Related vulnerability
Title:
Microsoft Windows Network File System input validation error vulnerability
(CVE-2022-26937)
Description: Microsoft Windows Network File System is a file-sharing solution from Microsoft (USA) that lets you transfer files between computers running Windows Server and UNIX operating systems using the NFS protocol. Microsoft Windows Network File System has an input validation error vulnerability. The following products and versions are affected: Windows Server 2019, Windows Server 2019 (Server Core installation), Windows
Description
A Zeek package to detect CVE-2022-26937, a vulnerability in the Network Lock Manager (NLM) protocol in Windows NFS server.
Introduction
# CVE-2022-26937
A package to detect CVE-2022-26937, a vulnerability in Microsoft's NFS implementation.
## Example
You can run this logic on the included PCAP in the `testing/Traces` directory:
```
$ zeek -Cr CVE-2022-26937-exploited.pcap ~/Source/CVE-2022-26937/scripts/__load__.zeek
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-05-11-16-42-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1652285129.626881 Ci4lmM2HkJESnOzn6g fe80::88d1:4bb:492e:b104 49798 fe80::1550:7290:1622:4dce 111 - - - tcp CVE202226937::CVE_2022_26937_Attempt Potential NFS CVE-2022-26937 exploit attempt: fe80::1550:7290:1622:4dce attempted exploit against fe80::88d1:4bb:492e:b104 - fe80::88d1:4bb:492e:b104 fe80::1550:7290:1622:4dce 111 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-05-11-16-42-00
```
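A triage helper for the `notice.log` shown above, added here as an example and not part of the Zeek package: it parses the Zeek ASCII log according to its own `#separator`/`#fields`/`#unset_field`/`#empty_field` header and keeps only the `CVE202226937::CVE_2022_26937_Attempt` notices. The sample log is constructed from the single record above, re-joined with tabs.

```python
from typing import Dict, List, Optional

# Constructed sample: the one record from the notice.log shown in the README above, re-joined
# with tabs (Zeek's ASCII writer separates fields with \x09, which the page rendered as spaces).
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto "
          "note msg sub src dst p n peer_descr actions email_dest suppress_for "
          "remote_location.country_code remote_location.region remote_location.city "
          "remote_location.latitude remote_location.longitude").split()
RECORD = ["1652285129.626881", "Ci4lmM2HkJESnOzn6g", "fe80::88d1:4bb:492e:b104", "49798",
          "fe80::1550:7290:1622:4dce", "111", "-", "-", "-", "tcp",
          "CVE202226937::CVE_2022_26937_Attempt",
          "Potential NFS CVE-2022-26937 exploit attempt: fe80::1550:7290:1622:4dce "
          "attempted exploit against fe80::88d1:4bb:492e:b104",
          "-", "fe80::88d1:4bb:492e:b104", "fe80::1550:7290:1622:4dce", "111", "-", "-",
          "Notice::ACTION_LOG", "(empty)", "3600.000000", "-", "-", "-", "-", "-"]
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
    "#path\tnotice", "#open\t2022-05-11-16-42-00", "#fields\t" + "\t".join(FIELDS),
    "\t".join(RECORD), "#close\t2022-05-11-16-42-00"])

Record = Dict[str, Optional[str]]

def parse_zeek_log(text: str) -> List[Record]:
    """Parse a Zeek ASCII log, honouring its #separator/#fields/#unset_field/#empty_field header.
    Unset fields become None and empty fields become '' so callers can tell the two apart."""
    sep, unset, empty, fields, records = "\t", "-", "(empty)", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator is written as an escape sequence, e.g. "\x09" for a tab.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            elif key == "fields":
                fields = val.split(sep)
        elif line:
            cols = line.split(sep)
            if len(cols) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
            records.append({f: None if v == unset else "" if v == empty else v
                            for f, v in zip(fields, cols)})
    return records

def cve_2022_26937_attempts(text: str) -> List[Record]:
    """Keep only the notices this package raises, matched on the note type from the log above."""
    return [r for r in parse_zeek_log(text) if r["note"] == "CVE202226937::CVE_2022_26937_Attempt"]
```

Feed it the real `notice.log` from a Zeek run (`cve_2022_26937_attempts(open("notice.log").read())`) to pull out the src/dst/port tuples worth escalating; the unset/empty distinction matters because `fuid` is unset while `email_dest` is an empty set.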
File snapshot
[4.0K] /data/pocs/66cb71fa9787f240e46a758d93e3d347e03db691
├── [ 49] COPYING
├── [1.5K] LICENSE
├── [1.3K] README.md
├── [4.0K] scripts
│ ├── [ 41] __load__.zeek
│ ├── [1.0K] main.zeek
│ └── [1.4K] signatures.sig
├── [4.0K] testing
│ ├── [4.0K] Baseline
│ │ └── [4.0K] cve202226937.run-pcap
│ │ ├── [1.2K] conn.log
│ │ ├── [1.1K] notice.log
│ │ └── [ 115] output
│ ├── [ 565] btest.cfg
│ ├── [4.0K] cve202226937
│ │ └── [ 268] run-pcap.zeek
│ ├── [4.0K] Files
│ │ └── [ 192] random.seed
│ ├── [ 28] Makefile
│ ├── [4.0K] Scripts
│ │ ├── [ 383] diff-remove-timestamps
│ │ ├── [1.3K] get-zeek-env
│ │ └── [ 303] README
│ └── [4.0K] Traces
│ └── [5.8K] CVE-2022-26937-exploited.pcap
└── [ 381] zkg.meta
8 directories, 18 files
Notes
1. It is recommended to access the original source first.
2. If the source has expired or is inaccessible, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.