Hello and welcome to the Thursday, September 18th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Graduate Certificate Program in
Incident Response. Well, in diaries today, we do have
Xavier talk about Ctrl-Z DLL hooking. The trick that Xavier
is referring to here is, well, first of all, if you are
reverse analyzing malware, you're trying to introduce
breakpoints into the code where you're able to better
analyze what's happening in particular segments of the
code. The problem with this is that you're going to modify
some of the code in memory by essentially, well, adding
these software breakpoints to specific API calls. Now,
malware has a couple different options here in order to
bypass this. They can like, you know, check whether or not
these breakpoints are present. That's a little bit tricky
because they have to go through all the different
possible API calls that you may have added these
breakpoints to. But a simpler solution is just reloads the
code from a disk for that particular DLL with that
overriding any modifications that may have made after the
DLL was loaded into memory. And that's exactly what Xavier
illustrates here and how it is being done in a particular
malware sample that Xavier came across. This malware
sample appears to be some prototype, not quite finished
yet, ransomware that's written in Python. So interesting that
aspect as well. And it just performs this simple trick
where it reloads the DLL in order to basically invalidate
whatever breakpoint or other modifications an analyst may
have made. And we got an interesting blog post by Dirk
-Jan Mollema about a vulnerability that Dirk-Jan
did disclose to Microsoft and which was addressed as part of
this September's patch Tuesday. This wasn't Azure
vulnerability. So nothing that you have to patch. Microsoft
patched it on their end and the possibility here with this
vulnerability was that anybody with an Azure tenant would be
able to authenticate as any other tenant in Azure. So that
security boundary between tenants essentially broke
down. The problem here was something called actor tokens.
And this is something that's sort of on the back end that
Microsoft doesn't really disclose, talk about because
you never really should see or interact with them. So you
have a lot of information when one of your service is talking
to Microsoft service. And then that Microsoft service
internally sends a connection to another Microsoft service.
So these service to service communications, they are
protected with these actor tokens that essentially sort
of carry forward any access rights and such that the
original user had, or at least that's the idea. So that's the
idea here. But part of the here is that the actual sort
of signatures are being replaced. And with that, well,
an attacker could essentially just issue a token on their
end using their tenant claiming to be another user on
another tenant. And, well, the actor token will just carry
that information along without validating it properly,
without authenticating it properly. And that basically
then creates credentials that you can use as this other
user. Interesting vulnerability. And, well, yet
again, a good example on these complexities in these large
public cloud environments that often lead to these oversight
and great work here by Dirk-Jan actually figuring it out.
Well, the blog post URL will be in the show notes with lots
more details. I tried to represent what's happening
here, but of course, there are a lot more details to it in
the blog post. And then we got a couple of vulnerabilities to
talk about. First off, security appliance, of course,
and this time it's WatchGuard Firebox. It suffers from an
out-of-bounds write vulnerability that could be
used by an unauthenticated attacker to compromise the
appliance. It affects the iked daemon, which, well, is
part of IPsec VPNs. So you're only vulnerable if you
actually have IPsec VPNs configured. So if the iked
daemon is running and once it's running, well, then an
attacker could launch that buffer overflow vulnerability.
Patches have been made available. So apply them as
quickly as you can. And then to everybody out there playing
with AI, NVIDIA published a critical update for its Triton
inference server. This affects the Linux and Windows version.
There are a number of interesting vulnerabilities
being addressed here. First of all, that's probably the
number one vulnerability here, a remote code execution
vulnerability. This looks like a simple OS command injection
vulnerability that can be triggered by essentially
setting a specific model name parameter. Try a semicolon,
try a pipe and see what happens. And then we have a
second vulnerability here that's not that much lower
than the other one, but it's not considered critical. It's
only considered high. And this is an input validation issue.
So also exploit may lead here to code execution. Definitely
get this updated. And this is also the system that you
probably don't want to leave exposed to the world. Well,
and this is it for today. So thanks for listening. Thanks
for liking. Thanks for recommending this podcast and
subscribing to it. And talk to you again tomorrow. Bye.
