Open andyrat33 opened 6 years ago
hxxp://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities
An interesting piece of research shows that SSL extension fields could be used to exfil data or for c2
Would it be possible to create a static cert with invalid extension data to test the signature?
alert tcp any any -> any any ( msg:"Fidelis abnormal very long x509v3 SubjectKeyIdentifier extension"; dsize:>768; content: "|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:0x150; pcre:"/\x06\x03\x55\x1d\x0e\x04[\x80-\xff]/"; classtype:misc-attack; sid:1000002; rev:1;)
hxxp://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities
An interesting piece of research shows that SSL extension fields could be used to exfil data or for c2
Would it be possible to create a static cert with invalid extension data to test the signature?
alert tcp any any -> any any ( msg:"Fidelis abnormal very long x509v3 SubjectKeyIdentifier extension"; dsize:>768; content: "|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:0x150; pcre:"/\x06\x03\x55\x1d\x0e\x04[\x80-\xff]/"; classtype:misc-attack; sid:1000002; rev:1;)