Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updating rule: attachment_cve_2023_38831.yml #831

Merged
merged 2 commits into from
Oct 18, 2023
Merged

Updating rule: attachment_cve_2023_38831.yml #831

merged 2 commits into from
Oct 18, 2023

Conversation

aidenmitchell
Copy link
Member

Adding delivr.to fix.

@aidenmitchell aidenmitchell requested a review from a team September 29, 2023 15:35
rw-access
rw-access reviewed Sep 29, 2023
View reviewed changes
detection-rules/attachment_cve_2023_38831.yml
@@ -22,19 +22,19 @@ source: |
// zip contains a path with spaces and file extensions
// lure.pdf /lure.pdf .cmd
//
// /= Initial file name
// /= Initial file name (including any spaces)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it okay if this includes dots too? Should we do . here or [\w\s]?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ajpc500 would know better

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The recent Agent Tesla file name is RFQ 23-301892.pdf /RFQ 23-301892.pdf .cmd. So [\w\s] specifically wouldn't match on the hyphens, nor on brackets. I haven't tested it, but I don't think a double-extension (e.g. .tar.gz) would have any impact on the ability to exploit CVE-2023-38831, so we could include . here. There's potential to refine this to a subset of symbols, but will defer to you re. any rule performance improvement in doing that!

@morriscode morriscode enabled auto-merge (squash) October 18, 2023 17:10
@morriscode morriscode merged commit ff301af into sublime-security:main Oct 18, 2023
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ajpc500 ajpc500 ajpc500 left review comments

@rw-access rw-access rw-access left review comments

@morriscode morriscode morriscode approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aidenmitchell @morriscode @rw-access @ajpc500