
CVE-2021-31166 PoC — HTTP Protocol Stack Remote Code Execution Vulnerability

Associated vulnerability: HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2021-31166)
Readme
# CVE-2021-31166
Detection of attempts to exploit CVE-2021-31166 (Windows HTTP Protocol Stack vulnerability), provided as:
 - a Suricata rule
 - a Zeek package

## References
https://corelight.blog/2021/05/27/detecting-cve-2021-31166-http-vulnerability/  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166  
https://github.com/0vercl0k/CVE-2021-31166  
https://www.bleepingcomputer.com/news/security/exploit-released-for-wormable-windows-http-vulnerability/  

## Notice produced by the Zeek package (example)
- To speed up triage, the `sub` field carries the first 200 characters of the offending Accept-Encoding header value.
- The notices below were generated with suppression turned off for demonstration purposes (four notices from the same host pair within 80 seconds). By default the package suppresses repeat notices for 3600 seconds per `id.orig_h`/`id.resp_h` pair.

```
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2021-05-18-15-57-59
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	string	string	string	double	double
1621316027.006608	C5ABKx3uBT03uzsJEg	10.31.33.7	52728	10.0.0.13	80	-	-	-	tcp	CVE_2021_31166::CVE_2021_31166	Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166	The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo, ,' 	10.31.33.7	10.0.0.13	80	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
1621316049.181915	C68JnP3zUs0En7tHS1	10.31.33.7	52733	10.0.0.13	80	-	-	-	tcp	CVE_2021_31166::CVE_2021_31166	Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166	The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo,,' 	10.31.33.7	10.0.0.13	80	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
1621316067.175599	CjIQY93viY6dibvYsg	10.31.33.7	52739	10.0.0.13	80	-	-	-	tcp	CVE_2021_31166::CVE_2021_31166	Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166	The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo,     ,' 	10.31.33.7	10.0.0.13	80	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
1621316106.328303	CTs0sL1lgR0AId1Oag	10.31.33.7	52743	10.0.0.13	80	-	-	-	tcp	CVE_2021_31166::CVE_2021_31166	Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166	The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo, , foo' 	10.31.33.7	10.0.0.13	80	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
#close	2021-05-18-15-57-59
```
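The example below is added here and is not code from the Corelight package or from the original README. It shows, in Python, the behaviour the notice log above documents: a request's Accept-Encoding header is inspected, the first 200 characters of the value are put into a `sub`-style message, and repeat notices from the same `id.orig_h`/`id.resp_h` pair are suppressed for 3600 seconds. The trigger heuristic is an assumption inferred from the four flagged values shown in the log (`doar-e, ftw, imo, ,` and friends): a comma-separated list containing an element that is blank once whitespace is stripped. The actual Suricata/Zeek matching logic is not on this page and is not reproduced. The sample requests are constructed, reusing the header values and timestamps from the log above.

```python
# Added example (not the Corelight package's code). The trigger heuristic is an
# ASSUMPTION inferred from the Accept-Encoding values in the notice log above:
# a comma-separated list with an element that is empty after stripping whitespace.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUPPRESS_FOR = 3600.0  # seconds, as in the suppress_for column of the notice log
SUB_MAX_CHARS = 200    # the Zeek package truncates the header value in `sub`


@dataclass
class Notice:
    ts: float
    orig_h: str
    resp_h: str
    header_value: str

    def sub(self) -> str:
        """Mimic the `sub` field wording of the notice log above."""
        return ("The ACCEPT-ENCODING Header value (max 200 chars shown) is "
                f"'{self.header_value}'")


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Minimal HTTP/1.x request header parser: lowercased name -> stripped value.
    Only the request head is examined; any body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def has_empty_element(value: str) -> bool:
    """True for a list of two or more elements where one is blank, e.g.
    'a, ,', 'a,,b', 'a,     ,'. An entirely empty header is not flagged.
    Caveat: a benign trailing comma ('gzip,') also matches this heuristic."""
    elements = value.split(",")
    return len(elements) > 1 and any(e.strip() == "" for e in elements)


class Detector:
    """Raises one Notice per suspicious request, suppressing repeats from the
    same (id.orig_h, id.resp_h) pair for `suppress_for` seconds, as the Zeek
    package does by default. Pass suppress_for=0.0 to disable suppression."""

    def __init__(self, suppress_for: float = SUPPRESS_FOR) -> None:
        self.suppress_for = suppress_for
        self._last_raised: Dict[Tuple[str, str], float] = {}

    def inspect(self, ts: float, orig_h: str, resp_h: str, raw: bytes) -> Optional[Notice]:
        value = parse_headers(raw).get("accept-encoding")
        if value is None or not has_empty_element(value):
            return None
        key = (orig_h, resp_h)
        last = self._last_raised.get(key)
        if last is not None and ts - last < self.suppress_for:
            return None                                # suppressed
        self._last_raised[key] = ts
        return Notice(ts, orig_h, resp_h, value[:SUB_MAX_CHARS])


# Constructed sample traffic: the four header values and timestamps from the
# notice log above plus one benign request, all 10.31.33.7 -> 10.0.0.13.
def _request(accept_encoding: str) -> bytes:
    return (b"GET / HTTP/1.1\r\nHost: 10.0.0.13\r\n"
            b"Accept-Encoding: " + accept_encoding.encode("latin-1") + b"\r\n\r\n")


SAMPLE_REQUESTS = [
    (1621316027.006608, _request("doar-e, ftw, imo, ,")),
    (1621316049.181915, _request("doar-e, ftw, imo,,")),
    (1621316067.175599, _request("doar-e, ftw, imo,     ,")),
    (1621316080.000000, _request("gzip, deflate, br")),       # benign
    (1621316106.328303, _request("doar-e, ftw, imo, , foo")),
]


def run(suppress_for: float = SUPPRESS_FOR) -> List[Notice]:
    """Feed the sample requests through one Detector and return raised notices."""
    det = Detector(suppress_for)
    notices: List[Notice] = []
    for ts, raw in SAMPLE_REQUESTS:
        n = det.inspect(ts, "10.31.33.7", "10.0.0.13", raw)
        if n is not None:
            notices.append(n)
    return notices


if __name__ == "__main__":
    print("suppression off:  ", [n.header_value for n in run(suppress_for=0.0)])
    print("suppression 3600s:", [n.header_value for n in run()])
```

With suppression disabled the run reproduces all four notices from the log; with the default 3600-second window only the first request from the host pair raises a notice and the other three are suppressed, which is why the log above was captured with suppression off. The heuristic deliberately errs towards flagging, so a trailing comma from a sloppy client will also match; the `sub` text exists precisely so an analyst can triage such hits quickly.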

## Alerts produced by Suricata rule (example)

```
05/18/2021-15:33:47.014022  [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52728 -> 10.0.0.13:80
05/18/2021-15:34:09.189560  [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52733 -> 10.0.0.13:80
05/18/2021-15:34:27.184188  [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52739 -> 10.0.0.13:80
05/18/2021-15:35:06.335232  [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52743 -> 10.0.0.13:80
```

