Bug #6104: detect/multi-buffer: Heap-buffer-overflow in SigMatchAppendSMToList - Suricata - Open Information Security Foundation

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#1

Rule minimized

drop ip :: 6 <> :: 3 filEext:uext;file.name:;content:" ";filename:Q;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:Qn;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;content:" ";filename:Qn;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:Qn;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:o;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename: an;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:"( ";filename:n;file.name:;base64_decode;content:" ";filename:t9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:"( ";filename:n;file.name:;base64_decode;content:" ";filename:th I;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:Qt: an;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:1;

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#2

cf code

// return -1; TODO error handle

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#3

Target version changed from TBD to 7.0.0-rc2

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
#4

Assignee changed from Victor Julien to OISF Dev
Priority changed from Normal to High

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
#5

Target version changed from 7.0.0-rc2 to 7.0.0

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#6

Related to Optimization #6194: detect: modernize filename fileext filemagic added

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
#7

Status changed from New to Closed
Assignee deleted (~~OISF Dev~~)
Priority changed from High to Normal
Target version deleted (~~7.0.0~~)

Possibly fixed unintentionally. We can reopen if oss-fuzz finds another vector.

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#8

Assignee set to Philippe Antoine
Target version set to 7.0.2

Reopening as oss-fuzz found https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61147&q=label%3AProj-suricata

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#9

Status changed from Closed to Assigned

Reproducer is

alert tcp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tsebisfL;filestore:ive;metadata:s:oOdrOpstring,relative 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp i:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tsebisfL;filestore:ive;metadata:s:oOdrOpstring,relative 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtefn*onlny <> any 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp Op^Mip :iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTt,2335,150!1,150!0erncp any any <> aoy 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqO,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL{filestore:ive;metadata:s:oOdrOp ipict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pit,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0stream_sizep iaTtefn*onlny <> any 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOpy:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTt,2335,150!1,150!0erncp any any <> aoy 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqO,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ipict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pit,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOdnp3_indncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnl <> any sebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tsebisfL;filestore:ive;metadata:s:oOdrOpstring,relative 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp i:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tsebisfL;filestore:ive;metadata:s:oOdrOpstring,relative 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: t,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pit,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtefn*onlny <> any 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOpy:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTt,2335,150!1,150!0erncp any any <> aoy 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqO,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;meOdrOpnly:;metadata:slestore:ive;metadata:s:oOdrOpstring,relative;metadata:s:oOdrOp _tsebisfL;filestore^@dve;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,stringp _tsebisfL;filestore:ive;metadata:s:oOdrOpstri<B5>g,relative;metadata:slestore:ive;metadata:s:oOdrOpstring,relative;metadata:s:oOdrOp ^@^T^U<A4>bisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";

With lots or uricontent

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#10

Status changed from Assigned to In Progress

https://github.com/OISF/suricata/pull/9453

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#11

Status changed from In Progress to In Review
Target version changed from 7.0.2 to 7.0.1

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#12

Target version changed from 7.0.1 to 7.0.2

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#13

Status changed from In Review to Resolved

https://github.com/OISF/suricata/pull/9528

Another version for 8 ?

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#14

Status changed from Resolved to Closed

https://github.com/OISF/suricata/commit/986a4417c6cf28ebc2485e20dbb567feddc2a1f7

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#15

Should we have a new ticket for https://github.com/OISF/suricata/pull/9588 ?

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#16

Private changed from Yes to No

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#17

https://github.com/OISF/suricata/pull/9852 good version for 8

Project

General

Profile

Suricata

Custom queries

Bug #6104

detect/multi-buffer: Heap-buffer-overflow in SigMatchAppendSMToList

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#1

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#2

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#3

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
#4

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
#5

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#6

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
#7

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#8

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#9

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#10

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#11

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#12

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#13

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#14

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#15

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#16

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#17

Project

General

Profile

Suricata

Custom queries

Bug #6104

detect/multi-buffer: Heap-buffer-overflow in SigMatchAppendSMToList

PA Updated by Philippe Antoine almost 3 years ago ActionsCopy link #1

PA Updated by Philippe Antoine almost 3 years ago ActionsCopy link #2

PA Updated by Philippe Antoine almost 3 years ago ActionsCopy link #3

VJ Updated by Victor Julien almost 3 years ago ActionsCopy link #4

VJ Updated by Victor Julien almost 3 years ago ActionsCopy link #5

PA Updated by Philippe Antoine almost 3 years ago ActionsCopy link #6

VJ Updated by Victor Julien almost 3 years ago ActionsCopy link #7

PA Updated by Philippe Antoine over 2 years ago ActionsCopy link #8

PA Updated by Philippe Antoine over 2 years ago ActionsCopy link #9

PA Updated by Philippe Antoine over 2 years ago ActionsCopy link #10

PA Updated by Philippe Antoine over 2 years ago ActionsCopy link #11

VJ Updated by Victor Julien over 2 years ago ActionsCopy link #12

PA Updated by Philippe Antoine over 2 years ago ActionsCopy link #13

VJ Updated by Victor Julien over 2 years ago ActionsCopy link #14

PA Updated by Philippe Antoine over 2 years ago ActionsCopy link #15

VJ Updated by Victor Julien over 2 years ago ActionsCopy link #16

PA Updated by Philippe Antoine over 2 years ago ActionsCopy link #17

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#1

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#2

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#3

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
#4

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
#5

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
#6

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
#7

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#8

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#9

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#10

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#11

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#12

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#13

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#14

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#15

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#16

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#17