May 26, 2022 by Corelight Labs Team
This month, Microsoft announced a vulnerability in PPTP, a part of the VPN remote access services on Windows systems that runs on port 1723/tcp. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof of concept exploit for this vulnerability and wrote a Zeek®-based detection for it.
The PoC exploit sends numerous EchoRequests to port 1723/tcp on the victim server, address 172.16.0.157 in this example:
Upon receiving the EchoRequests, if the victim machine is not exploited, the PPTP server replies with a TCP RST (reset) packet. If it is exploited, it does not reply at all, and the machine reboots.
Based on the information above, Corelight Labs wrote some signatures to detect large numbers of EchoRequests. When the signature hits, it raises a Notice (CVE_2022_23270_Attempt) in the function named “CVE202223270::match”. Here, it also marks the connection as containing the signature so that we can use this information later. Next, when Zeek indicates it’s discarding the connection via a “connection_state_remove” event, the detection logic looks for whether the connection was (1) marked as an attempted exploit, and (2) never finished. (A connection that does not finish is signified in Zeek’s “conn_state” as “S1”, so if the “conn_state” is “S1”, Zeek raises another Notice (CVE_2022_23270_Success) that the exploit attempt was successful.
An example output of this package is:
$ zeek -Cr CVE-2022-23270-exploited.pcap packages
$ cat notice.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1652212222.744235 CHhAvVGS1DHFjwGM9 192.168.88.166 51143 192.168.88.157 1723 - - - tcp CVE202223270::CVE_2022_23270_Attempt Potential PPTP CVE-2022-23270 exploit attempt: 192.168.88.166 attempted exploit against 192.168.88.157 - 192.168.88.166 192.168.88.157 1723 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1652212222.744235 CHhAvVGS1DHFjwGM9 192.168.88.166 51143 192.168.88.157 1723 - - - tcp CVE202223270::CVE_2022_23270_Success PPTP CVE-2022-23270 exploit success: 192.168.88.166 exploited 192.168.88.157 - 192.168.88.166 192.168.88.157 1723 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
By Corelight Labs Team