[Emerging-Sigs] AnyDesk Format String vulnerability signature
jwilliams at emergingthreats.net
Tue Jun 16 11:16:16 HDT 2020
Will QA it for today!
On Tue, Jun 16, 2020 at 10:59 AM Pedro Marinho <pppmarinho at gmail.com> wrote:
> Hey guys,
> Hope you are all doing well. I built a rule for this new vuln in AnyDesk.
> The idea is to check the size of the hostname, which shouldn't be more than
> 16 bytes and is big-endian, and then check for invalid chars in the
> hostname. The triggering condition is having an invalid UTF-8 sequence at
> the beginning of the hostname or username.
> For the username, we will have to byte_jump the hostname and match the regex
> in the username.
> alert udp $EXTERNAL_NET any -> $HOME_NET 50001 (msg:"ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160)"; isdataat:16; content:"|3e d1|"; depth:2; byte_test:4,<,16,11,relative,big; reference:url,devel0pment.de/?p=1881; classtype:attempted-user; sid:9010995; rev:1; metadata:created_at 2020_06_16, updated_at 2020_06_16;)
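The checks described in the quoted message (magic bytes, big-endian hostname length, invalid UTF-8 at the start of the hostname or username), written out as a packet inspector. This is an added example, not code from the thread or from Emerging Threats. The offsets are taken from the posted rule; the 4-byte length prefix on the username is an assumption, and the frames produced by the hypothetical `build` helper are constructed, not captured AnyDesk traffic.

```python
import struct

MAGIC = b"\x3e\xd1"      # content:"|3e d1|"; depth:2 in the posted rule
HOST_LEN_OFF = 2 + 11    # byte_test offset 11, relative to the end of the magic
MAX_HOST_LEN = 16        # byte_test:4,<,16 in the posted rule


def invalid_utf8_at_start(field: bytes) -> bool:
    """True when the first character of field is not well-formed UTF-8."""
    try:
        field[:4].decode("utf-8")  # 4 bytes is the longest UTF-8 sequence
    except UnicodeDecodeError as err:
        return err.start == 0      # a later error is only our 4-byte cut
    return False


def read_field(pkt: bytes, off: int):
    """Read a 4-byte big-endian length and the bytes it covers.

    Returns (declared_length, field_bytes, next_offset), or None if the
    length prefix itself does not fit in the packet.
    """
    if off + 4 > len(pkt):
        return None
    (n,) = struct.unpack_from(">I", pkt, off)
    return n, pkt[off + 4:off + 4 + n], off + 4 + n


def inspect(pkt: bytes) -> list:
    """Return the names of the fields that begin with invalid UTF-8."""
    if not pkt.startswith(MAGIC):
        return []
    host = read_field(pkt, HOST_LEN_OFF)
    if host is None or host[0] >= MAX_HOST_LEN:
        return []                    # same gate as the rule's byte_test
    hits = ["hostname"] if invalid_utf8_at_start(host[1]) else []
    # Equivalent of byte_jump: skip the hostname to reach the username.
    user = read_field(pkt, host[2])  # assumption: username uses the same prefix
    if user is not None and invalid_utf8_at_start(user[1]):
        hits.append("username")
    return hits


def build(host: bytes, user: bytes) -> bytes:
    """Constructed frame for testing; the 11 filler bytes are placeholders."""
    return (MAGIC + b"\x00" * 11 + struct.pack(">I", len(host)) + host
            + struct.pack(">I", len(user)) + user)
```

Valid multi-byte names such as `"bürö"` pass, because only a decode error at offset 0 of the field counts as a hit.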