Sneed-Reactivity/yara-Neo23x0/vul_cve_2020_0688.yar


rule VUL_Exchange_CVE_2020_0688 {
   meta:
      description = "Detects static validation key used by Exchange server in web.config"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys"
      date = "2020-02-26"
      score = 60
      id = "1065f297-0dc4-5dcb-b0f3-c89d06ff5e69"
   strings:
      $h1 = "<?xml "
      $x1 = "<machineKey validationKey=\"CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\"" ascii wide
   condition:
      filesize <= 300KB and $h1 at 0 and $x1
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule VUL_Exchange_CVE_2020_0688 {`
			`meta:`
			`description = "Detects static validation key used by Exchange server in web.config"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys"`
			`date = "2020-02-26"`
			`score = 60`
			`id = "1065f297-0dc4-5dcb-b0f3-c89d06ff5e69"`
			`strings:`
			`$h1 = "<?xml "`
			`$x1 = "<machineKey validationKey=\"CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\"" ascii wide`
			`condition:`
			`filesize <= 300KB and $h1 at 0 and $x1`
			`}`