""ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt""

SID: 2024234

Revision: 1

Class Type: web-application-attack

Metadata: affected_product HTTP_Server, attack_target Web_Server, created_at 2017_04_21, cve CVE_2016_9091, deployment Internal, performance_impact Moderate, signature_severity Major, updated_at 2017_04_21, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services

Reference:

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: 8082

Flow: to_server,established

Contents:

  • Value: "POST"

  • Value: "/report-email/send"

  • Value: "/dev-report-overview.html"

  • Value: "|3B|"

Within:

PCRE: "/\/dev-report-overview.html[^\"]*?\x3b/Pi"

Special Options:

  • nocase

  • http_method

  • nocase

  • http_uri

  • nocase

  • http_client_body

  • http_client_body

source