signature-base/yara/vul_cve_2020_1938.yar


rule VUL_Tomcat_Catalina_CVE_2020_1938 {
   meta:
      description = "Detects a possibly active and vulnerable Tomcat configuration that includes an accessible and unprotected AJP connector (you can ignore backup files or files that are not actively used)"
      author = "Florian Roth"
      reference = "https://www.chaitin.cn/en/ghostcat"
      date = "2020-02-28"
      score = 50
   strings:
      $h1 = "<?xml "
      $a1 = "<Service name=\"Catalina\">" ascii

      $v1 = "<Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\"/>" ascii

      $fp1 = "<!--<Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\"" ascii
      $fp2 = " secret=\"" ascii
      $fp3 = " requiredSecret=\"" ascii
   condition:
      $h1 at 0 and filesize <= 300KB and
      $a1 and $v1
      and not 1 of ($fp*)
}
CVE-2020-1938 2020-02-28 22:43:30 +00:00
			`rule VUL_Tomcat_Catalina_CVE_2020_1938 {`
			`meta:`
			`description = "Detects a possibly active and vulnerable Tomcat configuration that includes an accessible and unprotected AJP connector (you can ignore backup files or files that are not actively used)"`
			`author = "Florian Roth"`
			`reference = "https://www.chaitin.cn/en/ghostcat"`
			`date = "2020-02-28"`
			`score = 50`
			`strings:`
			`$h1 = "<?xml "`
			`$a1 = "<Service name=\"Catalina\">" ascii`

			`$v1 = "<Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\"/>" ascii`

			`$fp1 = "<!--<Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\"" ascii`
			`$fp2 = " secret=\"" ascii`
			`$fp3 = " requiredSecret=\"" ascii`
			`condition:`
			`$h1 at 0 and filesize <= 300KB and`
			`$a1 and $v1`
			`and not 1 of ($fp*)`
			`}`