diff --git a/cve_rules/CVE-2022-0847.yar b/cve_rules/CVE-2022-0847.yar
new file mode 100644
index 00000000..af7ea71f
--- /dev/null
+++ b/cve_rules/CVE-2022-0847.yar
@@ -0,0 +1,46 @@
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
+ and open to any user or organization, as long as you use it under this license.
+
+ Author: Max Kellerman
+ Date: 2022-02-19
+ Identifier: Dirty Pipe PoC
+*/
+
+/* Super Rule ------------------------------------------------------------- */
+
+rule DirtyPipez_CVE_2022_0847
+{
+ meta:
+ description = "Exploit Sample DirtyPipe CVE-2022-0847"
+ author = "Max Kellerman"
+ eference = "hxxps[://]dirtypipe[.]cm4all[.]com/"
+ date = "2022-02-19"
+ vuln_type = "Local Privilege Escalation (DirtyCow reloaded?)"
+ vuln_impact = "SUID binary hijack"
+ affected_versions = "Linux kernel >5.15 <5.15.25 >=5.16 <5.16.11"
+ report = "hxxps[://]dirtypipe[.]cm4all[.]com/"
+ hash1 = "8ced0e276f4cbe52ddac086b0a902e63970edc1a3ef22ba9dfc7150d8052bcf7"
+ hash2 = "49561b607ebee157831f4eb55be9893165cf522c71a92c1b80aacc8262489f14"
+
+
+ /* Automatically generated by yarGen -------------------------------------- */
+ strings:
+ $s1 = "prepare_pipe" fullword ascii
+ $s2 = "pipe@GLIBC_2.2.5" fullword ascii
+ $s3 = "splice failed" fullword ascii
+ $s4 = "_IO_stdin_used" fullword ascii
+ $s5 = ".note.ABI-tag" fullword ascii
+ $s6 = "__stack_chk_fail@GLIBC_2.4" fullword ascii
+ $s7 = ".eh_frame_hdr" fullword ascii
+ $s8 = "__FRAME_END__" fullword ascii
+ $s9 = "__frame_dummy_init_array_entry" fullword ascii
+ $s10 = "read@GLIBC_2.2.5" fullword ascii
+ $s11 = "__GNU_EH_FRAME_HDR" fullword ascii
+ $s12 = "short splice" fullword ascii
+ $s13 = "__libc_start_main" fullword ascii
+ $s14 = "__do_global_dtors_aux_fini_array_entry" fullword ascii
+ $s15 = "buffer.0" fullword ascii
+ condition:
+ uint16(0) == 0x457f and ( 8 of them ) or ( all of them )
+}
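Review bot: The condition `uint16(0) == 0x457f and ( 8 of them ) or ( all of them )` parses as `(uint16(0) == 0x457f and 8 of them) or (all of them)` because YARA binds `and` tighter than `or`, so the `all of them` branch bypasses the ELF-magic check and is otherwise subsumed by `8 of them`. Ten of the fifteen strings ($s4–$s9, $s11, $s13, $s14 plus $s10) are ordinary section names and glibc symbols that any unstripped, dynamically linked binary calling read() carries, so `8 of them` is reachable with none of the Dirty Pipe–specific strings present; anchoring on those cuts false positives, e.g. `uint16(0) == 0x457f and 2 of ($s1, $s3, $s12) and 8 of them`. The meta key `eference` is a typo for `reference`, so tooling that reads that field will miss the link and `report` is left as the only pointer to the write-up. The author name in the header and meta should also be checked against the referenced write-up before merging.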