Hello, welcome to the Friday, November 3, 2003 edition of the Sandcented Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

We talked a couple times already this week about attackers using artificially inflated PE files, basically very large files in order to bypass security tools.

Today we got a solution.

DDA is walking us in his quick tip through how to, first of all,

figure out if you're dealing with a file that just has some padding at the end,

and secondly, also how to

remove that padding to make analysis easier it's really a combination of two of dda's famous tools

a p e check will summarize the different sections of a p e file and will tell you that you have this

very large overlay with just one unique

byte and in this case just zeros and then using a second tool at tail.p.I.

It's then able to extract just the part that actually matters.

So hope this helps and for details details again, refer to DDA's diary.

And Apache just patched a vulnerability in Active MQ, the message Q tool that's being maintained

by the Apache Foundation.

This vulnerability does allow arbitrary remote code execution. that's being maintained by the Apache Foundation.

This vulnerability does allow arbitrary remote code execution to anybody with network access to the broker.

This vulnerability is now already being exploited.

Apparently, the Hello Kitty Ransomber group is exploiting this vulnerability, according to Rapid 7.

Proof of concepts have been around for about a week, and sadly, exploitation is actually pretty trivial for this vulnerability.

You literally just have to basically include some XML in the message with the bash command you would like to execute.

And in new vulnerabilities, we did get patches from Cisco, in particular noteworthy.

Here is CVE 2020-8.

...