Hello, welcome to the Wednesday, June 6, 2018 edition of the Sandcent Storm Centers.

Stormcast, my name is Johannes Ulrich, and you're an recording from Augusta, Georgia.

Xavier went hunting again on virus total and came across an interesting script that apparently was used in order to further compromise a system.

So this is not the actual exploit per se, but a script that would be installed by the initial

exploit, or as Xavier points out, a malicious user who already has access to the system.

In part, what's sort of interesting about this script

is that it's very modular, so it loads, for example, individual components from GitHub

and then has also a build-in update mechanism that can be used to update the script itself. It uses

only command line utilities, so with that it

presents sort of a simple text-based user interface that you can use to select and execute

individual components. One disadvantage, of course, of the virus total hunting approach is that

we don't really have a lot of sort of context

around the script so not really sure who used it how it is possibly being used in the wild if

it's being used in the wild and then of course what the initial exploit was that was used to

install this script on an affected host.

And researchers at SNCC security, a company that specializes in enumerating and securing dependencies

in open source projects, did find interesting vulnerability in many projects that deal with SIP files. Now, they sort of focus here on SIP files, but the vulnerability certainly applies to other archive file formats.

The problem is that SIP and other archives may include file names, and if you unsip the file, you may

blindly use the file names that are located

inside the file these file names may also include directory names and that in turn

can then lead to directory traversal or the overriding of existing files

which then of course could be executed.

...