Hello and welcome to the Friday, April 3rd, 2006 edition of the Sands Internet Storms Centers.

Stormcast, my name is Johannes Ulrich, recording today from Orlando, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in incident response.

Today I noticed in our honeypots that we are seeing some scans for a vulnerability in the developer tool Veed.

This vulnerability was discovered by OffSec last July and now apparently is being exploited.

It's fairly straightforward to exploit vulnerability, even though I doubt that there will be a lot of

exposed systems. Typically, this particular tool listens on port 5173.

Well, this is not where the scans are going to.

These scans are going to standard HTTP ports.

So that's the first thing that made me a little bit think that maybe they're looking for someone

who may be misconfigured this particular tool.

The problem with the tool is that it does provide

access to files on the local file system via simple HTTP requests. All you need is a prefix slash

at FS slash and that will then basically just map to the file system disregarding the document route or any settings like this.

However, there is some access control as is provided that basically limits this access to certain directories.

However, the vulnerability discovered last July does allow arbitrary access as long as the URL ends in question mark, question mark,

raw question mark. So that particular suffix essentially then bypasses the access control.

If you're running Veed, please make sure that you are running it securely, that you're not

exposing it, and that you're also running the

latest version. And by the way, this tool, well, it's pronounced feed, but it's really sort of a

French tool and this spelling is VITE. So some people may pronounce it like VIDI or something like that.

And Open SSH version 10.3 has been released and with that number of security issues were addressed. None of these security issues I would consider critical or something that

...