SANS Stormcast Monday April 7th 2025: New Username Report; Quickshell Vulnerability; Apache Traffic Director Request Smuggling

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9396.mp3

New SSH Username Report
A new SSH/telnet username report makes it easier to identify new usernames that attackers are using against our telnet and SSH honeypots.
https://isc.sans.edu/diary/New%20SSH%20Username%20Report/31830

Quickshell Sharing is Caring: About an RCE Attack Chain on Quick Share
The Google Quick Share protocol is susceptible to several vulnerabilities that have not yet been fully patched, allowing for some file overwrite issues that could lead to the accidental execution of malicious code.
https://www.blackhat.com/asia-25/briefings/schedule/index.html#quickshell-sharing-is-caring-about-an-rce-attack-chain-on-quick-share-43874

Apache Traffic Director Request Smuggling Vulnerability
https://www.openwall.com/lists/oss-security/2025/04/02/4

Podcast Transcript

Hello and welcome to the Monday, April 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. I added a quick new report to the Storm Center website this weekend, and the reason I added it is the last couple weeks I spent a bit more time with our SSH honeynet data. You may have been able to tell by some of the diaries I published, but the one thing I felt sort of was missing from the website was an easy way to figure out what particular usernames and passwords are just being newly used that have not been used before. This type of report is always very useful. We have one for our web honeypots, for URLs and for the headers. So now we have it also for usernames. Passwords, I haven't made that public yet. There are so many different passwords that it makes that report a little bit challenging. So I'm still working on it. And just a quick overview. When I looked at it today, there wasn't anything super exciting. Looks like a couple new first initial last name combinations were attempted. Also a couple bugs in tools. At least I think part of it at least is bugs, where the first letter of the username is missing. That can often happen, like if an attacker doesn't understand quite how to pass command line arguments to a tool. There's also one particular attacker who has sent about 14,000, I think it was, requests using the file name of the username file as a username. So, again, probably just someone not knowing how to use the tool correctly. That happens actually, I think, much more often than people are realizing: that attackers are using exploits and such that they don't understand very well themselves, and that fail even if you are vulnerable. I've seen similar things also on the web application side where attackers are just misspelling URLs. And just a quick note on URLs or also on these usernames: if you have seen the word redacted in square brackets, that's where originally there was something like an IP address. The reason I removed that is not necessarily to keep these IP addresses secret, but they change a lot. So it may still be the same exploit, just with a different IP address. Sometimes it also gives away the IP address of our honeypot. I want to avoid some of that. And so, that's why you see that word redacted ever so often. It's not in all of the reports, but particularly if you're trying to do summaries and trying to find new things, then the IP addresses are really more of a distraction.

And we got some interesting work by Or Yair and Shmuel Cohen from SafeBreach. They gave a presentation at Black Hat Asia outlining some remote code execution attack chains in Google's Quick Share. If you're not familiar with Quick Share, it's sort of the Google equivalent of Apple's AirDrop. It allows you to quickly exchange files with other Google users close by. Now, the security paradigm is overall similar to AirDrop. You can limit who can send you files. The problem here is that these controls don't always work as expected, in that it's able to trick a user into accepting malicious files from a user they think they trust by basically pretending to be a different user. And most importantly, it's actually possible to overwrite earlier received files. So with that, a malicious user could overwrite, for example, an executable that was earlier received from a trusted user. And that way, a victim could be tricked into executing malicious code. Not the most severe and most easy to exploit vulnerability, but definitely something to keep on the radar. And certainly you always should restrict what users you accept files from, whether you're using AirDrop or Quick Share. And I believe AirDrop in recent iOS updates at least made it more difficult to sort of widely open up AirDrop. It only allows that for a limited amount of time. Not sure if similar constraints also apply to Quick Share.

And in new vulnerabilities, we do have an HTTP request smuggling vulnerability in Apache Traffic Server. The reason I mention this is that these are always tricky vulnerabilities to exploit, too, but also to protect yourself from. They're very typical for these kind of middle boxes. So definitely something that you have to be aware of, that you have to patch. It can be used to steal requests, to bypass authentication. How it's being exploited depends a lot on your application. So it's not that you should expect sort of a simple one-size-fits-all exploit for this type of vulnerability. Definitely upgrade, as it may undermine many of the security assumptions in your application.

Well, and that's it for today. Remember Tuesday this week, Patch Tuesday. I know it feels like we just had one last week, but yep, next Patch Tuesday is this week for Microsoft. If you have any feedback, please let me know if I missed a story, something that I should have covered today. There were like two stories about various malicious packages in PyPI and NPM. I figured, well, only going to cover that once a week. But anyway, thanks for listening and talk to you again tomorrow. Bye.
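The "new username" report described in the transcript (usernames never seen before, IP addresses inside them replaced by [redacted], and oddities such as a wordlist filename or a username missing its first letter) can be reproduced in a few lines. This is an added illustration, not the Storm Center's own code; the baseline set and the day's attempts are constructed sample data, and the classification rules are assumed heuristics.

```python
import re
from collections import Counter

# Constructed baseline of usernames the honeypots have already seen (not real ISC data).
BASELINE = {"root", "admin", "ubuntu", "jsmith", "test", "pi"}

# Constructed sample of one day's attempted usernames (not real honeypot logs).
TODAY_ATTEMPTS = [
    "root", "admin", "mjones", "mjones", "smith", "lwong",
    "usernames.txt", "usernames.txt", "usernames.txt",
    "admin@203.0.113.5", "admin@198.51.100.7",   # same probe, different embedded IP
]

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
WORDLIST_RE = re.compile(r"\.(?:txt|lst|dic)$", re.IGNORECASE)


def redact_ips(username):
    """Replace embedded IPv4 addresses with [redacted] so variants collapse into one entry."""
    return IPV4_RE.sub("[redacted]", username)


def new_usernames(attempts, baseline):
    """Count attempted usernames (after redaction) that were never seen before."""
    counts = Counter(redact_ips(u) for u in attempts)
    return {u: n for u, n in counts.items() if u not in baseline}


def classify(username, baseline):
    """Assumed heuristic note for a new username; None when nothing stands out."""
    if WORDLIST_RE.search(username):
        return "wordlist filename used as username (likely tool misuse)"
    if any(len(k) > 1 and k[1:] == username for k in baseline):
        return "known username missing its first character (likely tool bug)"
    return None


def build_report(attempts, baseline):
    """Return (username, count, note) rows for new usernames, most frequent first."""
    new = new_usernames(attempts, baseline)
    rows = [(u, n, classify(u, baseline)) for u, n in new.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for user, count, note in build_report(TODAY_ATTEMPTS, BASELINE):
        print(f"{count:6d}  {user:<24} {note or ''}")
```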