dsniff: urlsnarf should sanitize sniffed requests

Related Vulnerabilities: CVE-2003-0020  

Debian Bug report logs - #400624
dsniff: urlsnarf should sanitize sniffed requests


Reported by: Hilko Bengen <bengen@debian.org>

Date: Mon, 27 Nov 2006 18:03:02 UTC

Severity: important

Tags: patch

Found in version dsniff/2.4b1+debian-15

Fixed in version dsniff/2.4b1+debian-16

Done: Luciano Bello <luciano@linux.org.ar>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>, Luciano Bello <luciano@linux.org.ar>:
Bug#400624; Package dsniff.


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
New Bug report received and forwarded. Copy sent to Hilko Bengen <bengen@debian.org>, Luciano Bello <luciano@linux.org.ar>.


Message #5 received at submit@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dsniff: urlsnarf should sanitize sniffed requests
Date: Mon, 27 Nov 2006 17:49:48 +0100
Package: dsniff
Version: 2.4b1+debian-15
Severity: important
Tags: patch

urlsnarf directly outputs the user name, URL, Referer-URL, and the
User-Agent string of every HTTP request it sees on the wire, without
any sanitizing. Since it does not escape illegal characters, HTTP
requests containing non-ASCII bytes or double quote characters may
confuse most trying to parse CLF-style log files.

The attached patch modifies urlsnarf so that non-ASCII bytes are
escaped with \0xNN. Double quotes are escaped as \", and the backslash
is escaped as \\. (This is what Apache also seems to be doing.)

Cheers,
-Hilko

#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_urlsnarf_escape.dpatch by Hilko Bengen <bengen@debian.org>
##
## DP: Escape user, vhost, uri, referer, agent strings in log

@DPATCH@
--- dsniff-2.4b1+debian~/urlsnarf.c	2006-11-27 17:09:54.000000000 +0100
+++ dsniff-2.4b1+debian/urlsnarf.c	2006-11-27 17:08:41.000000000 +0100
@@ -84,6 +84,42 @@
 	return (tstr);
 }
 
+static char *
+escape_log_entry(char *string)
+{
+	char *out;
+	unsigned char *c, *o;
+	size_t len;
+
+	if (!string)
+		return NULL;
+
+	/* Determine needed length */
+	for (c = string, len = 0; *c; c++, len++) {
+		if ((*c < 32) || (*c >= 128))
+			len += 3;
+		if ((*c == '"') || (*c =='\\'))
+			len++;
+	}
+	out = malloc(len+1);
+	if (!out)
+		return NULL;
+	for (c = string, o = out; *c; c++, o++) {
+		if ((*c < 32) || (*c >= 128)) {
+			*(o++) = '\\';
+			*(o++) = 'x';
+			snprintf(o++, 3, "%02x", *c);
+		} else if ((*c == '"') || ((*c =='\\'))) {
+			*(o++) = '\\';
+			*o = *c;
+		} else {
+			*o=*c;
+		}
+	}
+	out[len]='\0';
+	return out;
+}
+
 static int
 process_http_request(struct tuple4 *addr, u_char *data, int len)
 {
@@ -142,18 +178,23 @@
 				buf_tok(NULL, NULL, i);
 			}
 		}
-		if (user == NULL)
-			user = "-";
-		if (vhost == NULL)
-			vhost = libnet_addr2name4(addr->daddr, Opt_dns);
-		if (referer == NULL)
-			referer = "-";
-		if (agent == NULL)
-			agent = "-";
-		
+		user = escape_log_entry(user);
+		vhost = escape_log_entry(vhost);
+		uri = escape_log_entry(uri);
+		referer = escape_log_entry(referer);
+		agent = escape_log_entry(agent);
+
 		printf("%s - %s [%s] \"%s http://%s%s\" - - \"%s\" \"%s\"\n",
 		       libnet_addr2name4(addr->saddr, Opt_dns),
-		       user, timestamp(), req, vhost, uri, referer, agent);
+		       (user?user:"-"), timestamp(), req, 
+		       (vhost?vhost:libnet_addr2name4(addr->daddr, Opt_dns)), 
+		       uri, (referer?referer:"-"), (agent?agent:"-"));
+
+		if (user) free(user);
+		if (vhost) free(vhost);
+		if (uri) free(uri);
+		if (referer) free(referer);
+		if (agent) free(agent);
 	}
 	fflush(stdout);
 	
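Review bot: two attacker-influenced fields are still printed unescaped in this hunk. `req` (the method taken from the request line) goes to `printf()` as-is; unless it has already been validated against a fixed set of methods earlier in process_http_request() (not visible here), it should go through escape_log_entry() too. The names returned by `libnet_addr2name4()` for `addr->saddr` and for the `vhost` fallback are printed raw as well; with `Opt_dns` set those come from reverse-DNS PTR records the remote side can control, so escape them into a temporary and free it with the others. Also, `uri` is the one field passed to `printf()` without a `?:"-"` guard, so when `escape_log_entry(uri)` returns NULL on allocation failure the `%s` receives a null pointer; either guard it like the rest or treat a NULL from escape_log_entry() as an error and skip the line rather than print it half-sanitized. The `if (x) free(x)` checks are redundant, since `free(NULL)` is a no-op.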
-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages dsniff depends on:
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries
ii  libdb4.3                     4.3.29-6    Berkeley v4.3 Database Libraries [
ii  libnet1                      1.1.2.1-2   library for the construction and h
ii  libnids1.21                  1.21-0      IP defragmentation TCP segment rea
ii  libpcap0.8                   0.9.5-1     System interface for user-level pa
ii  libssl0.9.8                  0.9.8c-3    SSL shared libraries
ii  openssl                      0.9.8c-3    Secure Socket Layer (SSL) binary a

dsniff recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Luciano Bello <luciano@linux.org.ar>:
Bug#400624; Package dsniff.


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. Copy sent to Luciano Bello <luciano@linux.org.ar>.


Message #10 received at 400624@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: control@bugs.debian.org, 400624@bugs.debian.org
Subject: This is a security issue
Date: Wed, 13 Dec 2006 21:11:26 +0100
severity 400624 grave
thank you

Since urlsnarf is usually used on a terminal to have a look at
requested URLs in real-time, a malicious attacker could use requests
with escape sequences to execute arbitrary code.

Cheers,
-Hilko



Severity set to `grave' from `important' Request was from Hilko Bengen <bengen@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Luciano Bello <luciano@linux.org.ar>:
Bug#400624; Package dsniff.


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Luciano Bello <luciano@linux.org.ar>.


Message #17 received at 400624@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 400624@bugs.debian.org, 400624-submitter@bugs.debian.org
Subject: Re: dsniff: urlsnarf should sanitize sniffed requests
Date: Wed, 13 Dec 2006 13:09:20 -0800
severity 400624 important
thanks

> Since urlsnarf is usually used on a terminal to have a look at
> requested URLs in real-time, a malicious attacker could use requests
> with escape sequences to execute arbitrary code.

By this reasoning, cat would have a grave bug for allowing users to send
untrusted files to the terminal without escaping.

If a terminal can be exploited to cause arbitrary code execution through
control sequences in a file being displayed, we should consider this a bug
in the terminal.  I don't see any reason that dsniff should be picked on
here just because the untrusted data it's displaying comes directly from the
network.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Severity set to `important' from `grave' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Message sent on to Hilko Bengen <bengen@debian.org>:
Bug#400624.


Information forwarded to debian-bugs-dist@lists.debian.org, Luciano Bello <luciano@linux.org.ar>:
Bug#400624; Package dsniff.


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. Copy sent to Luciano Bello <luciano@linux.org.ar>.


Message #27 received at 400624@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 400624@bugs.debian.org
Subject: Re: Bug#400624: dsniff: urlsnarf should sanitize sniffed requests
Date: Wed, 13 Dec 2006 23:29:10 +0100
Steve Langasek <vorlon@debian.org> writes:

>> Since urlsnarf is usually used on a terminal to have a look at
>> requested URLs in real-time, a malicious attacker could use
>> requests with escape sequences to execute arbitrary code.
>
> By this reasoning, cat would have a grave bug for allowing users to
> send untrusted files to the terminal without escaping.

Nah. 

urlsnarf is designed specifically to display URIs from HTTP requests
out of sniffed network traffic, and there are various RFCs that define
pretty well what characters in a URI are valid and what characters
aren't.

Comparing urlsnarf to cat does not make any sense.

> If a terminal can be exploited to cause arbitrary code execution
> through control sequences in a file being displayed, we should
> consider this a bug in the terminal.

It would _also_ be a bug in the terminal application.

As a user of urlsnarf, I'd expect ASCII output that will not mess up
my terminal in whatever way.

By the way, since CVE-2003-0020, the Apache webserver has been doing
the same log file sanitizing.

> I don't see any reason that dsniff should be picked on here 

I am not picking on anything or anybody here, only trying to fix bugs
where appropriate.

-Hilko



Reply sent to Luciano Bello <luciano@linux.org.ar>:
You have taken responsibility.


Notification sent to Hilko Bengen <bengen@debian.org>:
Bug acknowledged by developer.


Message #32 received at 400624-close@bugs.debian.org:

From: Luciano Bello <luciano@linux.org.ar>
To: 400624-close@bugs.debian.org
Subject: Bug#400624: fixed in dsniff 2.4b1+debian-16
Date: Mon, 18 Dec 2006 14:02:04 +0000
Source: dsniff
Source-Version: 2.4b1+debian-16

We believe that the bug you reported is fixed in the latest version of
dsniff, which is due to be installed in the Debian FTP archive:

dsniff_2.4b1+debian-16.diff.gz
  to pool/main/d/dsniff/dsniff_2.4b1+debian-16.diff.gz
dsniff_2.4b1+debian-16.dsc
  to pool/main/d/dsniff/dsniff_2.4b1+debian-16.dsc
dsniff_2.4b1+debian-16_i386.deb
  to pool/main/d/dsniff/dsniff_2.4b1+debian-16_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 400624@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@linux.org.ar> (supplier of updated dsniff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  8 Dec 2006 18:31:05 -0300
Source: dsniff
Binary: dsniff
Architecture: source i386
Version: 2.4b1+debian-16
Distribution: experimental
Urgency: low
Maintainer: Luciano Bello <luciano@linux.org.ar>
Changed-By: Luciano Bello <luciano@linux.org.ar>
Description: 
 dsniff     - Various tools to sniff network traffic for cleartext insecurities
Closes: 400624
Changes: 
 dsniff (2.4b1+debian-16) experimental; urgency=low
 .
   * Urlsnarf sanitizes the sniffed output (Closes:#400624).
   * The Uploaders field in ~/debian/control added.
   * The Recommends field in ~/debian/control added.
   * The long description cosmetic improvement.
Files: 
 d4be3e071cdf36b3c97dc1f37769ba24 717 net extra dsniff_2.4b1+debian-16.dsc
 3e51ceca7ecbd9bdcdee490f10dbd4d6 41332 net extra dsniff_2.4b1+debian-16.diff.gz
 2e6e5c563e09034f43be8f8b4cfee34b 118442 net extra dsniff_2.4b1+debian-16_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFhpukUCgnLz/SlGgRAoaSAJ9Z5m1KULs84OaJQPdVgqK1DbKHNQCeM0Tb
pvc4BTr68sembaYhOge0rR8=
=ihe7
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 Sep 2007 07:26:24 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:00:51 2019; Machine Name: buxtehude
