Episode Transcript
0:00
Hello and welcome to the Thursday,
0:02
May 18th, 2023 edition of the SANS Internet Storm Center's
0:08
Stormcast. My name is Johannes Ullrich
0:11
and today I'm recording from Jacksonville,
0:13
Florida.
0:15
Xavier wrote a quick diary about an increase
0:18
in the use of self-extracting
0:21
RAR files that he's observing.
0:24
Self-extracting files are always interesting
0:26
because, by definition, as they're
0:29
being expanded they will
0:31
execute code. Same here with
0:34
these RAR files. The attacker
0:36
can pretty much just include a simple
0:39
Visual Basic script as is
0:41
shown in this example and then execute
0:44
it as the files
0:45
are being expanded. Most
0:48
of the files in the archive are actually harmless
0:50
and just garbage data but
0:53
the script and a couple configuration
0:55
files to go with it are what actually
0:58
causes the damage here.
1:00
Xavier offers a YARA
1:02
rule to detect self-extracting
1:05
RAR files. They shouldn't really be
1:07
that hard to spot given that usually
1:09
they also just use .exe as an
1:11
extension which probably should
1:14
be treated with caution anyway
1:17
and stripped out in any mail
1:19
filters. Then
1:21
we have an interesting vulnerability in Wemo
1:24
smart plugs. These smart plugs
1:27
are made by Belkin and
1:30
it's a pretty straightforward buffer overflow
1:32
in the friendly name. The
1:35
name is supposed to be up to 30 characters
1:38
long but this limit is
1:40
really only enforced in the app
1:42
that's used to control the plug.
1:45
If you can send the update name command
1:47
directly without the app then you
1:49
can specify whatever length you want giving
1:51
you ample space for a
1:54
buffer overflow. Amit Serper
1:56
and Reuven Yakar, who
1:59
discovered it,
1:59
did write a lengthy blog
2:02
including proof of concept exploit
2:04
code. They did report
2:06
the vulnerability early February
2:08
to Belkin. However, this particular
2:10
device is no longer supported.
2:13
So you will be out of luck here
2:16
and pretty much have to upgrade to a
2:18
different device. In order
2:20
to exploit this vulnerability, you need to
2:23
send data to the embedded
2:25
web server of the plug. So it's easily exploitable if
2:27
you happen
2:29
to actually expose
2:32
this plug to the internet, not very
2:34
common, I would hope, but certainly
2:36
not unheard of.
2:39
But well, odd vulnerabilities like this don't
2:41
just affect home user devices.
2:44
The Wago PFC 100 industrial
2:48
controller also suffered
2:51
from an interesting vulnerability
2:54
in the license page of
2:56
all places. So this device
2:59
has a web based
3:00
admin interface as they all have.
3:03
And one particular page lists
3:06
third party license information. For
3:08
example, the product includes
3:10
software with various open source licenses.
3:13
And essentially, this page lists the different
3:15
components and what licenses
3:17
they're subject to. Now, when I see a page
3:20
like this, I assume it's just a static HTML
3:22
page. Well, not in this case. It's actually
3:24
being
3:27
dynamically assembled by
3:29
decompressing various
3:32
license files that are stored on
3:34
the device. And the package
3:36
name is a user-controlled variable
3:39
that is just passed to the XZ
3:42
command, the command that is being used
3:45
for decompression here. So by passing
3:48
an interesting package name
3:50
like semicolon id, you'll be able to execute arbitrary
3:53
code, pretty simple to exploit and
3:55
proof of concept exploit is
3:59
included in the advisory.
4:04
I mentioned a few times before that
4:06
when we're dealing with sort of these IoT-style
4:08
vulnerabilities, of course, we often see
4:10
a flood of these Mirai-style
4:14
exploits hitting these devices
4:16
and sometimes being successful.
4:19
But in the flood of
4:22
this noise, sometimes more
4:24
sophisticated actors are hiding
4:26
and Check Point has another example
4:29
here, where a Chinese
4:31
state-based threat actor, as they
4:33
are identifying
4:34
it, is actually using
4:36
some of these routers to
4:39
then install their own
4:41
software, mostly proxies,
4:44
in order to build an attack infrastructure. This
4:47
is of course very valuable because you end up
4:49
with many, many sort of more or less
4:52
anonymous home and
4:54
small business devices that
4:56
are hard to block and also
5:00
may never get updated. So you may
5:03
never get evicted from the respective
5:06
compromised device. The payload
5:08
of these attacks is also a
5:09
bit more complex than what you sort of see
5:12
in your average run of the mill exploit.
5:14
Typically, again, these Mirai bots or
5:16
crypto coin miners and the like,
5:19
will typically just sort of install a couple additional
5:21
binaries or scripts and then a random.
5:24
In this case, it will actually alter
5:27
the firmware, also likely to get more
5:29
persistence. And in the
5:31
case that Check Point discussed,
5:34
they specifically targeted
5:35
TP-Link routers.
5:39
Well, and that's it for today. Thanks
5:42
for listening and talk to you again
5:44
tomorrow. Bye.