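/*
 * Detection rules for GitLab CE CVE-2021-22205 (unauthenticated RCE via
 * image upload) and the ExifTool DjVu bug CVE-2021-22204 it chains into.
 * Rule 1 looks for base64-encoded Ruby fragments typically run through
 * the Rails console after exploitation; rule 2 looks for the crafted
 * DjVu file that triggers the ExifTool vulnerability.
 */

rule EXPL_GitLab_CE_RCE_CVE_2021_22205 {
   meta:
      description = "Detects signs of exploitation of GitLab CE CVE-2021-22205"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/"
      date = "2021-10-26"
      score = 70
      id = "21cc6fa7-e50d-5b8e-815d-27315ab5635d"
   strings:
      /* base64 of "User.find_by(username" — three strings per fragment
         because base64 output depends on the fragment's byte offset
         (mod 3) inside the encoded payload */
      $sa1 = "VXNlci5maW5kX2J5KHVzZXJuYW1l" ascii
      $sa2 = "VzZXIuZmluZF9ieSh1c2VybmFtZ" ascii
      $sa3 = "Vc2VyLmZpbmRfYnkodXNlcm5hbW" ascii
      /* base64 of "user.admin" (privilege change on the looked-up user) */
      $sb1 = "dXNlci5hZG1pb" ascii
      $sb2 = "VzZXIuYWRtaW" ascii
      $sb3 = "1c2VyLmFkbWlu" ascii
      /* base64 of "user.save!" (persists the change) */
      $sc1 = "dXNlci5zYXZlI" ascii
      $sc2 = "VzZXIuc2F2ZS" ascii
      $sc3 = "1c2VyLnNhdmUh" ascii
   condition:
      /* require all three fragments (any alignment each) so a lone
         "user.admin" in unrelated base64 content does not fire */
      1 of ($sa*) and 1 of ($sb*) and 1 of ($sc*)
}

rule EXPL_GitLab_CE_RCE_Malformed_JPG_CVE_2021_22204 {
   meta:
      /* typo fixed: "exploting" -> "exploiting" */
      description = "Detects malformed JPG files exploiting EXIF vulnerability CVE-2021-22204 and used in the exploitation of GitLab vulnerability CVE-2021-22205"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog"
      date = "2021-10-26"
      score = 70
      id = "3d769340-0306-596d-8783-2b37b93a5673"
   strings:
      /* ASCII "AT&TFORM": the DjVu container magic. The exploit file is a
         DjVu document regardless of the .jpg name it is uploaded under,
         which is why this is checked instead of a JPEG SOI marker. */
      $h1 = { 41 54 26 54 46 4F 52 4D }
      /* DjVu annotation chunk: "(metadata", up to 3 whitespace chars, "(",
         a 1-20 letter tag name, a space, an opening double quote and then
         a literal backslash — the escaped-quote sequence the vulnerable
         ExifTool DjVu parser mishandles */
      $sr1 = /\(metadata[\s]{0,3}\([A-Za-z]{1,20} "\\/
   condition:
      /* exploit documents are tiny; the size bound keeps the regex scan
         off large legitimate DjVu files */
      filesize < 10KB and $h1 and $sr1
}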