authorMrTiz9 <tiziano.marra@pm.me>2020-01-30 15:08:26 +0100
committerMrTiz9 <tiziano.marra@pm.me>2020-01-30 15:08:26 +0100
commit5c8c2d843afc38f6246c678ea41e81b1a88bcf17 (patch)
treeb2637201942fbd9c1d78e09d4f4aa5e27176cf11
parentea957687e1f9444baa69d0b2b041c1b8cf70b2f6 (diff)
nDPI now detect RCE injections via PCRE instead Intel Hyperscan - BUGGY, DOES NOT COMPILE
-rw-r--r--src/include/ndpi_typedefs.h9
-rw-r--r--src/lib/ndpi_utils.c109
-rw-r--r--src/lib/third_party/include/rce_injection.h6
3 files changed, 63 insertions, 61 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index a04a07802..c20352e90 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1003,6 +1003,15 @@ struct hs {
};
#endif
+#ifdef HAVE_PCRE
+#include <pcre.h>
+
+struct pcre_struct {
+ pcre *compiled;
+ pcre_extra *optimized;
+};
+#endif
+
struct ndpi_detection_module_struct {
NDPI_PROTOCOL_BITMASK detection_bitmask;
NDPI_PROTOCOL_BITMASK generic_http_packet_bitmask;
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index c7ea25aee..b86e66bfb 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1214,100 +1214,93 @@ static int ndpi_is_xss_injection(char* query) {
/* ********************************** */
-#ifdef HAVE_HYPERSCAN
-
-static void free_hyperscan(struct ndpi_detection_module_struct *ndpi_str,
- hs_compile_error_t *compile_err)
-{
- if (ndpi_str) {
- struct hs *hs = (struct hs*)ndpi_str->hyperscan;
-
- if(hs) {
- hs_free_scratch(hs->scratch);
- hs_free_database(hs->database);
- ndpi_free(hs);
- }
-
- ndpi_free(ndpi_str);
- }
-
- if (compile_err) {
- hs_free_compile_error(compile_err);
- }
-}
-
-/* ********************************** */
+#ifdef HAVE_PCRE
static void ndpi_compile_rce_regex() {
- hs_compile_error_t *compile_err;
+ const char *pcreErrorStr;
+ int pcreErrorOffset;
for(int i = 0; i < N_RCE_REGEX; i++) {
- struct ndpi_detection_module_struct *ndpi_str =
- ndpi_malloc(sizeof(struct ndpi_detection_module_struct));
-
- ndpi_str->hyperscan = (void*)ndpi_malloc(sizeof(struct hs));
+ comp_rx[i] = (struct pcre_struct*)ndpi_malloc(sizeof(struct pcre_struct));
- if(!ndpi_str->hyperscan) {
- free_hyperscan(ndpi_str, NULL);
- return;
- }
-
- comp_rx[i] = (struct hs*)ndpi_str->hyperscan;
+ comp_rx[i]->compiled = pcre_compile(rce_regex[i], 0, &pcreErrorStr,
+ &pcreErrorOffset, NULL);
- if (hs_compile(rce_regex[i], HS_FLAG_DOTALL, HS_MODE_BLOCK, NULL,
- &comp_rx[i]->database, &compile_err) != HS_SUCCESS)
- {
+ if(comp_rx[i]->compiled == NULL) {
#ifdef DEBUG
- NDPI_LOG_ERR(ndpi_str, "ERROR: Unable to compile pattern \"%s\": %s\n",
- rce_regex[i], compile_err->message);
+ NDPI_LOG_ERR(ndpi_str, "ERROR: Could not compile '%s': %s\n", rce_regex[i],
+ pcreErrorStr);
#endif
continue;
}
- comp_rx[i]->scratch = NULL;
+ comp_rx[i]->optimized = pcre_study(comp_rx[i]->compiled, 0, &pcreErrorStr);
- if(hs_alloc_scratch(comp_rx[i]->database, &comp_rx[i]->scratch) != HS_SUCCESS) {
+ if(pcreErrorStr != NULL) {
#ifdef DEBUG
- NDPI_LOG_ERR(ndpi_str, "ERROR: Unable to allocate hyperscan scratch space\n");
+ NDPI_LOG_ERR(ndpi_str, "ERROR: Could not study '%s': %s\n", rce_regex[i],
+ pcreErrorStr);
#endif
continue;
}
}
- free_hyperscan(NULL, compile_err);
+ free((void *)pcreErrorStr);
}
-/* ********************************** */
-
static int ndpi_is_rce_injection(char* query) {
if (!initialized_comp_rx) {
ndpi_compile_rce_regex();
initialized_comp_rx = 1;
}
- hs_error_t status;
+ int pcreExecRet;
+ int subStrVec[30];
for(int i = 0; i < N_RCE_REGEX; i++) {
unsigned int length = strlen(query);
- status = hs_scan(comp_rx[i]->database, query, length, 0, comp_rx[i]->scratch,
- NULL, (void *)rce_regex[i]);
+ pcreExecRet = pcre_exec(comp_rx[i]->compiled,
+ comp_rx[i]->optimized,
+ query,
+ length,
+ 0,
+ 0,
+ subStrVec,
+ 30);
- if (status == HS_SUCCESS) {
+ if (pcreExecRet >= 0) {
return 1;
}
- else if(status == HS_SCAN_TERMINATED) {
- continue;
- }
+ #ifdef DEBUG
else {
- #ifdef DEBUG
- NDPI_LOG_ERR(ndpi_str, "ERROR: Unable to scan input buffer\n");
- #endif
-
- continue;
+ switch(pcreExecRet) {
+ case PCRE_ERROR_NOMATCH:
+ NDPI_LOG_ERR(ndpi_str, "ERROR: String did not match the pattern\n");
+ break;
+ case PCRE_ERROR_NULL:
+ NDPI_LOG_ERR(ndpi_str, "ERROR: Something was null\n");
+ break;
+ case PCRE_ERROR_BADOPTION:
+ NDPI_LOG_ERR(ndpi_str, "ERROR: A bad option was passed\n");
+ break;
+ case PCRE_ERROR_BADMAGIC:
+ NDPI_LOG_ERR(ndpi_str, "ERROR: Magic number bad (compiled re corrupt?)\n");
+ break;
+ case PCRE_ERROR_UNKNOWN_NODE:
+ NDPI_LOG_ERR(ndpi_str, "ERROR: Something kooky in the compiled re\n");
+ break;
+ case PCRE_ERROR_NOMEMORY:
+ NDPI_LOG_ERR(ndpi_str, "ERROR: Ran out of memory\n");
+ break;
+ default:
+ NDPI_LOG_ERR(ndpi_str, "ERROR: Unknown error\n");
+ break;
+ }
}
+ #endif
}
size_t ushlen = sizeof(ush_commands) / sizeof(ush_commands[0]);
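Review bot: The `free((void *)pcreErrorStr);` that closes ndpi_compile_rce_regex() releases memory the caller does not own, because pcre_compile() and pcre_study() return pointers to static message text; if the last pattern fails to compile or study, this frees a static string, so the line should be dropped. In the same loop the ndpi_malloc() result is dereferenced unchecked, and the `continue` on a compile failure leaves `optimized` uninitialised, while ndpi_is_rce_injection() later dereferences every comp_rx[i] unconditionally. The subject is a decoded URL taken from traffic and PCRE is a backtracking matcher, so it is also worth bounding the work per call through `pcre_extra` (`PCRE_EXTRA_MATCH_LIMIT`). The old `HS_FLAG_DOTALL` has also become option `0`; if the patterns rely on `.` spanning newlines, `PCRE_DOTALL` is needed to keep the same coverage. The sketch below covers only the allocation and cleanup points; ndpi_is_rce_injection() continues past the end of the hunk.

```c
static void ndpi_compile_rce_regex() {
  const char *pcreErrorStr = NULL;
  int pcreErrorOffset;

  for(int i = 0; i < N_RCE_REGEX; i++) {
    comp_rx[i] = (struct pcre_struct*)ndpi_malloc(sizeof(struct pcre_struct));

    if(comp_rx[i] == NULL)
      continue; /* slot stays NULL and is skipped at match time */

    comp_rx[i]->optimized = NULL;
    comp_rx[i]->compiled = pcre_compile(rce_regex[i], 0, &pcreErrorStr,
                                        &pcreErrorOffset, NULL);
    /* … unchanged: compile-failure logging, pcre_study call and its logging … */
  }
  /* no free() here: PCRE error strings are static text */
}

/* in ndpi_is_rce_injection(), at the top of the per-pattern loop */
    if(comp_rx[i] == NULL || comp_rx[i]->compiled == NULL)
      continue;
    /* … unchanged: strlen, pcre_exec call and result handling … */
```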
@@ -1368,7 +1361,7 @@ ndpi_url_risk ndpi_validate_url(char *url) {
rc = ndpi_url_possible_xss;
else if(ndpi_is_sql_injection(decoded))
rc = ndpi_url_possible_sql_injection;
-#ifdef HAVE_HYPERSCAN
+#ifdef HAVE_PCRE
else if(ndpi_is_rce_injection(decoded))
rc = ndpi_url_possible_rce_injection;
#endif
diff --git a/src/lib/third_party/include/rce_injection.h b/src/lib/third_party/include/rce_injection.h
index 80b6fc853..1febfc779 100644
--- a/src/lib/third_party/include/rce_injection.h
+++ b/src/lib/third_party/include/rce_injection.h
@@ -1,4 +1,4 @@
-#ifdef HAVE_HYPERSCAN
+#ifdef HAVE_PCRE
#ifndef NDPI_RCE_H
#define NDPI_RCE_H
@@ -8,7 +8,7 @@
#define N_RCE_REGEX 7
/* Compiled regex */
-static struct hs *comp_rx[N_RCE_REGEX];
+static struct pcre_struct *comp_rx[N_RCE_REGEX];
static unsigned int initialized_comp_rx = 0;
@@ -610,4 +610,4 @@ static const char *pwsh_commands[] = {
"-PSConsoleFile"
};
-#endif \ No newline at end of file
+#endif //HAVE_PCRE \ No newline at end of file