SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Monday, March 28th, 2022

SANS ISC Handlers

Tech News, News

🗓️ 28 March 2022

⏱️ 6 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. XLSB File Analysis; Dirty Pipe Container Escape; PHP Filter Vuln; OpenBSD slaacd vuln; Google Chrome 0 Day

Transcript

0:00.0

Hello, welcome to the Monday, March 28th, 2020 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:14.0

As a follow-up to one of Brad's Diaries, Xavier posted analysis of XLSB files.

0:23.6

This extension showed up in a Qakbot infection that Brad looked at,

0:29.6

and Xavier explains a little bit how to analyze these files

0:34.6

and why an attacker may choose to use an XLSB file.

0:39.1

Usual modern office documents are essentially compressed XML files, but there is an option

0:45.6

and that's what the B, or binary, in XLSB stands for: to use a binary format. And that's exactly what happened here.

0:55.3

Of course, once you have your macros in this binary format,

0:59.8

then it gets more difficult to analyze them,

1:02.2

strings and similar tools will no longer really yield any results.

1:08.0

Xavier shows how some of Didier's tools are actually analyzing these files.

1:15.1

And then recommends if you want something quick and dirty to look at these files, you're

1:21.1

probably best off just carefully, of course, opening the files in Excel and then just save the macros. Now, you don't need to enable

1:32.4

macros in order to do this. So yes, you can do this reasonably safely, but again, you know,

1:38.6

be careful whenever you open a known or suspected malicious file.

1:50.9

And Datadog published a blog post showing how the recently discovered Dirty Pipe Linux privilege escalation vulnerability can be used to break out of unprivileged containers.

1:57.5

Now, in particular with Kubernetes containers, they demonstrate how RunC essentially can be used in order to break out.

2:07.9

All the attacker has to do, and this is what this script released by Datadog does, is to wait for RunC to run inside a container.

2:17.9

Then the Dirty Pipe exploit is used to overwrite the RunC binary on the host

2:23.4

with a malicious binary, which then of course leads to code execution on the host.

2:32.3

Overall, no real big surprise. In essence, a container is a lower privileged

2:37.6

process, so if I have a privilege escalation and I can trigger it from inside the container, I may be able,

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2026.