Sneed-Reactivity/yara-Neo23x0/vul_dell_bios_upd_driver.yar

19 lines
963 B
Text
Raw Permalink Normal View History

rule VULN_Dell_BIOS_Update_Driver_DBUtil_May21 {
meta:
description = "Detects vulnerable DELL BIOS update driver that allows privilege escalation as reported in CVE-2021-21551 - DBUtil_2_3.Sys - note: it's usual location is in the C:\\Windows\\Temp folder"
author = "Florian Roth (Nextron Systems)"
reference = "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/"
date = "2021-05-05"
score = 60
hash1 = "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5"
hash2 = "ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1"
id = "6d46866e-40fb-5fbf-b159-6bf688e638cb"
strings:
$s1 = "\\DBUtilDrv2" ascii
$s2 = "DBUtil_2_3.Sys" ascii fullword
$s3 = "[ Dell BIOS Utility Driver - " ascii fullword
condition:
uint16(0) == 0x5a4d and filesize < 50KB and all of them
}