[Snort-sigs] CVE-2018-7171 and CVE-2018-9148

Y M snort at outlook.com
Tue Apr 3 09:17:02 EDT 2018


Hi,


The rules below are for the TwonkyMedia server, which inherently affects WD MyCloud. No pcaps are available for this one.


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER TwonkyMedia directory traversal precursor attempt"; flow:to_server,established; content:"POST"; http_method; content:"/rpc/set_all"; fast_pattern:only; http_uri; content:"contentdir=/../"; http_client_body; metadata:ruleset community, service http; reference:cve,2018-7171; reference:cve,2018-9148; reference:url,www.exploit-db.com/exploits/44350/; classtype:trojan-activity; sid:9000051; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER TwonkyMedia directory traversal attempt"; flow:to_server,established; content:"GET"; http_method; content:"/rpc/dir?path=/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2018-7171; reference:cve,2018-9148; reference:url,www.exploit-db.com/exploits/44350/; classtype:trojan-activity; sid:9000052; rev:1;)


Thanks and sorry for the noise.

YM
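
With no pcaps available, the content matches of the two rules can be sanity-checked offline. The script below is an added example, not part of the original post: it parses the content options from the rules and evaluates them against constructed requests. It assumes plain case-sensitive substring matching and does not model Snort's HTTP normalization, flow state or fast-pattern matcher; the host name and sample bodies are constructed.

```python
import re

# Content options copied from the two rules in the post (other options omitted).
RULES = {
    9000051: 'content:"POST"; http_method; content:"/rpc/set_all"; fast_pattern:only; '
             'http_uri; content:"contentdir=/../"; http_client_body;',
    9000052: 'content:"GET"; http_method; content:"/rpc/dir?path=/"; fast_pattern:only; http_uri;',
}
BUFFERS = {"http_method", "http_uri", "http_client_body"}

def parse_contents(options):
    """Return (pattern, buffer) pairs; a buffer modifier binds to the preceding content."""
    pairs = []
    for opt in (o.strip() for o in options.split(";") if o.strip()):
        m = re.fullmatch(r'content:"(.*)"', opt)
        if m:
            pairs.append([m.group(1), None])
        elif opt in BUFFERS and pairs:
            pairs[-1][1] = opt
    return [tuple(p) for p in pairs]

def http_buffers(raw):
    """Split a raw HTTP/1.x request into the three buffers these rules inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _ = head.split(b"\r\n")[0].split(b" ", 2)
    return {"http_method": method, "http_uri": uri, "http_client_body": body}

def matching_sids(raw):
    """Sids whose content options all match; unmodified contents fall back to the raw payload."""
    bufs = http_buffers(raw)
    return sorted(sid for sid, opts in RULES.items()
                  if all(pat.encode() in bufs.get(buf, raw) for pat, buf in parse_contents(opts)))

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "set_all, traversal body": b"POST /rpc/set_all HTTP/1.1\r\nHost: nas.example\r\n\r\ncontentdir=/../",
    "set_all, other body": b"POST /rpc/set_all HTTP/1.1\r\nHost: nas.example\r\n\r\ncontentdir=/shares",
    # sid 9000052 keys only on method and URI, so any such GET matches.
    "dir listing": b"GET /rpc/dir?path=/ HTTP/1.1\r\nHost: nas.example\r\n\r\n",
    "unrelated": b"GET /index.html HTTP/1.1\r\nHost: nas.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {matching_sids(raw)}")
```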
