Detection of attempts to exploit CVE-2021-31166 (HTTP Protocol Stack vulnerability)
- Suricata rule
- Zeek Package
https://corelight.blog/2021/05/27/detecting-cve-2021-31166-http-vulnerability/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166
https://github.com/0vercl0k/CVE-2021-31166
https://www.bleepingcomputer.com/news/security/exploit-released-for-wormable-windows-http-vulnerability/
- To speed up triage, the notice's sub field carries the first 200 characters of the Accept-Encoding header value that triggered it.
- The notices below were generated with suppression turned off for demonstration purposes. By default the package suppresses repeat notices for 3600 seconds (the suppress_for column) keyed on the id.orig_h/id.resp_h tuple, so one source host hitting one server produces a single notice per hour rather than one per request.
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2021-05-18-15-57-59
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double
1621316027.006608 C5ABKx3uBT03uzsJEg 10.31.33.7 52728 10.0.0.13 80 - - - tcp CVE_2021_31166::CVE_2021_31166 Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166 The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo, ,' 10.31.33.7 10.0.0.13 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
1621316049.181915 C68JnP3zUs0En7tHS1 10.31.33.7 52733 10.0.0.13 80 - - - tcp CVE_2021_31166::CVE_2021_31166 Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166 The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo,,' 10.31.33.7 10.0.0.13 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
1621316067.175599 CjIQY93viY6dibvYsg 10.31.33.7 52739 10.0.0.13 80 - - - tcp CVE_2021_31166::CVE_2021_31166 Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166 The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo, ,' 10.31.33.7 10.0.0.13 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
1621316106.328303 CTs0sL1lgR0AId1Oag 10.31.33.7 52743 10.0.0.13 80 - - - tcp CVE_2021_31166::CVE_2021_31166 Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166 The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo, , foo' 10.31.33.7 10.0.0.13 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
#close 2021-05-18-15-57-59
```
```
05/18/2021-15:33:47.014022 [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52728 -> 10.0.0.13:80
05/18/2021-15:34:09.189560 [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52733 -> 10.0.0.13:80
05/18/2021-15:34:27.184188 [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52739 -> 10.0.0.13:80
05/18/2021-15:35:06.335232 [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52743 -> 10.0.0.13:80
```
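The following Python is an added example, not code from the Corelight package or from the original page. It reproduces the triage workflow the notes above describe: it parses a Zeek notice.log, pulls the quoted Accept-Encoding value out of the sub field, re-applies an approximation of the header check, and groups notices by the id.orig_h/id.resp_h tuple to show how many would survive the 3600 second suppression window. The header check (an empty element inside the comma-separated Accept-Encoding list, which is what all three sample values share) is inferred from the notices on this page; the package's actual matching logic is not shown here and may differ. The sample log is reconstructed from the four notices above with tab separators restored, and the regex over sub and the trailing-comma handling are assumptions.

```python
import re
from collections import OrderedDict

# Column names from the page's #fields line.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type "
          "file_desc proto note msg sub src dst p n peer_descr actions suppress_for "
          "remote_location.country_code remote_location.region remote_location.city "
          "remote_location.latitude remote_location.longitude").split()
NOTE = "CVE_2021_31166::CVE_2021_31166"
MSG = ("Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. "
       "POC https://github.com/0vercl0k/CVE-2021-31166")

def _row(ts, uid, orig_p, header_value):
    """Build one notice.log row in the page's column order (constructed data)."""
    sub = f"The ACCEPT-ENCODING Header value (max 200 chars shown) is '{header_value}'"
    cols = [ts, uid, "10.31.33.7", orig_p, "10.0.0.13", "80", "-", "-", "-", "tcp",
            NOTE, MSG, sub, "10.31.33.7", "10.0.0.13", "80", "-", "-",
            "Notice::ACTION_LOG", "3600.000000", "-", "-", "-", "-", "-"]
    assert len(cols) == len(FIELDS)
    return "\t".join(cols)

# The four notices shown on the page, reconstructed with tab separators.
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",          # Zeek writes the separator as a literal escape
    "#set_separator\t,",
    "#unset_field\t-",
    "#fields\t" + "\t".join(FIELDS),
    _row("1621316027.006608", "C5ABKx3uBT03uzsJEg", "52728", "doar-e, ftw, imo, ,"),
    _row("1621316049.181915", "C68JnP3zUs0En7tHS1", "52733", "doar-e, ftw, imo,,"),
    _row("1621316067.175599", "CjIQY93viY6dibvYsg", "52739", "doar-e, ftw, imo, ,"),
    _row("1621316106.328303", "CTs0sL1lgR0AId1Oag", "52743", "doar-e, ftw, imo, , foo"),
    "#close\t2021-05-18-15-57-59",
])

def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into dicts keyed by the #fields names; '-' -> None."""
    sep, unset, fields, rows = "\t", "-", None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            values = line.split(sep)
            if fields is None or len(values) != len(fields):
                raise ValueError(f"malformed log line: {line[:40]!r}")
            rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return rows

_SUB_RE = re.compile(r"Header value \(max 200 chars shown\) is '(.*)'$")

def extract_header_value(sub):
    """Return the quoted Accept-Encoding value from a notice's sub field, or None."""
    m = _SUB_RE.search(sub or "")
    return m.group(1) if m else None

def has_empty_encoding_token(value):
    """Approximate header check: an empty element inside the comma-separated list
    (', ,' or ',,'), as in all three values on the page. A lone trailing comma
    ('gzip,') and an empty header are not flagged (assumption, to limit noise)."""
    if not value.strip():
        return False
    tokens = [t.strip() for t in value.split(",")]
    if len(tokens) > 1 and tokens[-1] == "":
        tokens.pop()
    return "" in tokens

def triage(notice_log_text, suppress_for=3600.0):
    """Group CVE-2021-31166 notices by (id.orig_h, id.resp_h), the tuple the
    package suppresses on, count logged vs suppressed within a suppress_for
    window, and re-check every header value seen for the tuple."""
    out = OrderedDict()
    for row in parse_zeek_tsv(notice_log_text):
        if row["note"] != NOTE:
            continue
        key = (row["id.orig_h"], row["id.resp_h"])
        ts = float(row["ts"])
        rec = out.setdefault(key, {"logged": 0, "suppressed": 0, "window_start": None,
                                   "header_values": [], "all_match_check": True})
        if rec["window_start"] is None or ts - rec["window_start"] >= suppress_for:
            rec["window_start"], rec["logged"] = ts, rec["logged"] + 1
        else:
            rec["suppressed"] += 1
        value = extract_header_value(row["sub"])
        if value is not None:
            if value not in rec["header_values"]:
                rec["header_values"].append(value)
            rec["all_match_check"] &= has_empty_encoding_token(value)
    return out

if __name__ == "__main__":
    for (orig, resp), rec in triage(SAMPLE_NOTICE_LOG).items():
        print(f"{orig} -> {resp}: logged={rec['logged']} suppressed={rec['suppressed']} "
              f"values={rec['header_values']} check_ok={rec['all_match_check']}")
```

Run against the reconstructed log, the four notices collapse to one logged and three suppressed for the 10.31.33.7/10.0.0.13 tuple, which is the behaviour the suppression note describes; passing suppress_for=0.0 shows all four, matching the demonstration output above. Point it at a real notice.log from your sensor to get a per-pair summary instead of reading raw rows.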