Hello and welcome to the Thursday, May 18th, 2020, edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Savvy wrote a quick diary about an increase in the use of self-extracting rar files that he's observing.

Self-extracting files are always interesting because by definition, as they're being

expanded, they will execute code.

Same here with these rar files.

The attacker can pretty much just include a simple visual basic script

as is shown in this example and then execute it as the files are being expanded.

Most of the files in the archive are actually harmless and just garbage data, but the script

and a couple configuration files to go with it

are what actually causes the damage here.

Xavier offers a Yara rule to detect self-extracting RAR files.

They shouldn't really be that hard to spot given that usually they also just use dot eXE as an extension,

which probably should be treated with caution anyway and stripped out in any mail filters.

And then we have an interesting vulnerability in Waymo smart plugs.

These smart plugs are made by a Belkin and it's a pretty straightforward buffer

overflow in the friendly name. The name is supposed to be up to 30 characters long, but this

limit is really only enforced in the app that's used to control the plug.

If you can send the update name command directly without the app,

then you can specify whatever length you want, giving you ample space for a buffer overflow.

Amid Serper and Ruhn Yaka, who discovered the vulnerability, did write a lengthy blog, including

proof-of-concept exploit code.

...