[Snort-sigs] Teleopti WFM multiple vulnerabilities

Tyler Montier tmontier at ...435...
Tue Feb 14 10:40:15 EST 2017


Yaser,

Thanks for your submission. We will review and test the rules and get back
to you when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Tue, Feb 14, 2017 at 10:00 AM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> The rules below attempt to detect multiple vulnerabilities in Teleopti
> WFM. Content detection was derived from vulnerability reports, so no pcaps
> are available.
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP
> Teleopti WFM remote authenticated database information disclosure attempt";
> flow:to_server,established; content:"POST"; http_method;
> content:"/TeleoptiWFM/Administration/GetOneTenant"; fast_pattern:only;
> http_uri; content:"Authorization|3A 20|"; http_header;
> content:"Cookie|3A 20|"; http_header;
> content:"Accept|3A 20|application/json"; http_header;
> content:"|22|"; within:1; http_client_body; flowbits:set,teleopti.wfm.dbinfo;
> metadata:ruleset community, http service;
> reference:url,vuldb.com/?id.96805;
> reference:url,seclists.org/fulldisclosure/2017/Feb/13;
> classtype:attempted-recon; sid:1000834; rev:1;)
>
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP
> Teleopti WFM remote authenticated database information disclosure attempt";
> flow:to_client,established; flowbits:isset,teleopti.wfm.dbinfo;
> content:"200"; http_stat_code; content:"|22|AppDatabase|22|";
> fast_pattern:only; content:"|22|UserName|22|"; depth:10;
> content:"|22|Password|22|"; depth:10;
> metadata:ruleset community, http service;
> reference:url,vuldb.com/?id.96805;
> reference:url,seclists.org/fulldisclosure/2017/Feb/13;
> classtype:attempted-recon; sid:1000835; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP
> Teleopti WFM remote authenticated user information disclosure attempt";
> flow:to_server,established; content:"GET"; http_method;
> content:"/TeleoptiWFM/Administration/Users"; fast_pattern:only; http_uri;
> content:"Authorization|3A 20|"; http_header; content:"Cookie|3A 20|";
> http_header; content:"Accept|3A 20|application/json"; http_header;
> flowbits:set,teleopti.wfm.userinfo;
> metadata:ruleset community, http service;
> reference:url,vuldb.com/?id.96806;
> reference:url,seclists.org/fulldisclosure/2017/Feb/13;
> classtype:attempted-recon; sid:1000836; rev:1;)
>
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP
> Teleopti WFM remote authenticated user information disclosure attempt";
> flow:to_client,established; flowbits:isset,teleopti.wfm.userinfo;
> content:"200"; http_stat_code; content:"|22|Name|22|"; fast_pattern:only;
> content:"|22|Password|22|"; depth:10; content:"|22|AccessToken|22|";
> depth:13; metadata:ruleset community, http service;
> reference:url,vuldb.com/?id.96806;
> reference:url,seclists.org/fulldisclosure/2017/Feb/13;
> classtype:attempted-recon; sid:1000837; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP
> Teleopti WFM remote unauthenticated privilege escalation attempt";
> flow:to_server,established; content:"GET"; http_method;
> content:"/TeleoptiWFM/Administration/AddFirstUser"; fast_pattern:only;
> http_uri; content:"|22|Name|22 3A|"; http_client_body;
> content:"|22|Password|22 3A|"; http_client_body;
> content:"|22|ConfirmPassword|22 3A|"; http_client_body;
> content:!"Authorization"; http_header; flowbits:set,teleopti.wfm.admin;
> metadata:ruleset community, http service;
> reference:url,vuldb.com/?id.96807;
> reference:url,seclists.org/fulldisclosure/2017/Feb/13;
> classtype:attempted-admin; sid:1000838; rev:1;)
>
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP
> Teleopti WFM remote unauthenticated privilege escalation attempt";
> flow:to_client,established; flowbits:isset,teleopti.wfm.admin;
> content:"200"; http_stat_code; content:"|22|Success|22 3A|true";
> fast_pattern:only;
> content:"|22|Message|22 3A 22|Update the user successfully.|22|"; depth:41;
> metadata:ruleset community, http service;
> reference:url,vuldb.com/?id.96807;
> reference:url,seclists.org/fulldisclosure/2017/Feb/13;
> classtype:attempted-admin; sid:1000839; rev:1;)
>
> Thank you.
>
> YM
>