suricata
util-file-decompression.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /** \file
19  *
20  * \author Giuseppe Longo <giuseppe@glongo.it>
21  *
22  * \brief Decompress files transfered via HTTP corresponding to file_data
23  * keyword.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 
30 #include "detect-engine.h"
31 #include "app-layer-htp.h"
32 
35 #include "util-misc.h"
36 #include "util-print.h"
37 
38 #define SWF_ZLIB_MIN_VERSION 0x06
39 #define SWF_LZMA_MIN_VERSION 0x0D
40 
41 int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
42 {
43  if (buffer_len >= 3 && buffer[1] == 'W' && buffer[2] == 'S') {
44  if (buffer[0] == 'F')
46  else if (buffer[0] == 'C')
48  else if (buffer[0] == 'Z')
50  else
51  return FILE_IS_NOT_SWF;
52  }
53 
54  return FILE_IS_NOT_SWF;
55 }
56 
57 /**
58  * \brief This function decompresses a buffer with zlib/lzma algorithm
59  *
60  * \param buffer compressed buffer
61  * \param buffer_len compressed buffer length
62  * \param decompressed_buffer buffer that store decompressed data
63  * \param decompressed_buffer_len decompressesd data length
64  * \param swf_type decompression algorithm to use
65  * \param decompress_depth how much decompressed data we want to store
66  * \param compress_depth how much compressed data we want to decompress
67  *
68  * \retval 1 if decompression works
69  * \retval 0 an error occured, and event set
70  */
71 int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
72  DetectEngineThreadCtx *det_ctx,
73  InspectionBuffer *out_buffer,
74  int swf_type,
75  uint32_t decompress_depth,
76  uint32_t compress_depth)
77 {
78  int r = 0;
79 
80  int compression_type = FileIsSwfFile(buffer, buffer_len);
81  if (compression_type == FILE_SWF_NO_COMPRESSION) {
82  return 0;
83  }
84 
85  uint32_t offset = 0;
86  if (compression_type == FILE_SWF_ZLIB_COMPRESSION) {
87  /* compressed data start from the 4th bytes */
88  offset = 8;
89  } else if (compression_type == FILE_SWF_LZMA_COMPRESSION) {
90  /* compressed data start from the 17th bytes */
91  offset = 17;
92  }
93 
94  if (buffer_len <= offset) {
96  return 0;
97  }
98 
99  uint32_t compressed_data_len = 0;
100  if (buffer_len > offset && compress_depth == 0) {
101  compressed_data_len = buffer_len - offset;
102  } else if (compress_depth > 0 && compress_depth <= buffer_len) {
103  compressed_data_len = compress_depth;
104  } else if (compress_depth > 0 && compress_depth > buffer_len) {
105  compressed_data_len = buffer_len;
106  }
107 
108  /* get swf version */
109  uint8_t swf_version = FileGetSwfVersion(buffer, buffer_len);
110  if (compression_type == FILE_SWF_ZLIB_COMPRESSION &&
111  swf_version < SWF_ZLIB_MIN_VERSION)
112  {
114  return 0;
115  }
116  if (compression_type == FILE_SWF_LZMA_COMPRESSION &&
117  swf_version < SWF_LZMA_MIN_VERSION)
118  {
120  return 0;
121  }
122 
123  /* get flash decompressed file length */
124  uint32_t decompressed_swf_len = FileGetSwfDecompressedLen(buffer, buffer_len);
125  if (decompressed_swf_len == 0) {
126  decompressed_swf_len = MIN_SWF_LEN;
127  }
128 
129  /* if decompress_depth is 0, keep the flash file length */
130  uint32_t decompressed_data_len = (decompress_depth == 0) ? decompressed_swf_len : decompress_depth;
131  decompressed_data_len += 8;
132 
133  /* make sure the inspection buffer has enough space */
134  InspectionBufferCheckAndExpand(out_buffer, decompressed_data_len);
135  if (out_buffer->size < decompressed_data_len) {
137  return 0;
138  }
139  out_buffer->len = decompressed_data_len;
140 
141  /*
142  * FWS format
143  * | 4 bytes | 4 bytes | n bytes |
144  * | 'FWS' + version | script len | data |
145  */
146  out_buffer->buf[0] = 'F';
147  out_buffer->buf[1] = 'W';
148  out_buffer->buf[2] = 'S';
149  out_buffer->buf[3] = swf_version;
150  memcpy(out_buffer->buf + 4, &decompressed_swf_len, 4);
151  memset(out_buffer->buf + 8, 0, decompressed_data_len - 8);
152 
153  if ((swf_type == HTTP_SWF_COMPRESSION_ZLIB || swf_type == HTTP_SWF_COMPRESSION_BOTH) &&
154  compression_type == FILE_SWF_ZLIB_COMPRESSION)
155  {
156  /* the first 8 bytes represents the fws header, see 'FWS format' above.
