Add rule for CVE-2024-4577 (chainguard-dev#266)

* Add rule for CVE-2024-4577 Signed-off-by: egibs <[email protected]> * Move rule to exploit/php directory Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>
egibs · Jun 11, 2024 · aa5e95b · aa5e95b
1 parent 386dd25
commit aa5e95b
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/rules/explots/php/cve-2024-4577.yara b/rules/explots/php/cve-2024-4577.yara
@@ -0,0 +1,16 @@
+rule php_cgi_argument_injection : critical {
+  meta:
+    date = "2024-06-06"
+    description = "detect php CGI argument injections"
+    discovered_by = "Orange Tsai (@orange_8361) of DEVCORE (@d3vc0r3)"
+    exploiters = "Aliz (@AlizTheHax0r) and Sina Kheirkhah (@SinSinology) of watchTowr (@watchtowrcyber)"
+    reference = "https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en"
+    repository = "https://github.com/watchtowrlabs/CVE-2024-4577"
+    technical = "https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577"
+
+  strings:
+    $url_pattern = /\?%ADd\+allow_url_include%3d1\+(%ADd|-)[d+]\+auto_prepend_file%3dphp:\/\/input/
+
+  condition:
+    $url_pattern
+}