CVE-2017-6920 Exploitation Attempt

Detects attempts to exploit a remote code execution vulnerability in Drupal caused by the PECL YAML parser not handling PHP objects safely.

Sigma rule

```yaml
title: CVE-2017-6920 Exploitation Attempt
id: 341b63a7-7c69-4a6e-ba43-fda37a43c021
status: experimental
description: Detecting a Remote Code Execution vulnerability due to the PECL YAML parser not handling PHP objects safely
author: Loginsoft Research Unit
references:
    - https://paper.seebug.org/334/
date: 2020/08/17
logsource:
  product: drupal
  category: application
detection:
    keywords:
        # vulnerable error messages
        - 'Argument 2 passed to * must be of the type array, object given, called in /var/www/html/core/modules/config/src/Form/ConfigSingleImportForm.php'
        # fixed error messages
        - 'Argument 2 passed to * must be of the type array, string given, called in /var/www/html/core/modules/config/src/Form/ConfigSingleImportForm.php'
    condition: keywords
falsepositives:
  - Unknown
level: critical
```
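An added example (not part of the Sigma rule or its project's tooling): a Python sketch that applies the rule's two keywords to log lines and reports which message variant matched, following the rule's own "vulnerable" and "fixed" comments. It assumes Sigma keyword semantics of a case-insensitive substring match with `*` as a wildcard; the sample lines and the `Example\Importer::load()` callee are constructed placeholders.

```python
import re

# Keyword strings copied from the rule above ('*' is the Sigma wildcard).
_TAIL = ", called in /var/www/html/core/modules/config/src/Form/ConfigSingleImportForm.php"
KEYWORDS = {
    "vulnerable": "Argument 2 passed to * must be of the type array, object given" + _TAIL,
    "fixed": "Argument 2 passed to * must be of the type array, string given" + _TAIL,
}


def keyword_to_regex(keyword):
    """Turn a Sigma keyword into a case-insensitive 'contains' regex."""
    literal_parts = (re.escape(part) for part in keyword.split("*"))
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


PATTERNS = {label: keyword_to_regex(kw) for label, kw in KEYWORDS.items()}


def classify(line):
    """Return 'vulnerable', 'fixed', or None for a single log line."""
    for label, pattern in PATTERNS.items():
        if pattern.search(line):
            return label
    return None


def scan(lines):
    """Return (line_number, label) for every line the rule would flag."""
    labelled = ((n, classify(line)) for n, line in enumerate(lines, start=1))
    return [(n, label) for n, label in labelled if label]


# Constructed sample log; callee name and line number are placeholders.
_CALL = "[php] TypeError: Argument 2 passed to Example\\Importer::load() must be of the type array, "
_FORM = "core/modules/config/src/Form/ConfigSingleImportForm.php on line 0"
SAMPLE_LOG = [
    "[php] Notice: cron run completed",
    _CALL + "object given, called in /var/www/html/" + _FORM,
    _CALL + "string given, called in /var/www/html/" + _FORM,
    _CALL + "object given, called in /srv/drupal/web/" + _FORM,  # different docroot
]

if __name__ == "__main__":
    for number, label in scan(SAMPLE_LOG):
        print(f"line {number}: matched the '{label}' message variant")
```

The fourth sample line is not flagged because the rule hardcodes the `/var/www/html` docroot, so a Drupal installation under another path needs the keywords adjusted before the rule can fire.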
