Snort mailing list archives

Re: Teleopti WFM multiple vulnerabilities


From: Tyler Montier <tmontier () sourcefire com>
Date: Tue, 14 Feb 2017 10:40:15 -0500

Yaser,

Thanks for your submission. We will review and test the rules and get back
to you when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Tue, Feb 14, 2017 at 10:00 AM, Y M <snort () outlook com> wrote:

Hello,


The rules below attempt to detect multiple vulnerabilities in Teleopti
WFM. Content detection was derived from vulnerability reports, so no pcaps
are available.


# Rules are split with backslash continuation so the mail wrapping does not break
# the URI and reference strings; Snort joins lines ending in "\".
# Request rule: the body of GetOneTenant is a JSON string, so the leading quote is
# anchored with depth:1 (within: would be relative to the previous match, which is
# in a different buffer).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP Teleopti WFM remote authenticated database information disclosure attempt"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"/TeleoptiWFM/Administration/GetOneTenant"; fast_pattern:only; http_uri; \
    content:"Authorization|3A 20|"; http_header; content:"Cookie|3A 20|"; http_header; \
    content:"Accept|3A 20|application/json"; http_header; \
    content:"|22|"; depth:1; http_client_body; \
    flowbits:set,teleopti.wfm.dbinfo; \
    metadata:ruleset community, http service; \
    reference:url,vuldb.com/?id.96805; reference:url,seclists.org/fulldisclosure/2017/Feb/13; \
    classtype:attempted-recon; sid:1000834; rev:1;)

# Response rules: the original depth values equalled the pattern lengths, which
# anchors each JSON key at payload offset 0 where the HTTP status line sits, so
# the rules could never fire; the depth modifiers are removed.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP Teleopti WFM remote authenticated database information disclosure attempt"; \
    flow:to_client,established; flowbits:isset,teleopti.wfm.dbinfo; \
    content:"200"; http_stat_code; \
    content:"|22|AppDatabase|22|"; fast_pattern:only; \
    content:"|22|UserName|22|"; content:"|22|Password|22|"; \
    metadata:ruleset community, http service; \
    reference:url,vuldb.com/?id.96805; reference:url,seclists.org/fulldisclosure/2017/Feb/13; \
    classtype:attempted-recon; sid:1000835; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP Teleopti WFM remote authenticated user information disclosure attempt"; \
    flow:to_server,established; content:"GET"; http_method; \
    content:"/TeleoptiWFM/Administration/Users"; fast_pattern:only; http_uri; \
    content:"Authorization|3A 20|"; http_header; content:"Cookie|3A 20|"; http_header; \
    content:"Accept|3A 20|application/json"; http_header; \
    flowbits:set,teleopti.wfm.userinfo; \
    metadata:ruleset community, http service; \
    reference:url,vuldb.com/?id.96806; reference:url,seclists.org/fulldisclosure/2017/Feb/13; \
    classtype:attempted-recon; sid:1000836; rev:1;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP Teleopti WFM remote authenticated user information disclosure attempt"; \
    flow:to_client,established; flowbits:isset,teleopti.wfm.userinfo; \
    content:"200"; http_stat_code; \
    content:"|22|Name|22|"; fast_pattern:only; \
    content:"|22|Password|22|"; content:"|22|AccessToken|22|"; \
    metadata:ruleset community, http service; \
    reference:url,vuldb.com/?id.96806; reference:url,seclists.org/fulldisclosure/2017/Feb/13; \
    classtype:attempted-recon; sid:1000837; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP Teleopti WFM remote unauthenticated privilege escalation attempt"; \
    flow:to_server,established; content:"GET"; http_method; \
    content:"/TeleoptiWFM/Administration/AddFirstUser"; fast_pattern:only; http_uri; \
    content:"|22|Name|22 3A|"; http_client_body; \
    content:"|22|Password|22 3A|"; http_client_body; \
    content:"|22|ConfirmPassword|22 3A|"; http_client_body; \
    content:!"Authorization"; http_header; \
    flowbits:set,teleopti.wfm.admin; \
    metadata:ruleset community, http service; \
    reference:url,vuldb.com/?id.96807; reference:url,seclists.org/fulldisclosure/2017/Feb/13; \
    classtype:attempted-admin; sid:1000838; rev:1;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP Teleopti WFM remote unauthenticated privilege escalation attempt"; \
    flow:to_client,established; flowbits:isset,teleopti.wfm.admin; \
    content:"200"; http_stat_code; \
    content:"|22|Success|22 3A|true"; fast_pattern:only; \
    content:"|22|Message|22 3A 22|Update the user successfully.|22|"; \
    metadata:ruleset community, http service; \
    reference:url,vuldb.com/?id.96807; reference:url,seclists.org/fulldisclosure/2017/Feb/13; \
    classtype:attempted-admin; sid:1000839; rev:1;)

Thank you.

YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads
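Added example, not part of either message in this thread: the submission says no pcaps exist for these vulnerabilities, so there is no way to run the rules through Snort before deployment. The stdlib-only Python script below writes a synthetic libpcap capture of one HTTP exchange (three-way handshake, request, ACK, response, ACK) and demonstrates it on the AddFirstUser request/response that the last rule pair (sid 1000838/1000839) looks for. The IP addresses (TEST-NET ranges), MACs, ports, sequence numbers, timestamps and JSON bodies are all constructed assumptions; the request uses GET because that is the method the posted rule matches on, and it carries no Authorization header so the negated header match holds. The same generator takes any request/response pair, so the other two flowbit pairs can be exercised the same way.

```python
"""Synthetic libpcap capture of one HTTP exchange, so request/response Snort
rules (flowbits pairs) can be exercised offline with `snort -r`.
Stdlib only. Every address, MAC, port, sequence number, timestamp and HTTP
payload below is constructed test data, not real Teleopti WFM traffic."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
LINKTYPE_ETHERNET = 1

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; folds to 0 over data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src, dst, payload_len, ident) -> bytes:
    """20-byte IPv4 header (DF, TTL 64, proto TCP) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000, 64, 6, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """20-byte TCP header + payload, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def http_message(start_line: bytes, headers: list, body: bytes) -> bytes:
    """Assemble an HTTP/1.1 message, deriving Content-Length from the body."""
    lines = [start_line, *headers, b"Content-Length: %d" % len(body), b""]
    return b"\r\n".join(lines) + b"\r\n" + body

def http_exchange_pcap(client, server, sport, dport, request, response) -> bytes:
    """pcap bytes: handshake, request, server ACK, response, client ACK (7 frames)."""
    cmac, smac = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    cseq, sseq = 1000, 5000  # constructed initial sequence numbers
    hops = [  # (from_client, seq, ack, flags, payload)
        (True, cseq, 0, SYN, b""),
        (False, sseq, cseq + 1, SYN | ACK, b""),
        (True, cseq + 1, sseq + 1, ACK, b""),
        (True, cseq + 1, sseq + 1, PSH | ACK, request),
        (False, sseq + 1, cseq + 1 + len(request), ACK, b""),
        (False, sseq + 1, cseq + 1 + len(request), PSH | ACK, response),
        (True, cseq + 1 + len(request), sseq + 1 + len(response), ACK, b""),
    ]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for n, (from_client, seq, ack, flags, payload) in enumerate(hops, start=1):
        src, dst, sp, dp, sm, dm = ((client, server, sport, dport, cmac, smac) if from_client
                                    else (server, client, dport, sport, smac, cmac))
        seg = tcp_segment(src, dst, sp, dp, seq, ack, flags, payload)
        frame = dm + sm + b"\x08\x00" + ipv4_header(src, dst, len(seg), n) + seg
        # constructed timestamp (Feb 2017), one millisecond per frame
        out.append(struct.pack("<IIII", 1486000000, n * 1000, len(frame), len(frame)) + frame)
    return b"".join(out)

def pcap_frames(pcap: bytes):
    """Yield the link-layer frames back out of a pcap written by http_exchange_pcap."""
    off = 24
    while off < len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def verify_frame(frame: bytes) -> bool:
    """Recompute IPv4 and TCP checksums; Snort's default checksum_mode skips bad ones."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip_hdr, tcp = ip[:ihl], ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip_hdr) == 0 and checksum(pseudo + tcp) == 0

def add_first_user_pcap() -> bytes:
    """The exchange sids 1000838/1000839 look for; method follows the posted rule (GET)."""
    request = http_message(
        b"GET /TeleoptiWFM/Administration/AddFirstUser HTTP/1.1",
        [b"Host: wfm.example.test", b"Accept: application/json",
         b"Content-Type: application/json"],  # deliberately no Authorization header
        b'{"Name":"attacker","Password":"Passw0rd!","ConfirmPassword":"Passw0rd!"}')
    response = http_message(b"HTTP/1.1 200 OK", [b"Content-Type: application/json"],
                            b'{"Success":true,"Message":"Update the user successfully."}')
    # TEST-NET addresses; assumes $HOME_NET covers 192.0.2.0/24 and $HTTP_PORTS includes 80
    return http_exchange_pcap("203.0.113.9", "192.0.2.10", 40123, 80, request, response)

if __name__ == "__main__":
    data = add_first_user_pcap()
    assert all(verify_frame(f) for f in pcap_frames(data))
    with open("teleopti_addfirstuser.pcap", "wb") as fh:
        fh.write(data)
    print("wrote %d bytes; run: snort -r teleopti_addfirstuser.pcap -c local.rules -A console" % len(data))
```

With the rules above saved in local.rules, `snort -r teleopti_addfirstuser.pcap -c local.rules -A console` should raise sid 1000838 on the request frame and sid 1000839 on the response frame; if only the first fires, the flowbit pairing or the response-side content is what to look at. The checksums are verified before writing because Snort's default checksum_mode drops packets whose IP or TCP checksum is wrong, which would silently yield no alerts at all.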
