ISC StormCast for Thursday, May 18th, 2023

Released Thursday, 18th May 2023

Episode Transcript

0:00

Hello and welcome to the Thursday,

0:02

May 18th, 2023 edition of the SANS Internet Storm Center's

0:08

Stormcast. My name is Johannes Ullrich

0:11

and today I'm recording from Jacksonville,

0:13

Florida.

0:15

Xavier wrote a quick diary about an increase

0:18

in the use of self-extracting

0:21

RAR files that he's observing.

0:24

Self-extracting files are always interesting

0:26

because by definition as they're

0:29

being expanded they will

0:31

execute code. Same here with

0:34

these RAR files. The attacker

0:36

can pretty much just include a simple

0:39

Visual Basic script as is

0:41

shown in this example and then execute

0:44

it as the files

0:45

are being expanded. Most

0:48

of the files in the archive are actually harmless

0:50

and just garbage data but

0:53

the script and a couple of configuration

0:55

files to go with it are what actually

0:58

causes the damage here.

1:00

Xavier offers a YARA

1:02

rule to detect self-extracting

1:05

RAR files. They shouldn't really be

1:07

that hard to spot given that usually

1:09

they also just use .exe as an

1:11

extension which probably should

1:14

be treated with caution anyway

1:17

and stripped out in any mail

1:19

filters. Then

1:21

we have an interesting vulnerability in Wemo

1:24

smart plugs. These smart plugs

1:27

are made by Belkin and

1:30

it's a pretty straightforward buffer overflow

1:32

in the friendly name. The

1:35

name is supposed to be up to 30 characters

1:38

long but this limit is

1:40

really only enforced in the app

1:42

that's used to control the plug.

1:45

If you can send the update name command

1:47

directly without the app then you

1:49

can specify whatever length you want giving

1:51

you ample space for a

1:54

buffer overflow. Amit Serper

1:56

and Reuven Yakar, who

1:59

discovered it,

1:59

wrote a lengthy blog

2:02

including proof of concept exploit

2:04

code. They did report

2:06

the vulnerability early February

2:08

to Belkin. However, this particular

2:10

device is no longer supported.

2:13

So you will be out of luck here

2:16

and pretty much have to upgrade to a

2:18

different device. In order

2:20

to exploit this vulnerability, you need to

2:23

send data to the embedded

2:25

web server of the plug. So it's easily exploitable. If

2:27

you have a web server, you can use it. If

2:29

you happen

2:29

to actually expose

2:32

this plug to the internet, not very

2:34

common, I would hope, but certainly

2:36

not unheard of.

2:39

But well, odd vulnerabilities like this don't

2:41

just affect home user devices.

2:44

The Wago PFC 100 industrial

2:48

controller also suffered

2:51

from an interesting vulnerability

2:54

in the license page of

2:56

all places. So this device

2:59

has a web based

3:00

admin interface as they all have.

3:03

And one particular page lists

3:06

third party license information. For

3:08

example, the product includes

3:10

software with various open source licenses.

3:13

And essentially, this page lists the different

3:15

components and what licenses

3:17

they're subject to. Now, when I see a page

3:20

like this, I assume it's just a static HTML

3:22

page. Well, not in this case.

3:24

In this case, it's actually being

3:27

dynamically assembled by

3:29

decompressing various

3:32

license files that are stored on

3:34

the device. And the package

3:36

name is a user controlled variable

3:39

that is just passed to the XZ

3:42

command, the command that is being used

3:45

for decompression here. So by passing

3:48

an interesting package name

3:50

like semicolon id, you'll be able to execute arbitrary

3:53

code, pretty simple to exploit and

3:55

proof of concept exploit is included in the advisory.

4:04

I mentioned a few times before that

4:06

when we're dealing with sort of these IoT style

4:08

vulnerabilities, of course, we often see

4:10

a flood of these Mirai style

4:14

exploits hitting these devices

4:16

and sometimes being successful.

4:19

But in the flood of

4:22

this noise, sometimes more

4:24

sophisticated actors are hiding

4:26

and Check Point has another example

4:29

here, where a Chinese

4:31

state-based threat actor, as they

4:33

identify

4:34

it, is actually using

4:36

some of these routers to

4:39

then install their own

4:41

software, mostly proxies,

4:44

in order to build an attack infrastructure.

4:47

This is of course very valuable because you end up

4:49

with many, many sort of more or less

4:52

anonymous home and

4:54

small business devices that

4:56

are hard to block and also

5:00

may never get updated. So you may

5:03

never get evicted from the respective

5:06

compromised device. The payload

5:08

of these attacks is also a

5:09

bit more complex than what you sort of see

5:12

in your average run of the mill exploit.

5:14

Typically, again, these Mirai bots or

5:16

crypto coin miners and the like,

5:19

will typically just sort of install a couple additional

5:21

binaries or scripts and then a random.

5:24

In this case, it will actually alter

5:27

the firmware also likely to get more

5:29

persistence. And in the

5:31

case that Check Point discussed,

5:34

they specifically targeted

5:35

TP-Link routers.

5:39

Well, and that's it for today. Thanks

5:42

for listening and talk to you again

5:44

tomorrow. Bye.
