ISSessions CTF 2021 Trend ThisIsTheRealDeal

Mar 31, 2021 | 2 minutes read

TrendMicro - ThisIsTheRealDeal

Real CVE, real snort rule, real vulnerability.

Solution

CVE-2019-14241 is super well documented, and HAProxy’s source is open, so the vulnerability is spelled out quite clearly. We needed to check for anything that was a delimiter at the beginning of the Cookie header line.

Normally, the cookies look like this:

Cookie: NAME=VALUE; NAME2=VALUE2

Or some other permutation of ; , or : as the delimiters between them.

But the vulnerability was that the line could start with a delimiter, like this:

Cookie: ;Name=Value

I thought solving it was simple, as I just had to match against anything that shouldn’t be at the start of the line. That means three values, which is pretty good for a negative match. Applying it took a bit longer than I expected. I had to really read into how Snort handles the headers of HTTP requests.

Turns out, you have to specify http_raw_header; otherwise, you’ll be running around in circles for hours like I was.

Next, we have to match in specific positions. We can use the isdataat option to check whether or not there’s data at the start of the Cookie line, where the vulnerability occurs.

From here, we just have to set up a match for each of the delimiters.

Cookie|3a 20 2c|
Cookie|3a 20 3b|
Cookie|3a 20 3a|

This will match and cover the following scenarios:

Cookie: ,
Cookie: ;
Cookie: :

To keep it simple, I just copied the line three times and set each copy to search for one delimiter.


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Thisistherealdeal"; flow:to_server,established; content:"Cookie|3A|"; fast_pattern:only; http_header; content:"Cookie|3A 20 3A|"; http_raw_header; isdataat:2,relative; sid:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Thisistherealdeal"; flow:to_server,established; content:"Cookie|3A|"; fast_pattern:only; http_header; content:"Cookie|3A 20 3B|"; http_raw_header; isdataat:2,relative; sid:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Thisistherealdeal"; flow:to_server,established; content:"Cookie|3A|"; fast_pattern:only; http_header; content:"Cookie|3A 20 2C|"; http_raw_header; isdataat:2,relative; sid:3;)
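To make the byte-level logic of those three rules concrete, here is an added Python example (my own, not part of the original writeup or of any Snort rule set). It emulates what the content matches plus isdataat:2,relative do against a raw header block, and then shows a more general check that parses the Cookie header properly, so it also catches variants the exact byte strings miss (a lowercase header name, no space after the colon). The sample requests are constructed for the example, the approximation of the http_raw_header buffer is an assumption, and the function names are mine.

```python
from typing import Optional

# Byte patterns from the three rules above, keyed by sid:
# "Cookie" followed by 3A 20 (": ") and then the offending delimiter.
DELIMITER_RULES = {
    1: b"Cookie\x3a\x20\x3a",  # Cookie: :
    2: b"Cookie\x3a\x20\x3b",  # Cookie: ;
    3: b"Cookie\x3a\x20\x2c",  # Cookie: ,
}

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign":      b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: NAME=VALUE; NAME2=VALUE2\r\n\r\n",
    "semicolon":   b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: ;Name=Value\r\n\r\n",
    "comma":       b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: ,Name=Value\r\n\r\n",
    "lower_colon": b"GET / HTTP/1.1\r\nHost: example.test\r\ncookie: :Name=Value\r\n\r\n",
    "no_space":    b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie:;Name=Value\r\n\r\n",
    "bare":        b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: ;\r\n\r\n",
}


def raw_header_block(raw_request: bytes) -> bytes:
    """Header lines after the request line, up to the blank line that ends
    the headers. Assumed here as an approximation of Snort's http_raw_header
    buffer; the real buffer boundaries are Snort's business."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return headers


def matching_sids(raw_request: bytes, min_trailing: int = 2) -> list[int]:
    """Emulate the page's rules: an unanchored, case-sensitive search for each
    byte pattern (content without nocase), then the isdataat:2,relative check,
    approximated as 'at least min_trailing bytes remain after the match'."""
    block = raw_header_block(raw_request)
    hits = []
    for sid, pattern in DELIMITER_RULES.items():
        idx = block.find(pattern)
        if idx != -1 and len(block) - (idx + len(pattern)) >= min_trailing:
            hits.append(sid)
    return hits


def leading_cookie_delimiter(raw_request: bytes) -> Optional[str]:
    """Generalised check: locate the Cookie header by name (case-insensitive),
    strip optional whitespace after the colon, and report a leading ; , or :
    if present. Returns None when the header is absent or well-formed."""
    for line in raw_header_block(raw_request).split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"cookie":
            continue
        value = value.lstrip(b" \t")
        if value[:1] in (b";", b",", b":"):
            return value[:1].decode("ascii")
    return None


def scan_all() -> dict[str, tuple[list[int], Optional[str]]]:
    """Run both checks over every constructed sample."""
    return {name: (matching_sids(req), leading_cookie_delimiter(req))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sids, delim) in scan_all().items():
        print(f"{name:12s} rule sids={sids!s:5s} parsed leading delimiter={delim!r}")
```

Running it shows where the exact byte matches stop: the lowercase and no-space variants trip none of the three sids, and the bare "Cookie: ;" as the last header fails the trailing-data check, while the header-aware parser reports the leading delimiter in all of them. That gap is one reason a community rule set ends up more comprehensive than three hand-copied lines.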

This was the first time I had used more than one line on these challenges so far.

Now, the part where I didn’t do enough due diligence: apparently there’s already a Snort community rule set with a much more comprehensive solution to this. Maybe a bit more Googling would have paid off.