Sneed-Reactivity/yara-Neo23x0/exploit_gitlab_cve_2021_22205.yar


rule EXPL_GitLab_CE_RCE_CVE_2021_22205 {
   meta:
      description = "Detects signs of exploitation of GitLab CE CVE-2021-22205"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/"
      date = "2021-10-26"
      score = 70
      id = "21cc6fa7-e50d-5b8e-815d-27315ab5635d"
   strings:
      /* Every group below is one Ruby fragment in base64, given once per
         3-byte alignment offset (0, 1, 2), so the fragment is found
         wherever it falls inside an encoded blob. The stable characters
         only are kept; the boundary characters that depend on neighbouring
         bytes are omitted. All strings are plain ASCII (no wide variant). */

      /* User.find_by(username */
      $sa1 = "VXNlci5maW5kX2J5KHVzZXJuYW1l" ascii
      $sa2 = "VzZXIuZmluZF9ieSh1c2VybmFtZ" ascii
      $sa3 = "Vc2VyLmZpbmRfYnkodXNlcm5hbW" ascii

      /* user.admin */
      $sb1 = "dXNlci5hZG1pb" ascii
      $sb2 = "VzZXIuYWRtaW" ascii
      $sb3 = "1c2VyLmFkbWlu" ascii

      /* user.save! */
      $sc1 = "dXNlci5zYXZlI" ascii
      $sc2 = "VzZXIuc2F2ZS" ascii
      $sc3 = "1c2VyLnNhdmUh" ascii
   condition:
      /* One encoding of each of the three fragments is required, i.e. the
         whole lookup -> set admin -> save sequence, not a single fragment. */
      1 of ($sa*)
      and 1 of ($sb*)
      and 1 of ($sc*)
}
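rule EXPL_GitLab_CE_RCE_Malformed_JPG_CVE_2021_22204 {
   meta:
      description = "Detects malformed JPG files exploiting EXIF vulnerability CVE-2021-22204 and used in the exploitation of GitLab vulnerability CVE-2021-22205"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog"
      date = "2021-10-26"
      score = 70
      id = "3d769340-0306-596d-8783-2b37b93a5673"
   strings:
      /* ASCII "AT&TFORM" - the DjVu container magic. Despite the "JPG" in
         the rule name the files are DjVu documents carrying an image file
         name; CVE-2021-22204 is in ExifTool's DjVu handling (see reference). */
      $h1 = { 41 54 26 54 46 4F 52 4D }
      /* Opening of a DjVu annotation of the form (metadata (Tag "\ ... :
         a one-to-twenty letter tag whose string value begins with a
         backslash-escaped quote, the malformed construct described in the
         reference. Up to three whitespace characters are tolerated between
         "metadata" and the tag. */
      $sr1 = /\(metadata[\s]{0,3}\([A-Za-z]{1,20} "\\/
   condition:
      /* Both the magic and the annotation opener must be present. The size
         cap presumably keeps genuine, larger DjVu documents out of scope. */
      filesize < 10KB
      and $h1
      and $sr1
}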