From a27457715bae05c8a6cf23f46cb671fd506cfff6 Mon Sep 17 00:00:00 2001
From: cyb3rjy0t
Date: Mon, 16 Jan 2023 14:34:41 -0500
Subject: [PATCH 1/2] CVE-2022-82889
---
.../web_cve_2022_42889_text4shell_exploit.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/web/web_cve_2022_42889_text4shell_exploit.yml
diff --git a/rules/web/web_cve_2022_42889_text4shell_exploit.yml b/rules/web/web_cve_2022_42889_text4shell_exploit.yml
new file mode 100644
index 000000000..8f0f38e29
--- /dev/null
+++ b/rules/web/web_cve_2022_42889_text4shell_exploit.yml
@@ -0,0 +1,27 @@
+title: Text4Shell Exploit CVE-2022-42889
+id: 85d466b0-d74c-4514-84d3-2bdd3327588b
+status: experimental
+description: Detects exploitation attempts for Apache Common Text Library
+references:
+ - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
+author: Harjot Singh, "@cyb3rjy0t"
+date: 2023/01/16
+tags:
+ - attack.t1190
+ - attack.initial_access
+ - cve.2022.42889
+logsource:
+ category: webserver
+detection:
+ selection1:
+ cs-uri-query|contains|all:
+ - 'getRuntime%28%29'
+ - 'exec%28'
+ selection2:
+ cs-uri-query|contains|all:
+ - 'getRuntime()'
+ - 'exec('
+ condition: selection1 OR selection2
+falsepositives:
+ - Unknown
+level: high
From 26fef9bfd1eb37c512c0b940c3b1d448a7c22168 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 19 Jan 2023 00:59:13 +0100
Subject: [PATCH 2/2] fix: add logic to the correct rule
---
.../web_cve_2022_42889_text4shell_exploit.yml | 27 -------------------
rules/web/web_java_payload_in_access_logs.yml | 7 +++--
2 files changed, 5 insertions(+), 29 deletions(-)
delete mode 100644 rules/web/web_cve_2022_42889_text4shell_exploit.yml
diff --git a/rules/web/web_cve_2022_42889_text4shell_exploit.yml b/rules/web/web_cve_2022_42889_text4shell_exploit.yml
deleted file mode 100644
index 8f0f38e29..000000000
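Review bot: The two selections match only the generic `getRuntime()` / `exec(` substrings (raw and percent-encoded) and never the Apache Commons Text interpolation syntax that CVE-2022-42889 is about, so the title, the `cve.2022.42889` tag and the `description` promise more specificity than the `detection` block delivers; any Java RCE probe in a query string will fire it, which is what the follow-up patch in this series addresses by folding the strings into the generic Java-payload rule. The description also misnames the library and should read `description: Detects exploitation attempts for the Apache Commons Text library`. Sigma style keeps condition operators lowercase, e.g. `condition: 1 of selection*` or `condition: selection1 or selection2`. Given how generic the matched strings are, `falsepositives` deserves a concrete entry (legitimate applications that carry Java snippets in query strings) rather than `Unknown`.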
--- a/rules/web/web_cve_2022_42889_text4shell_exploit.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Text4Shell Exploit CVE-2022-42889
-id: 85d466b0-d74c-4514-84d3-2bdd3327588b
-status: experimental
-description: Detects exploitation attempts for Apache Common Text Library
-references:
- - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
-author: Harjot Singh, "@cyb3rjy0t"
-date: 2023/01/16
-tags:
- - attack.t1190
- - attack.initial_access
- - cve.2022.42889
-logsource:
- category: webserver
-detection:
- selection1:
- cs-uri-query|contains|all:
- - 'getRuntime%28%29'
- - 'exec%28'
- selection2:
- cs-uri-query|contains|all:
- - 'getRuntime()'
- - 'exec('
- condition: selection1 OR selection2
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/web/web_java_payload_in_access_logs.yml b/rules/web/web_java_payload_in_access_logs.yml
index 213552435..109cf51ab 100644
--- a/rules/web/web_java_payload_in_access_logs.yml
+++ b/rules/web/web_java_payload_in_access_logs.yml
@@ -7,9 +7,10 @@ references:
 - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
 - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
 - https://twitter.com/httpvoid0x2f/status/1532924261035384832
-author: frack113
+ - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
+author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
 date: 2022/06/04
-modified: 2022/06/14
+modified: 2023/01/19
 tags:
 - cve.2022.26134
 - cve.2021.26084
@@ -25,6 +26,8 @@ detection:
 - '%2F%24%7B%23'
 - '/${#'
 - 'new+java.'
+ - 'getRuntime().exec('
+ - 'getRuntime%28%29.exec%28'
 condition: keywords
 falsepositives:
 - Legitimate apps
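Review bot: The CVE tag from the deleted rule is not carried into this one: the `tags:` context in the first hunk still shows only `cve.2022.26134` and `cve.2021.26084` while the Text4Shell reference and author credit are added, so the merge should also add `- cve.2022.42889` under `tags:` (unless it lands further down, outside the hunk), otherwise searches by CVE lose coverage once the dedicated rule is gone. Both new keywords are fixed-spacing, single-encoding substrings matched against the whole access-log line by `condition: keywords`, and nothing visible in the second hunk references the Commons Text interpolation syntax, so the Text4Shell coverage of this rule rests entirely on the generic `getRuntime().exec(` strings; a comment above them such as `# generic Java RCE payload body; also covers the common Text4Shell (CVE-2022-42889) probe` would record why they live in this rule rather than a dedicated one. The `keywords` list starts before line 26, so the full set of matched strings is outside this hunk.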