CVE-2022-37055 D-Link Router Buffer Overflow Exploitation

let dlink_device_ips = dynamic([]);
let suspicious_payloads = dynamic(['%2F..%2F', '../', 'cmd=', 'shell=', '/bin/sh', '/bin/bash', 'wget ', 'curl ']);
CommonSecurityLog
| where TimeGenerated >= ago(24h)
| where DeviceVendor has_any ('D-Link', 'DLink') or DeviceProduct has_any ('Router', 'DIR-', 'DSR-', 'DWR-')
| where Activity has_any ('buffer', 'overflow', 'exploit', 'attack') or RequestURL has_any (suspicious_payloads)
| extend SourceHost = SourceIP, TargetDevice = DestinationIP
| project TimeGenerated, SourceHost, TargetDevice, Activity, RequestURL, DeviceVendor, DeviceProduct, Message
| union (
    NetworkAnalytics
    | where TimeGenerated >= ago(24h)
    | where DestinationPort in (80, 443, 8080, 8443, 23, 22)
    | where FlowDirection == 'I'
    | extend PayloadLength = toint(BytesSent)
    | where PayloadLength > 65000
    | project TimeGenerated, SourceHost = SrcIp, TargetDevice = DestIp, Activity = 'Large payload to potential router', RequestURL = '', DeviceVendor = 'Unknown', DeviceProduct = 'Network Device', Message = strcat('Large inbound payload: ', tostring(PayloadLength), ' bytes')
)
| order by TimeGenerated desc

index=network OR index=firewall OR index=ids
(sourcetype=cisco:asa OR sourcetype=paloalto:firewall OR sourcetype=suricata OR sourcetype=snort OR sourcetype=fortinet:firewall)
(
  (vendor="D-Link" OR product IN ("DIR-*", "DSR-*", "DWR-*", "DAP-*"))
  OR
  (dest_port IN (80, 443, 8080, 8443, 23) AND bytes_in > 65000)
  OR
  (uri_path IN ("*../", "*%2F..%2F*", "*cmd=*", "*shell=*"))
  OR
  (signature IN ("*buffer overflow*", "*CVE-2022-37055*", "*D-Link*exploit*"))
)
| eval risk_score=case(
    match(uri_path, "\.\.[\/]"), 90,
    bytes_in > 65000, 70,
    match(signature, "CVE-2022-37055"), 100,
    true(), 50
  )
| where risk_score >= 50
| stats count as attempt_count, max(risk_score) as max_risk, values(uri_path) as paths, values(src_ip) as source_ips by dest_ip, _time span=5m
| where attempt_count >= 1
| sort -max_risk

sequence by destination.ip with maxspan=10m
  [network where destination.port in (80, 443, 8080, 8443, 23) and
   (network.bytes > 65000 or
    url.path like "*../*" or
    url.path like "*%2F..%2F*" or
    url.query like "*cmd=*" or
    url.query like "*shell=*") and
   (device.vendor like "*D-Link*" or device.model like "*DIR-*" or device.model like "*DSR-*")]
  [network where event.action in ("connection-attempt", "allowed") and
   source.ip != destination.ip and
   network.direction == "outbound" and
   destination.port in (4444, 1337, 31337, 8888, 9999)]

SELECT
  sourceip,
  destinationip,
  destinationport,
  LONG("Bytes Sent") as bytes_sent,
  URL,
  QIDNAME(qid) as event_name,
  logsourcename(logsourceid) as log_source,
  starttime,
  eventcount
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Cisco ASA', 'Snort', 'Suricata', 'Palo Alto Networks Firewall')
  AND starttime > NOW() - 24 HOURS
  AND (
    LOWER(URL) LIKE '%../%'
    OR LOWER(URL) LIKE '%cmd=%'
    OR LOWER(URL) LIKE '%shell=%'
    OR LOWER(URL) LIKE '%/bin/sh%'
    OR LONG("Bytes Sent") > 65000
    OR LOWER(QIDNAME(qid)) LIKE '%d-link%'
    OR LOWER(QIDNAME(qid)) LIKE '%buffer overflow%'
    OR LOWER(QIDNAME(qid)) LIKE '%cve-2022-37055%'
  )
  AND destinationport IN (80, 443, 8080, 8443, 23, 22)
ORDER BY starttime DESC
LIMIT 500

_sourceCategory=network/firewall OR _sourceCategory=network/ids OR _sourceCategory=network/router
| where _sourceHost matches "*D-Link*" or _sourceHost matches "*dlink*" or dest_port in ("80", "443", "8080", "8443", "23")
| parse "*src=* dst=* dpt=*" as raw, src_ip, dst_ip, dst_port nodrop
| parse "*GET * HTTP*" as raw2, url_path nodrop
| parse "*POST * HTTP*" as raw3, post_path nodrop
| parse "*bytes=*" as raw4, byte_count nodrop
| where (url_path matches "*../*" or post_path matches "*../*") 
   or byte_count > 65000
   or _raw matches "*CVE-2022-37055*"
   or _raw matches "*buffer overflow*"
| eval exploit_indicator = if(url_path matches "*../*" or post_path matches "*../*", "path_traversal", if(byte_count > 65000, "large_payload", "signature_match"))
| count by src_ip, dst_ip, dst_port, exploit_indicator
| sort by _count desc

rule cve_2022_37055_dlink_buffer_overflow {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects exploitation attempts for CVE-2022-37055 D-Link Router Buffer Overflow"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2022-37055"
    created = "2025-12-08"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.target.port in (80, 443, 8080, 8443, 23)
    (
      re.regex($e.network.http.request_url, `(\.\./|%2F\.\.%2F|cmd=|shell=|/bin/sh|/bin/bash)`) or
      $e.network.sent_bytes > 65000 or
      re.regex($e.metadata.description, `(?i)(cve-2022-37055|d-link.*overflow|buffer.*overflow.*router)`)
    )
    $e.target.asset.attribute.labels["vendor"] = /(?i)d-link/
    $src_ip = $e.principal.ip
    $dst_ip = $e.target.ip

  match:
    $src_ip, $dst_ip over 10m

  outcome:
    $risk_score = max(
      if($e.network.sent_bytes > 65000, 70) +
      if(re.regex($e.network.http.request_url, `(\.\./|cmd=|shell=)`), 90) +
      if(re.regex($e.metadata.description, `(?i)cve-2022-37055`), 100)
    )

  condition:
    $e
}

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=DnsRequest OR #event_simpleName=NetworkReceiveAcceptIP4
| TargetPort IN [80, 443, 8080, 8443, 23]
| (
    RemoteAddressIP4 != LocalAddressIP4
    AND (
      HttpUrl LIKE "%../%"
      OR HttpUrl LIKE "%cmd=%"
      OR HttpUrl LIKE "%shell=%"
      OR BytesTransferred > 65000
    )
  )
| OR
  (#event_simpleName=DetectionSummaryEvent
   AND Technique LIKE "%Exploit%"
   AND (Description LIKE "%D-Link%" OR Description LIKE "%CVE-2022-37055%" OR Description LIKE "%buffer overflow%"))
| groupBy([LocalAddressIP4, RemoteAddressIP4, TargetPort], function=([count(aid, as=attempt_count), max(BytesTransferred, as=max_bytes), collect(HttpUrl, as=urls)]))
| sort(attempt_count, order=desc)
| limit 200