cve-2022-21449.yar
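/*
    Flags JWTs that pair an ECDSA "alg" value (ES256 / ES384 / ES512) with the
    blank signature associated with CVE-2022-21449.

    How each string is built:
      - The first group holds the three base64 alignments of the literal
        algorithm name (the name starting on byte 0, 1 or 2 of a 3-byte base64
        group). The alternatives are parenthesised so that every one of them is
        followed by the rest of the token; without the group a top-level `|`
        lets a bare algorithm marker match on its own, which flags ordinary
        ES256/ES384 tokens that carry a valid signature.
      - The rest of the header, then ".", the payload, ".", then the signature.
      - MAYCAQACAQ[ABCD] is the base64 of the DER sequence 30 06 02 01 00 02 01 00,
        i.e. an ECDSA signature with r = 0 and s = 0.

    The character class covers both the standard (+ /) and the URL-safe (- _)
    base64 alphabets; JWTs use the URL-safe one, so a header or payload
    containing "-" or "_" must not break the match.

    NOTE(review): only the DER-encoded blank signature is covered. JWS normally
    carries ECDSA signatures as fixed-width r||s rather than DER; confirm which
    encodings the verifiers being monitored accept and whether a separate
    string is needed for them.
*/
rule cve_2022_21449 {
    meta:
        description = "Detects JWT tokens abusing the Null Signature Vulnerability that indicate exploitation attempts of CVE-2022-21449"
        author = "Luciano Righetti"
        reference = "https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/"
        date = "2022-04-22"
    strings:
        // base64 alignments of "ES256"
        $jwt_es256 = /([\x2b\x2d\x2f-9A-Z_a-z][0EUk]VTMjU2|RVMyNT[YZab]|[\x2b\x2d\x2f-9A-Z_a-z]{2}[159BFJNRVZdhlptx]FUzI1N[g-v])[\x2b\x2d\x2f-9A-Z_a-z]*\.[\x2b\x2d\x2f-9A-Z_a-z]+\.MAYCAQACAQ[ABCD]\x3d{0,2}/
        // base64 alignments of "ES384" (this string previously repeated the ES256 pattern)
        $jwt_es384 = /([\x2b\x2d\x2f-9A-Z_a-z][0EUk]VTMzg0|RVMzOD[Q-T]|[\x2b\x2d\x2f-9A-Z_a-z]{2}[159BFJNRVZdhlptx]FUzM4N[A-P])[\x2b\x2d\x2f-9A-Z_a-z]*\.[\x2b\x2d\x2f-9A-Z_a-z]+\.MAYCAQACAQ[ABCD]\x3d{0,2}/
        // base64 alignments of "ES512" (this string previously held the ES384 pattern, leaving ES512 uncovered)
        $jwt_es512 = /([\x2b\x2d\x2f-9A-Z_a-z][0EUk]VTNTEy|RVM1MT[I-L]|[\x2b\x2d\x2f-9A-Z_a-z]{2}[159BFJNRVZdhlptx]FUzUxM[g-v])[\x2b\x2d\x2f-9A-Z_a-z]*\.[\x2b\x2d\x2f-9A-Z_a-z]+\.MAYCAQACAQ[ABCD]\x3d{0,2}/
    condition:
        $jwt_es256 or $jwt_es384 or $jwt_es512
}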