
Detecting CVE-2022-23270 in PPTP

This month, Microsoft announced a vulnerability in PPTP, a part of the VPN remote access services on Windows systems that runs on port 1723/tcp. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof of concept exploit for this vulnerability and wrote a Zeek®-based detection for it. 

The PoC exploit sends numerous EchoRequests to port 1723/tcp on the victim server, address 172.16.0.157 in this example:

[Screenshot: Wireshark capture of the EchoRequests sent to 172.16.0.157 on port 1723/tcp]

Upon receiving the EchoRequests, if the victim machine is not exploited, the PPTP server replies with a TCP RST (reset) packet. If it is exploited, it does not reply at all, and the machine reboots.

Based on the information above, Corelight Labs wrote signatures to detect large numbers of EchoRequests. When a signature hits, the function named “CVE202223270::match” raises a Notice (CVE_2022_23270_Attempt) and also marks the connection as containing the signature so that this information can be used later. Next, when Zeek indicates it is discarding the connection via a “connection_state_remove” event, the detection logic checks whether the connection was (1) marked as an attempted exploit and (2) never finished. A connection that does not finish is signified in Zeek’s “conn_state” as “S1”, so if the “conn_state” is “S1”, Zeek raises another Notice (CVE_2022_23270_Success) indicating that the exploit attempt was successful.

An example output of this package is:

$ zeek -Cr CVE-2022-23270-exploited.pcap packages
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-05-10-23-03-47
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1652212222.744235 CHhAvVGS1DHFjwGM9 192.168.88.166 51143 192.168.88.157 1723 - - - tcp CVE202223270::CVE_2022_23270_Attempt Potential PPTP CVE-2022-23270 exploit attempt: 192.168.88.166 attempted exploit against 192.168.88.157 - 192.168.88.166 192.168.88.157 1723 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1652212222.744235 CHhAvVGS1DHFjwGM9 192.168.88.166 51143 192.168.88.157 1723 - - - tcp CVE202223270::CVE_2022_23270_Success PPTP CVE-2022-23270 exploit success: 192.168.88.166 exploited 192.168.88.157 - 192.168.88.166 192.168.88.157 1723 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-05-10-23-03-47

You can install the CVE-2022-23270 detection package from: https://github.com/corelight/CVE-2022-23270-PPTP.
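To make the two-stage logic described above concrete, here is an added Zeek script plus signature file written for this article. It is not the code from the corelight/CVE-2022-23270-PPTP package; the file names, the signature id pptp_echo_request_burst, the threshold of 20 consecutive Echo-Requests, and the connection record field cve_2022_23270_attempt are all assumptions made for the example. The byte layout of a PPTP Echo-Request (16-byte control message, magic cookie 0x1A2B3C4D, control message type 5) follows RFC 2637. Stage one fires the Attempt notice from signature_match and flags the connection; stage two, at connection_state_remove, raises the Success notice only if the flagged connection ended in conn_state S1 (established, never torn down), which is the signal the page uses to distinguish a server that stopped answering from one that replied with a RST.

```zeek
# ---- file: pptp-echo.sig (hypothetical name) ----
# signature pptp_echo_request_burst {
#     ip-proto == tcp
#     dst-port == 1723
#     tcp-state originator
#     # One Echo-Request: length 0x0010, message type 1 (control),
#     # magic cookie 0x1A2B3C4D, control type 5, then 6 bytes
#     # (reserved + identifier). Twenty in a row is the assumed threshold.
#     payload /(\x00\x10\x00\x01\x1a\x2b\x3c\x4d\x00\x05[\x00-\xff]{6}){20}/
#     event "PPTP Echo-Request burst"
# }

# ---- file: cve-2022-23270-pptp.zeek (hypothetical name) ----
@load base/frameworks/notice
@load base/protocols/conn
@load-sigs ./pptp-echo.sig

module CVE202223270;

export {
    redef enum Notice::Type += {
        ## A burst of PPTP Echo-Requests matched the signature.
        CVE_2022_23270_Attempt,
        ## The flagged connection was removed while still in state S1
        ## (established, never terminated): the server stopped answering.
        CVE_2022_23270_Success,
    };
}

# Per-connection flag set in stage one and checked in stage two
# (assumed field name, not the package's own).
redef record connection += {
    cve_2022_23270_attempt: bool &default=F;
};

# Stage one: the signature hit. Raise the Attempt notice and mark the
# connection so the state check at removal time can find it.
event signature_match(state: signature_state, msg: string, data: string)
{
    if ( state$sig_id != "pptp_echo_request_burst" )
        return;

    local c = state$conn;
    c$cve_2022_23270_attempt = T;

    NOTICE([$note=CVE_2022_23270_Attempt,
            $conn=c,
            $msg=fmt("Potential PPTP CVE-2022-23270 exploit attempt: %s attempted exploit against %s",
                     c$id$orig_h, c$id$resp_h),
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
}

# Stage two: Zeek is discarding the connection. Conn's own handler runs at
# priority 5 and fills in c$conn$conn_state, so this default-priority
# handler sees the final state. S1 means the handshake completed but the
# connection was never closed or reset, i.e. the server went silent.
event connection_state_remove(c: connection)
{
    if ( ! c$cve_2022_23270_attempt || ! c?$conn )
        return;

    if ( c$conn$conn_state == "S1" )
        NOTICE([$note=CVE_2022_23270_Success,
                $conn=c,
                $msg=fmt("PPTP CVE-2022-23270 exploit success: %s exploited %s",
                         c$id$orig_h, c$id$resp_h),
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
}
```

Run it against a capture with zeek -Cr capture.pcap cve-2022-23270-pptp.zeek and inspect notice.log; the $identifier field drives the Notice framework's default one-hour suppression, which is the 3600.000000 suppress_for value visible in the sample output above. A server that is still healthy answers the burst with a RST, leaving conn_state as RSTR rather than S1, so only the Attempt notice is raised for that connection.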

By Corelight Labs Team
