For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Russell_Moore_8's avatar
Russell_Moore_8
Icon for Nimbostratus rankNimbostratus
May 10, 2012

ActiveSync Windows Phone query decode

I used the following rule to decode and locate the Windows Phone device ID for access control to an ActiveSync/OWA service. The AS protocol allows the query to be plain text or base64 encoded hex. ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jun 01, 2012
That's a novel sanity check you could add. But it still doesn't guarantee you'll avoid the memory leak. Basically, it checks if the query string length is evenly divisible by four. If it is, then the assumption is that it's a base64 encoded string. If it's not, then the input isn't attempted to be decoded.

 

 

You might also want to add a check to see if there is a query string first as 0%4 will return 0 and trigger decoding in the above example.

 

 

if { [HTTP::query] ne "" and ![expr [string length [HTTP::query]]%4] } {

 

 

Also, is there a specific parameter name that will have the base64 encoded string? Or is there another check you could add like of the HTTP::path to reduce the chance that you'll attempt to base64 decode a non-base64 encoded string?

 

 

Aaron