosedPhilippe AntoineActions
Actions #1

Updated by Jeff Lucovsky over 2 years ago

  • Copied from Security #5243: protocol detection: exploitable type confusion due to concurrent protocol changes added
Actions #2

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
Actions #3

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from Assigned to In Progress
Actions #4

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from In Progress to In Review
Actions #5

Updated by Jason Ish over 2 years ago

  • Status changed from In Review to Closed
Actions #6

Updated by Jason Ish over 2 years ago

  • Git IDs updated (diff)
Actions #7

Updated by Victor Julien about 2 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF