# --- T2-COPYRIGHT-NOTE-BEGIN --- # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # T2 SDE: package/.../snort/CVE-2006-2769.patch # Copyright (C) 2006 The T2 SDE Project # # More information can be found in the files COPYING and README. # # This patch file is dual-licensed. It is available under the license the # patched project is licensed under, as long as it is an OpenSource license # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 2 of the License, or (at your option) any later # version. # --- T2-COPYRIGHT-NOTE-END --- diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/client/hi_client.c snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c --- snort-2.4.4-orig/src/preprocessors/HttpInspect/client/hi_client.c 2005-03-16 21:52:18.000000000 +0000 +++ snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c 2006-06-02 20:39:43.000000000 +0000 @@ -40,6 +40,7 @@ #define URI_END 1 #define NO_URI -1 +#define CR_IN_URI 18 #define INVALID_HEX_VAL -1 /** @@ -455,6 +456,11 @@ return URI_END; } + if(isspace(**ptr) ) + { + return CR_IN_URI; + } + return NO_URI; } @@ -1345,8 +1351,21 @@ */ break; } + else if(iRet == CR_IN_URI) + { + if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert)) + { + hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert, + NULL, NULL); + } + break; + } + + + else /* NO_URI */ { + /* ** Check for chunk encoding, because the delimiter can ** also be a space, which would look like a pipeline request diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/event_output/hi_eo_log.c snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c --- snort-2.4.4-orig/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2004-03-11 22:25:53.000000000 +0000 +++ snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2006-06-02 20:39:43.000000000 +0000 
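Review bot: `CR_IN_URI` is added to the URI-scan return codes (`URI_END 1`, `NO_URI -1`) with the value 18, which is also the number this patch gives the event `HI_EO_CLIENT_CR_IN_URI` in hi_eo_events.h. Nothing visible requires the two to match, and the coincidence invites passing one where the other is meant. I would add a comment such as `/* scan result only; the alert id is HI_EO_CLIENT_CR_IN_URI */`, or give the return code the next small unused value.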
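Review bot: The added test `isspace(**ptr)` in the hunk at -455 matches every whitespace class (tab, vertical tab, form feed and so on), while the return code, the `non_std_cr` keyword and the alert text all say carriage return. Keeping the broad match is the safer choice for detection, but an analyst triaging "NON-STD CARRIAGE RETURN IN URI" should be told it can fire on other bytes, for example with `/* any whitespace byte left at this point, not only \r */` above the check. The function starts outside the hunk, so whether `*ptr` is still inside the buffer when it is dereferenced here cannot be confirmed from the patch. If `**ptr` is a plain `char`, it should also be cast: `isspace((unsigned char)**ptr)`.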
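Review bot: In the `CR_IN_URI` branch of the hunk at -1345, `hi_eo_client_event_log` receives `ServerConf->non_std_cr.alert` as its second argument, the same flag just passed to `hi_eo_generate_event`. The prototype is outside this patch, but the new `HI_EO_CLIENT_CR_IN_URI` id and its table entry are not referenced by any hunk here, which suggests the event id was intended: `hi_eo_client_event_log(Session, HI_EO_CLIENT_CR_IN_URI, NULL, NULL);`. As written, a flag value of 1 would presumably be logged as whichever client event has id 1, so the new alert would never appear under its own name. The surrounding loop starts and ends outside the hunk.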
@@ -64,7 +64,9 @@ {HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_PROXY_USE_STR }, {HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY, - HI_EO_CLIENT_WEBROOT_DIR_STR } + HI_EO_CLIENT_WEBROOT_DIR_STR }, + { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY, + HI_EO_CLIENT_CR_IN_URI_STR }, }; static HI_EVENT_INFO anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] = { diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_eo_events.h snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h --- snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_eo_events.h 2004-03-11 22:25:53.000000000 +0000 +++ snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h 2006-06-02 20:39:43.000000000 +0000 @@ -24,13 +24,14 @@ #define HI_EO_CLIENT_LARGE_CHUNK 15 /* done */ #define HI_EO_CLIENT_PROXY_USE 16 /* done */ #define HI_EO_CLIENT_WEBROOT_DIR 17 /* done */ +#define HI_EO_CLIENT_CR_IN_URI 18 /* done */ /* ** IMPORTANT: ** Every time you add a client event, this number must be ** incremented. */ -#define HI_EO_CLIENT_EVENT_NUM 18 +#define HI_EO_CLIENT_EVENT_NUM 19 /* ** These defines are the alert names for each event @@ -71,6 +72,8 @@ "(http_inspect) UNAUTHORIZED PROXY USE DETECTED" #define HI_EO_CLIENT_WEBROOT_DIR_STR \ "(http_inspect) WEBROOT DIRECTORY TRAVERSAL" +#define HI_EO_CLIENT_CR_IN_URI_STR \ + "(http_inspect) NON-STD CARRIAGE RETURN IN URI" /* ** Anomalous Server Events diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_ui_config.h snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h --- snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_ui_config.h 2005-03-16 21:52:18.000000000 +0000 +++ snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h 2006-06-02 20:39:43.000000000 +0000 
@@ -113,6 +113,7 @@ HTTPINSPECT_CONF_OPT webroot; HTTPINSPECT_CONF_OPT apache_whitespace; HTTPINSPECT_CONF_OPT iis_delimiter; + HTTPINSPECT_CONF_OPT non_std_cr; } HTTPINSPECT_CONF; diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c --- snort-2.4.4-orig/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2005-03-16 21:52:19.000000000 +0000 +++ snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2006-06-02 20:39:43.000000000 +0000 @@ -117,6 +117,9 @@ GlobalConf->global_server.non_strict = 1; + GlobalConf->global_server.non_std_cr.on = 1; + GlobalConf->global_server.non_std_cr.alert = 1; + return HI_SUCCESS; } @@ -209,6 +212,9 @@ ServerConf->tab_uri_delimiter = 1; + ServerConf->non_std_cr.on = 1; + ServerConf->non_std_cr.alert = 1; + return HI_SUCCESS; } @@ -279,6 +285,9 @@ ServerConf->non_strict = 1; + ServerConf->non_std_cr.on = 1; + ServerConf->non_std_cr.alert = 1; + return HI_SUCCESS; } @@ -349,6 +358,9 @@ ServerConf->tab_uri_delimiter = 1; + ServerConf->non_std_cr.on = 1; + ServerConf->non_std_cr.alert = 1; + return HI_SUCCESS; } diff -Nur snort-2.4.4-orig/src/preprocessors/snort_httpinspect.c snort-2.4.4/src/preprocessors/snort_httpinspect.c --- snort-2.4.4-orig/src/preprocessors/snort_httpinspect.c 2005-08-23 15:52:19.000000000 +0000 +++ snort-2.4.4/src/preprocessors/snort_httpinspect.c 2006-06-02 20:39:43.000000000 +0000 @@ -134,6 +134,7 @@ #define GLOBAL_ALERT "no_alerts" #define WEBROOT "webroot" #define TAB_URI_DELIMITER "tab_uri_delimiter" +#define NON_STD_CR "non_std_cr" /* ** Alert subkeywords @@ -1449,6 +1450,15 @@ return iRet; } } + else if(!strcmp(NON_STD_CR, pcToken)) + { + ConfOpt = &ServerConf->non_std_cr; + if((iRet = ProcessConfOpt(ConfOpt, NON_STD_CR, + ErrorString, ErrStrLen))) + { + return iRet; + } + } else if(!strcmp(IIS_BACKSLASH, pcToken)) { ConfOpt = &ServerConf->iis_backslash; 
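Review bot: `non_std_cr.on = 1` is set in the hi_ui_config.c hunk at -117 and again in the hunks at -209, -279 and -349, but no hunk in this patch reads `.on`. The check added in hi_client.c runs unconditionally and only `.alert` is consulted. If the check is meant to be always active, say so where the default is set, e.g. `/* .on is not consulted; the whitespace check in hi_client.c always runs */`, so that an operator who sets the keyword to off is not misled about what is still inspected. The four enclosing functions start outside their hunks.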
@@ -1583,6 +1593,7 @@ PrintConfOpt(&ServerConf->webroot, "Web Root Traversal"); PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace"); PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter"); + PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return"); if(ServerConf->iis_unicode_map_filename) {