Bug #7409
Updated by Jason Ish 8 months ago
Running current git master (13841c0b9eb39ba245ffeb7b9e42957383e94927), Suricata will crash in @strip_pseudo_headers@ with the provided rule and PCAP (PCAP is TLPW).
<pre>
thread '<unnamed>' panicked at core/src/panicking.rs:221:5:
unsafe precondition(s) violated: ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null and the specified memory ranges do not overlap
stack backtrace:
0: rust_begin_unwind
at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/std/src/panicking.rs:662:5
1: core::panicking::panic_nounwind_fmt::runtime
at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/panicking.rs:112:18
2: core::panicking::panic_nounwind_fmt
at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/panicking.rs:122:5
3: core::panicking::panic_nounwind
at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/panicking.rs:221:5
4: core::intrinsics::copy_nonoverlapping::precondition_check
at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/ub_checks.rs:70:21
5: core::intrinsics::copy_nonoverlapping
at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/ub_checks.rs:77:17
6: core::slice::<impl [T]>::copy_from_slice
at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/mod.rs:3688:13
7: suricata::detect::transforms::http_headers::strip_pseudo_transform_do
at ./rust/src/detect/transforms/http_headers.rs:108:13
8: strip_pseudo_transform
at ./rust/src/detect/transforms/http_headers.rs:131:19
</pre>
Requires Rust built in debug mode (@./configure --enable-debug@). Does not crash in release mode.
Below is the rule that initially triggered the issue in my setup, along with a simplified version that triggers the issue:
<pre>
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Redirect to Generic Credential Phish Landing Page 2024-11-05"; flow:established,to_client; http.stat_code; content:"200"; http.content_len; byte_test:0,<=,500,0,string,dec; http.header_names; to_lowercase; strip_pseudo_headers; content:"|0d 0a|x-guploader-uploadid|0d 0a|"; fast_pattern; http.response_body; content:"http|2d|equiv|3d 22|refresh|22|"; distance:0; content:"URL="; distance:0; content:"/0/0/0/"; distance:0; classtype:credential-theft; sid:2057280; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_11_05, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Phishing, updated_at 2024_11_06, former_sid 2858896, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST"; flow:established,to_client; http.header_names; to_lowercase; strip_pseudo_headers; content:"|0d 0a|"; sid:2057280; rev:1;)
</pre>
Introduced with commit: 45e0acf772cb30320b960bd4d224e2ec945e7c22