cve-2022-21907

CVE-2022-21907

This package will detect exploits of CVE-2022-21907

https://corelight.com/blog/detecting-cve-2022-21907

Detection Method:

  • HTTP
    • HTTP data must be >= 1750 bytes, and
    • The HTTP/1.1 is not observed at the end of the exploit HTTP request.

Usage:

$ zeek -Cr your.pcap packages

$ cat notice.log 
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2022-01-12-06-58-39
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
1641934050.661549	C3zB9u3LtTMmn7XGab	192.168.88.1	55193	192.168.88.149	80	-	-	-	tcp	CVE_2022_21907::CVE_2022_21907_EXPLOIT_ATTEMPT	Possible CVE_2022_21907 exploit over HTTP, multiple sprays followed by the triggering malformed request	get_current_packet data=\x00\x0c)\x9a\x86\xd9\xa6\x83\xe7\xba\xc9g\x08\x00E\x00\x00\xd4\x00\x00@\x00@\x06\x00\x00\xc0\xa8X\x01\xc0\xa8X\x95\xd7\x99\x00P\xdf\xfbo\xde\xb8Y\x1d\x01\x80\x18\x08\x002\xae\x00\x00\x01\x01\x08\x0a\xf5\x16\x9c\xb8\x00*\xddvGET / HTTP/1.1\x0aHost: 192.168.88.149:80\x0aCache-Control: no-cache\x0a\x0aGET /l;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\x0a\x0a	192.168.88.1	192.168.88.149	80	-	-	Notice::ACTION_LOG	(empty)3600.000000	-	-	-	-	-
#close	2022-01-12-06-58-44

Package Version :