search

firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0
345 stars 190 forks source link

Invalid Memcpy call in decode.c leads barnyard2 to crash on some ipv6 events #94

Open gaetronik opened 11 years ago

gaetronik commented 11 years ago

On https://github.com/firnsy/barnyard2/blob/master/src/decode.c#L4328 SafeMemCpy is called with a length of (pkt - p->pkt). But this function is called on line 2427 with pkt=p->pkt asset on line 2416. I'm not sure how to fix this, it might seems logical to copy whole packet but it will not be coherent with SafeMemCpy call on line 4315 (where by the way does not seems correct since the start parameter should be pseudopacket_buf + SPARC_TWIDDLE the end should be pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN if understand well how SafeMemCpy works.

It somehow critical since a attacker can make barnyards crash if he makes a program write an event in a unifed2 file flowing through this part of code. For example suricata can write such an event.

binf commented 11 years ago

On Sun, Aug 11, 2013 at 11:38 AM, Gaëtan Duchaussois notifications@github.com wrote:

On https://github.com/firnsy/barnyard2/blob/master/src/decode.c#L4328 SafeMemCpy is called with a length of (pkt - p->pkt). But this function is called on line 2427 with pkt=p->pkt asset on line 2416. I'm not sure how to fix this, it might seems logical to copy whole packet but it will not be coherent with SafeMemCpy call on line 4315 (where by the way does not seems correct since the start parameter should be pseudopacket_buf + SPARC_TWIDDLE the end should be pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN if understand well how SafeMemCpy works.

Line 2416 is within void DecodeRawPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt)

Which mean that the supplied packet has not link layer header thus this is why the pointer point to the packet it self.

For example in

void DecodeEthPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt)

...

case ETHERNET_TYPE_IPV6: DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, (cap_len - ETHERNET_HEADER_LEN), p);

You see the correct padding being added.

It somehow critical since a attacker can make barnyards crash if he makes a program write an event in a unifed2 file flowing through this part of code. For example suricata can write such an event.

If you have a unified2 file that is problematic send it over we will look into it.

-elz

gaetronik commented 11 years ago

My unfied File is over 100MB and may contain private data. If you have any program to extract just an event in an unified2 file and write it to another i will gladly share the file with this event only.

The line 2416 is followed by the call to IPv6Decode on line 2427 and then it tries to make a SafeMemCpy with a length of 0. An event with a raw IPV6 paquet without an ethernet header will trigger the bug.

Here are the log with a BARNYARD_DEBUG=128 from the crash. Some extra debug messages were addded decode.c:113: Decoding linktype 12 decode.c:2418: Packet! decode.c:2427: IPv6 Raw Packet length 71 decode.c:4307: Generating PseudoIpv6Header! decode.c:4331: Generating PseudoIpv6Header no p->eh! 0x6634c0 0 barnyard2: bounds.h:86: SafeMemcpy: Assertion `0==1' failed.

binf commented 11 years ago

On Sun, Aug 11, 2013 at 12:07 PM, Gaëtan Duchaussois notifications@github.com wrote:

My unfied File is over 100MB and may contain private data. If you have any program to extract just an event in an unified2 file and write it to another i will gladly share the file with this event only.

The line 2416 is followed by the call to IPv6Decode on line 2427 and then it tries to make a SafeMemCpy with a length of 0.

Unified2 files compress really well, and mabey you want to take a look at https://github.com/binf/u2_anon/tree/anon-mask

Also trust that my interest it not in the data it self but in the reliability of barnyard2 thus you can allways send it privately to me at beenph@gmail.com if you want, but it should compress down alot.

Cheers. -elz

gaetronik commented 11 years ago

I sent you the file on your email. It might have be caught by your spam filter so please me if you did not receive it.

Regards,

Gaëtan

binf commented 11 years ago

Received, will look into later today and update the issue tracker accordingly.

On Sun, Aug 11, 2013 at 1:27 PM, Gaëtan Duchaussois < notifications@github.com> wrote:

I sent you the file on your email. It might have be caught by your spam filter so please me if you did not receive it.

Regards,

Gaëtan

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/94#issuecomment-22461499 .

binf commented 11 years ago

With the file you sent me i am unable to crash anything, do you have a problematic unified2 file?

-elz

On Sun, Aug 11, 2013 at 1:31 PM, beenph beenph@gmail.com wrote:

Received, will look into later today and update the issue tracker accordingly.

On Sun, Aug 11, 2013 at 1:27 PM, Gaëtan Duchaussois < notifications@github.com> wrote:

I sent you the file on your email. It might have be caught by your spam filter so please me if you did not receive it.

Regards,

Gaëtan

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/94#issuecomment-22461499 .

nrogut commented 9 years ago

I have this same issue.

root@localhost:~# barnyard2 -V

__ -> Barnyard2 <- / ,,_ \ Version 2.1.13 (Build 333) DEBUG |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

I can send a u2 log if needed, that I tested via command line with -o to validate the issue persists.

firnsy commented 9 years ago

@nrogut, if you could send that u2 file through to me that would be greatly appreciated.