diff options
| author | Luca Deri <deri@ntop.org> | 2022-05-24 19:47:54 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2022-05-24 19:47:54 +0200 |
| commit | 4f9dee164e2c29fa7dbaef38b57775160dfbe2b9 (patch) | |
| tree | e3a338cdad7e2ece3579d7e220fa97f6aca03f5c | |
| parent | 2560260a41172a07b6b272027f441ccda01622a5 (diff) | |
Improved detection of invalid SNI and hostnames in TLS, HTTP
| -rw-r--r-- | src/include/ndpi_main.h | 1 | ||||
| -rw-r--r-- | src/lib/ndpi_utils.c | 49 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 14 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 46 | ||||
| -rw-r--r-- | tests/result/fuzz-2006-09-29-28586.pcap.out | 2 |
5 files changed, 73 insertions, 39 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index ab9170fbf..80ef0e691 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -153,6 +153,7 @@ extern "C" { int ndpi_isset_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_risk_enum r); int ndpi_is_printable_string(char * const str, size_t len); + int ndpi_is_valid_hostname(char * const str, size_t len); #define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy > 7.0f) float ndpi_entropy(u_int8_t const * const buf, size_t len); u_int16_t ndpi_calculate_icmp4_checksum(u_int8_t const * const buf, size_t len); diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 62cec4878..8f3c03f72 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -864,7 +864,7 @@ static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const case NDPI_PROTOCOL_QUIC: case NDPI_PROTOCOL_TLS: - if (flow->protos.tls_quic.hello_processed != 0) + if(flow->protos.tls_quic.hello_processed != 0) return flow->host_server_name; break; } @@ -878,7 +878,7 @@ const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow, ndpi_protocol const * const l7_protocol) { char const * const app_protocol_info = ndpi_get_flow_info_by_proto_id(flow, l7_protocol->app_protocol); - if (app_protocol_info != NULL) + if(app_protocol_info != NULL) return app_protocol_info; return ndpi_get_flow_info_by_proto_id(flow, l7_protocol->master_protocol); @@ -1105,7 +1105,7 @@ void ndpi_serialize_risk(ndpi_serializer *serializer, ndpi_risk risk) { u_int32_t i; - if (risk == 0) { + if(risk == 0) { return; } @@ -1115,7 +1115,7 @@ void ndpi_serialize_risk(ndpi_serializer *serializer, if(NDPI_ISSET_BIT(risk, r)) { ndpi_risk_info const * const risk_info = ndpi_risk2severity(r); - if (risk_info == NULL) + if(risk_info == NULL) continue; ndpi_serialize_start_of_block_uint32(serializer, i); @@ -1136,7 +1136,7 @@ void ndpi_serialize_risk_score(ndpi_serializer *serializer, { u_int16_t rs, rs_client = 0, rs_server = 0; - if (risk == NDPI_NO_RISK) { + if(risk == NDPI_NO_RISK) { return; } @@ -1153,7 +1153,7 @@ void ndpi_serialize_risk_score(ndpi_serializer *serializer, void ndpi_serialize_confidence(ndpi_serializer *serializer, ndpi_confidence_t confidence) { - if (confidence == NDPI_CONFIDENCE_UNKNOWN) { + if(confidence == NDPI_CONFIDENCE_UNKNOWN) { return; } @@ -1200,7 +1200,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, switch(l7_protocol.master_protocol ? l7_protocol.master_protocol : l7_protocol.app_protocol) { case NDPI_PROTOCOL_IP_ICMP: - if (flow->entropy > 0.0f) { + if(flow->entropy > 0.0f) { ndpi_serialize_string_float(serializer, "entropy", flow->entropy, "%.6f"); } break; @@ -2262,7 +2262,7 @@ int ndpi_is_printable_string(char * const str, size_t len) { int retval = 1; for (size_t i = 0; i < len; ++i) { - if (ndpi_isprint(str[i]) == 0) { + if(ndpi_isprint(str[i]) == 0) { str[i] = '?'; retval = 0; } @@ -2273,6 +2273,26 @@ int ndpi_is_printable_string(char * const str, size_t len) { /* ******************************************************************** */ +int ndpi_is_valid_hostname(char * const str, size_t len) { + for (size_t i = 0; i < len; ++i) { + if((str[i] == '.') + || (str[i] == '-') + || (str[i] == ':') + ) + continue; /* Used in hostnames */ + else if((ndpi_isprint(str[i]) == 0) + || ndpi_isspace(str[i]) + || ndpi_ispunct(str[i]) + ) { + return(0); + } + } + + return(1); +} + +/* ******************************************************************** */ + float ndpi_entropy(u_int8_t const * const buf, size_t len) { float entropy = 0.0f; u_int32_t byte_counters[256]; @@ -2284,7 +2304,7 @@ float ndpi_entropy(u_int8_t const * const buf, size_t len) { } for (size_t i = 0; i < sizeof(byte_counters) / sizeof(byte_counters[0]); ++i) { - if (byte_counters[i] == 0) { + if(byte_counters[i] == 0) { continue; } @@ -2314,7 +2334,7 @@ u_int16_t ndpi_calculate_icmp4_checksum(const u_int8_t * buf, size_t len) { buf += 2; } - if (len == 1) { + if(len == 