Hello, welcome to the Thursday, August 4, 2020 edition of the Sands and at Storm Center's

Stormcast.

My name is Johannes Ulrich, and today I am recording from Jacksonville, Florida.

Today I noticed a small group of IP addresses scanning the same set of a bit unusual odd vulnerabilities.

The vulnerabilities are odd because they're not your normal, simple remote code execution

vulnerabilities that we often see by botnets, but they're really more looking sort of for

information leakage issues like exposed environment variables and configuration files.

Well, turns out the scans all use the L9 Explorer user action, so I dug a little bit into

that.

And turns out it's related to the Leakex platform LeakeX, according to the site is sort of a

buck bounty helper tool to help identify,

notify sites leaking data. You may, of course, just block the user agent. We also offer

a feed-off leakix associate IP addresses, but then again, why not just use that list of

URLs they're scanning for and double check that you are not exposing

any data via these URLs. And researcher Derek Abdein uncovered a critical and simple to exploit

directory traversal vulnerability in ERIS DSL and fiber routers.

ERIS is one of the larger manufacturer of these devices.

They also make cable modems, and it's not clear if they are affected as well.

The root cause here is really the MyHTPD demon.

That's the web server that's installed on these devices.

You may also find ARIs devices being used by various ISPs and sort of preinstalled by them

if you rented your modem or router from your ISP, and they're sometimes then also

...