You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
193 lines
6.7 KiB
193 lines
6.7 KiB
18 years ago
|
# --- T2-COPYRIGHT-NOTE-BEGIN ---
|
||
|
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
|
||
|
|
#
|
||
|
|
# T2 SDE: package/.../snort/CVE-2006-2769.patch
|
||
|
|
# Copyright (C) 2006 The T2 SDE Project
|
||
|
|
#
|
||
|
|
# More information can be found in the files COPYING and README.
|
||
|
|
#
|
||
|
|
# This patch file is dual-licensed. It is available under the license the
|
||
|
|
# patched project is licensed under, as long as it is an OpenSource license
|
||
|
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
|
||
|
|
# of the GNU General Public License as published by the Free Software
|
||
|
|
# Foundation; either version 2 of the License, or (at your option) any later
|
||
|
|
# version.
|
||
|
|
# --- T2-COPYRIGHT-NOTE-END ---
|
||
|
|
|
||
|
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/client/hi_client.c snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
|
||
|
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/client/hi_client.c 2005-03-16 21:52:18.000000000 +0000
|
||
|
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c 2006-06-02 20:39:43.000000000 +0000
|
||
|
|
@@ -40,6 +40,7 @@
|
||
|
|
|
||
|
|
#define URI_END 1
|
||
|
|
#define NO_URI -1
|
||
|
|
+#define CR_IN_URI 18
|
||
|
|
#define INVALID_HEX_VAL -1
|
||
|
|
|
||
|
|
/**
|
||
|
|
@@ -455,6 +456,11 @@
|
||
|
|
return URI_END;
|
||
|
|
}
|
||
|
|
|
||
|
|
+ if(isspace(**ptr) )
|
||
|
|
+ {
|
||
|
|
+ return CR_IN_URI;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
return NO_URI;
|
||
|
|
}
|
||
|
|
|
||
|
|
@@ -1345,8 +1351,21 @@
|
||
|
|
*/
|
||
|
|
break;
|
||
|
|
}
|
||
|
|
+ else if(iRet == CR_IN_URI)
|
||
|
|
+ {
|
||
|
|
+ if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
|
||
|
|
+ {
|
||
|
|
+ hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
|
||
|
|
+ NULL, NULL);
|
||
|
|
+ }
|
||
|
|
+ break;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
+
|
||
|
|
+
|
||
|
|
else /* NO_URI */
|
||
|
|
{
|
||
|
|
+
|
||
|
|
/*
|
||
|
|
** Check for chunk encoding, because the delimiter can
|
||
|
|
** also be a space, which would look like a pipeline request
|
||
|
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/event_output/hi_eo_log.c snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
|
||
|
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2004-03-11 22:25:53.000000000 +0000
|
||
|
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2006-06-02 20:39:43.000000000 +0000
|
||
|
|
@@ -64,7 +64,9 @@
|
||
|
|
{HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,
|
||
|
|
HI_EO_CLIENT_PROXY_USE_STR },
|
||
|
|
{HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY,
|
||
|
|
- HI_EO_CLIENT_WEBROOT_DIR_STR }
|
||
|
|
+ HI_EO_CLIENT_WEBROOT_DIR_STR },
|
||
|
|
+ { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,
|
||
|
|
+ HI_EO_CLIENT_CR_IN_URI_STR },
|
||
|
|
};
|
||
|
|
|
||
|
|
static HI_EVENT_INFO anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] = {
|
||
|
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_eo_events.h snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
|
||
|
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_eo_events.h 2004-03-11 22:25:53.000000000 +0000
|
||
|
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h 2006-06-02 20:39:43.000000000 +0000
