Hello and welcome to the Friday, September 9, 2020 edition of the Sands Inn at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Cyber Chef is one of those deceptively simple tools that is a joy to use, in my opinion,

and probably took an army of JavaScript

geniuses to create in order to make it so simple. Well, actually, maybe it was an army

given that it came out of the British GCHQ. But today, DDA wrote a nice example showing

how to analyze obfuscated visual basic script with nothing but CyberChef.

The DA assemble's recipe in Cyber Chef starting with UTF6 decoding, the hex dump pulled from the malware,

and after filtering some empty lines and some visual basic

code becomes evident. But that was pretty straightforward. Did he then goes further and shows how

the actual obfuscated strings within the visual basics code can further be de-offuscated using Cyber Chef and

how in the end you'll end up with the URL the next stage of the malware was downloaded

from. A full link to the recipe is shared by DDE as well.

Now earlier this week I saw a vulnerability announced in PF Census, PF Blocker, NCHN,

and honestly just forgot to cover it.

So thanks to Joe from Sands for reminding me earlier today.

I know there are a number of IAC readers who use this tool.

PF Blocker NG is a plug-in for the open-source firewall PFSense.

I'm not really sure if it's also available in OpenSense,

but the problem here is that it does allow for arbitrary code execution.

The plugin itself does not validate the host header correctly.

And of course, the host header is supplied by the user.

...