Hello and welcome to the Monday, December 18th, 2023 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich. And then I'm again recording back from Jacksonville, Florida.

Xavier this weekend wrote about an interesting exploit script. He found that targets a recent rocket MQ vulnerability.

The vulnerability CVE 202033-346 was made public in July, and a proof of concept was actually

released pretty much a couple days after, if not the same day the patch was released.

The script Xavier found attempts to find an exploit random Rocket MQ servers.

An initial Bash script will install dependencies needed to compile the scanning tool Mass Scan.

Once compiled, it will then scan the Internet for exposed Rocket MQ servers to exploit.

The attacker appears to have done similar scans before.

Interestingly, Xavier noted that there was some common out tool in the code that basically

pointed to other vulnerabilities, like, for example, Webmin and WordPress.

And Xavier isn't only going for the latest Bash and Python, Malberry.

He's also found a self-compiling C-sharp script.

In this case, the exploit downloads the C-sharp code and compiles it on the victim's

system. Not terribly unusual for something like this to happen because that, of course,

guarantees it's compiled for the correct libraries, the correct architecture and such, versus

just downloading the binary.

This requires that the victim has the dot-net framework installed,

but as Xavier points out in the diary,

almost all Windows systems have the dot-net framework installed because it's so commonly used for software written for Windows.

Voice over IP technology company 3CX is in the news again, this time alerting customers

of a vulnerability in the company's 3CX tool. The vulnerability is a sequel injection

vulnerability and in order for it to be exploited, the SQL integration needs to be enabled.

...