{"uuid": "1c448336-d2f3-4096-98a7-bb2b7426635d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-41082", "type": "seen", "source": "https://t.me/MrVGunz/494", "content": "Addendum:\n\nMicrosoft has announced the following identifiers for these two vulnerabilities:\nCVE-2022-41040 flaw could only be exploited by authenticated attackers. Successful exploitation then allows them to trigger the CVE-2022-41082 RCE vulnerability.\n\nUntil an official update is released, the following measures can be applied to detect and reduce the potential risk:\n\"The current mitigation is to add a blocking rule in \"IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions\" to block the known attack patterns.\"\n\n1.\u00a0 Open the IIS Manager.\n2.\u00a0 Expand the Default Web Site.\n3.\u00a0 Select Autodiscover.\n4.\u00a0 In the Feature View, click URL Rewrite.\n5.\u00a0 In the Actions pane on the right-hand side, click Add Rules.\n6.\u00a0 Select Request Blocking and click OK.\n7.\u00a0 Add String \u201c.*autodiscover\\.json.*\\@.*Powershell.*\u201d (excluding quotes) and click OK.\n8.\u00a0 Expand the rule and select the rule with the Pattern \".*autodiscover\\.json.*\\@.*Powershell.*\" and click Edit under Conditions.\n9.\u00a0 Change the condition input from {URL} to {REQUEST_URI}\n10.\u00a0 Block HTTP:5985 and HTTPS:5986 ports\n11.\u00a0 To check for a compromised server, use the PowerShell command below to scan the IIS log files\nc:\\>Get-ChildItem -Recurse -Path  -Filter \"*.log\" | Select-String -Pattern 'powershell.*autodiscover\\.json.*\\@.*200'", "creation_timestamp": "2022-09-30T18:49:22.000000Z"}