Sneed-Reactivity/yara-Neo23x0/vul_confluence_questions_plugin_cve_2022_26138.yar

25 lines
1.1 KiB
Text
Raw Normal View History

rule VULN_Confluence_Questions_Plugin_CVE_2022_26138_Jul22_1 {
meta:
description = "Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/"
date = "2022-07-21"
score = 50
id = "1443c673-2a86-5431-876a-c8fccba52190"
strings:
$x_plain_1 = "predefined.user.password=disabled1system1user6708"
$jar_marker = "/confluence/plugins/questions/"
/* v this is the size of 204 bytes */
$jar_size_1 = { 00 CC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
/* here starts default.properties v */
?? ?? ?? ?? ?? ?? 00 64 65 66 61 75 6C 74 2E 70
72 6F 70 65 72 74 69 65 73 50 4B }
$jar_size_2 = { 00 CC 00 ?? ?? ?? ?? ?? 00 64 65 66 61 75 6C 74
2E 70 72 6F 70 65 72 74 69 65 73 }
condition:
1 of ($x*) or ( $jar_marker and 1 of ($jar_size*) )
}