Hello, welcome to the Thursday, December 9th, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

We do have a new forensic challenge thanks to Brad who posted this again for this month.

So as usual, there is a packet capture that you're expected to analyze with WireShark in order to answer the questions that Brad posted here.

Speed doesn't matter in this case.

You just have to submit the answer before the deadline. That's Wednesday, December 22nd. As usual, we'll give away a raspberry pie and, well, probably won't make it before the holidays, given that we determine the winner on December 22nd, but well, shortly thereafter,

you'll hopefully get it.

Raspberry pies have been a little bit in short supply, so sorry if there's a little bit

delay then in shipping them out.

One of the services offered by cloud providers is the ability to run entire desktop operating systems

in the cloud and access them remotely. This, of course, provides a nicely remote managed

solution for workers to have a protected system in the cloud that they are then using sort of for the daily work and that's

isolated from anything that they may be doing in their home networks. But of course, you do want

to connect some physical devices that are located in the user's office to these remote desktops,

in particular USB devices like webcams.

So you essentially can run Zoom on the remote desktop in the cloud

and at the same time use the USB webcam that you have connected to your home computer.

In order to provide this capability,

the providers are using a library by Elthema that is implementing a USB over Ethernet

protocol. Sadly, according to a blog post by Sentinel Labs, this particular SDK has numerous vulnerabilities

that allow for privilege escalation on the remote desktop up to the kernel level, which

then in turn could be used to, for example, disable some security services.

There are various providers that are offering these

...