Hello, welcome to the Wednesday, September 20th, 2017 edition of the Sandton and Storm Center's

Stormcast. My name is Johannes Ulrich, I'm recording from Jacksonville, Florida.

Forensics investigations often involve the collections of file access and modification time and the probably go-to tool for

this in the open source world is Mac robber. Now Mac here doesn't stand for Macintosh

instead it's short for modification, access and creation which are the three basic timestamps that you usually find

associated with files.

Now, Jim ran into a case where this tool didn't work for him, so he rewrote it in Python

with a couple of changes.

That's sort of a typical open source thing, of course, that tools like this get redeveloped.

And, well, a Mac robber itself actually started out as Grave robber and was then later, for

similar reasons, rewritten as Mac robber.

And now you have a Python version that will work on various

operating systems more seamless than the old version. A link to the GitHub repository for

this tool can be found in Jim's diary. And Apache released an update for Tomcat that does fix two vulnerabilities.

The first one is a remote code execution vulnerability that is enabled if you are enabling

the HTTP put method.

Now HTTP put allows someone to upload files to a system. In this particular case,

of course, if they're downloading JSP scripts, these scripts may be executed. The second vulnerability

does take advantage of the virtual dear context in order to view source code.

So no remote code execution here, but still something you probably do want to fix.

Overall, these vulnerabilities do only affect these specific configurations.

They're not quite as severe as these recent struts vulnerabilities, but certainly

...