SANS Stormcast Monday, June 2nd, 2025: PNG with RAT; Cisco IOS XE WLC Exploit; vBulletin Exploit
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9474.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
A PNG Image With an Embedded Gift
Xavier shows how Python code attached to a PNG image can be used to implement a command and control channel or a complete remote admin kit.
https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998
Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis
Horizon3 analyzed a recently patched flaw in Cisco Wireless Controllers. This arbitrary file upload flaw can easily be used to execute arbitrary code.
https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/
Don't Call That "Protected" Method: Dissecting an N-Day vBulletin RCE
A change in PHP 8.1 can expose methods previously expected to be “safe”. vBulletin fixed a related flaw about a year ago without explicitly highlighting the security impact of the fix. A blog post now exposed the flaw and provided exploit examples. We have seen exploit attempts against honeypots starting May 25th, two days after the blog was published.
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Podcast Transcript
Hello and welcome to the Monday, June 2nd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking, is recorded in Jacksonville, Florida. Well, and in diaries, we do have yet more fun with images from Xavier. Xavier came across a PNG image that included malware. Now, this one didn't use sort of the steganography we have talked about a lot in the last couple of weeks. Instead, it used sort of a simpler form where the malicious code is just being appended to the image. With PNG images, there is an end marker. Any data after the end marker is ignored, meaning that if you display the image in a normal image viewer, well, all will look fine because the script in the end is just ignored. But as Xavier points out, the script or that data in the end is really just a little zip archive that then unpacks into a Python script. Now, one trick they're sort of doing here is that they are replacing the desktop wallpaper with their own sort of little wallpaper. Now, Xavier considers this a little bit more proof of concept than actual malware. In part because, well, it's just a very simple, straightforward, basic remote admin tool. Also, this particular wallpaper sounds more like something that's sort of being done to indicate, hey, this is sort of something that could be exploited, rather than the exploit itself. Regardless, VirusTotal detection for this image is very low, indicating that, well, there aren't really a lot of antivirus products that are, for example, looking for code being appended to an image like this, which should really always be considered malicious. In this case, you may say, okay, you know, this is a little custom tool. There's probably not going to be a specific signature for it.
But that's exactly the point, the problem with signature-based detection, which even with today's AI-enabled tools we still often rely on. Even with AI, you just don't really know what the signatures are because they're often then created by various machine learning algorithms. Well, and Horizon3 did release a blog post outlining how to exploit a recently patched Cisco IOS vulnerability. This particular vulnerability did affect Cisco's wireless controller software, and it was related to a hard-coded JSON web token that then was able to upload arbitrary files. That's exactly what Siad Badawi here from Horizon3 is walking us through. First of all, that particular hard-coded JWT that then allows the file upload, but not only the simple file upload, but also how to do the directory traversal to then upload arbitrary files in arbitrary locations, which then leads to remote code execution. Pretty straightforward exploit, so something that you definitely must patch now, given that all the details are now available to the bad guys. At this point, I haven't seen any exploit attempts in our own honeypot data yet, but remember, our honeypots don't necessarily emulate these particular devices, so there may be better attackers out there that are just targeting these particular devices. And bulletin boards are certainly no longer quite as popular as they used to be in the old days. Well, a little bit replaced by social media and Discord and channels like that, but, well, they're still out there, and one of the popular bulletin boards still remains vBulletin. vBulletin patched a vulnerability about a year ago without really announcing the patch as a patch for this vulnerability. We now have a blog post by Karma(In)Security showing the nature of the vulnerability and how to exploit it. This particular blog post was released May 23rd. The reason I bring this up now is, well, we are actually seeing exploitation of this particular vulnerability starting about May 25th.
So there are certainly some internet-wide scans going for it. The vulnerability is not that terribly difficult to exploit, and the blog post does include a little sample as to how to exploit this particular vulnerability. Essentially, you're replacing this ad template with PHP code that is then being executed. Relatively straightforward again, and that's why we are seeing these internet-wide scans for exploitation of this particular vulnerability. Well, and this is it for today. So thanks for listening. Remember, SANSFIRE is coming up. So if you're interested, please sign up in D.C. in July. We'll have a bunch of extra content going on for the Internet Storm Center, in particular our honeypot workshop, where we will also give away a limited number of our honeypots. So hope to see some of you there. Thanks for listening, and talk to you again tomorrow. Bye.