CVE-2022-23270
A Zeek package that detects CVE-2022-23270, a vulnerability in Microsoft's PPTP implementation, and raises a notice for an exploit attempt and a separate notice when the attempt appears to have succeeded.
Example
You can run this logic on the included PCAP in the testing\traces directory:
$ zeek -Cr CVE-2022-23270-exploited.pcap packages
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-05-10-23-03-47
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1652212222.744235 CHhAvVGS1DHFjwGM9 192.168.88.166 51143 192.168.88.157 1723 - - - tcp CVE202223270::CVE_2022_23270_Attempt Potential PPTP CVE-2022-23270 exploit attempt: 192.168.88.166 attempted exploit against 192.168.88.157 - 192.168.88.166 192.168.88.157 1723 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1652212222.744235 CHhAvVGS1DHFjwGM9 192.168.88.166 51143 192.168.88.157 1723 - - - tcp CVE202223270::CVE_2022_23270_Success PPTP CVE-2022-23270 exploit success: 192.168.88.166 exploited 192.168.88.157 - 192.168.88.166 192.168.88.157 1723 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-05-10-23-03-47
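The two notice types in the output above (an Attempt and, on the same connection uid, a Success) are what an analyst triages. The following is an added example, not code from this package: a small parser for Zeek's TSV log format that groups the CVE202223270 notices by uid so that connections with a logged Success stand out. The sample log is constructed after the notice.log above with a subset of its columns; the second uid and its hosts are hypothetical.

```python
import codecs

ATTEMPT = "CVE202223270::CVE_2022_23270_Attempt"
SUCCESS = "CVE202223270::CVE_2022_23270_Success"

# Constructed sample in Zeek's TSV layout (a subset of notice.log's columns); uids and hosts are hypothetical.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid\tnote\tmsg",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tstring",
    "1652212222.744235\tCHhAvVGS1DHFjwGM9\t192.168.88.166\t51143\t192.168.88.157\t1723\t-\t"
    + ATTEMPT + "\tPotential PPTP CVE-2022-23270 exploit attempt",
    "1652212222.744235\tCHhAvVGS1DHFjwGM9\t192.168.88.166\t51143\t192.168.88.157\t1723\t-\t"
    + SUCCESS + "\tPPTP CVE-2022-23270 exploit success",
    "1652212300.000000\tCx1aB2cD3eF4gH5iJ\t192.168.88.20\t40000\t192.168.88.157\t1723\t-\t"
    + ATTEMPT + "\tPotential PPTP CVE-2022-23270 exploit attempt",
    "#close\t2022-05-10-23-03-47",
])


def parse_zeek_log(text):
    """Yield one dict per record, honouring #separator, #fields, #unset_field and #empty_field."""
    sep, fields = "\t", []
    markers = {"unset_field": "-", "empty_field": "(empty)"}
    for line in text.splitlines():
        if line.startswith("#separator "):   # first header; its value is an escaped byte such as \x09
            sep = codecs.decode(line[len("#separator "):], "unicode_escape")
        elif line.startswith("#"):           # remaining headers are themselves split by `sep`
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key in markers:
                markers[key] = value
        elif line:
            yield {f: None if v == markers["unset_field"] else "" if v == markers["empty_field"] else v
                   for f, v in zip(fields, line.split(sep))}


def summarize_cve_2022_23270(text):
    """Group the package's notices by connection uid so an Attempt that also logged a Success stands out."""
    conns = {}
    for rec in parse_zeek_log(text):
        if rec.get("note") not in (ATTEMPT, SUCCESS):
            continue
        conn = conns.setdefault(rec["uid"], {"src": rec["id.orig_h"], "dst": rec["id.resp_h"],
                                             "dport": rec["id.resp_p"], "attempt": False, "success": False})
        conn["attempt" if rec["note"] == ATTEMPT else "success"] = True
    return conns
```

Feed `summarize_cve_2022_23270` the contents of a real notice.log (`open("notice.log").read()`) to get the same per-uid summary for a live run.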