Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
Sigma rule
title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
    - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
    - https://www.exploit-db.com/exploits/39161
    - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-19
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - attack.t1505.003
    - cve.2014-6287
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_search:
        cs-uri-query|contains: '?search=%00{.'
    selection_payload:
        cs-uri-query|contains:
            - 'save|' # Indication of saving a file which shouldn't be tested by vuln scanners
            - 'powershell'
            - 'cmd.exe'
            - 'cmd /c'
            - 'cmd /r'
            - 'cmd /k'
            - 'cscript'
            - 'wscript'
            - 'python'
            - 'C:\Users\Public\'
            - '%comspec%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
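The rule's two selections and its "all of" condition applied to a few constructed web-server log lines, as an added example that is not part of the rule or the SigmaHQ project. It assumes a whitespace-separated W3C-style line (date, client IP, method, request URI, status) with cs-uri-query taken as the request URI from '?' onward, and it lowercases both sides because Sigma's contains matching is case-insensitive.

```python
# Added example (not from the rule): apply the selections to constructed log lines.
# Assumption: lines are "<date> <c-ip> <cs-method> <request-uri> <sc-status>"
# and cs-uri-query is the request URI from '?' onward.

# Substrings copied from the rule; Sigma 'contains' is case-insensitive.
SELECTION_SEARCH = ["?search=%00{."]
SELECTION_PAYLOAD = [
    "save|", "powershell", "cmd.exe", "cmd /c", "cmd /r", "cmd /k",
    "cscript", "wscript", "python", "C:\\Users\\Public\\", "%comspec%",
]

def contains_any(value, needles):
    """Case-insensitive Sigma-style 'contains' over a list of needles."""
    value = value.lower()
    return any(n.lower() in value for n in needles)

def parse_line(line):
    """Extract the fields the rule needs from one log line."""
    parts = line.split()
    if len(parts) < 5:
        return None  # malformed line, skipped
    _, _, query = parts[3].partition("?")
    return {"c-ip": parts[1], "cs-uri-query": "?" + query if query else ""}

def matches_rule(event):
    """condition: all of selection_* (both selections must hit)."""
    query = event["cs-uri-query"]
    return (contains_any(query, SELECTION_SEARCH)
            and contains_any(query, SELECTION_PAYLOAD))

def scan(lines):
    """Return (c-ip, cs-uri-query) for every line the rule fires on."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is not None and matches_rule(event):
            hits.append((event["c-ip"], event["cs-uri-query"]))
    return hits

# Constructed sample lines (not real traffic); client IPs are private/documentation ranges.
SAMPLE_LOG = [
    "2022-07-19 10.0.0.5 GET /?search=report 200",
    # A search for the file name 'cmd.exe' without the macro prefix: no alert.
    "2022-07-19 10.0.0.6 GET /?search=cmd.exe 200",
    r"2022-07-19 198.51.100.7 GET /?search=%00{.save|C:\Users\Public\note.txt|x.} 200",
    # Upper-case %COMSPEC% still matches because the comparison is case-insensitive.
    "2022-07-19 198.51.100.8 GET /?search=%00{.%COMSPEC%.} 200",
]
```

`scan(SAMPLE_LOG)` returns the two lines carrying the macro prefix plus a payload keyword and nothing for the plain searches, including the one that merely searches for a file named cmd.exe.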
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Oracle WebLogic Exploit
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations