Hello and welcome to the Thursday October 9th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from Denver,
Colorado. And this episode is brought to you by the SANS.edu
Master's Degree Program in Information Security
Engineering.

Xavier again went out hunting for malware on
VirusTotal and came across an interesting Python script
that's actually polymorphic. Polymorphic code modifies
itself as it runs. The intent here is usually to evade
signatures that may otherwise detect the malware. Well, this
turned out to be a remote access tool, a RAT, and it
took advantage of the Python inspect module. That module
allows you to read the code from various functions and
then, of course, modify it. And it's then being executed using
the exec function in Python that will execute the
resulting string. It not only modifies code by, for example,
XORing it and then decoding it, but it also injects random
junk code, which will, again, mostly be used to fool
detection algorithms to not detect this particular
malware. So far, that seems to be somewhat successful with
only two antivirus tools detecting it on VirusTotal.
Otherwise, this is your standard RAT. It has the
standard functionality like keystroke loggers, reporting,
retrieving files, and the like. So, it's certainly
possibly dangerous malware. Whether or not this was
actually used in an attack or is really sort of a proof of
concept, of course, is open at this point.

And in
vulnerabilities, we have a little bit of an odd
vulnerability to start out with. It's not very severe,
but I still decided to include it because it's interesting
how the vulnerability is being exploited. And also, it
affects SSH, which, of course, is a very widely used tool for
secure remote access. The problem with this
vulnerability is the ProxyCommand directive in SSH. The
intent of the ProxyCommand directive is to, well, execute
code before the connection is established. If you need to
set up, like, a tunnel through an HTTP proxy or something
like this, well, then ProxyCommand is your friend. The
problem, of course, is, as always, that it does allow for
arbitrary code execution. Now, at first, this doesn't really
sound like a big deal. This is an option that you would
usually add to an SSH config file, so something that a user
controls. And, well, being able to modify the .ssh/config
file is kind of like, well, just executing code on the
shell itself. And it doesn't really need any tricks to sort
of accomplish that. It gets a little bit more tricky when
you're cloning Git repositories. When you're
cloning Git repositories, this may include submodules that
are being included in the main Git repository. And these
submodules will tell you, well, where to get the code
for these submodules, which is a URL which includes also SSH
as an option. And by using tricky combinations of escape
characters and new lines, it's now possible for the submodule
to include a tricky URL that will execute code on the user
that is cloning the Git repository. So how risky is
this? Well, if you're cloning a Git repository, you usually
intend to execute that code. So overall, shouldn't really
be a big deal. You are already kind of executing code. And so
far, executing more code via a tricky SSH directive may not
really be seen as an additional risk. However, the
vulnerability was fixed. It's now more restrictive as to
what control characters you may use, in particular in
the username part. And that should prevent exploitation of
this particular issue. But I think it remains that you just
need to be careful: if you are cloning Git repositories, you
are essentially executing code. If you're doing this, you're
executing code that you're pulling in from the Git
repository. So this additional vulnerability, I don't think
is such a big deal. It's an interesting vulnerability and
also maybe a lesson in how a minor vulnerability can, under
certain circumstances, cause serious harm.

I think we're
having some fun with AI again. This time it's the Framelink
Figma MCP server. Figma is a very popular design tool and
the Framelink Figma MCP server is an open source tool that
allows your AI tools to interact with Figma. The
problem here is a code execution vulnerability. And
the way it happens is that, well, the MCP server attempts
to connect and if the connection fails, it does just
call curl with a command exec option and that can easily be
exploited via a URL being passed to curl. That includes
things like a pipe character to execute arbitrary commands.
So your standard OS command injection vulnerability. MCP
servers are still pretty new and are being somewhat rushed out
because everybody sort of wants to be part of the game
with MCP servers. I would highly recommend using them
cautiously, as there are likely many similar vulnerabilities
hiding.

Well, that's all I have for today. A little bit
of a quiet day today. Hope you like that and thanks for
liking, subscribing and recommending this podcast.
Talk to you again tomorrow. Bye.