CVE-2020-3952 proposal

[gelim]

Hi,

You can find an attempt to match exploitation of the vmware vmdir CVE-2020-3952 by checking for ldap modify operation on Administrators built-in group here https://github.com/gelim/CVE-2020-3952/blob/master/vmware.rules

That may require some more tuning. So I write here that FYI without specific PR.

Cheers,

-- Mathieu

[kirillwow]

Hi @gelim, thanks for your report.
Have you successfully exploited this? If yes do you have any PCAP file of exploitation? So we could make a signature for both attempt and successful exploitaion stages.
I think we are talking about https://github.com/guardicore/vmware_vcenter_cve_2020_3952/blob/master/exploit.py