--- spp_http_decode.c.org Wed Mar 21 13:01:23 2001
+++ spp_http_decode.c Mon Mar 26 01:03:11 2001
@@ -53,6 +53,7 @@
 #define NOUNICODE "-unicode"
 #define NOCGINULL "-cginull"
+/* #define DEBUG */
 int check_iis_unicode = 1;
 int check_cgi_null = 1;
@@ -193,6 +194,9 @@
 int i; /* loop counter */
 char logMessage[180];
 int temp;
+ int temp2;
+ int temp3;
+ int unicode;
 #ifdef DEBUG
 printf("http decoder init on %d bytes\n", p->dsize);
@@ -239,49 +243,87 @@
 the payload */
 if((*index == '%') && (index < end - 2))
 {
- /* and if the following two chars are hex digits */
- if(isxdigit((int)*(index+1)) && isxdigit((int)*(index+2)))
+ unicode = 1;
+ temp = ((((nibble(*(index+1))) <<4)+(nibble(*(index+2)))) & (0xff));
+#ifdef DEBUG
+ printf("First byte is %x.\n",temp);
+#endif
+ if(temp <= 0x7f)
+ {
+ /* unicode = temp; */
+ index += 3;
+ url++;
+ psize -= 2;
+ }
+ else if((temp >= 0xc0) && (temp <= 0xdf))
 {
- /*convert it and stuff it */
- temp = (nibble(*(index+1)) << 4) | nibble(*(index+2));
- if(((temp == 192) || /* c0 */
- (temp == 193) || /* c1 */
- (temp == 224) || /* e0 */
- (temp == 240) || /* f0 */
- (temp == 248) || /* f8 */
- (temp == 252)) &&/* fc */
- check_iis_unicode)
+ if((*(index+3) == '%') && (index < (end -5)))
 {
- snprintf(logMessage, sizeof(logMessage),
- MODNAME ": IIS Unicode attack detected");
-
- /*(*AlertFunc)(p, logMessage);*/
- CallAlertFuncs(p, logMessage, NULL);
- CallLogFuncs(p, logMessage, NULL);
+ temp2 = ((((nibble(*(index+4))) << 4)+(nibble(*(index+5)))) & (0xff));
+#ifdef DEBUG
+ printf("Second byte is %x.\n",temp2);
+#endif
+ unicode = (temp & 0x1f)<<6|(temp2 & 0x3f);
+ index += 6;
+ url += 2;
+ psize -= 4;
 }
-
- if(temp == 0 && check_cgi_null)
+ }
+ else if((temp >= 0xe0) && (temp <= 0xef))
+ {
+ if((*(index+3) == '%') && (index < (end -5)))
 {
- snprintf(logMessage, sizeof(logMessage),
- MODNAME ": CGI Null Byte attack detected");
-
- /*(*AlertFunc)(p, logMessage);*/
- CallAlertFuncs(p, logMessage, NULL);
- CallLogFuncs(p, logMessage, NULL);
+ temp2 = ((((nibble(*(index+4))) << 4)+(nibble(*(index+5)))) & (0xff));
+#ifdef DEBUG
+ printf("Second byte is %x.\n",temp2);
+#endif
+ if((*(index+6) == '%') && (index < (end -8)))
+ {
+ temp3 = ((((nibble(*(index+7)))<<4)+(nibble(*(index+8)))) & (0xff));
+#ifdef DEBUG
+ printf("Third byte is %x.\n",temp3);
+#endif
+ unicode = (temp & 0x0f) << 4|
+ (temp2 & 0x3f) << 6|
+ (temp3 & 0x3f);
+ index += 9;
+ url += 3;
+ psize -= 6;
+ }
 }
-
- *url = temp;
-
- index += 3;
- url++;
- psize -= 2;
 }
 else
 {
 *url = *index;
 url++;
 index++;
- }
+ }
+#ifdef DEBUG
+ printf("Unicode is %x.\n",unicode);
+#endif
+ if(((unicode == 0x2f) || /* / */
+ (unicode == 0x5c) || /* \ */
+ (unicode == 0x2e)) && /* . */
+ check_iis_unicode)
+ {
+ snprintf(logMessage, sizeof(logMessage),
+ MODNAME ": IIS Unicode attack detected");
+ /*(*AlertFunc)(p, logMessage);*/
+ CallAlertFuncs(p, logMessage, NULL);
+ CallLogFuncs(p, logMessage, NULL);
+#ifdef DEBUG
+ printf("Unicode attack detect on %x.\n",unicode);
+#endif
+ }
+ else if(unicode == 0 && check_cgi_null)
+ {
+ snprintf(logMessage, sizeof(logMessage),
+ MODNAME ": CGI Null Byte attack detected");
+
+ /*(*AlertFunc)(p, logMessage);*/
+ CallAlertFuncs(p, logMessage, NULL);
+ CallLogFuncs(p, logMessage, NULL);
+ }
 }
 else
 {
@@ -315,14 +357,19 @@
 *
 * Arguments: what => the character in question
 *
- * Returns: The converted character or -1 if the character is not hex
+ * Returns: The converted character or -1 if the character is not alphabet or number
 *
 */
 int nibble(char what)
 {
- if(isdigit((int)what)) return what - '0';
-
- if(isxdigit((int)what)) return toupper((int)what) - 'A' + 10;
+ if(isalpha((int)what))
+ {
+ return (tolower((int)(what))-'a'+10);
+ }
+ else if(isdigit((int)what))
+ {
+ return what-'0';
+ }
 return -1;
 }
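Review bot: In the `0xc0`–`0xdf` and `0xe0`–`0xef` branches, a lead byte whose continuation test fails leaves `index`, `url` and `psize` untouched, so if the enclosing loop (which starts outside this hunk) advances only through `index`, the preprocessor would stall on that packet. The single-byte branch also drops `*url = temp;` and leaves `unicode` at 1, so the decoded byte is never stored and a plain `%00` can no longer reach the CGI null check. The three-byte assembly uses `(temp & 0x0f) << 4`, which overlaps the `<< 6` term; the lead bits belong at `<< 12`. Both continuation tests dereference `*(index+3)` / `*(index+6)` before the bounds comparison, which can read one position past the bytes already checked, so the bounds test should come first. The fence sketches the single-byte and two-byte branches with these fixes; the three-byte branch needs the same fallback at both nesting levels.

```c
if(temp <= 0x7f)
{
    *url = temp;                 /* keep storing the decoded byte */
    if(temp == 0) unicode = 0;   /* plain %00 reaches the null-byte check */
    index += 3;
    url++;
    psize -= 2;
}
else if((temp >= 0xc0) && (temp <= 0xdf))
{
    /* bounds first, so *(index+3) is only read when it is inside the payload */
    if((index < (end - 5)) && (*(index+3) == '%'))
    {
        /* … unchanged: temp2 decode, unicode computation, index/url/psize updates … */
    }
    else
    {
        /* no continuation escape: copy the '%' through so the scan advances */
        *url = *index;
        url++;
        index++;
    }
}
/* … three-byte branch: same bounds-first tests and the same else fallback at both levels … */
```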
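Review bot: `nibble()` now accepts every letter, so `g`–`z` return 16–35 instead of -1, and because the `isxdigit` guard at the call site is removed in the decode hunk, a `%` followed by non-hex characters is folded into `temp` as if it were a valid escape. A -1 return is also left-shifted by the callers (`nibble(...) << 4`), which is undefined for negative values. Keep the hex-only test, e.g. `if(isxdigit((unsigned char)what)) return tolower((unsigned char)what) - 'a' + 10;` after the `isdigit` branch, and leave the header comment as "-1 if the character is not hex". The `unsigned char` cast matters because payload bytes above 0x7f are negative where `char` is signed, and passing those to the `<ctype.h>` functions is undefined.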