[Emerging-Sigs] AnyDesk Format String vulnerability signature

Jason Williams jwilliams at emergingthreats.net
Tue Jun 16 11:16:16 HDT 2020


Thanks Pedro!

Will QA it for today!

Jason

On Tue, Jun 16, 2020 at 10:59 AM Pedro Marinho <pppmarinho at gmail.com> wrote:

> Hey guys,
>
>
> Hope you are all doing well. I built a rule for this new vuln in AnyDesk.
> The idea is to check the size of the hostname, which shouldn't be more than
> 16 bytes (the size is big-endian), and then check for invalid chars in the
> hostname. The triggering condition is having an invalid UTF-8 sequence at
> the beginning of the hostname or username.
>
>
>
> For the username, we will have to byte_jump over the hostname and match the
> regex in the username.
>
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 50001 (msg:"ET EXPLOIT AnyDesk
> UDP Discovery Format String (CVE-2020-13160)"; isdataat:16; content:"|3e
> d1|"; depth:2; byte_test:4,<,16,11,relative,big;
> pcre:"/^.{11}([\xC0-\xC1]|[\xF5-\xFF]|\xE0[\x80-\x9F]|\xF0[\x80-\x8F]|[\xC2-\xDF](?![\x80-\xBF])|[\xE0-\xEF](?![\x80-\xBF]{2})|[\xF0-\xF4](?![\x80-\xBF]{3})|(?<=[\x00-\x7F\xF5-\xFF])[\x80-\xBF]|(?<![\xC2-\xDF]|[\xE0-\xEF]|[\xE0-\xEF][\x80-\xBF]|[\xF0-\xF4]|[\xF0-\xF4][\x80-\xBF]|[\xF0-\xF4][\x80-\xBF]{2})[\x80-\xBF]|(?<=[\xE0-\xEF])[\x80-\xBF](?![\x80-\xBF])|(?<=[\xF0-\xF4])[\x80-\xBF](?![\x80-\xBF]{2})|(?<=[\xF0-\xF4][\x80-\xBF])[\x80-\xBF](?![\x80-\xBF]))/R";
> reference:url,devel0pment.de/?p=1881; classtype:attempted-user;
> sid:9010995; rev:1; metadata:created_at 2020_06_16, updated_at 2020_06_16;)
>
>
> thanks


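The check the rule above describes, written out as a field parser for QA-ing the signature against sample payloads (an added example, not part of the original thread or the ET ruleset). The magic bytes and the big-endian length at offset 13 come from the rule; the username carrying its own 4-byte big-endian length directly after the hostname, the `build_frame` helper, and the sample frames are assumptions constructed for this test.

```python
import struct

MAGIC = b"\x3e\xd1"      # content:"|3e d1|"; depth:2
LEN_OFFSET = 2 + 11      # byte_test offset 11, relative to the end of the magic

def first_invalid_utf8(field: bytes):
    """Return the offset of the first byte that breaks UTF-8, or None if valid."""
    try:
        field.decode("utf-8")  # strict decoding rejects overlongs and stray bytes
    except UnicodeDecodeError as err:
        return err.start
    return None

def read_field(payload: bytes, pos: int):
    """Read a 4-byte big-endian length plus that many bytes; None if truncated."""
    if pos + 4 > len(payload):
        return None
    (length,) = struct.unpack_from(">I", payload, pos)
    end = pos + 4 + length
    if end > len(payload):
        return None
    return payload[pos + 4:end], end

def inspect(payload: bytes):
    """Return {field name: offset of first invalid byte} for a discovery frame."""
    findings = {}
    if not payload.startswith(MAGIC):
        return findings
    pos = LEN_OFFSET
    # Assumed layout: hostname first, username right after it (the byte_jump step).
    for name in ("hostname", "username"):
        field = read_field(payload, pos)
        if field is None:
            break
        data, pos = field
        bad = first_invalid_utf8(data)
        if bad is not None:
            findings[name] = bad  # offset 0 is the triggering condition in the thread
    return findings

def build_frame(hostname: bytes, username: bytes) -> bytes:
    """Constructed test frame: magic, 11 filler bytes, two length-prefixed fields."""
    return (MAGIC + bytes(11)
            + struct.pack(">I", len(hostname)) + hostname
            + struct.pack(">I", len(username)) + username)

if __name__ == "__main__":
    print(inspect(build_frame(b"workstation-01", b"alice")))
    print(inspect(build_frame(b"\x80host", b"alice")))
```

Running the same constructed frames through both this parser and the rule in a replayed pcap shows whether the signature's offsets line up with the fields it is meant to inspect.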