157  * data will start from 8th bytes
158  */
159  r = FileSwfZlibDecompression(det_ctx,
160  (uint8_t *)buffer + offset, compressed_data_len,
161  out_buffer->buf + 8, out_buffer->len - 8);
162  if (r == 0)
163  goto error;
164 
165  } else if ((swf_type == HTTP_SWF_COMPRESSION_LZMA || swf_type == HTTP_SWF_COMPRESSION_BOTH) &&
166  compression_type == FILE_SWF_LZMA_COMPRESSION)
167  {
168 #ifndef HAVE_LIBLZMA
169  goto error;
170 #else
171  /* we need to setup the lzma header */
172  /*
173  * | 5 bytes | 8 bytes | n bytes |
174  * | LZMA properties | Uncompressed length | Compressed data |
175  */
176  compressed_data_len += 13;
177  uint8_t compressed_data[compressed_data_len];
178  /* put lzma properties */
179  memcpy(compressed_data, buffer + 12, 5);
180  /* put lzma end marker */
181  memset(compressed_data + 5, 0xFF, 8);
182  /* put compressed data */
183  memcpy(compressed_data + 13, buffer + offset, compressed_data_len - 13);
184 
185  /* the first 8 bytes represents the fws header, see 'FWS format' above.
186  * data will start from 8th bytes
187  */
188  r = FileSwfLzmaDecompression(det_ctx,
189  compressed_data, compressed_data_len,
190  out_buffer->buf + 8, out_buffer->len - 8);
191  if (r == 0)
192  goto error;
193 #endif
194  } else {
195  goto error;
196  }
197 
198  /* all went well so switch the buffer's inspect pointer/size
199  * to use the new data. */
200  out_buffer->inspect = out_buffer->buf;
201  out_buffer->inspect_len = out_buffer->len;
202 
203  return 1;
204 
205 error:
206  return 0;
207 }
uint32_t size
Definition: detect.h:354
uint64_t offset
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
make sure that the buffer has at least &#39;min_size&#39; bytes Expand the buffer if necessary ...
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
#define SWF_LZMA_MIN_VERSION
uint32_t FileGetSwfDecompressedLen(const uint8_t *buffer, const uint32_t buffer_len)
uint8_t * buf
Definition: detect.h:353
uint32_t len
Definition: detect.h:352
#define SWF_ZLIB_MIN_VERSION
#define MIN_SWF_LEN
uint32_t inspect_len
Definition: detect.h:349
const uint8_t * inspect
Definition: detect.h:347
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with zlib/lzma algorithm.
int FileSwfZlibDecompression(DetectEngineThreadCtx *det_ctx, uint8_t *compressed_data, uint32_t compressed_data_len, uint8_t *decompressed_data, uint32_t decompressed_data_len)
uint8_t FileGetSwfVersion(const uint8_t *buffer, const uint32_t buffer_len)