[Emerging-Sigs] AnyDesk Format String vulnerability signature

Pedro Marinho pppmarinho at gmail.com
Tue Jun 16 06:51:00 HDT 2020


Hey guys,


Hope you are all doing well. I built a rule for this new vuln on AnyDesk.
The idea is to check that the size of the hostname is no more than 16 bytes
(the size is big-endian) and then check for invalid chars in the
hostname. The triggering condition is having an invalid UTF-8 sequence at
the beginning of the hostname or username.

For the username, we will have to byte_jump the hostname and match the regex in
the username.


alert udp $EXTERNAL_NET any -> $HOME_NET 50001 ( \
    msg:"ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160)"; \
    isdataat:16; content:"|3e d1|"; depth:2; \
    byte_test:4,<,16,11,relative,big; \
    pcre:"/^.{11}([\xC0-\xC1]|[\xF5-\xFF]|\xE0[\x80-\x9F]|\xF0[\x80-\x8F]|[\xC2-\xDF](?![\x80-\xBF])|[\xE0-\xEF](?![\x80-\xBF]{2})|[\xF0-\xF4](?![\x80-\xBF]{3})|(?<=[\x00-\x7F\xF5-\xFF])[\x80-\xBF]|(?<![\xC2-\xDF]|[\xE0-\xEF]|[\xE0-\xEF][\x80-\xBF]|[\xF0-\xF4]|[\xF0-\xF4][\x80-\xBF]|[\xF0-\xF4][\x80-\xBF]{2})[\x80-\xBF]|(?<=[\xE0-\xEF])[\x80-\xBF](?![\x80-\xBF])|(?<=[\xF0-\xF4])[\x80-\xBF](?![\x80-\xBF]{2})|(?<=[\xF0-\xF4][\x80-\xBF])[\x80-\xBF](?![\x80-\xBF]))/R"; \
    reference:url,devel0pment.de/?p=1881; classtype:attempted-user; \
    sid:9010995; rev:1; metadata:created_at 2020_06_16, updated_at 2020_06_16;)


thanks
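As an added illustration (not part of the original post or of the ET ruleset), the detection logic the rule expresses, modelled in Python over constructed datagrams: the 3e d1 marker, a 4-byte big-endian hostname length at the offset the rule's byte_test reads (2 + 11) that must be below 16, then a malformed UTF-8 sequence at the start of the hostname or, after jumping over the hostname, of the username. The layout of the fields after the length and the sample datagrams are assumptions made for this example, not captured AnyDesk traffic; Python's UTF-8 decoder stands in for the rule's PCRE.

```python
import struct

MAGIC = b"\x3e\xd1"        # the rule's content:"|3e d1|" at depth 2
LEN_FIELD_OFFSET = 2 + 11  # where byte_test:4,<,16,11,relative,big reads the length
MAX_NAME_LEN = 16          # byte_test requires the hostname length to be below 16

def read_field(buf, offset):
    """Read a 4-byte big-endian length-prefixed field; None if it runs past the buffer.
    Assumed layout for this example: the string bytes follow the length directly."""
    if offset + 4 > len(buf):
        return None
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + length > len(buf):
        return None
    return buf[start:start + length], start + length

def invalid_utf8_at_start(field):
    """True when the field begins with a malformed UTF-8 sequence (the trigger condition)."""
    try:
        field.decode("utf-8")
        return False
    except UnicodeDecodeError as err:
        return err.start == 0  # a malformed sequence later in the field is not the trigger

def inspect_datagram(buf):
    """Return which field trips the trigger ('hostname' or 'username'), or None."""
    if len(buf) < 16 or buf[:2] != MAGIC:  # isdataat:16 and the marker check
        return None
    host = read_field(buf, LEN_FIELD_OFFSET)
    if host is None or len(host[0]) >= MAX_NAME_LEN:
        return None
    hostname, next_offset = host
    if invalid_utf8_at_start(hostname):
        return "hostname"
    user = read_field(buf, next_offset)  # the byte_jump over the hostname
    if user is not None and invalid_utf8_at_start(user[0]):
        return "username"
    return None

def build_datagram(hostname, username):
    """Constructed sample datagram in the assumed layout; not a real AnyDesk capture."""
    padding = b"\x00" * (LEN_FIELD_OFFSET - len(MAGIC))
    return (MAGIC + padding
            + struct.pack(">I", len(hostname)) + hostname
            + struct.pack(">I", len(username)) + username)
```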