Hello, welcome to the Thursday, April 26th, 2018 edition of the Sansonet Storms and a Stormcast.

My name is Johannes Ulrich and the I'm recording from Jacksonville, Florida.

Well, triple users be aware there is a new critical remote code execution vulnerability that you need to patch for and this time the vulnerability

has already been exploited by the time I record this. Now this new remote code execution vulnerability

is apparently a variation of the vulnerability that was patched in March, but apparently the patch didn't go far enough

and still allowed some versions of the attack to pass. Given that, it's no surprise that attackers

were able to weaponize this new vulnerability rather quickly. Exploid code has been published to paste bin. The exploit

against Drupal 7 published to pastebin does require that the attacker is logged in to the system.

So a little bit more tricky to exploit in this particular variant than the old one, but there is a possibility that other

exploits that do not require authentication may be released as well. If you have looked at

Linux malware, like the ones that may be installed by the triple vulnerability, you probably

came across a number of shell scripts.

What attackers often do is they use Unix utilities like WGet or curl to then download additional code.

But Xavier today wrote up a little shell script that a redirection submitted to us that uses neither.

It does establish a simple IRC bot using nothing but batch.

The trick that's being used here is that you can actually pipe data to dev TCP and

establish TCP connection that way and stream data both ways.

Now, of course, a lot of the low-level work has to be done in batch as well, but for something simple,

like for example, an IRC bot, this may actually work quite nicely.

And in particular, if you're thinking minimum

systems in and of things style systems, tricks like this may work on systems that don't have

a lot of these tools like W get and curl installed. And if you're like me traveling quite a bit,

...