|
||
|
|
@@ -24,13 +24,14 @@
|
||
|
|
#define HI_EO_CLIENT_LARGE_CHUNK 15 /* done */
|
||
|
|
#define HI_EO_CLIENT_PROXY_USE 16 /* done */
|
||
|
|
#define HI_EO_CLIENT_WEBROOT_DIR 17 /* done */
|
||
|
|
+#define HI_EO_CLIENT_CR_IN_URI 18 /* done */
|
||
|
|
|
||
|
|
/*
|
||
|
|
** IMPORTANT:
|
||
|
|
** Every time you add a client event, this number must be
|
||
|
|
** incremented.
|
||
|
|
*/
|
||
|
|
-#define HI_EO_CLIENT_EVENT_NUM 18
|
||
|
|
+#define HI_EO_CLIENT_EVENT_NUM 19
|
||
|
|
|
||
|
|
/*
|
||
|
|
** These defines are the alert names for each event
|
||
|
|
@@ -71,6 +72,8 @@
|
||
|
|
"(http_inspect) UNAUTHORIZED PROXY USE DETECTED"
|
||
|
|
#define HI_EO_CLIENT_WEBROOT_DIR_STR \
|
||
|
|
"(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
|
||
|
|
+#define HI_EO_CLIENT_CR_IN_URI_STR \
|
||
|
|
+ "(http_inspect) NON-STD CARRIAGE RETURN IN URI"
|
||
|
|
|
||
|
|
/*
|
||
|
|
** Anomalous Server Events
|
||
|
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_ui_config.h snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
|
||
|
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_ui_config.h 2005-03-16 21:52:18.000000000 +0000
|
||
|
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h 2006-06-02 20:39:43.000000000 +0000
|
||
|
|
@@ -113,6 +113,7 @@
|
||
|
|
HTTPINSPECT_CONF_OPT webroot;
|
||
|
|
HTTPINSPECT_CONF_OPT apache_whitespace;
|
||
|
|
HTTPINSPECT_CONF_OPT iis_delimiter;
|
||
|
|
+ HTTPINSPECT_CONF_OPT non_std_cr;
|
||
|
|
|
||
|
|
} HTTPINSPECT_CONF;
|
||
|
|
|
||
|
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
|
||
|
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2005-03-16 21:52:19.000000000 +0000
|
||
|
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2006-06-02 20:39:43.000000000 +0000
|
||
|
|
@@ -117,6 +117,9 @@
|
||
|
|
|
||
|
|
GlobalConf->global_server.non_strict = 1;
|
||
|
|
|
||
|
|
+ GlobalConf->global_server.non_std_cr.on = 1;
|
||
|
|
+ GlobalConf->global_server.non_std_cr.alert = 1;
|
||
|
|
+
|
||
|
|
return HI_SUCCESS;
|
||
|
|
}
|
||
|
|
|
||
|
|
@@ -209,6 +212,9 @@
|
||
|
|
|
||
|
|
ServerConf->tab_uri_delimiter = 1;
|
||
|
|
|
||
|
|
+ ServerConf->non_std_cr.on = 1;
|
||
|
|
+ ServerConf->non_std_cr.alert = 1;
|
||
|
|
+
|
||
|
|
return HI_SUCCESS;
|
||
|
|
}
|
||
|
|
|
||
|
|
@@ -279,6 +285,9 @@
|
||
|
|
|
||
|
|
ServerConf->non_strict = 1;
|
||
|
|
|
||
|
|
+ ServerConf->non_std_cr.on = 1;
|
||
|
|
+ ServerConf->non_std_cr.alert = 1;
|
||
|
|
+
|
||
|
|
return HI_SUCCESS;
|
||
|
|
}
|
||
|
|
|
||
|
|
@@ -349,6 +358,9 @@
|
||
|
|
|
||
|
|
ServerConf->tab_uri_delimiter = 1;
|
||
|
|
|
||
|
|
+ ServerConf->non_std_cr.on = 1;
|
||
|
|
+ ServerConf->non_std_cr.alert = 1;
|
||
|
|
+
|
||
|
|
return HI_SUCCESS;
|
||
|
|
}
|
||
|
|
|
||
|
|
diff -Nur snort-2.4.4-orig/src/preprocessors/snort_httpinspect.c snort-2.4.4/src/preprocessors/snort_httpinspect.c
|
||
|
|
--- snort-2.4.4-orig/src/preprocessors/snort_httpinspect.c 2005-08-23 15:52:19.000000000 +0000
|
||
|
|
+++ snort-2.4.4/src/preprocessors/snort_httpinspect.c 2006-06-02 20:39:43.000000000 +0000
|
||
|
|
@@ -134,6 +134,7 @@
|
||
|
|
#define GLOBAL_ALERT "no_alerts"
|
||
|
|
#define WEBROOT "webroot"
|
||
|
|
#define TAB_URI_DELIMITER "tab_uri_delimiter"
|
||
|
|
+#define NON_STD_CR "non_std_cr"
|
||
|
|
|
||
|
|
/*
|
||
|
|
** Alert subkeywords
|
||
|
|
@@ -1449,6 +1450,15 @@
|
||
|
|
return iRet;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
+ else if(!strcmp(NON_STD_CR, pcToken))
|
||
|
|
+ {
|
||
|
|
+ ConfOpt = &ServerConf->non_std_cr;
|
||
|
|
+ if((iRet = ProcessConfOpt(ConfOpt, NON_STD_CR,
|
||
|
|
+ ErrorString, ErrStrLen)))
|
||
|
|
+ {
|
||
|
|
+ return iRet;
|
||
|
|
+ }
|
||
|
|
+ }
|
||
|
|
else if(!strcmp(IIS_BACKSLASH, pcToken))
|
||
|
|
{
|
||
|
|
ConfOpt = &ServerConf->iis_backslash;
|
||
|
|
@@ -1583,6 +1593,7 @@
|
||
|
|
PrintConfOpt(&ServerConf->webroot, "Web Root Traversal");
|
||
|
|
PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace");
|
||
|
|
PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter");
|
||
|
|
+ PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return");
|
||
|
|
|
||
|
|
if(ServerConf->iis_unicode_map_filename)
|
||
|
|
{
|