Hello and welcome to the Friday, March 28, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, the last couple of days I spent a little bit time on creating a couple new reports for the Internet Storm Center website.

One of them summarizes

HTTP headers. And the reason I started looking more at HTTP headers was of course Next.js

and the header-related vulnerability. We didn't, we collected the headers from our honeypots, but didn't really sort of routinely look at them.

And, well, with these new reports, actually, I immediately sort of spotted one interesting

header here, and that's the Thumbnail Access token header. Only a couple of requests this last

month with this particular header being set.

Well, a little bit researched and showed that this actually attempts to exploit a vulnerability in SightCore.

SiteCore is CMS and it uses this header for access control.

The problem, however, is that the content of the header,

the value is actually a dot-net object.

And then it uses the binary formatter class

to actually extract data from this object,

and that class is most famously known for being, well, subject to deseralization

vulnerabilities. And that's exactly what's happening here. There was a couple weeks ago,

a blog post by Searchlight Cyber. They initially discovered the vulnerability.

The vulnerability was actually patched back in January, as far as I can tell, but not a lot

of details were released by SiteCorp at the time.

Now with the blog from Searchlight Cyber, we do have a proof of concept exploit.

The one problem from our data is that we are only recording the first 250 characters of header

...