Merge pull request #1318 from Mad-robot/patch-1

Create CVE-2021-28480.yaml

cves/2021/CVE-2021-28480.yaml

@@ -0,0 +1,31 @@
+id: CVE-2021-28480
+
+info:
+  name: Microsoft Exchange Server Remote Code Execution detection
+  author: madrobot
+  severity: critical
+  description: CVE-2021-28480 & CVE-2021-28481 received a CVSS score of 9.8 which is remarkably high. Both of these have 'Network' as attack vector, which means the attack can be executed remotely and the exploit might potentially be wormable.
+  tags: cve,cve2021,rce,exchange
+  reference: |
+      - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28480
+      - https://khonggianmang.vn/check-proxynotfound/en
+
+requests:
+  - raw:
+      - |
+        GET /ews/exchange.asmx HTTP/1.1
+        Host: {{Hostname}}
+        Authorization: NTLM TlRMTVNTUAABAAAABoIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAMAA=
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "NTLM .+"
+        part: header
+
+      - type: dsl
+        dsl:
+          - "contains(tolower(all_headers), 'www-authenticate') && status_code == 401"