"ET EXPLOIT Microsoft Edge Chakra - NewScObjectNoCtor InitProtoType Confusion Inbound (CVE-2019-0567)"

SID: 2033783

Revision: 2

Class Type: attempted-admin

Metadata: attack_target Client_Endpoint, created_at 2021_08_25, cve CVE_2019_0567, deployment Perimeter, signature_severity Major, tag Exploit, updated_at 2021_08_25

Reference:

  • cve, 2019-0567

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,from_server

Contents:

  • Value: "200"

  • Value: "function"

  • Value: "|20|= |7b|proto|3a|"

  • Value: "eval|28|"

Within:

PCRE: "/^\s(?P[\w-]{1,20})((?P[\w-]{1,20})\s,\s(?P[\w-]{1,20})\s,\s(?P[\w-]{1,20})).{1,300}(?P=obj1).\w+\s=\s\d+.\d+\x3b\svar\s\w+\s=\s{proto:\s(?P=tmp_obj)}\x3b\s(?P=obj1).\w+\s=\s(?P=value)\x3b.{1,300}var\s(?P=obj1)\s=\s{\w+:\s\d+.\d+\s,\s\w+:\s\d+.\d+}\x3b\sfor\s(\svar\s(?P[\w-]{1,20})\s=\s\d{1,8}\s\x3b\s(?P=counter)\s(?:<|>)\s(?:0x)?\d{2,}\s\x3b\s(?P=counter)(?:+{2}|-{2}))\s{\s(?P=func_a)((?P=obj1)\s,\s(\x22{2}|\x27{2})\s,\s(\x22{2}|\x27{2}))\x3b.{1,300}(?P=func_a)((?P=obj1)\s,\s(?P=obj1)\s,\s\d+.\d{8,}.{1,300}eval((?P=obj1)./Rs"

Special Options:

  • http_stat_code

  • file_data

  • fast_pattern
