ET EXPLOIT Fortinet FortiSIEM Unauthenticated Command Injection CVE-2023-34992


Could you help me understand the pcre in SID:2052888?

Just looking at the content matches for the malicious XML payload, which are:
content:“<server_ip”; nocase; fast_pattern; pcre:“/^\b[^>]*>[^\x3b<]+\x3b[^<]+</server_ip>/Rsi”;

Which should detect the demonstrated payload:
<server_ip>; nc -e /bin/sh 443; </server_ip>

However, I am unable to trigger the alert with a test pcap. I think it’s because the pcre is relative to the content match “<server_ip”, leaving the detection cursor at the beginning of “>; nc -e /bin/sh 443; </server_ip>” for the pcre, which can only start if there’s a string that begins with a word character (^\b), which it cannot because the first character it comes across is a “>”.

This is actually the first time I have seen ^\b, I may misunderstand its intent. I am able to get the rule to trigger by changing the first content match, to “<server_i” for example, to leave a word character at the start for the pcre match.

Thank you.

1 Like

Apologies for the late pickup on this.

You’re right, this was an oversight in my edits of a community submitted signature.

Changes to the PCRE were made to account for the closing of the XML parameter a few days back.


Thanks @rampage @James !

Thank you for the follow up @James.

1 Like