Hello, welcome to the Thursday, September 26, 2019 edition of the Sandstone Storm Center's Stormcast. My name is Johannes Ulrich.

And then I'm recording from London, England. Today we got a diary from Brad talking about how Melsbaum is distributing the Quaser Remote Access tool.

This remote access tool is publicly available via GitHub, but often distributed maliciously in

email attachments like the one that Brad documented.

As usual, you'll find links to packet captures and the like.

So create a little example to hone your packet skills.

And we got an update to the Bulletin vulnerability that I was talking about yesterday. the Bulletin has now released a patch for this vulnerability.

You should apply it very quickly. It's critical. It's already being exploited.

Actually, according to Cerrodeum, this particular vulnerability has been known in the underground for about the last three years and has been actively exploited since then.

Of course, a little bit odd that the vulnerability hasn't been patched before that or hasn't been reported to the bulletin over the last three years.

The vulnerability itself is actually really straightforward, shouldn't really be that difficult to find

and really in any kind of code review, this particular code snippet which directly calls the Eval function in PHP with user input

should certainly have been flagged.

The bulletin is not free software.

It's software that you have to pay for, so I haven't been able to review the patch that the bulletin came up with.

The bulletin user has also come up with an unofficial patch.

This unofficial patch will essentially just comment out the Eval function

and possibly will break some functionality.

Not sure what the ultimate patch that the bulletBulletin came up with actually does.

I've seen a couple of reports from V-Bulletin users that they have seen attacks against

their sites.

In one case, at least, essentially, the attacker just deleted the V-Bulletin database.

...