CVE-2022-23270-PPTP

CVE-2022-23270

A package to detect CVE-2022-23270, a vulnerability in Microsoft's PPTP implementation.

Example

You can run this logic on the included PCAP in the testing\traces directory:

$ zeek -Cr CVE-2022-23270-exploited.pcap packages

$ cat notice.log 
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2022-05-10-23-03-47
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
1652212222.744235	CHhAvVGS1DHFjwGM9	192.168.88.166	51143	192.168.88.157	1723	-	-	-	tcp	CVE202223270::CVE_2022_23270_Attempt	Potential PPTP CVE-2022-23270 exploit attempt: 192.168.88.166 attempted exploit against 192.168.88.157	-	192.168.88.166	192.168.88.157	1723	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
1652212222.744235	CHhAvVGS1DHFjwGM9	192.168.88.166	51143	192.168.88.157	1723	-	-	-	tcp	CVE202223270::CVE_2022_23270_Success	PPTP CVE-2022-23270 exploit success: 192.168.88.166 exploited 192.168.88.157	-	192.168.88.166	192.168.88.157	1723	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
#close	2022-05-10-23-03-47

RFCs

Package Version :