Snort mailing list archives

Teleopti WFM multiple vulnerabilities


From: Y M <snort () outlook com>
Date: Tue, 14 Feb 2017 15:00:51 +0000

Hello,


The rules below attempt to detect multiple vulnerabilities in Teleopti WFM. Content detection was derived from 
vulnerability reports, so no pcaps are available.


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP Teleopti WFM remote authenticated database information disclosure attempt"; flow:to_server,established; content:"POST"; http_method; content:"/TeleoptiWFM/Administration/GetOneTenant"; fast_pattern:only; http_uri; content:"Authorization|3A 20|"; http_header; content:"Cookie|3A 20|"; http_header; content:"Accept|3A 20|application/json"; http_header; content:"|22|"; within:1; http_client_body; flowbits:set,teleopti.wfm.dbinfo; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96805; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:1000834; rev:1;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP Teleopti WFM remote authenticated database information disclosure attempt"; flow:to_client,established; flowbits:isset,teleopti.wfm.dbinfo; content:"200"; http_stat_code; content:"|22|AppDatabase|22|"; fast_pattern:only; content:"|22|UserName|22|"; depth:10; content:"|22|Password|22|"; depth:10; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96805; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:1000835; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP Teleopti WFM remote authenticated user information disclosure attempt"; flow:to_server,established; content:"GET"; http_method; content:"/TeleoptiWFM/Administration/Users"; fast_pattern:only; http_uri; content:"Authorization|3A 20|"; http_header; content:"Cookie|3A 20|"; http_header; content:"Accept|3A 20|application/json"; http_header; flowbits:set,teleopti.wfm.userinfo; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96806; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:1000836; rev:1;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP Teleopti WFM remote authenticated user information disclosure attempt"; flow:to_client,established; flowbits:isset,teleopti.wfm.userinfo; content:"200"; http_stat_code; content:"|22|Name|22|"; fast_pattern:only; content:"|22|Password|22|"; depth:10; content:"|22|AccessToken|22|"; depth:13; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96806; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:1000837; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER WEBAPP Teleopti WFM remote unauthenticated privilege escalation attempt"; flow:to_server,established; content:"GET"; http_method; content:"/TeleoptiWFM/Administration/AddFirstUser"; fast_pattern:only; http_uri; content:"|22|Name|22 3A|"; http_client_body; content:"|22|Password|22 3A|"; http_client_body; content:"|22|ConfirmPassword|22 3A|"; http_client_body; content:!"Authorization"; http_header; flowbits:set,teleopti.wfm.admin; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96807; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-admin; sid:1000838; rev:1;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER WEBAPP Teleopti WFM remote unauthenticated privilege escalation attempt"; flow:to_client,established; flowbits:isset,teleopti.wfm.admin; content:"200"; http_stat_code; content:"|22|Success|22 3A|true"; fast_pattern:only; content:"|22|Message|22 3A 22|Update the user successfully.|22|"; depth:41; metadata:ruleset community, http service; reference:url,vuldb.com/?id.96807; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-admin; sid:1000839; rev:1;)


Thank you.

YM
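Since the post notes that no pcaps are available, here is a generator for a synthetic one, added as an example and not code from the original post or from the Snort or Teleopti projects. It writes a well-formed TCP session (three-way handshake, one POST to the GetOneTenant URI carrying the Authorization, Cookie and Accept headers the first rule checks, and one 200 JSON response containing the AppDatabase, UserName and Password keys the second rule keys on) so both halves of the flowbit pair can be exercised on the same flow with something like `snort -c snort.conf -r teleopti_dbinfo_test.pcap -A console`. Every address, MAC, token, hostname (wfm.example.test), body value and the output file name is a constructed placeholder, not anything taken from the vulnerability reports.

```python
"""Generate a test pcap for the Teleopti WFM GetOneTenant rule pair.
All addresses, tokens and JSON bodies below are constructed placeholders,
not captured traffic; the goal is a well-formed TCP session that Snort's
stream and HTTP preprocessors will reassemble, so the request rule
(flowbits:set) and the response rule (flowbits:isset) see one flow."""
import socket
import struct

CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"   # constructed, TEST-NET ranges
CLIENT_PORT, SERVER_PORT = 49152, 80                    # 80 is in the default $HTTP_PORTS
CLIENT_MAC = bytes.fromhex("020000000001")             # constructed, locally administered
SERVER_MAC = bytes.fromhex("020000000002")
SYN, PSH, ACK = 0x02, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame (no options) with valid IP and TCP checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    seg_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, seg_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + seg_len, 1, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    src_mac, dst_mac = (CLIENT_MAC, SERVER_MAC) if src == CLIENT_IP else (SERVER_MAC, CLIENT_MAC)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def verify_frame(frame: bytes) -> bool:
    """Both checksums of a frame built above fold to zero when recomputed."""
    ip, seg = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0


def http_request(path: str, body: bytes) -> bytes:
    """Constructed POST carrying the headers the request rule checks for."""
    head = (f"POST {path} HTTP/1.1\r\nHost: wfm.example.test\r\n"
            "Authorization: Bearer TOKEN-PLACEHOLDER\r\nCookie: session=PLACEHOLDER\r\n"
            "Accept: application/json\r\nContent-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def http_response(body: bytes) -> bytes:
    """Constructed 200 response whose JSON body carries the keys the response rule looks for."""
    head = ("HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def build_session(request: bytes, response: bytes) -> list:
    """Handshake, one request, one response and the final ACK, all on a single flow."""
    c, s, cp, sp = CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT
    cseq, sseq = 1000, 5000          # constructed initial sequence numbers
    return [
        build_frame(c, s, cp, sp, cseq, 0, SYN),
        build_frame(s, c, sp, cp, sseq, cseq + 1, SYN | ACK),
        build_frame(c, s, cp, sp, cseq + 1, sseq + 1, ACK),
        build_frame(c, s, cp, sp, cseq + 1, sseq + 1, PSH | ACK, request),
        build_frame(s, c, sp, cp, sseq + 1, cseq + 1 + len(request), ACK),
        build_frame(s, c, sp, cp, sseq + 1, cseq + 1 + len(request), PSH | ACK, response),
        build_frame(c, s, cp, sp, cseq + 1 + len(request), sseq + 1 + len(response), ACK),
    ]


def write_pcap(frames: list, path: str = None) -> bytes:
    """Classic libpcap format, link type 1 (Ethernet); returns the bytes and optionally writes them."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1487084451 + i, 0, len(frame), len(frame)) + frame
    if path:
        with open(path, "wb") as fh:
            fh.write(out)
    return out


if __name__ == "__main__":
    req = http_request("/TeleoptiWFM/Administration/GetOneTenant", b'"tenant-placeholder"')
    resp = http_response(b'{"AppDatabase":"placeholder","UserName":"placeholder","Password":"placeholder"}')
    write_pcap(build_session(req, resp), "teleopti_dbinfo_test.pcap")
```

Swapping the URI and bodies gives a file for the Users and AddFirstUser pairs as well. Running the untested rules over such a file is also the quickest way to confirm whether the response-side `depth` values, which are absolute and apply to the raw payload rather than the HTTP body, actually reach the JSON keys once the response is reassembled.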