HTTP Protocol Stack Remote Code Execution Vulnerability.
An unauthenticated attacker can send an HTTP request whose ‘Accept-Encoding’ request header triggers a double free in the unknown-coding list that the HTTP Protocol Stack (http.sys) uses while processing packets, resulting in a kernel crash.
CVE-2022-21907 – Security Update Guide – Microsoft – HTTP Protocol Stack Remote Code Execution Vulnerability
- QRadar AQL

  ```sql
  SELECT UTF8(payload) FROM events WHERE UTF8(payload) ILIKE '%Accept-Encoding%' AND UTF8(payload) ILIKE '%&%' AND UTF8(payload) ILIKE '%, %'
  ```

- Splunk

  ```
  (c-headers="*Accept-Encoding*" c-headers="*&*" c-headers="*, *")
  ```

- Elastic Query

  ```
  (c-headers:*Accept\-Encoding* AND c-headers:*&* AND c-headers:*,\ *)
  ```

- Azure Sentinel

  ```
  Webserver | where (['c-headers'] contains 'Accept-Encoding' and ['c-headers'] matches regex '(?i).*&.*' and ['c-headers'] contains ', ')
  ```

- RegEx

  ```
  ^(?=.*Accept-Encoding)(?=.*&)(?=.*, )
  ```
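All five queries above express the same rule: the request headers must contain all three substrings `Accept-Encoding`, `&` and `, `. The following added example (not part of the original page or of any SIEM vendor's content) applies that rule over a few constructed W3C-style log lines, so the logic can be checked offline before it is deployed. The log layout and the `c-headers` field are assumptions made for the example; real IIS logging does not record request headers in this form unless configured to.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log (assumed W3C-style fields: date time c-ip cs-method cs-uri c-headers).
# The c-headers field is an assumption for this example: the raw request headers as one
# double-quoted string, mirroring the c-headers field the page's queries search.
SAMPLE_LOG = """\
2022-01-12 10:00:01 203.0.113.5 GET /index.html "Accept-Encoding: gzip, deflate, br"
2022-01-12 10:00:02 203.0.113.5 GET /api/items?a=1&b=2 "Accept-Encoding: gzip, deflate"
2022-01-12 10:00:03 198.51.100.7 GET / "Accept-Encoding: gzip, &malformed, deflate"
2022-01-12 10:00:04 198.51.100.7 GET / "Accept: */*"
"""

# The page's three conditions as lookaheads; case-insensitive, like ILIKE and KQL `contains`.
HEADER_PATTERN = re.compile(r"^(?=.*Accept-Encoding)(?=.*&)(?=.*, )", re.IGNORECASE)


def headers_match(c_headers: str) -> bool:
    """Contains-all check: 'Accept-Encoding' AND '&' AND ', ' must all occur in the header text."""
    lowered = c_headers.lower()
    return "accept-encoding" in lowered and "&" in lowered and ", " in lowered


def headers_match_regex(c_headers: str) -> bool:
    """The same rule in the lookahead-regex form the page's RegEx entry uses."""
    return HEADER_PATTERN.search(c_headers) is not None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into fields; return None for blank or malformed lines."""
    if not line.strip():
        return None
    head, sep, rest = line.partition('"')
    if not sep:
        return None  # no quoted header field present
    fields = head.split()
    if len(fields) < 5:
        return None
    return {
        "date": fields[0], "time": fields[1], "c-ip": fields[2],
        "cs-method": fields[3], "cs-uri": fields[4],
        "c-headers": rest.rstrip().rstrip('"'),
    }


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return the parsed entries (with 1-based line numbers) whose headers satisfy the rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        # Only the header field is inspected: an '&' in the query string alone is not a hit.
        if headers_match(entry["c-headers"]):
            entry["line"] = str(lineno)
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'line {hit["line"]}: {hit["c-ip"]} {hit["cs-method"]} {hit["cs-uri"]} -> {hit["c-headers"]!r}')
```

Only the third constructed line is reported: the first carries a normal `Accept-Encoding: gzip, deflate, br` with no `&`, and the second has its `&` in the URI rather than the headers. The rule is deliberately coarse, so when it is applied to a field that holds every request header, an `&` in a Referer or Cookie header alongside an ordinary Accept-Encoding value will also match; treat hits as a triage queue and confirm that the `&` and `, ` sit inside the Accept-Encoding value itself before escalating.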
Not bad.
Fascinating.
Thanks for such information.
The information gathered on this site is very important.