Normally, most exploits can be alerted on simply by matching signatures with the content, pcre and similar keywords that Suricata provides.
For CVE-2024-21773, however, the only distinguishing feature is that the Content-Length value is larger than the actual length of the request body, and matching on content-style keywords alone is not enough.
CVE-2024-21773 has little exploitation value, but recording how its rule was written and refined makes a good practical case study for the depth, bsize, byte_extract, byte_math and isdataat keywords.
Early stage - detecting a specific PoC
The first goal was to detect the PoC that was mainly circulating online:
POST / HTTP/1.1
Host: hostname
Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: keep-alive
Content-Length: 6
Content-Type: application/x-www-form-urlencoded

X
The main features to extract are Content-Length: 6 and a request body of X, which gives the following rules (three variants: a plain content match, one that pins the buffer size with bsize, and one that pins the match position with depth):
alert http any any -> any any (msg:"Tomcat CVE_2024_21773";flow:established,to_server;http.method;content:"POST";http.content_len;content:"6";fast_pattern;http.request_body;content:"X";)
alert http any any -> any any (msg:"Tomcat CVE_2024_21773 - bsize";flow:established,to_server;http.method;content:"POST";http.content_len;content:"6";bsize:1;http.request_body;content:"X";bsize:1;)
alert http any any -> any any (msg:"Tomcat CVE_2024_21773 - depth";flow:established,to_server;http.method;content:"POST";http.content_len;content:"6";depth:1;http.request_body;content:"X";depth:1;)
Mid stage - generic detection
The first step away from the fixed PoC keeps Content-Length: 6 but replaces the body match with isdataat, so the rule no longer depends on the body being exactly X:
alert http any any -> any any (msg:"Tomcat CVE_2024_21773 - isdata :!6";flow:established,to_server;http.method;content:"POST";http.content_len;content:"6";bsize:1;http.request_body;isdataat:!6;)
The next step is to stop hard-coding the Content-Length value and read it out of the http.content_len buffer with byte_extract instead. The value is an ASCII decimal string, so the number of bytes to extract is its digit count, which bsize pins down first:
When Content-Length is 1 byte long: http.content_len;bsize:1;byte_extract:1,0,clength,string,dec;
When Content-Length is 2 bytes long: http.content_len;bsize:2;byte_extract:2,0,clength,string,dec;
This gives the following rule (covering only the case where Content-Length is 1 byte long):
alert http any any -> any any (msg:"Tomcat CVE_2024_21773 - byte_extract 1 byte to isdataat:!clength";flow:established,to_server;http.method;content:"POST";http.content_len;bsize:1;byte_extract:1,0,clength,string,dec;http.request_body;isdataat:!clength;)
Late stage - optimizing the generic detection
The rule above was meant to catch every case where Content-Length exceeds the actual request body. In production, however, it produced false positives on requests like the following, where the body is exactly as long as Content-Length says:
POST / HTTP/1.1
Host: hostname
Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: keep-alive
Content-Length: 3
Content-Type: application/x-www-form-urlencoded

abc
The cause is the absolute form of isdataat: isdataat:N tests whether a byte exists at 0-based offset N, so isdataat:!clength is true for any body of clength bytes or fewer, including a complete 3-byte body when clength is 3. The fix is to subtract 1 from the extracted value with byte_math before handing it to isdataat. The keyword below extracts 1 byte starting at offset 0 of the http.content_len buffer, interprets it as a decimal string, subtracts 1 and stores the result in the variable off, so isdataat:!off is only true when the body is strictly shorter than Content-Length:
alert http any any -> any any (msg:"Tomcat CVE_2024_21773 - byte_math 1 byte ";flow:established,to_server;http.method;content:"POST";http.content_len;bsize:1;byte_math:bytes 1,offset 0,oper -,rvalue 1,result off,string dec;http.request_body;isdataat:!off;)
Future - a new feature?
In the end, the idea behind detecting this Tomcat request-smuggling bug is to check that the request body is shorter than the Content-Length value. In theory byte_extract plus bsize would be enough: extract Content-Length into the variable clength with byte_extract, then test http.request_body;bsize:<clength;, which removes the need for byte_math and isdataat entirely. One caveat: the documented bsize syntax takes a numeric literal, not a variable, so confirm that your Suricata version accepts a byte_extract variable here (and that the rule loads and fires in a test) before relying on it; the byte_math rule above is the one this post validated in operation.
alert http any any -> any any (msg:"Tomcat CVE_2024_21773 - bsize < byte_extract";flow:established,to_server;http.method;content:"POST";http.content_len;bsize:1;byte_extract:1,0,clength,string,dec;http.request_body;bsize:<clength;)
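To make the three generations of the generic rule concrete (the isdataat:!clength rule from the mid stage, the byte_math fix from the late stage, and the proposed bsize:<clength form above), here is a small Python model of the keyword semantics they rely on, run over constructed copies of the post's two requests plus a request with a two-digit Content-Length. This is an added example, not code from the original post and not Suricata's own implementation; the request constants, the parse_request, isdataat, byte_extract_dec and byte_math_sub_dec helpers and the rule_* function names are all assumptions made for illustration. It models absolute isdataat:N as "a byte exists at 0-based offset N", which is what makes isdataat:!clength also true for a body of exactly clength bytes, and it treats bsize:<clength as the intended comparison regardless of whether a given Suricata version accepts a variable there.

```python
# Added example: a small model of the Suricata keyword semantics this post
# relies on (bsize, byte_extract, byte_math, absolute isdataat), run over
# constructed requests. Not Suricata code and not from the original post.

# Constructed sample requests, trimmed to the headers the rules inspect.
POC_REQUEST = (b"POST / HTTP/1.1\r\nHost: hostname\r\n"
               b"Content-Length: 6\r\n\r\nX")             # 1-byte body, header says 6
COMPLETE_REQUEST = (b"POST / HTTP/1.1\r\nHost: hostname\r\n"
                    b"Content-Length: 3\r\n\r\nabc")      # body exactly 3 bytes
TWO_DIGIT_REQUEST = (b"POST / HTTP/1.1\r\nHost: hostname\r\n"
                     b"Content-Length: 12\r\n\r\nshort")  # 5 < 12, but bsize:1 fails


def parse_request(raw):
    """Return (method, content_len_buffer, body) for a raw HTTP/1.1 request.

    These stand in for the http.method, http.content_len and
    http.request_body sticky buffers the rules operate on.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0]
    content_len = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            content_len = value.strip()
    return method, content_len, body


def isdataat(buf, offset, negated=False):
    """Absolute isdataat:N: true when a byte exists at 0-based index N.

    Consequence: isdataat:!N holds for every buffer of N bytes or fewer,
    including one that is exactly N bytes long. Callers pass offset >= 0.
    """
    has_data = offset < len(buf)
    return (not has_data) if negated else has_data


def byte_extract_dec(buf, nbytes, offset):
    """byte_extract:<nbytes>,<offset>,<var>,string,dec: read an ASCII decimal."""
    return int(buf[offset:offset + nbytes].decode("ascii"))


def byte_math_sub_dec(buf, nbytes, offset, rvalue):
    """byte_math:bytes N,offset O,oper -,rvalue R,result var,string dec"""
    return byte_extract_dec(buf, nbytes, offset) - rvalue


def _common_prefix(raw):
    """The http.method;content:"POST"; and http.content_len;bsize:1; checks
    shared by all three generic rules. Returns None when they fail."""
    method, clen_buf, body = parse_request(raw)
    if method != b"POST" or len(clen_buf) != 1:
        return None
    return clen_buf, body


def rule_isdataat_clength(raw):
    """Mid-stage rule: byte_extract clength, then http.request_body;isdataat:!clength;"""
    parsed = _common_prefix(raw)
    if parsed is None:
        return False
    clen_buf, body = parsed
    clength = byte_extract_dec(clen_buf, 1, 0)
    return isdataat(body, clength, negated=True)


def rule_byte_math(raw):
    """Late-stage rule: byte_math subtracts 1 first, then isdataat:!off;"""
    parsed = _common_prefix(raw)
    if parsed is None:
        return False
    clen_buf, body = parsed
    off = byte_math_sub_dec(clen_buf, 1, 0, 1)
    if off < 0:  # Content-Length: 0 can never be "short"; Suricata's own underflow handling is not modelled
        return False
    return isdataat(body, off, negated=True)


def rule_bsize_lt(raw):
    """Proposed rule: http.request_body;bsize:<clength; (assumes bsize accepts a variable)."""
    parsed = _common_prefix(raw)
    if parsed is None:
        return False
    clen_buf, body = parsed
    return len(body) < byte_extract_dec(clen_buf, 1, 0)


def evaluate(raw):
    """Run the three generations of the rule and report which would alert."""
    return {
        "isdataat:!clength": rule_isdataat_clength(raw),
        "byte_math + isdataat:!off": rule_byte_math(raw),
        "bsize:<clength": rule_bsize_lt(raw),
    }


if __name__ == "__main__":
    for name, raw in [("PoC", POC_REQUEST), ("complete body", COMPLETE_REQUEST),
                      ("two-digit Content-Length", TWO_DIGIT_REQUEST)]:
        print(name, evaluate(raw))
```

Running the script shows which rules would alert on each request: all three fire on the PoC, only the isdataat:!clength rule fires on the complete 3-byte body (the false positive from the previous section), and none fire on the two-digit Content-Length because bsize:1 fails first, which is exactly the limitation the post notes for the single-digit rule.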
Finally, after the previous two articles, some readers gave feedback that they were interested in the rule-writing side and suggested creating a group for further exchange and mutual help. The group has been created; everyone is welcome to join and share their guidance.
Originally published on the WeChat public account 川云安全团队 (Chuanyun Security Team): Suricata之CVE-2024-21773 Tomcat请求走私检测 (Suricata: detecting CVE-2024-21773 Tomcat request smuggling)