Project

General

Profile

Actions
Copy link

Security #6441

closed
PA PA

detect: heap use after free with http.request_header keyword

Security #6441: detect: heap use after free with http.request_header keyword

Added by Philippe Antoine over 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.0-beta1
Affected Versions:
Label:
CVE:
2024-23839
Git IDs:

bc422c17d6961f03f673f2999a949913e89fc2d0

Severity:
CRITICAL
Disclosure Date:
GHSA:

Description

Reproducer is with rules from #6415

alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Host"; fast_pattern; classtype:web-application-attack; sid:41; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:42; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:43; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:44; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:45; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:46; rev:1;)

Problem is that multi-buffer http.request_header sets up different InspectionBuffer all pointing to the same HttpHeaderBuffer which can get reallocated if a new header is bigger than 1024 cf HttpHeaderExpandBuffer

Files

lol.pcap (1.66 KB) lol.pcap Philippe Antoine, 11/07/2023 07:52 AM

Subtasks 1 (0 open1 closed)

Security #6657: detect: heap use after free with http.request_header keyword (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 3 (0 open3 closed)

Related to Suricata - Bug #6415: http: various header buffer not populated when malformed header value existsClosedPhilippe AntoineActions
Related to Suricata - Bug #6736: http.request_header and http.response_header behavior with HTTP1 trafficClosedPhilippe AntoineActions
Related to Suricata - Bug #6483: http.request_headers - odd behavior with multiple signtures ClosedPhilippe AntoineActions
Actions
Copy link

Also available in: PDF Atom