1) { checksum += *buf; } @@ -2452,15 +2472,13 @@ u_int32_t ndpi_get_flow_error_code(struct ndpi_flow_struct *flow) { int ndpi_vsnprintf(char * str, size_t size, char const * format, va_list va_args) { #ifdef WIN32 - if (str == NULL || size == 0 || format == NULL) - { + if((str == NULL) || (size == 0) || (format == NULL)) { return -1; } int ret = vsnprintf_s(str, size, _TRUNCATE, format, va_args); - if (ret < 0) - { + if(ret < 0) { return size; } else { return ret; @@ -2472,8 +2490,7 @@ int ndpi_vsnprintf(char * str, size_t size, char const * format, va_list va_args /* ******************************************* */ -int ndpi_snprintf(char * str, size_t size, char const * format, ...) -{ +int ndpi_snprintf(char * str, size_t size, char const * format, ...) { va_list va_args; va_start(va_args, format); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 9b151c3b6..1b3ea7f66 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -679,8 +679,18 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len); flow->extra_packets_func = NULL; /* We're good now */ - if(strlen(flow->host_server_name) > 0) ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1); - + if(strlen(flow->host_server_name) > 0) { + ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1); + + if(ndpi_is_valid_hostname(flow->host_server_name, + strlen(flow->host_server_name)) == 0) { + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); + + /* This looks like an attack */ + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); + } + } + if(packet->forwarded_line.ptr) { if(flow->http.nat_ip == NULL) { len = packet->forwarded_line.len; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index a79b355e5..81a17c457 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -239,7 +239,7 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet, const char *label) { u_int8_t str_len = packet->payload[offset+4], is_printable = 1; char *str; - u_int len, j; + u_int len; if(*rdnSeqBuf_offset >= rdnSeqBuf_len) { #ifdef DEBUG_TLS @@ -260,12 +260,7 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet, buffer[len] = '\0'; // check string is printable - for(j = 0; j < len; j++) { - if(!ndpi_isprint(buffer[j])) { - is_printable = 0; - break; - } - } + is_printable = ndpi_is_printable_string(buffer, len); if(is_printable) { int rc = ndpi_snprintf(&rdnSeqBuf[*rdnSeqBuf_offset], @@ -488,7 +483,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* If the client hello was not observed or the requested name was missing, there is no need to trigger an alert */ if(flow->host_server_name[0] == '\0') matched_name = 1; - + #ifdef DEBUG_TLS printf("******* [TLS] Found subjectAltName\n"); #endif @@ -497,7 +492,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* skip the first type, 0x04 == BIT STRING, and jump to it's length */ if(packet->payload[i] == 0x04) i++; else i += 4; /* 4 bytes, with the last byte set to 04 */ - + if(i < packet->payload_packet_len) { i += (packet->payload[i] & 0x80) ? (packet->payload[i] & 0x7F) : 0; /* skip BIT STRING length */ if(i < packet->payload_packet_len) { @@ -508,7 +503,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi while(i < packet->payload_packet_len) { u_int8_t general_name_type = packet->payload[i]; - + if((general_name_type == 0x81) /* rfc822Name */ || (general_name_type == 0x82) /* dNSName */ || (general_name_type == 0x87) /* ipAddress */ @@ -546,7 +541,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi strncpy(dNSName, (const char*)&packet->payload[i], len); dNSName[len] = '\0'; } - + dNSName_len = strlen(dNSName); cleanupServerName(dNSName, dNSName_len); @@ -555,8 +550,17 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi flow->host_server_name, len, packet->payload_packet_len-i-len); #endif - if(ndpi_is_printable_string(dNSName, dNSName_len) == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); + + /* + We cannot use ndpi_is_valid_hostname() as we can have wildcards + here that will create false positives + */ + if(ndpi_is_printable_string(dNSName, dNSName_len) == 0) { + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); + + /* This looks like an attack */ + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); + } if(matched_name == 0) { #if DEBUG_TLS @@ -666,13 +670,13 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi printf("TLS] %s() issuerDN %s / %s\n", __FUNCTION__, flow->protos.tls_quic.issuerDN, head->value); #endif - + if(strcmp(flow->protos.tls_quic.issuerDN, head->value) == 0) return; /* This is a trusted DN */ else head = head->next; } - + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE); } @@ -1794,11 +1798,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("[TLS] SNI: [%s]\n", sni); #endif - if(ndpi_is_printable_string(sni, sni_len) == 0) - { - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); + if(ndpi_is_valid_hostname(sni, sni_len) == 0) { + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); + + /* This looks like an attack */ + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); } - + if(!is_quic) { if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, sni, sni_len)) flow->protos.tls_quic.subprotocol_detected = 1; @@ -1845,7 +1851,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("Client TLS [EllipticCurve: %u/0x%04X]\n", s_group, s_group); #endif - if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1]) + if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1]) || ((packet->payload[s_offset+i] & 0xF) != 0xA)) { /* Skip GREASE */ if(ja3.client.num_elliptic_curve < MAX_NUM_JA3) diff --git a/tests/result/fuzz-2006-09-29-28586.pcap.out b/tests/result/fuzz-2006-09-29-28586.pcap.out index 7a25d830e..039097bd2 100644 --- a/tests/result/fuzz-2006-09-29-28586.pcap.out +++ b/tests/result/fuzz-2006-09-29-28586.pcap.out @@ -15,7 +15,7 @@ AmazonAWS 1 477 1 1 TCP 172.20.3.5:2601 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][Confidence: Match by port][cat: Web/5][9 pkts/6343 bytes <-> 4 pkts/409 bytes][Goodput ratio: 92/46][11.25 sec][bytes ratio: 0.879 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/104 67/128 469/152 164/24][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 705/102 1514/243 721/81][PLAIN TEXT (POST /servlets/mms HTTP/1.1)][Plen Bins: 16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,67,0,0] 2 TCP 172.20.3.5:2606 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][8 pkts/2287 bytes <-> 5 pkts/2963 bytes][Goodput ratio: 80/91][11.18 sec][Hostname/SNI: 172.20.3.13][bytes ratio: -0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/58 177/172 83/81][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 286/593 1514/1514 478/662][URL: 172.20.3.13/servlets/mms?message-id=189301][StatusCode: 0][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,50,0,0] 3 TCP 172.20.3.5:2604 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][5 pkts/1754 bytes <-> 4 pkts/583 bytes][Goodput ratio: 83/62][11.17 sec][Hostname/SNI: 172.20.3.13][bytes ratio: 0.501 (Upload)][IAT c2s/s2c min/avg/max/stddev: 307/81 2793/3724 10864/10997 4662/5143][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 351/146 1514/417 582/157][URL: 172.20.3.13/servlets/mms?message-id=189001][StatusCode: 200][User-Agent: SonyEricssonT68/R201A][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] - 4 TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][Hostname/SNI: %s][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][URL: %s][StatusCode: 0][Req Content-Type: multipart/related][User-Agent: MMS-Relay-DeliveryInitiator][Risk: ** Clear-Text Credentials **][Risk Score: 100][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][Hostname/SNI: %s][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][URL: %s][StatusCode: 0][Req Content-Type: multipart/related][User-Agent: MMS-Relay-DeliveryInitiator][Risk: ** Clear-Text Credentials **** Text With Non-Printable Chars **** Possible Exploit **][Risk Score: 450][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 172.20.3.5:2602 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][4 pkts/942 bytes <-> 4 pkts/703 bytes][Goodput ratio: 75/69][11.10 sec][Hostname/SNI: 172.20.3.13][bytes ratio: 0.145 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/106 3699/5548 10844/10989 5054/5442][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 236/176 762/541 304/211][URL: 172.20.3.13.servlets/mms][StatusCode: 200][Req Content-Type: application/xml][Content-Type: application/xml][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (POST .servlets/mms HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 TCP 172.20.3.13:53136 <-> 172.20.3.5:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][5 pkts/586 bytes <-> 6 pkts/999 bytes][Goodput ratio: 54/66][5.21 sec][bytes ratio: -0.261 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/96 1737/1302 4910/5010 2247/2141][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 117/166 370/481 126/150][PLAIN TEXT (POST /ppgctrl/ppgcon)][Plen Bins: 0,0,25,0,25,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 TCP 172.20.3.5:9587 -> 172.20.3.13:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][1 pkts/1514 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (POST /servlets/mms HTTP/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] |