From d44a5197d9855ab9d01ad7665ea840cf545883d7 Mon Sep 17 00:00:00 2001
From: vittring
Date: Sun, 3 Apr 2022 02:29:45 -0400
Subject: [PATCH 1/2] Create CVE-2022-0847.yar
---
 cve_rules/CVE-2022-0847.yar | 44 +++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 cve_rules/CVE-2022-0847.yar
diff --git a/cve_rules/CVE-2022-0847.yar b/cve_rules/CVE-2022-0847.yar
new file mode 100644
index 00000000..e7252c88
--- /dev/null
+++ b/cve_rules/CVE-2022-0847.yar
@@ -0,0 +1,44 @@
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
+ and open to any user or organization, as long as you use it under this license.
+
+ Author: Max Kellerman
+ Date: 2022-02-19
+ Identifier: Dirty Pipe PoC
+*/
+
+/* Super Rule ------------------------------------------------------------- */
+
+rule DirtyPipez_CVE_2022_0847
+ meta:
+ description = "Exploit Sample DirtyPipe CVE-2022-0847"
+ author = "Max Kellerman"
+ eference = "https://dirtypipe[.]cm4all[.]com/"
+ date = "2022-02-19"
+ vuln_type = "Local Privilege Escalation (DirtyCow reloaded?)"
+ vuln_impact = "SUID binary hijack"
+ affected_versions = "Linux kernel >5.15 <5.15.25 >=5.16 <5.16.11"
+ report = "https://dirtypipe[.]cm4all[.]com/"
+ hash1 = "8ced0e276f4cbe52ddac086b0a902e63970edc1a3ef22ba9dfc7150d8052bcf7"
+ hash2 = "49561b607ebee157831f4eb55be9893165cf522c71a92c1b80aacc8262489f14"
+
+/* Automatically generated by yarGen -------------------------------------- */
+ strings:
+ $s1 = "prepare_pipe" fullword ascii
+ $s2 = "pipe@GLIBC_2.2.5" fullword ascii
+ $s3 = "splice failed" fullword ascii
+ $s4 = "_IO_stdin_used" fullword ascii
+ $s5 = ".note.ABI-tag" fullword ascii
+ $s6 = "__stack_chk_fail@GLIBC_2.4" fullword ascii
+ $s7 = ".eh_frame_hdr" fullword ascii
+ $s8 = "__FRAME_END__" fullword ascii
+ $s9 = "__frame_dummy_init_array_entry" fullword ascii
+ $s10 = "read@GLIBC_2.2.5" fullword ascii
+ $s11 = "__GNU_EH_FRAME_HDR" fullword ascii
+ $s12 = "short splice" fullword ascii
+ $s13 = "__libc_start_main" fullword ascii
+ $s14 = "__do_global_dtors_aux_fini_array_entry" fullword ascii
+ $s15 = "buffer.0" fullword ascii
+ condition:
+ uint16(0) == 0x457f and ( 8 of them ) or ( all of them )
+
From 8f87e0a2bb6a677a5865888c6c10d9b90ffe9d3e Mon Sep 17 00:00:00 2001
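Review bot: The condition `uint16(0) == 0x457f and ( 8 of them ) or ( all of them )` added at the end of the new rule is likely to fire on ordinary Linux executables rather than only on the PoC: `and` binds tighter than `or`, so `all of them` is evaluated without the ELF-magic check, and $s4–$s9, $s11, $s13 and $s14 are generic glibc/ELF section and symbol names that most unstripped gcc-built binaries carry, which by themselves satisfy `8 of them`. Only $s1, $s3, $s12 and $s15 look specific to this exploit sample. A tighter condition keeps the generic strings as supporting evidence but insists on the specific ones, e.g. `uint16(0) == 0x457f and filesize < 1MB and 2 of ($s1, $s3, $s12, $s15) and 8 of them`. The `author` meta names the vulnerability's discoverer while the comment says the strings were produced by yarGen; if the rule was not in fact written by that person, a separate meta field naming the rule author would avoid misattribution.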
From: 0xArchitect
Date: Tue, 12 Apr 2022 22:40:04 +0000
Subject: [PATCH 2/2] Update CVE-2022-0847.yar
## Changes
- Forgot curly braces.
---
 cve_rules/CVE-2022-0847.yar | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/cve_rules/CVE-2022-0847.yar b/cve_rules/CVE-2022-0847.yar
index e7252c88..af7ea71f 100644
--- a/cve_rules/CVE-2022-0847.yar
+++ b/cve_rules/CVE-2022-0847.yar
@@ -10,18 +10,20 @@
 /* Super Rule ------------------------------------------------------------- */
 rule DirtyPipez_CVE_2022_0847
+{
 meta:
 description = "Exploit Sample DirtyPipe CVE-2022-0847"
 author = "Max Kellerman"
- eference = "https://dirtypipe[.]cm4all[.]com/"
+ eference = "hxxps[://]dirtypipe[.]cm4all[.]com/"
 date = "2022-02-19"
 vuln_type = "Local Privilege Escalation (DirtyCow reloaded?)"
 vuln_impact = "SUID binary hijack"
 affected_versions = "Linux kernel >5.15 <5.15.25 >=5.16 <5.16.11"
- report = "https://dirtypipe[.]cm4all[.]com/"
+ report = "hxxps[://]dirtypipe[.]cm4all[.]com/"
 hash1 = "8ced0e276f4cbe52ddac086b0a902e63970edc1a3ef22ba9dfc7150d8052bcf7"
 hash2 = "49561b607ebee157831f4eb55be9893165cf522c71a92c1b80aacc8262489f14"
+
 /* Automatically generated by yarGen -------------------------------------- */
 strings:
 $s1 = "prepare_pipe" fullword ascii
@@ -41,4 +43,4 @@ rule DirtyPipez_CVE_2022_0847
 $s15 = "buffer.0" fullword ascii
 condition:
 uint16(0) == 0x457f and ( 8 of them ) or ( all of them )
-
+}
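Review bot: The `eference = "hxxps[://]dirtypipe[.]cm4all[.]com/"` line in the first hunk rewrites the URL but keeps the misspelled meta key; since the line is already being changed, it should become `reference = "hxxps[://]dirtypipe[.]cm4all[.]com/"` so tooling that reads the standard `reference` field picks it up. Defanging the two meta URLs is a readability choice rather than a matching concern, because YARA never scans meta values; the plain `https://` form is easier for an analyst to follow, but either is acceptable. The added `{` and the closing `}` in the second hunk are what make the rule parse at all, so it would be worth running `yarac` on the file before merging to confirm the whole ruleset compiles.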