Suricata https://tech.feedyourhead.at/ <span class="field field--name-title field--type-string field--label-hidden"><a href="https://tech.feedyourhead.at/content/suricata-stack-based-buffer-overflow">Suricata: stack-based buffer overflow in ParseFilename</a></span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul><li>System affected: Suricata</li> <li>Software version: prior to 4.1</li> <li>Impact: code execution. The impact is rated low because an attacker can exploit this only if the configuration file is not properly protected, i.e. only with write access to the configuration file that Suricata loads.</li> </ul><h3>Detailed description</h3> <p>There is a stack-based buffer overflow in ParseFilename. The value of "outputs.pcap-log.filename" is copied into the destination buffer "str", which has a fixed size of 512 bytes, without checking its length, so a longer pcap-log filename overwrites the stack beyond the buffer. A specially crafted configuration file could therefore lead to code execution. 
</p> <h3>Solution</h3> <p>This bug was fixed in Suricata 4.1.</p> <h3>Credits</h3> <p>This bug was discovered and fixed by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/suricata-stack-based-buffer-overflow).</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Apr 06 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><a href="/taxonomy/term/104" hreflang="en">Suricata</a></div> </div> </div> <span class="field field--name-title field--type-string field--label-hidden"><a href="https://tech.feedyourhead.at/content/remote-code-execution-in-suricata-update">Remote code execution in Suricata-Update</a></span> <div class="clearfix text-formatted field field--name-body 
field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul> <li>System affected: <a href="https://github.com/OISF/suricata-update">Suricata-Update</a></li> <li>CVE: <a href="https://www.cvedetails.com/cve/CVE-2018-1000167/" title="CVE-2018-1000167 security vulnerability details">CVE-2018-1000167</a></li> <li>Software version: 1.0.0a1</li> <li>User interaction: not required</li> <li>Impact: remote code execution</li> </ul> <h3>Detailed description</h3> <p>By default, suricata-update downloads its list of available rule sources from "<a href="https://www.openinfosecfoundation.org/rules/index.yaml">https://www.openinfosecfoundation.org/rules/index.yaml</a>". It parses that file with PyYAML's yaml.load(), which uses the unsafe default loader: tags of the form !!python/... make the loader instantiate arbitrary Python objects and call arbitrary functions while the document is being built, so whoever controls the content of index.yaml can execute code on the host running suricata-update. yaml.safe_load() (or an explicit SafeLoader) rejects such tags and is the right call for data fetched from a remote source.</p> <h3>Proof of concept</h3> <p>Code is executed if the YAML file at <a href="https://openinfosecfoundation.org/rules/index.yaml">https://openinfosecfoundation.org/rules/index.yaml</a> contains the following line:</p> <pre><code>hello: !!python/object/apply:os.system ['ls -l &gt; /tmp/output']</code></pre> <p>The tag tells PyYAML to call os.system with the list as its arguments. The vulnerable function is triggered by "suricata-update list-sources". 
The locally stored copy of index.yaml is loaded in that function, and the injected command runs with the privileges of the suricata-update process.</p> <h3>Solution</h3> <p>The fix was released in version <a href="https://github.com/OISF/suricata-update/releases/tag/1.0.0b1">1.0.0b1</a>.</p> <h3>Credits</h3> <p>The remote code execution bug was discovered and fixed by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/remote-code-execution-in-suricata-update).</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Apr 06 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><a href="/taxonomy/term/104" hreflang="en">Suricata</a></div> <div class="field__item"><a href="/taxonomy/term/107" hreflang="en">CVE</a></div> </div> </div> 
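<p>As an added example for the advisory above (not code from suricata-update or OISF), the following Python shows a fail-closed way to handle a downloaded index.yaml: scan the document for any YAML tag outside the core schema and refuse it before a parser touches it, then parse with yaml.safe_load() instead of yaml.load(). The two sample documents are constructed for this example, and their "sources" layout is an assumption rather than the real index.yaml schema; the scanner is deliberately conservative and may also flag a "!" inside a quoted string, which only causes a rejection.</p>

```python
"""Fail-closed handling of a suricata-update index.yaml.

Added example for this advisory; not code from suricata-update or OISF.
It gates the document on its YAML tags before any parser sees it, then
parses with PyYAML's safe loader instead of the unsafe yaml.load().
"""
import re

# YAML core-schema tags that a safe loader resolves to plain data.
CORE_TAGS = frozenset("!!" + t for t in (
    "str", "int", "float", "bool", "null", "binary", "timestamp",
    "seq", "map", "set", "omap", "pairs"))

# A tag token: '!' at line start or after whitespace, followed by either a
# verbatim <...> tag or a run of non-space, non-flow-indicator characters.
TAG_RE = re.compile(r"(?:^|(?<=\s))(!(?:<[^>]*>|[^\s\[\]{},]*))", re.MULTILINE)

# Constructed sample documents (the 'sources' layout is an assumption made
# for this example, not the real index.yaml schema).  POC_INDEX carries the
# advisory's proof-of-concept line; BENIGN_INDEX uses only a core tag.
POC_INDEX = """\
version: 1
sources:
  et/open:
    url: https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
    summary: Emerging Threats Open Ruleset
hello: !!python/object/apply:os.system ['ls -l > /tmp/output']
"""

BENIGN_INDEX = """\
version: 1
sources:
  et/open:
    url: https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
    summary: Emerging Threats Open Ruleset  # trailing comments are ignored
    obsolete: !!bool false
"""


def foreign_tags(text):
    """Return [(line_number, tag), ...] for every tag outside the core schema.

    Deliberately conservative: a '!' inside a quoted scalar is reported too,
    which at worst rejects a legitimate file, never runs a hostile one.
    """
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                      # full-line comment
        body = line.split(" #", 1)[0]     # ' #' starts a trailing comment
        for match in TAG_RE.finditer(body):
            tag = match.group(1)
            if tag not in CORE_TAGS:
                found.append((lineno, tag))
    return found


def load_index(text):
    """Parse index.yaml safely or raise ValueError.

    The vulnerable release did the equivalent of yaml.load(text): PyYAML's
    default Loader honours !!python/object/apply:os.system and runs the
    command while building the document.  Here a hostile file is refused at
    the gate, and a file that passes is still parsed with safe_load, which
    itself rejects every tag outside the core schema.
    """
    bad = foreign_tags(text)
    if bad:
        where = ", ".join(f"line {n}: {t}" for n, t in bad)
        raise ValueError(f"refusing index.yaml with non-core YAML tags ({where})")
    import yaml  # PyYAML; imported here so the gate works without it
    return yaml.safe_load(text)


def is_rejected(text):
    """True when load_index refuses the document at the gate."""
    try:
        load_index(text)
    except ValueError:
        return True
    except ImportError:
        return False  # gate passed; PyYAML is not installed to finish parsing
    return False


if __name__ == "__main__":
    print("PoC index:", foreign_tags(POC_INDEX))
    print("benign index:", foreign_tags(BENIGN_INDEX))
    try:
        load_index(POC_INDEX)
    except ValueError as err:
        print("rejected:", err)
```

<p>The gate is a second line of defence, not a replacement for the safe loader: safe_load() alone already refuses the !!python/ tag, but rejecting the file before parsing gives a clear log line and keeps any future parser bug out of reach of remote content.</p>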
<span class="field field--name-title field--type-string field--label-hidden"><a href="https://tech.feedyourhead.at/content/Suricata-Update-a-smart-update-script-for-suricata-rules">Suricata-Update: a smart update script for Suricata rules</a></span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Last week <a href="https://oisf.net/">OISF</a> announced a new tool called <a href="https://suricata-ids.org/2017/12/05/announcing-suricata-update/">suricata-update</a>. It is a smart tool for updating Suricata rules from remote sources like Emerging Threats, and it works similarly to Oinkmaster or PulledPork. Its main advantage is that it works great with Suricata, makes a backup of the previous rule set and tests the rules before applying them. Yesterday it reminded me about deprecated options in my Suricata configuration because of the tests it runs (suricata -T).</p> <p>Suricata-Update was a <a href="https://redmine.openinfosecfoundation.org/issues/2344">bit too chatty</a>, so I <a href="https://github.com/OISF/suricata-update/commit/c0596f5895b8c4514d5371543cfe2ee07af1afee">contributed to the project and implemented a config option for a custom User-Agent string</a>.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 10 2017</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><a href="/taxonomy/term/104" hreflang="en">Suricata</a></div> <div class="field__item"><a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><a href="/taxonomy/term/103" hreflang="en">Open-Source</a></div> <div class="field__item"><a 
href="/taxonomy/term/105" hreflang="en">Contribution</a></div> </div> </div> <span class="field field--name-title field--type-string field--label-hidden"><a href="https://tech.feedyourhead.at/content/Improving-suricatas-configuration-parser">Improving Suricata's configuration parser</a></span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Over the last few weeks I worked on Suricata's configuration parser and fixed a couple of minor bugs. 
Some of them made it into the new <a href="https://suricata-ids.org/2017/12/06/suricata-4-0-3-available/">Suricata 4.0.3 release</a>.</p> <ul><li><a href="https://suricata-ids.org/2017/12/06/suricata-4-0-3-available/">https://suricata-ids.org/2017/12/06/suricata-4-0-3-available/</a></li> <li><a href="https://github.com/OISF/suricata/commit/cb70d85c692df3e96495fa427429782add092d4d">https://github.com/OISF/suricata/commit/cb70d85c692df3e96495fa427429782add092d4d</a></li> <li><a href="https://github.com/OISF/suricata/commit/094632730ee2230ad3b2b690ea1daa528a421d8f">https://github.com/OISF/suricata/commit/094632730ee2230ad3b2b690ea1daa528a421d8f</a></li> <li><a href="https://github.com/OISF/suricata/commit/2e27a5df6b6cee7a3fdd4b6e0709a38f925ac4ad">https://github.com/OISF/suricata/commit/2e27a5df6b6cee7a3fdd4b6e0709a38f925ac4ad</a></li> </ul></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 10 2017</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><a href="/taxonomy/term/103" hreflang="en">Open-Source</a></div> <div class="field__item"><a href="/taxonomy/term/105" hreflang="en">Contribution</a></div> <div class="field__item"><a href="/taxonomy/term/106" hreflang="en">Bugfix</a></div> <div class="field__item"><a href="/taxonomy/term/104" hreflang="en">Suricata</a></div> </div> </div>