Project

General

Profile

Actions
Copy link

Bug #7409

closed

http: crash in strip_pseudo_headers transform

Added by Jason Ish 8 months ago. Updated 13 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.0-beta1
Affected Versions:
git master
Effort:
Difficulty:
Label:

Description

Running current git master (13841c0b9eb39ba245ffeb7b9e42957383e94927), Suricata will crash in strip_pseudo_headers with the provided rule and PCAP (PCAP is TLPW).

thread '<unnamed>' panicked at core/src/panicking.rs:221:5:
unsafe precondition(s) violated: ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null and the specified memory ranges do not overlap
stack backtrace:
   0: rust_begin_unwind
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/std/src/panicking.rs:662:5
   1: core::panicking::panic_nounwind_fmt::runtime
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/panicking.rs:112:18
   2: core::panicking::panic_nounwind_fmt
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/panicking.rs:122:5
   3: core::panicking::panic_nounwind
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/panicking.rs:221:5
   4: core::intrinsics::copy_nonoverlapping::precondition_check
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/ub_checks.rs:70:21
   5: core::intrinsics::copy_nonoverlapping
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/ub_checks.rs:77:17
   6: core::slice::<impl [T]>::copy_from_slice
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/mod.rs:3688:13
   7: suricata::detect::transforms::http_headers::strip_pseudo_transform_do
             at ./rust/src/detect/transforms/http_headers.rs:108:13
   8: strip_pseudo_transform
             at ./rust/src/detect/transforms/http_headers.rs:131:19

Requires Rust built in debug mode (./configure --enable-debug). Does not crash in release mode, but could result in undefined behavior: https://doc.rust-lang.org/src/core/intrinsics.rs.html#3300

Below is the rule that initially triggered the issue in my setup, along with a simplified version that triggers the issue:

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Redirect to Generic Credential Phish Landing Page 2024-11-05"; flow:established,to_client; http.stat_code; content:"200"; http.content_len; byte_test:0,<=,500,0,string,dec; http.header_names; to_lowercase; strip_pseudo_headers; content:"|0d 0a|x-guploader-uploadid|0d 0a|"; fast_pattern; http.response_body; content:"http|2d|equiv|3d 22|refresh|22|"; distance:0; content:"URL="; distance:0; content:"/0/0/0/"; distance:0; classtype:credential-theft; sid:2057280; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_11_05, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Phishing, updated_at 2024_11_06, former_sid 2858896, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST"; flow:established,to_client; http.header_names; to_lowercase; strip_pseudo_headers; content:"|0d 0a|"; sid:2057280; rev:1;)

Introduced with commit: 45e0acf772cb30320b960bd4d224e2ec945e7c22

Files

http.pcap (1.42 KB) http.pcap TLPW pcap Jason Ish, 11/22/2024 04:40 PM
Actions
Copy link

Also available in: Atom PDF