Using Zeek Signatures To Detect CVEs

Keith J. Jones

1

2

Why This Video?

• I’m teaching a method that can be applied to other CVEs.
• Sometimes you need to detect things that are not fully parsed by a Zeek protocol analyzer.
• I have used this method of Zeek signatures to detect several CVEs when the relevant protocol is not fully parsed by Zeek:
• https://corelight.com/blog/detecting-windows-nfs-portmap-vulnerabilities
• https://github.com/corelight/CVE-2022-24491
• https://github.com/corelight/CVE-2022-24497
• https://corelight.com/blog/detecting-cve-2022-26937-with-zeek
• https://github.com/corelight/CVE-2022-26937
• https://corelight.com/blog/detecting-cve-2022-23270-in-pptp
• https://github.com/corelight/CVE-2022-23270-PPTP
• https://corelight.com/blog/simplifying-detection-of-log4shell
• https://github.com/corelight/cve-2021-44228

3

Let’s Look At The First One On The List…

• CVE-2022-24991 - A Windows NFS Portmap Vulnerability
• Original Corelight Blog:
• https://corelight.com/blog/detecting-windows-nfs-portmap-vulnerabilities
• GitHub Repo:
• https://github.com/corelight/CVE-2022-24491
• PCAP:
• https://github.com/corelight/CVE-2022-24491/blob/master/testing/Traces/CVE-2022-24491.pcap
• This is usually the most difficult thing to get for a CVE!
• Zeek’s conn.log shows a bunch of UDP traffic.
• https://github.com/corelight/CVE-2022-24491/blob/master/testing/Baseline/cve202224491.run-pcap/conn.log
• A Portmap Set, Then A Portmap Dump

4

Wireshark Analysis

5

RPC Portmap DUMP Call

6

RPC Portmap SET Call

7

Walk Through The Code

8

9

XID

Msg Type�Call/Reply

Vers

Prog

Prog Vers

Proc (Set)

Note: You Can Pause The Video To Read This

10

Proc (Dump)

TCP Prepends 4 Length Bytes

11

main.zeek

12

main.zeek

13

That’s All!

14

15