[Snort-sigs] Teleopti WFM multiple vulnerabilities

Y M snort at ...3751...
Tue Feb 14 10:00:51 EST 2017


Hello,


The rules below attempt to detect multiple vulnerabilities in Teleopti WFM. Content detection was derived from vulnerability reports, so no pcaps are available.


# Request side. The body check uses depth:1 (the original within:1 is a relative modifier, and there is no previous match in the client body buffer to be relative to).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP Teleopti WFM remote authenticated database information disclosure attempt"; flow:to_server,established; content:"POST"; http_method; content:"/TeleoptiWFM/Administration/GetOneTenant"; http_uri; fast_pattern:only; content:"Authorization|3A 20|"; http_header; content:"Cookie|3A 20|"; http_header; content:"Accept|3A 20|application/json"; http_header; content:"|22|"; depth:1; http_client_body; flowbits:set,teleopti.wfm.dbinfo; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96805; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:1000834; rev:1;)

# Response side. The absolute depth:10 modifiers are dropped: depth counts from the start of the payload, and two 10-byte strings cannot both sit in the first 10 bytes, so the original could never match. The fields are now matched anywhere in the response.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP Teleopti WFM remote authenticated database information disclosure attempt"; flow:to_client,established; flowbits:isset,teleopti.wfm.dbinfo; content:"200"; http_stat_code; content:"|22|AppDatabase|22|"; fast_pattern:only; content:"|22|UserName|22|"; content:"|22|Password|22|"; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96805; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:1000835; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP Teleopti WFM remote authenticated user information disclosure attempt"; flow:to_server,established; content:"GET"; http_method; content:"/TeleoptiWFM/Administration/Users"; http_uri; fast_pattern:only; content:"Authorization|3A 20|"; http_header; content:"Cookie|3A 20|"; http_header; content:"Accept|3A 20|application/json"; http_header; flowbits:set,teleopti.wfm.userinfo; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96806; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:1000836; rev:1;)

# Response side. depth:10 and depth:13 are dropped for the same reason as above (|22|AccessToken|22| is itself 13 bytes, so depth:13 only allowed it at offset 0). The 13-byte AccessToken string is a better fast pattern than the 6-byte Name string, so the two swap roles; the match set is unchanged.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP Teleopti WFM remote authenticated user information disclosure attempt"; flow:to_client,established; flowbits:isset,teleopti.wfm.userinfo; content:"200"; http_stat_code; content:"|22|AccessToken|22|"; fast_pattern:only; content:"|22|Name|22|"; content:"|22|Password|22|"; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96806; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:1000837; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP Teleopti WFM remote unauthenticated privilege escalation attempt"; flow:to_server,established; content:"GET"; http_method; content:"/TeleoptiWFM/Administration/AddFirstUser"; http_uri; fast_pattern:only; content:"|22|Name|22 3A|"; http_client_body; content:"|22|Password|22 3A|"; http_client_body; content:"|22|ConfirmPassword|22 3A|"; http_client_body; content:!"Authorization"; http_header; flowbits:set,teleopti.wfm.admin; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96807; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-admin; sid:1000838; rev:1;)

# Response side. msg aligned with the request rule ("privilege escalation attempt"). depth:41 is dropped: the Message string is exactly 41 bytes, so it was only allowed at payload offset 0, which a JSON object opening with "{" never satisfies. The longer Message string is used as the fast pattern.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP Teleopti WFM remote unauthenticated privilege escalation attempt"; flow:to_client,established; flowbits:isset,teleopti.wfm.admin; content:"200"; http_stat_code; content:"|22|Message|22 3A 22|Update the user successfully.|22|"; fast_pattern:only; content:"|22|Success|22 3A|true"; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96807; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-admin; sid:1000839; rev:1;)


Thank you.

YM
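Since no pcaps exist for these rules, one way to exercise them is to synthesize a capture from the rules' own content strings and replay it with snort -r. The script below is an added example and is not part of the original post or of Teleopti's software: it writes a pcap holding a complete TCP handshake, one GetOneTenant request and one 200 response whose headers and bodies are constructed to contain the strings sids 1000834 and 1000835 look for. The IP addresses, ports, MAC addresses, header values and JSON bodies are all made up; in particular the response body is not the product's real format, only a carrier for the matched strings.

```python
"""Synthesize a pcap that exercises the GetOneTenant request/response rules.

Added example (not from the original post): the HTTP messages below are
constructed to carry the strings the rules match on; they are not captured
from, and do not claim to reproduce, real Teleopti WFM traffic.
"""
import struct

# Constructed endpoints: a HOME_NET web server and an EXTERNAL_NET client.
SERVER_IP, SERVER_PORT = "10.0.0.1", 80
CLIENT_IP, CLIENT_PORT = "203.0.113.5", 40000
SYN, ACK, PSH = 0x02, 0x10, 0x08


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ones_complement_sum(data):
    """RFC 1071 checksum; yields 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with correct IP and TCP checksums (MACs are arbitrary)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + ip + tcp


def checksums_ok(f):
    """True if both the IP header checksum and the TCP segment checksum verify."""
    ip, tcp = f[14:34], f[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(ip) == 0 and ones_complement_sum(pseudo + tcp) == 0


def http_message(start_line, headers, body=b""):
    """HTTP/1.1 message with CRLF line ends and a Content-Length for the body."""
    lines = [start_line] + headers + ["Content-Length: %d" % len(body)]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def tcp_session(request, response):
    """Three-way handshake, one request, one response: the minimum flow:established needs."""
    c, s = 1000, 5000  # arbitrary initial sequence numbers

    def to_srv(seq, ack, fl, data=b""):
        return frame(CLIENT_IP, CLIENT_PORT, SERVER_IP, SERVER_PORT, seq, ack, fl, data)

    def to_cli(seq, ack, fl, data=b""):
        return frame(SERVER_IP, SERVER_PORT, CLIENT_IP, CLIENT_PORT, seq, ack, fl, data)

    return [
        to_srv(c, 0, SYN),
        to_cli(s, c + 1, SYN | ACK),
        to_srv(c + 1, s + 1, ACK),
        to_srv(c + 1, s + 1, PSH | ACK, request),
        to_cli(s + 1, c + 1 + len(request), ACK),
        to_cli(s + 1, c + 1 + len(request), PSH | ACK, response),
        to_srv(c + 1 + len(request), s + 1 + len(response), ACK),
    ]


def pcap_bytes(frames):
    """Little-endian pcap, LINKTYPE_ETHERNET, one record per frame, one second apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1486738800 + i, 0, len(f), len(f)) + f
    return out


# Constructed messages carrying the strings sids 1000834 and 1000835 look for.
GETONETENANT_REQUEST = http_message(
    "POST /TeleoptiWFM/Administration/GetOneTenant HTTP/1.1",
    ["Host: wfm.example.test", "Authorization: Bearer AAAA", "Cookie: session=1",
     "Accept: application/json", "Content-Type: application/json"],
    b'"Teleopti WFM"',  # body begins with 0x22, as the request rule checks
)
GETONETENANT_RESPONSE = http_message(
    "HTTP/1.1 200 OK",
    ["Content-Type: application/json"],
    b'{"AppDatabase":"WFM","UserName":"sa","Password":"hunter2"}',  # invented layout
)

if __name__ == "__main__":
    with open("teleopti_getonetenant.pcap", "wb") as fh:
        fh.write(pcap_bytes(tcp_session(GETONETENANT_REQUEST, GETONETENANT_RESPONSE)))
```

Run the script, then `snort -c snort.conf -r teleopti_getonetenant.pcap -A console` with the rules loaded: the request rule is evaluated on the fourth frame and the response rule on the sixth, so whether each fires tells you directly whether the content modifiers and the flowbit hand-off behave as intended. The same tcp_session() wraps the Users and AddFirstUser messages by swapping in a different constructed request and response.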