Last active: May 28, 2020 15:48
Modified Exim RCE rule to capture both the `<` and `+` use cases. Previously the rule only fired when "verify = recipient" had been removed from the Exim configuration. See: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"; flow:established,to_server; content:"RCPT|20|TO"; content:"|24 7b|run|7b|"; distance:0; fast_pattern; content:"|7d 7d 40|"; distance:0; content:"RCPT|20|TO|3a|"; pcre:"/^\s*\x24\x7brun\x7b[^\r\n]+\x7d{2}\x40/R"; metadata: former_category EXPLOIT; reference:url,www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt; classtype:attempted-admin; sid:2027442; rev:1; metadata:attack_target SMTP_Server, deployment Perimeter, cve 2019_10149, signature_severity Major, created_at 2019_06_07, performance_impact Low, updated_at 2019_06_07;)
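To see what the content chain and the relative pcre in this rule actually require of an RCPT TO line, here is an added Python emulation of the rule's matching steps run over constructed SMTP commands; it is not part of the gist and not Suricata itself (assumption: a simplified matcher that follows the distance:0 and /R semantics of the rule as written), and the third sample shows how the `^\s*` anchor treats a bracketed address under that emulation.

```python
import re

# Emulation of the rule's content chain (assumption: simplified, not Suricata).
# Each step is (pattern, relative). A relative step (distance:0) searches from
# the end of the previous match; an absolute step searches from offset 0 again.
CONTENT_CHAIN = [
    (b"RCPT TO", False),
    (b"${run{", True),     # content:"|24 7b|run|7b|"; distance:0
    (b"}}@", True),        # content:"|7d 7d 40|"; distance:0
    (b"RCPT TO:", False),  # content:"RCPT|20|TO|3a|" with no distance: absolute
]
# pcre:"/^\s*\x24\x7brun\x7b[^\r\n]+\x7d{2}\x40/R": the /R flag anchors the
# regex at the end of the previous content match, so '^' here means
# "immediately after 'RCPT TO:'", not "start of line".
PCRE = re.compile(rb"^\s*\$\{run\{[^\r\n]+\}\}@")

def rule_matches(payload: bytes) -> bool:
    """Return True if the emulated rule logic would fire on this SMTP payload."""
    pos = 0
    for pattern, relative in CONTENT_CHAIN:
        start = pos if relative else 0
        idx = payload.find(pattern, start)
        if idx < 0:
            return False          # any content miss ends evaluation
        pos = idx + len(pattern)  # next relative step starts here
    return PCRE.match(payload[pos:]) is not None

# Constructed sample commands (not captured traffic); the command inside
# ${run{...}} is deliberately harmless, only the envelope shape matters here.
SAMPLES = {
    "benign": b"RCPT TO:<alice@example.com>\r\n",
    "unbracketed": b"RCPT TO: ${run{/bin/true}}@localhost\r\n",
    "bracketed": b"RCPT TO:<${run{/bin/true}}@localhost>\r\n",
}

def evaluate_samples() -> dict:
    """Map each sample name to whether the emulated rule fires on it."""
    return {name: rule_matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:12s} -> {'ALERT' if hit else 'no match'}")
```

Under this emulation the unbracketed form fires and the `<`-wrapped form does not, because `<` is not matched by `\s*`; confirm the behaviour against a real Suricata instance with a pcap before relying on either outcome.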