[Zeek] Hui Lin_DNP3 analyzer not working in current version of zeek
Jon Siwek
jsiwek at corelight.com
Tue Jun 18 11:43:18 PDT 2019
On Mon, Jun 17, 2019 at 9:19 PM Hui Lin (Hugo) <hlin33 at illinois.edu> wrote:
> Back then when I had implemented it, I use a common record type, Request_Data_Object, to hide those differences. In the READ request, there still should be Request_Data_Object[8]. However, according to the value of the function code (which is the input of the Request_Data_Object), the size of each Request_Data_Object becomes 0 if it is READ request. Even though there are 8 objects, but each of them has 0 bytes, so totally there are no data coming. That is why actually there are no more data coming, which is not a mistake. I guess that it is probably how binpac changes the way to handle this type of situation now, making the analyzer fail to work.
Based on that description, I attached a patch that's possibly less
naive in case it helps give a good starting point for a proper fix.
An "array of empty objects" does (at first) seem like something that
should work, and it may have worked before (possibly for the wrong
reasons), but I think the current behavior of assuming array elements
have a minimum size of 1-byte is Good "for security reasons".
Specifically, DoS vulnerabilities become trivial when allowing for an
"array of empty objects". For example:
type Message = record {
flag: uint8;
num: uint32;
objs: Object(flag)[num];
};
type Object(flag: uint8) = case flag of {
true -> empty;
false -> uint8;
};
There, we don't statically know the size of an Object, so have to
parse each one, and a person can easily set "num" to 4 billion, not
actually have to send 4 billion bytes to back it up because they
intend for the Objects to all be empty, but yet leave us chugging away
for 4 billion iterations parsing out empty Objects.
> I probably will do that on July as I am catching a deadline on July 1st.
Thanks for reporting the issue and offering to take a look, let me
know what you come up with.
- Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnp3-less-naive.patch
Type: application/octet-stream
Size: 1732 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190618/d49d5266/attachment.obj
More information about the Zeek
mailing list