You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
192 lines
6.7 KiB
192 lines
6.7 KiB
# --- T2-COPYRIGHT-NOTE-BEGIN --- |
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch. |
|
# |
|
# T2 SDE: package/.../snort/CVE-2006-2769.patch |
|
# Copyright (C) 2006 The T2 SDE Project |
|
# |
|
# More information can be found in the files COPYING and README. |
|
# |
|
# This patch file is dual-licensed. It is available under the license the |
|
# patched project is licensed under, as long as it is an OpenSource license |
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms |
|
# of the GNU General Public License as published by the Free Software |
|
# Foundation; either version 2 of the License, or (at your option) any later |
|
# version. |
|
# --- T2-COPYRIGHT-NOTE-END --- |
|
|
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/client/hi_client.c snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c |
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/client/hi_client.c 2005-03-16 21:52:18.000000000 +0000 |
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c 2006-06-02 20:39:43.000000000 +0000 |
|
@@ -40,6 +40,7 @@ |
|
|
|
#define URI_END 1 |
|
#define NO_URI -1 |
|
+#define CR_IN_URI 18 |
|
#define INVALID_HEX_VAL -1 |
|
|
|
/** |
|
@@ -455,6 +456,11 @@ |
|
return URI_END; |
|
} |
|
|
|
+ if(isspace(**ptr) ) |
|
+ { |
|
+ return CR_IN_URI; |
|
+ } |
|
+ |
|
return NO_URI; |
|
} |
|
|
|
@@ -1345,8 +1351,21 @@ |
|
*/ |
|
break; |
|
} |
|
+ else if(iRet == CR_IN_URI) |
|
+ { |
|
+ if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert)) |
|
+ { |
|
+ hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert, |
|
+ NULL, NULL); |
|
+ } |
|
+ break; |
|
+ } |
|
+ |
|
+ |
|
+ |
|
else /* NO_URI */ |
|
{ |
|
+ |
|
/* |
|
** Check for chunk encoding, because the delimiter can |
|
** also be a space, which would look like a pipeline request |
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/event_output/hi_eo_log.c snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c |
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2004-03-11 22:25:53.000000000 +0000 |
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2006-06-02 20:39:43.000000000 +0000 |
|
@@ -64,7 +64,9 @@ |
|
{HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY, |
|
HI_EO_CLIENT_PROXY_USE_STR }, |
|
{HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY, |
|
- HI_EO_CLIENT_WEBROOT_DIR_STR } |
|
+ HI_EO_CLIENT_WEBROOT_DIR_STR }, |
|
+ { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY, |
|
+ HI_EO_CLIENT_CR_IN_URI_STR }, |
|
}; |
|
|
|
static HI_EVENT_INFO anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] = { |
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_eo_events.h snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h |
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_eo_events.h 2004-03-11 22:25:53.000000000 +0000 |
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h 2006-06-02 20:39:43.000000000 +0000 |
|
@@ -24,13 +24,14 @@ |
|
#define HI_EO_CLIENT_LARGE_CHUNK 15 /* done */ |
|
#define HI_EO_CLIENT_PROXY_USE 16 /* done */ |
|
#define HI_EO_CLIENT_WEBROOT_DIR 17 /* done */ |
|
+#define HI_EO_CLIENT_CR_IN_URI 18 /* done */ |
|
|
|
/* |
|
** IMPORTANT: |
|
** Every time you add a client event, this number must be |
|
** incremented. |
|
