PCRE in Sitecore CMS CSRFTOKEN Deserialization sid:2061119 for CVE-2019-9874

Hi, Friends!

The PoC payload snippet disclosed in https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf is a base64 encoded string.
“__CSRFTOKEN=/wEysRIAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj00[…]”

However, the alphanumeric section of the pcre:"/^[a-fA-F0-9\x2f\x2b\x3d]{32}/R" in the newly created sid:2061119 is limited to HEX characters and will not alert on the payload in its reference.

I was able to trigger an alert against the PoC payload, and newly generated ysoserialdotnet payloads, using the b64 character set with pcre:"/^[a-zA-Z0-9\x2f\x2b\x3d]{32}/R".

Yours, always and forever.
Rampage

2 Likes
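To make the character-class point concrete, here is an added example (not from the thread, the advisory, or the rule set) that emulates how a `content` match followed by a `pcre` with the `/R` (relative) modifier is evaluated: the regex is applied starting at the byte right after the content match. It runs both the original hex-only class and the proposed base64 class from the thread against a constructed request body that carries the PoC token prefix quoted above. Python's `re` module stands in for PCRE here; that substitution, the constructed body and the helper names are assumptions of this example.

```python
import re

# Constructed sample request body for this example. The token value is the
# PoC prefix quoted in the thread (truncated in the advisory); the rest of
# the body is made up and is not real traffic.
POC_BODY = (
    b"__CSRFTOKEN=/wEysRIAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj00"
    b"&__VIEWSTATE=x"
)

# A second constructed body whose token happens to be purely hex, to show
# that the hex-only class fires on it while the base64 class does too.
HEX_BODY = b"__CSRFTOKEN=" + b"0123456789abcdefABCDEF0123456789" + b"&x=1"

# The content match that the relative pcre is anchored to.
CONTENT = b"__CSRFTOKEN="

# Character classes exactly as written in the thread. Python's re.match()
# anchors at the start of the string it is given, which is how we emulate
# PCRE's ^ combined with the /R (relative to previous match) modifier.
HEX_ONLY_PCRE = re.compile(rb"^[a-fA-F0-9\x2f\x2b\x3d]{32}")   # original sid:2061119
BASE64_PCRE = re.compile(rb"^[a-zA-Z0-9\x2f\x2b\x3d]{32}")     # proposed fix


def relative_pcre_match(body, content, pattern):
    """Return True if `pattern` matches immediately after the first
    occurrence of `content` in `body` (emulating content + pcre /R)."""
    idx = body.find(content)
    if idx < 0:
        return False
    # Slice so that ^ in the pattern anchors at the byte after the content
    # match, the same position /R would use.
    return pattern.match(body[idx + len(content):]) is not None


def evaluate_rule_variants(body):
    """Evaluate both character-class variants against one body."""
    return {
        "hex_only": relative_pcre_match(body, CONTENT, HEX_ONLY_PCRE),
        "base64": relative_pcre_match(body, CONTENT, BASE64_PCRE),
    }


def first_non_hex_offset(body, content=CONTENT):
    """Offset (relative to the end of the content match) of the first byte
    that the hex-only class rejects, or -1 if the first 32 bytes are all hex.
    Useful when explaining why a hex-only class fails on a base64 token."""
    idx = body.find(content)
    if idx < 0:
        return -1
    token = body[idx + len(content):idx + len(content) + 32]
    allowed = set(b"abcdefABCDEF0123456789/+=")
    for offset, byte in enumerate(token):
        if byte not in allowed:
            return offset
    return -1


if __name__ == "__main__":
    print("PoC body:", evaluate_rule_variants(POC_BODY))
    print("first byte rejected by hex-only class at offset",
          first_non_hex_offset(POC_BODY))
    print("hex-looking body:", evaluate_rule_variants(HEX_BODY))
```

On the PoC body the hex-only class stops at offset 1 (the `w` in `/wEy`), so the original rule never reaches the 32-character quantifier, while the base64 class matches. On a purely hex token both variants match, which shows the proposed class is a superset of the original rather than a different detection.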

Hey, this is Tony. Yeah, that’s definitely a problem. I got some lines crossed with some other work I was doing, and I didn’t use the same payload as what was listed in the reference document when I reproduced it, but it managed to trigger anyway, oddly enough. But I’ve since fixed it, and that should go live tonight.

Thanks,

Tony

3 Likes