Hello, welcome to the Tuesday, May 7, 2019 edition of the Sanctur Storm Center's Stormcast. My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

The DA today wrote up a quick note regarding an issue that Xavier ran into when he looked at these malicious UDF files recently.

Part of these files were actually in UTF-16 encoding.

UTF-16 uses at least two bytes per character, and with that what you typically end up

with if it's ASCII text, one of the bytes is zero

followed by the ASCII code.

So not terribly difficult to decode this and make sense of it, but the DA is going over

some of the tools that you have available in order to actually decode and then read the data more easily.

One set of vulnerabilities that is really sort of taking off is HTTP services starting on the

loopback interface to interact with various software packages.

Latest example, VMware Fusion.

VMware Fusion is setting up this listener on Port 8,698, and by connecting to it,

you were able to actually execute arbitrary commands on the guest without authentication. Since these are WebSocket and Rest

APIs that are being exposed here, all you need is some JavaScript so an attacker could execute

arbitrary code if the victim is visiting a malicious website and loads the respective JavaScript.

The envir patched this issue late in March, so about a month ago, and the actual proof

of concert exploit was released.

Also late March, but really didn't run into this until now.

So I figured I'll still mention

because this is a real simple exploit. So make sure that you are patched if you're running

VMware Fusion. And then again, this kind of vulnerabilities, we just have seen it with

Dell last week and with everybody moving to these sort of HTTP

...