""ET WEB_CLIENT Java Web Start Command Injection (.jar)""
SID: 2011698
Revision: 6
Class Type: web-application-attack
Metadata: affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2015_04_03, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,from_server
Contents:
-
Value: "http|3a| -J-jar -J|5C 5C 5C 5C|"
-
Value: ".launch("
Within:
PCRE: "/http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\x5C\x5C[^\n]*.jar/i"
Special Options:
-
nocase
-
nocase