
SANS Stormcast Monday, June 2nd, 2025: PNG with RAT; Cisco IOS XE WLC Exploit; vBulletin Exploit

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9474.mp3


A PNG Image With an Embedded Gift
Xavier shows how Python code attached to a PNG image can be used to implement a command and control channel or a complete remote admin kit.
https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998
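The diary describes a payload that is simply appended after the PNG end marker, where image viewers ignore it. The following is an added example, not code from the ISC diary: it walks the PNG chunk structure (8-byte signature, then length/type/data/CRC chunks ending with IEND), validates each chunk CRC, reports any bytes that follow IEND, and checks whether that trailer starts with a ZIP local-file-header signature. The 1x1 sample image and the appended archive are constructed inline for the demonstration; the member name `stage2.py` is a placeholder.

```python
"""Detect a payload appended after a PNG's IEND chunk.

Added example for the diary item above; it is not code from the ISC diary.
The chunk layout follows the PNG specification. The sample PNG and the
appended ZIP below are constructed here for the demonstration.
"""
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_FILE_HEADER = b"PK\x03\x04"  # signature of a ZIP local file header


def make_chunk(ctype, payload):
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_clean_png():
    """A minimal valid 1x1 8-bit greyscale PNG (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def build_tampered_png():
    """The same PNG with a ZIP archive appended after IEND (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder member; a real sample would carry the dropped script here.
        zf.writestr("stage2.py", "# placeholder script body, constructed for the example\n")
    return build_clean_png() + buf.getvalue()


def parse_chunks(data):
    """Yield (type, offset, length, crc_ok) for each chunk up to and including IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        crc_ok = struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        yield ctype, pos, length, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def find_trailing_data(data):
    """Describe whatever follows the IEND chunk (trailer_length is 0 for a clean file)."""
    end = None
    for ctype, offset, length, _crc_ok in parse_chunks(data):
        if ctype == b"IEND":
            end = offset + 12 + length
    trailer = data[end:]
    return {
        "trailer_offset": end,
        "trailer_length": len(trailer),
        "looks_like_zip": trailer.startswith(ZIP_LOCAL_FILE_HEADER),
        "trailer": trailer,
    }


def list_trailer_zip_names(data):
    """If the trailer is a ZIP archive, list its member names without extracting them."""
    info = find_trailing_data(data)
    if not info["looks_like_zip"]:
        return []
    with zipfile.ZipFile(io.BytesIO(info["trailer"])) as zf:
        return zf.namelist()


if __name__ == "__main__":
    for label, sample in (("clean", build_clean_png()), ("tampered", build_tampered_png())):
        info = find_trailing_data(sample)
        print(label, info["trailer_length"], "trailing bytes; zip:",
              info["looks_like_zip"], list_trailer_zip_names(sample))
```

Any non-zero trailer length is worth a triage look regardless of whether it is a ZIP; the ZIP signature check only covers the packaging Xavier saw in this sample, and a trailer that is not a ZIP can still be a script or a second file format.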

Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis
Horizon3 analyzed a recently patched flaw in Cisco Wireless Controllers. This arbitrary file upload flaw can easily be used to execute arbitrary code.
https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/
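The Horizon3 write-up, as summarized in the transcript, combines a hard-coded credential with a file upload that accepts a client-supplied path and lets it traverse out of the intended directory. The credential half is a secrets-management problem; the traversal half is a missing check in the upload handler. The following is an added example, not code from Horizon3 or from Cisco, showing that check in Python: decode the client-supplied name, reject absolute paths and NUL bytes, resolve the joined path, and confirm the result is still inside the base directory. The base directory `/var/app/uploads` is a constructed placeholder.

```python
"""Reject upload destinations that escape the intended directory.

Added example for the Cisco WLC item above; not code from Horizon3 or Cisco.
The base directory is a placeholder; the rejected inputs in the test are the
usual traversal shapes an upload handler must refuse.
"""
import os
from urllib.parse import unquote

UPLOAD_BASE = "/var/app/uploads"  # placeholder base directory for the example


def safe_upload_path(base_dir, client_name):
    """Return the absolute destination for client_name, or raise ValueError if it escapes base_dir.

    Covers '..' segments, absolute paths, NUL bytes, backslashes, and single or
    double percent-encoding of dots and separators.
    """
    # Decode twice so a double-encoded ".." ("%252e%252e") cannot slip past the checks.
    decoded = unquote(unquote(client_name))
    if "\x00" in decoded:
        raise ValueError("NUL byte in file name")
    if decoded.startswith(("/", "\\")) or "\\" in decoded:
        raise ValueError("absolute or backslash path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath works on path components, so a sibling such as
    # "/var/app/uploads_evil" is not mistaken for a child of the base.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes upload directory: %r" % client_name)
    return candidate


def is_safe(client_name, base_dir=UPLOAD_BASE):
    """Boolean form of the check, convenient for logging or tests."""
    try:
        safe_upload_path(base_dir, client_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("firmware/image.bin", "../../etc/cron.d/job", "%2e%2e/%2e%2e/etc/x",
                 "%252e%252e/etc/x", "/etc/passwd", "a/../b.txt", "."):
        print("%-28s %s" % (name, "accepted" if is_safe(name) else "rejected"))
```

The check resolves symlinks through `realpath` before comparing, so a symlink inside the upload directory that points elsewhere is also caught; whether `..` inside a name should be tolerated at all (it is normalised here) is a policy decision, and many handlers simply reject any name containing it.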

Don't Call That "Protected" Method: Dissecting an N-Day vBulletin RCE
A change in PHP 8.1 can expose methods previously expected to be “safe”. vBulletin fixed a related flaw about a year ago without explicitly highlighting the security impact of the fix. A blog post now exposed the flaw and provided exploit examples. We have seen exploit attempts against honeypots starting May 25th, two days after the blog was published.
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce

Podcast Transcript

 Hello and welcome to the Monday, June 2nd, 2025 edition
 of the SANS Internet Storm Center's Stormcast. My name is
 Johannes Ullrich and this episode, brought to you by the
 SANS.edu Graduate Certificate Program in Penetration Testing
 and Ethical Hacking, is recorded in Jacksonville,
 Florida. Well, and in diaries, we do have yet more fun with
 images from Xavier. Xavier came across a PNG image that
 included malware. Now, this one didn't use sort of the
 steganography we have talked about a lot in the last couple
 of weeks. Instead, it used sort of a simpler form where
 the malicious code is just being appended to the image.
 With PNG images, there is an end marker. Any data after the
 end marker is ignored, meaning that if you display the image
 in a normal image viewer, well, all will look fine
 because the script in the end is just ignored. But as Xavier
 points out, the script or that data in the end is really just
 a little zip archive that then unpacks into a Python script.
 Now, one trick they're sort of doing here is that they are
 replacing the desktop wallpaper with their own sort
 of little wallpaper. Now, Xavier considers this a little
 bit more proof of concept than actual malware. In part
 because, well, it's just a very simple, straightforward,
 basic remote admin tool. Also, this particular wallpaper
 sounds more like something that's sort of being done to
 indicate, hey, this is sort of something that could be
 exploited rather than the exploit itself. Regardless,
 VirusTotal detection for this image is very low, indicating
 that, well, there aren't really a lot of antivirus
 products that are, for example, looking for code
 being appended to an image like this, which should really
 always be considered malicious. In this case, you
 may say, okay, you know, this is a little custom tool.
 That's probably not going to be a specific signature for
 it. But it's exactly the point, the problem with a
 signature-based detection, which even with today's
 AI-enabled tools, we still often rely on signatures. Even with
 AI, you just don't really know what the signatures are
 because they're often then created by various machine
 learning algorithms. Well, and Horizon3 did release a blog
 post outlining how to exploit a recently patched Cisco IOS
 vulnerability. This particular vulnerability did affect
 Cisco's wireless controller software, and it was related
 to a hard-coded JSON web token that then was able to upload
 arbitrary files. That's exactly what Siad Badawi here
 from Horizon 3 is walking us through. First of all, that
 particular hard-coded JWT that then allows the file upload,
 but not only the simple file upload, but also how to do the
 directory traversal to then upload arbitrary files in
 arbitrary locations, which then leads to remote code
 execution. Pretty straightforward exploit, so
 something that definitely you must patch now, given that all
 the details are now available to the bad guys. At this
 point, I haven't seen any exploit attempts in our own
 honeypot data yet, but remember, our honeypots don't
 necessarily emulate these particular devices, so there
 may be better attackers out there that are just targeting
 these particular devices. And bulletin boards are certainly
 no longer quite as popular as they used to be in the old
 days. Well, a little bit replaced by social media and
 Discord and channels like that, but, well, they're still
 out there, and one of the popular bulletin boards still
 remains vBulletin. vBulletin patched a
 vulnerability about a year ago without really announcing the
 patch as a patch for this vulnerability. We now have a
 blog post by Karma(In)Security showing the nature of the
 vulnerability and how to exploit it. This particular
 blog post was released May 23rd. The reason I bring this
 up now is, well, we are actually seeing exploitation
 of this particular vulnerability starting about
 May 25th. So there's certainly some internet-wide scans going
 for it. The vulnerability is not that terribly difficult to
 exploit, and the blog post does include a little sample
 as to how to exploit this particular vulnerability.
 Essentially, you're replacing this ad template with PHP code
 that is then being executed. Relatively straightforward
 again, and that's why we are seeing these internet-wide
 scans for exploitation of this particular vulnerability.
 Well, and this is it for today. So thanks for
 listening. Remember, SANSFIRE is coming up. So if you're
 interested, please sign up in D.C. in July. We'll have a
 bunch of extra content going on for the Internet Storm Center, in
 particular our honeypot workshop, where we will also
 give away a limited number of our honeypots. So hope to see
 some of you there. Thanks for listening, and talk to you
 again tomorrow. Bye.