diff options
| author | Luca Deri <deri@ntop.org> | 2022-05-29 16:29:51 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2022-05-29 16:31:26 +0200 |
| commit | 1093aafa5f81aeb39263bc87dc88327f873341ae (patch) | |
| tree | 08e17a3d1a6138c4ecccc9350014609bdb01fc6c | |
| parent | 6b7b23b01d50468263b707abdf79146f1d4c821f (diff) | |
Added detection for WordPress exploits
Fixed ndpi_iph_is_valid_and_not_fragmented() that was bugged with non UDP traffic
| -rw-r--r-- | src/lib/ndpi_main.c | 13 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 16 |
2 files changed, 24 insertions, 5 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 6fcfbb13f..1a3f0acf6 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4604,12 +4604,17 @@ u_int8_t ndpi_iph_is_valid_and_not_fragmented(const struct ndpi_iphdr *iph, cons 1: not fragmented */ //#ifdef REQUIRE_FULL_PACKETS - if(ipsize < iph->ihl * 4 || ipsize < ntohs(iph->tot_len) || ntohs(iph->tot_len) < iph->ihl * 4 || - (iph->frag_off & htons(0x1FFF)) != 0) { - return(0); + + if(iph->protocol == IPPROTO_UDP) { + if((ipsize < iph->ihl * 4) + || (ipsize < ntohs(iph->tot_len)) + || (ntohs(iph->tot_len) < iph->ihl * 4) + || (iph->frag_off & htons(0x1FFF)) != 0) { + return(0); + } } //#endif - + return(1); } diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index cdb2d97bf..257585512 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -1040,8 +1040,22 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct /* https://en.wikipedia.org/wiki/List_of_HTTP_status_codes */ if((flow->http.response_status_code < 100) || (flow->http.response_status_code > 509)) flow->http.response_status_code = 0; /* Out of range */ - else if(flow->http.response_status_code >= 400) + else if(flow->http.response_status_code >= 400) { + if(flow->http.url != NULL) { + /* Let's check for Wordpress */ + char *slash = strchr(flow->http.url, '/'); + + if( + ((flow->http.method == NDPI_HTTP_METHOD_POST) && (strncmp(slash, "/wp-admin/", 10) == 0)) + || ((flow->http.method == NDPI_HTTP_METHOD_GET) && (strncmp(slash, "/wp-content/uploads/", 20) == 0)) + ) { + /* Example of popular exploits https://www.wordfence.com/blog/2022/05/millions-of-attacks-target-tatsu-builder-plugin/ */ + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); + } + } + ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED); + } } ndpi_parse_packet_line_info(ndpi_struct, flow); |