SANS Stormcast Monday April 7th 2025: New Username Report; Quickshell Vulnerability; Apache Traffic Director Request Smuggling
If you are not able to play the podcast using the player below, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9396.mp3

New SSH Username Report
A new SSH/Telnet username report makes it easier to identify new usernames that attackers are using against our Telnet and SSH honeypots.
https://isc.sans.edu/diary/New%20SSH%20Username%20Report/31830
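As an added illustration of the kind of "newly seen username" report described above (example code written for this page, not ISC's own report code), the script below diffs a batch of honeypot login attempts against a baseline, collapses embedded IP addresses into "[redacted]" so variants of one guess count as one name, and flags two patterns the episode mentions: a wordlist filename submitted as the username, and a username that is another observed name with its first character missing. The log format and all log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample honeypot login attempts (not real ISC data):
# "<timestamp> <source ip> <username>"
BASELINE_LOG = """\
2025-03-30T01:02:03Z 198.51.100.7 root
2025-03-30T01:02:04Z 198.51.100.7 admin
2025-03-30T02:00:00Z 203.0.113.9 jsmith
"""
NEW_LOG = """\
2025-04-06T03:00:00Z 203.0.113.9 root
2025-04-06T03:00:01Z 203.0.113.9 mjones
2025-04-06T03:00:02Z 203.0.113.9 jones
2025-04-06T03:00:03Z 203.0.113.9 usernames.txt
2025-04-06T03:00:03Z 203.0.113.9 usernames.txt
2025-04-06T03:00:04Z 203.0.113.9 admin@192.0.2.10
"""

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
WORDLIST_SUFFIXES = (".txt", ".lst", ".dic")  # assumed common wordlist extensions

def parse(log):
    """Yield (source_ip, username) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            yield parts[1], parts[2]

def redact(username):
    """Replace embedded IPv4 addresses so per-IP variants collapse into one key."""
    return IP_RE.sub("[redacted]", username)

def new_usernames(baseline_log, new_log):
    """Return {username: attempt count} for names never seen in the baseline."""
    seen = {redact(u) for _, u in parse(baseline_log)}
    counts = Counter(redact(u) for _, u in parse(new_log))
    return {u: n for u, n in counts.items() if u not in seen}

def tool_misuse_hints(usernames):
    """Flag names that look like attacker tooling errors rather than real guesses."""
    names = set(usernames)
    hints = {}
    for u in names:
        if u.lower().endswith(WORDLIST_SUFFIXES):
            hints[u] = "wordlist filename used as username"
        elif any(v[1:] == u for v in names if len(v) > 1 and v != u):
            hints[u] = "first character missing"
    return hints

if __name__ == "__main__":
    fresh = new_usernames(BASELINE_LOG, NEW_LOG)
    hints = tool_misuse_hints(fresh)
    for name, n in sorted(fresh.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {name:24s} {hints.get(name, '')}")
```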
Quickshell Sharing is Caring: About an RCE Attack Chain on Quick Share
The Google Quick Share protocol is susceptible to several vulnerabilities that have not yet been fully patched, allowing for some file overwrite issues that could lead to the accidental execution of malicious code.
https://www.blackhat.com/asia-25/briefings/schedule/index.html#quickshell-sharing-is-caring-about-an-rce-attack-chain-on-quick-share-43874
Apache Traffic Director Request Smuggling Vulnerability
https://www.openwall.com/lists/oss-security/2025/04/02/4
Podcast Transcript
Hello and welcome to the Monday, April 7th, 2025 edition of the SANS and Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. I added a quick new report to the Storm Center website this weekend and the reason I added it is the last couple weeks I spent a bit more time with our SSH HoneyNet data. You may have been able to tell by some of the diaries I published, but the one thing I felt sort of was missing from the website was an easy way to figure out what particular usernames and passwords are just being newly used that have not been used before. This type of report is always very useful. We have one for our web honeypots, for URLs and for the headers. So now we have it also for usernames. Passwords, I haven't made that public yet. There are so many different passwords that it makes that report a little bit challenging. So I'm still working on it. And just a quick overview. When I looked at it today, there wasn't anything super exciting. Looks like a couple new first initial last name combinations were attempted. Also a couple bugs in tools. At least I think part of it at least is bugs, where the first letter of the username is missing. That can often happen, like if an attacker doesn't understand quite how to pass command line arguments to a tool. There's also one particular attacker who has sent about 14,000, I think it was, requests using the file name of the username file as a username. So, again, probably just someone not knowing how to use the tool correctly. That happens actually, I think, much more often than people are realizing: that attackers are using exploits and such that they don't understand very well themselves, and that fail even if you are vulnerable. I've seen similar things also on the web application side where attackers are just misspelling URLs.

And just a quick note on URLs or also on these usernames. If you have seen the word redacted in square brackets, that's where originally there was something like an IP address. The reason I removed that is not necessarily to keep these IP addresses secret, but they change a lot. So, it may still be the same exploit just with a different IP address. Sometimes it also gives away the IP address of our honeypot. I want to avoid some of that. And so, that's why you see that word redacted ever so often. It's not in all of the reports, but particularly if you're trying to do summaries and trying to find new things, then the IP addresses are really more of a distraction.

And we got some interesting work by Or Yair and Shmuel Cohen from SafeBreach. They gave a presentation at Black Hat Asia outlining some remote code execution attack chains in Google's QuickShare. If you're not familiar with QuickShare, it's sort of the Google equivalent of Apple's AirDrop. It allows you to quickly exchange files with other Google users close by. Now, the security paradigm is overall similar to AirDrop. You can limit who can send you files. The problem here is that these controls don't always work as expected. That it's able to trick a user into accepting malicious files from a user they think they trust by basically pretending to be a different user. And most importantly, it's actually possible to overwrite earlier received files. So with that, a malicious user could overwrite, for example, an executable that was earlier received from a trusted user. And that way, a victim could be tricked into executing malicious code. Not the most severe and most easy to exploit vulnerability, but definitely something to keep on the radar. And certainly you always should restrict what users you accept files from, whether you're using AirDrop or QuickShare. And I believe AirDrop in recent iOS updates at least made it more difficult to sort of widely open up AirDrop. It only allows that for a limited amount of time. Not sure if similar constraints also apply to QuickShare.

And in new vulnerabilities, we do have an HTTP request smuggling vulnerability in Apache Traffic Server. The reason I mention this is that these are always tricky vulnerabilities to exploit, but also to protect yourself from. They're very typical for these kinds of middle boxes. So definitely something that you have to be aware of, that you have to patch. It can be used to steal requests, to bypass authentication. How it's being exploited depends a lot on your application. So it's not that you should expect sort of a simple one-size-fits-all exploit for this type of vulnerability. Definitely upgrade, as it may undermine many sort of the security assumptions in your application.

Well, and that's it for today. Remember Tuesday this week, Patch Tuesday. I know it feels like we just had one last week, but yep, next Patch Tuesday is this week for Microsoft. If you have any feedback, please let me know if I missed a story, something that I should have covered today. There were like two stories about various malicious packages in PyPI and NPM. I figured, well, I'm only going to cover that once a week. But anyway, thanks for listening and talk to you again tomorrow. Bye.