ISC StormCast for Tuesday, May 21st, 2024

Released Tuesday, 21st May 2024
Episode Transcript

0:00

Hello and welcome to the Tuesday, May 21st, 2024 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida. And today, again, with yet another great addition to one of his tools. This time, probably one of his best-known tools, oledump. oledump, well, used to dump information from OLE files; turns out that MSG email files are also in that format. So the tool works out of the box quite well with them. And yes, you know, there are converters that will convert your MSG email files into inbox and something a little bit more standard in that sense. But what you can do now with oledump is, thanks to a message summary plugin, it will actually create a quick summary of the email messages with things like headers and, probably even more importantly, attachments. You can even dump the content of the attachments as part of a JSON output file. I mentioned that JSON output format yesterday, because it also was about JPEG files in PDFs yesterday; this time it's attachments in emails, which of course now are always of interest. So with this tool, you get, in a small little command line tool, the output of these attachments for further analysis. It even identifies if any of the attachments are hidden or inline. So next time you've got a message file to work with, well, you have your tool here to help you analyze them.

1:51

And Tenable today did publish details regarding a vulnerability in Fluent Bit. Fluent Bit is a monitoring service. It is used by most big cloud services, also in private clouds like, you know, VMware and such; you often see it being deployed for its scalability. And apparently, there were 3 billion downloads of this particular software as of 2022. The problem is that an API that's available in order for users and administrators to check the status of the service has a vulnerability in the trace endpoint. This trace endpoint is used to check if you have any traces set up or to retrieve output from these traces. Now, even if you don't have any set up, the endpoint is still available and is exploitable. It's a relatively straightforward vulnerability in the sense that the endpoint does expect a string. But if you pass it a negative or positive integer, well, memory corruption happens. And this can in the simplest form lead to a denial of service, but can also lead to cross-tenant data leakage. And in some cases, it may actually lead to code execution. Given that this service is so widely deployed, and also the fact that functionality here is usually accessible even to normal users, this is certainly a critical vulnerability. Patches have been released. Now, as far as exploits go, Tenable does have a proof of concept for a denial of service exploit that I guess you could use in order to check if you're vulnerable, or if you have deployed the patch correctly.

3:54

And then there is a good write-up from Horizon3.ai regarding a vulnerability in Fortinet FortiSIEM. This vulnerability was patched last October, but it was a perfect 10 when it came to the CVSS score. So with this blog post now we actually have sufficient details to easily exploit this vulnerability. I just want to say thanks to Horizon3.ai to wait a couple months before actually publishing all of these details, because the exploit is not really all that difficult. You basically have to construct a specific XML payload that you're going to feed to the vulnerable service with essentially just the command that you would like to execute as part of the payload. So if you haven't yet, this is your very, very, very last chance to apply the update, and well, likely it's going to be delayed by the time you are actually listening to this podcast. But well, not everybody is so lucky to get that much time to patch their systems.

5:12

We also got a proof of concept and a detailed analysis of the Git vulnerability patched last week, as well as proof of concept and analysis of one of the Google Chrome zero-days that was patched last week.

5:31

Well, and this is it for today. Thanks for listening, and if you haven't checked it out yet, remember SANSFIRE is coming up and I'll be teaching our Defending Web App class. Talk to you again tomorrow, and thanks! Bye!