Project

General

Profile

Actions

Security #6441

closed

detect: heap use after free with http.request_header keyword

Added by Philippe Antoine about 1 year ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

bc422c17d6961f03f673f2999a949913e89fc2d0

Severity:
CRITICAL
Disclosure Date:

Description

Reproducer is with rules from #6415

alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Host"; fast_pattern; classtype:web-application-attack; sid:41; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:42; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:43; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:44; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:45; rev:1;)
alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:46; rev:1;)

Problem is that multi-buffer http.request_header sets up different InspectionBuffer all pointing to the same HttpHeaderBuffer which can get reallocated if a new header is bigger than 1024 cf HttpHeaderExpandBuffer


Files

lol.pcap (1.66 KB) lol.pcap Philippe Antoine, 11/07/2023 07:52 AM

Subtasks 1 (0 open1 closed)

Security #6657: detect: heap use after free with http.request_header keyword (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 3 (0 open3 closed)

Related to Suricata - Bug #6415: http.header, http.header.raw and http.request_header buffers not populated when malformed header value existsClosedPhilippe AntoineActions
Related to Suricata - Bug #6736: http.request_header and http.response_header behavior with HTTP1 trafficClosedPhilippe AntoineActions
Related to Suricata - Bug #6483: http.request_headers - odd behavior with multiple signtures ClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF