Episode Transcript
0:00
Hello and welcome to the Tuesday, May 21st, 2024 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

0:15
And today again with yet another great addition to one of his tools. This time, probably one of his best-known tools, oledump. oledump, well, is used to dump information from OLE files. Turns out that MSG email files are also in that format, so the tool works out of the box quite well with them. And yes, you know, there are converters that will convert your MSG email files into mbox and something a little bit more standard in that sense. But what you can do now with oledump is, thanks to a message summary plugin, it will actually create a quick summary of the email messages with things like headers and, probably even more importantly, attachments. You can even dump the content of the attachments as part of a JSON output file. I mentioned that JSON output format yesterday, because it also was about JPEG files in PDFs yesterday; this time it's attachments in emails, which of course now are always of interest. So with this tool, you get, in a small little command line tool, the output of these attachments for further analysis. It even identifies if any of the attachments are hidden or inline. So next time you've got a message file to work with, well, you have your tool here to help you analyze them.

1:51
And Tenable today did publish details regarding a vulnerability in Fluent Bit. Fluent Bit is a monitoring service. It is used by most big cloud services, also in private clouds like, you know, VMware and such; you often see it being deployed for its scalability. And apparently, there were 3 billion downloads of this particular software as of 2022. The problem is that an API that's available in order for users and administrators to check the status of the service has a vulnerability in the trace endpoint. This trace endpoint is used to check if you have any traces set up or to retrieve output from these traces. Now, even if you don't have any set up, the endpoint is still available and is exploitable. It's a relatively straightforward vulnerability in the sense that the endpoint does expect a string. But if you pass it a negative or positive integer, well, memory corruption happens. And this can in the simplest form lead to a denial of service, but can also lead to cross-tenant data leakage. And in some cases, it may actually lead to code execution. Given that this service is so widely deployed, and also the fact that functionality here is usually accessible even to normal users, this is certainly a critical vulnerability. Patches have been released. Now, as far as exploits go, Tenable does have a proof of concept for a denial of service exploit that I guess you could use in order to check if you're vulnerable, or if you have deployed the patch correctly.

3:54
And then there is a good write-up from Horizon3.ai regarding a vulnerability in Fortinet FortiSIEM. This vulnerability was patched last October, but it was a perfect 10 when it came to the CVSS score. So with this blog post now we actually have sufficient details to easily exploit this vulnerability. I just want to say thanks to Horizon3.ai for waiting a couple of months before actually publishing all of these details, because the exploit is not really all that difficult. You basically have to construct a specific XML payload that you're going to feed to the vulnerable service with essentially just the command that you would like to execute as part of the payload. So if you haven't yet, this is your very, very, very last chance to apply the update, and well, likely it's going to be delayed by the time you are actually listening to this podcast. But well, not everybody is so lucky to get that much time to patch their systems.

5:12
We also got a proof of concept and a detailed analysis of the Git vulnerability patched last week, as well as a proof of concept and analysis of one of the Google Chrome zero-days that was patched last week.

5:31
Well, and this is it for today. Thanks for listening, and if you haven't checked it out yet, remember SANSFIRE is coming up and I'll be teaching our defending web app class. Talk to you again tomorrow, and thanks! Bye!