-
Notifications
You must be signed in to change notification settings - Fork 6
/
cve_2019_12260.lua
49 lines (47 loc) · 1.49 KB
/
cve_2019_12260.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
--[[
-- Author: Axel Boesenach
--
-- TCP-Options Field parser for Suricata to check for CVE-2019-12260
--
-- Suricata rule keyword
-- luajit:cve_2019_12260.lua;
--
-- Suricata rule
-- alert ip any any -> any any (
-- msg:"EXPLOIT - VxWorks CVE-2019-12260 Malformed TCP-AO Detected";
-- flow:to_server;
-- flags:S;
-- luajit:cve_2019_12260.lua;
-- threshold:type limit, track by_src, count 1, seconds 3600;
-- classtype:attempted-admin;
-- reference:url,armis.com/urgent11/;
-- metadata:created_at 2019-11-06;
-- metadata:CVE 2019-12260;
-- sid:3;
-- rev:1;
-- )
--
-- The script checks for CVE-2019-12260, the packet that is checked consists of a malformed SYN packet,
-- this packet contains a TCP-AO option field with a byte value of <= 3 bytes. The TCP-AO option can be
-- set with hex value 0x29, as per RFC: https://tools.ietf.org/html/rfc5925#page-7
]]
-- Initialize the script
function init (args)
local needs = {}
needs["packet"] = tostring(true)
return needs
end
-- Try and match the condition
function match (args)
for index, data in pairs(args) do
--[[
-- The exploit is based on malforming the TCP-AO option by setting it to anything that is less than
-- or equal to 3 bytes. This can be checked by verifying that hex value 0x29 is set as an option at
-- offset 56
]]
if string.byte(data, 57) == 29 and string.byte(data, 58) < 4 then
return 1
end
end
return 0
end