
SANS Stormcast Friday, March 6th, 2026: Targeted or Not? pac4j-jwt auth bypass; freescout dangerous uploads; MSFT Authenticator vs Graphene OS

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9838.mp3


Podcast Transcript

Hello and welcome to the Friday, March 6, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cloud Security.

Today we got another guest diary from one of our undergraduate interns. This time it was Joseph Gruen's turn to write up some of his observations from a honeypot. Now, one of the things about honeypots is that honeypots are usually easy to identify as a honeypot, and they're not typically getting you these zero days or targeted exploits. But they're really measuring the background radiation of the internet, as I sometimes call it: basically all the background noise that you typically end up with from these ubiquitous scans. And Joseph is going over one particular actor like that. What you often have happening here is that these individual scanners are zooming in on a particular type of exploit, a particular type of artifact they're looking for. Now, where this becomes valuable is also when you're looking at our honeypot network and the data we publish on the Internet Storm Center website. If you're getting attacked by an IP address and you wonder, hey, is this someone that's only attacking me, or is this someone that is basically scanning the internet for this particular issue? Well, just search for the IP address on the Internet Storm Center website and see what our sensors picked up about that IP address and whether the activity that you're seeing is different in some ways.

And then, sadly, we do have another one of those open source library vulnerabilities to talk about that may send you scrambling to figure out which particular systems in your network are using this particular library. The library in question here is the pac4j-jwt library, and CodeAnt, which is a company that delivers AI tools for code review, did find this particular vulnerability. JWT, or "jot" as it's sometimes called, or JSON Web Tokens if you want to spell it out, is a commonly used format to deliver authentication information. It's basically JSON data that's digitally signed, so it can be used for all kinds of authentication purposes, maybe with OAuth but also in other contexts. The problem has been that JWT, like many of these standards, is a fairly flexible standard. There were issues where the signature was optional in some cases, or a problem, and this one is a little bit like it but not quite, called algorithm confusion, where I can replace an asymmetric algorithm with a symmetric algorithm and then I can just use the public key to sign the statement instead of the secret key. That's a little bit like this here. So what happens here is that we do have a JWT, a JSON Web Token, that's actually not signed. We wrap it in a signature created by using the public key, and then the signature works out. It's basically a valid signature, and the token itself doesn't really say that it needs to be signed. So it's easy to exploit, and yes, CodeAnt has released basically all the steps you need in order to make a good and valid token using this vulnerability. There's also this issue a little bit with making the public keys public. Well, they're called public keys, so it shouldn't really be an issue, but some implementations are hesitant to do this because of some of these algorithm confusion issues. On the other hand, there are many standards around JWT, like OpenID and such, that require the public keys to be actually public, as the name implies. So, to patch this vulnerability, keeping the public keys secret is probably not the right solution here.

The next one I believe we have to talk about is another favorite of mine, and that's FreeScout. It's an open source help desk and shared mailbox solution. Well, it has the ability to deal with file uploads, and that's what help desks and email systems have to deal with. So not that they can easily get around it, but they make a classic mistake here, and that's relying on filtering for malicious content by extension. That usually fails, and if you then allow unrestricted file uploads as a result, you end up with remote code execution. The problem here is white spaces again that can get inserted that really don't change how the extension works and are then bypassing the .htaccess filters used. If you are allowing people to upload files to your server, really the only option is to save them outside the document root and then pipe them back via some kind of loader script that does not execute any code, no matter what the file type is that you're displaying.

Well, a few episodes ago I talked about how Microsoft is going to tighten up how it's going to run its Microsoft Authenticator on iOS and on Android by basically not allowing it to run on rooted devices. There's one case where this is causing issues, and that's Graphene OS. Graphene OS is a well respected, more secure Android version, but well, it's not Android, so it's not being recognized as non-rooted, and as a result, right now Authenticator will not run on Graphene OS, so you pretty much have to run an Android version, not the Graphene OS version, on your phone.

Well, and this is it for today. Thanks for listening. Thanks for liking. Thanks for commenting on your favorite podcast platform, and talk to you again on Monday. Bye.
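For the JWT segment above, here is an added example (not pac4j or CodeAnt code, and not a reproduction of their specific bug) of the general mitigation: a verifier that rejects unsecured tokens and binds the acceptable algorithm to the kind of key it holds before any signature is checked. The key-kind labels, the `ALLOWED` table and the test secret are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example, not pac4j or CodeAnt code: the verifier binds the acceptable
# "alg" to the kind of key it holds, so unsecured tokens and HMAC tokens
# presented to a public-key verifier are refused whatever the header claims.
# Key-kind labels and the ALLOWED table are assumptions of this example.
ALLOWED = {"hmac_secret": {"HS256"}, "rsa_public": {"RS256"}}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def check_policy(token: str, key_kind: str) -> str:
    """Header-level policy: return 'ok' or the reason for rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed: expected header.payload.signature"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:
        return "malformed header"
    alg = header.get("alg") if isinstance(header, dict) else None
    # An unsecured JWS ("alg": "none" or an empty signature) is never trusted.
    if not isinstance(alg, str) or alg.lower() == "none" or parts[2] == "":
        return "rejected: unsecured token"
    # Algorithm confusion: the key kind, not the token, decides the algorithm.
    if alg not in ALLOWED.get(key_kind, set()):
        return f"rejected: alg {alg} not permitted for {key_kind} key"
    return "ok"

def make_hs256(claims: dict, secret: bytes) -> str:
    # Mints an HS256 token for the constructed test input; not production code.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    # Policy check first, then a constant-time HMAC check; claims or None.
    if check_policy(token, "hmac_secret") != "ok":
        return None
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))
```

A verifier holding an RSA public key would plug RS256 verification in behind the same `check_policy` gate; the point is that the gate runs before, and independently of, any cryptographic check.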
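For the FreeScout segment, here is an added example (not FreeScout code) contrasting an extension blocklist applied to the raw filename with an allowlist applied to a normalized name, and sketching the layout the episode recommends: files stored outside the document root and handed back by a loader that never executes them. The upload path, allowlist and blocklist are assumptions of this example.

```python
import os
import re
import secrets

# Added example, not FreeScout code: a naive blocklist on the raw trailing
# extension beside an allowlist applied to a normalized name, and the layout
# the episode recommends (files kept outside the document root, handed back
# by a loader that never executes them). Paths, the allowlist and the
# blocklist are assumptions of this example.
ALLOWED_EXT = {"pdf", "png", "jpg", "txt"}
UPLOAD_ROOT = "/var/lib/helpdesk/uploads"  # assumed; not under the web root

def naive_blocklist_allows(filename: str) -> bool:
    # The classic mistake: stray whitespace makes the raw extension look
    # harmless to the list even though the server may still treat it as code.
    ext = filename.rsplit(".", 1)[-1]
    return ext.lower() not in {"php", "phtml", "phar"}

def normalize_name(filename: str) -> str:
    # Drop path components, strip whitespace and control characters, then
    # reduce to a narrow character set before the extension is examined.
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[\s\x00-\x1f\x7f]", "", base).lower()
    return re.sub(r"[^a-z0-9._-]", "_", base)

def allowlist_accepts(filename: str) -> bool:
    name = normalize_name(filename)
    if "." not in name or name.startswith("."):
        return False
    return name.rsplit(".", 1)[-1] in ALLOWED_EXT

def storage_path(filename: str) -> str:
    # Random server-side name: the client name is metadata only, and nothing
    # under UPLOAD_ROOT is reachable by URL.
    if not allowlist_accepts(filename):
        raise ValueError("upload rejected")
    return os.path.join(UPLOAD_ROOT, secrets.token_hex(16))

def download_headers(original_name: str, size: int) -> dict:
    # Loader response: force a download with an inert content type, and tell
    # the browser not to sniff, regardless of what the file contains.
    safe = normalize_name(original_name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(size),
    }
```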