Hello, welcome to the Tuesday, August 29th, 2020, 3 edition of the Sands and Storms anders Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today we got a very interesting and timely diary by Xavier. Xavier is looking closer at the Wynrarr Warnability, CVE 2020-23-38-831, how it's being

exploited and how you can detect it.

To detect it, Xavier uses zipdump.

PY, a quick Python script that analyzes zip files. And the trick that's being

abused here in order to exploit the vulnerability is space at the end of a directory name and

a space ahead of the extension. So the file that Xavier sipped here as part of his

exploit archive is test.ttXT space slash test.txtspace.combe, and that leads then to the execution

of the code in the dot bat file. In addition to use

this proof of concept exploit in order to show how exploitation works here, Xavier also is

looking at exploit that he found on virus total to show well it works for real samples,

and then also how to go further and extract the actual script being executed.

And Juniper, a little bit more than a week ago, did release a bulletin with an out-of-cycle fix for June OS.

This particular bulletin does fix a number of vulnerabilities.

The trick here is that by themselves, some of these vulnerabilities may not sound that bad,

but together they can actually then be exploited to gain full unauthenticated remote code execution.

I mentioned yesterday how hard it can be to just look at the CVSS score and figure out how severe vulnerability is.

Of course, there's nothing better than to bring home the severity of vulnerability

than an actual proof-of-concept exploit,

and we now have that thanks to Watchtower Labs.

And exploitation is actually not all that terribly difficult.

It is essentially an arbitrary remote code upload vulnerability that

...