*/ |
|
-#define HI_EO_CLIENT_EVENT_NUM 18 |
|
+#define HI_EO_CLIENT_EVENT_NUM 19 |
|
|
|
/* |
|
** These defines are the alert names for each event |
|
@@ -71,6 +72,8 @@ |
|
"(http_inspect) UNAUTHORIZED PROXY USE DETECTED" |
|
#define HI_EO_CLIENT_WEBROOT_DIR_STR \ |
|
"(http_inspect) WEBROOT DIRECTORY TRAVERSAL" |
|
+#define HI_EO_CLIENT_CR_IN_URI_STR \ |
|
+ "(http_inspect) NON-STD CARRIAGE RETURN IN URI" |
|
|
|
/* |
|
** Anomalous Server Events |
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_ui_config.h snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h |
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/include/hi_ui_config.h 2005-03-16 21:52:18.000000000 +0000 |
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h 2006-06-02 20:39:43.000000000 +0000 |
|
@@ -113,6 +113,7 @@ |
|
HTTPINSPECT_CONF_OPT webroot; |
|
HTTPINSPECT_CONF_OPT apache_whitespace; |
|
HTTPINSPECT_CONF_OPT iis_delimiter; |
|
+ HTTPINSPECT_CONF_OPT non_std_cr; |
|
|
|
} HTTPINSPECT_CONF; |
|
|
|
diff -Nur snort-2.4.4-orig/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c |
|
--- snort-2.4.4-orig/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2005-03-16 21:52:19.000000000 +0000 |
|
+++ snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2006-06-02 20:39:43.000000000 +0000 |
|
@@ -117,6 +117,9 @@ |
|
|
|
GlobalConf->global_server.non_strict = 1; |
|
|
|
+ GlobalConf->global_server.non_std_cr.on = 1; |
|
+ GlobalConf->global_server.non_std_cr.alert = 1; |
|
+ |
|
return HI_SUCCESS; |
|
} |
|
|
|
@@ -209,6 +212,9 @@ |
|
|
|
ServerConf->tab_uri_delimiter = 1; |
|
|
|
+ ServerConf->non_std_cr.on = 1; |
|
+ ServerConf->non_std_cr.alert = 1; |
|
+ |
|
return HI_SUCCESS; |
|
} |
|
|
|
@@ -279,6 +285,9 @@ |
|
|
|
ServerConf->non_strict = 1; |
|
|
|
+ ServerConf->non_std_cr.on = 1; |
|
+ ServerConf->non_std_cr.alert = 1; |
|
+ |
|
return HI_SUCCESS; |
|
} |
|
|
|
@@ -349,6 +358,9 @@ |
|
|
|
ServerConf->tab_uri_delimiter = 1; |
|
|
|
+ ServerConf->non_std_cr.on = 1; |
|
+ ServerConf->non_std_cr.alert = 1; |
|
+ |
|
return HI_SUCCESS; |
|
} |
|
|
|
diff -Nur snort-2.4.4-orig/src/preprocessors/snort_httpinspect.c snort-2.4.4/src/preprocessors/snort_httpinspect.c |
|
--- snort-2.4.4-orig/src/preprocessors/snort_httpinspect.c 2005-08-23 15:52:19.000000000 +0000 |
|
+++ snort-2.4.4/src/preprocessors/snort_httpinspect.c 2006-06-02 20:39:43.000000000 +0000 |
|
@@ -134,6 +134,7 @@ |
|
#define GLOBAL_ALERT "no_alerts" |
|
#define WEBROOT "webroot" |
|
#define TAB_URI_DELIMITER "tab_uri_delimiter" |
|
+#define NON_STD_CR "non_std_cr" |
|
|
|
/* |
|
** Alert subkeywords |
|
@@ -1449,6 +1450,15 @@ |
|
return iRet; |
|
} |
|
} |
|
+ else if(!strcmp(NON_STD_CR, pcToken)) |
|
+ { |
|
+ ConfOpt = &ServerConf->non_std_cr; |
|
+ if((iRet = ProcessConfOpt(ConfOpt, NON_STD_CR, |
|
+ ErrorString, ErrStrLen))) |
|
+ { |
|
+ return iRet; |
|
+ } |
|
+ } |
|
else if(!strcmp(IIS_BACKSLASH, pcToken)) |
|
{ |
|
ConfOpt = &ServerConf->iis_backslash; |
|
@@ -1583,6 +1593,7 @@ |
|
PrintConfOpt(&ServerConf->webroot, "Web Root Traversal"); |
|
PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace"); |
|
PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter"); |
|
+ PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return"); |
|
|
|
if(ServerConf->iis_unicode_map_filename) |
|
{
|
|
|