25 lines
1.1 KiB
Text
25 lines
1.1 KiB
Text
|
|
||
|
rule VULN_Confluence_Questions_Plugin_CVE_2022_26138_Jul22_1 {
|
||
|
meta:
|
||
|
description = "Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/"
|
||
|
date = "2022-07-21"
|
||
|
score = 50
|
||
|
id = "1443c673-2a86-5431-876a-c8fccba52190"
|
||
|
strings:
|
||
|
$x_plain_1 = "predefined.user.password=disabled1system1user6708"
|
||
|
|
||
|
$jar_marker = "/confluence/plugins/questions/"
|
||
|
/* v this is the size of 204 bytes */
|
||
|
$jar_size_1 = { 00 CC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
|
||
|
/* here starts default.properties v */
|
||
|
?? ?? ?? ?? ?? ?? 00 64 65 66 61 75 6C 74 2E 70
|
||
|
72 6F 70 65 72 74 69 65 73 50 4B }
|
||
|
$jar_size_2 = { 00 CC 00 ?? ?? ?? ?? ?? 00 64 65 66 61 75 6C 74
|
||
|
2E 70 72 6F 70 65 72 74 69 65 73 }
|
||
|
condition:
|
||
|
1 of ($x*) or ( $jar_marker and 1 of ($jar_size*) )
|
||
|
}
|
||
|
|