Looking for something to do in ~90 minutes over a meal? Drop by for the @runZeroInc Hour webcast today with me, @lorddimwit, and @blainsmith.

We're chatting about remote detection of the xz-utils affected SSH binaries, our upcoming research report, the Palo Alto Networks RCE and surprise #golang zero-day in gorilla/sessions, Binarly's epic lighttpd vulnerability and supply chain research, and much more!

https://runzero.zoom.us/webinar/register/1217102670048/WN_4Po_Qnx4S1Og3Plm9KyiZA#/registration

The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655

This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.

https://github.com/golang/vulndb/issues/2730

If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.

Huh. So the Gorilla project went into archive-only mode in 2022. The gorilla/sessions project opened an issue asking for a new maintainer, this issue was closed as "stale", and a final comment was added indicating that the project is archived: https://github.com/gorilla/sessions/issues/250

The Gorilla project website, however, states that as of July 2023, a new maintainer has been identified, and the gorilla/mux project is seeing recent commits, so hopefully the same maintainers are also managing gorilla/sessions. The gorilla/sessions CI automation is failing with a bad credential and it looks like the sessions project specifically hasn't seen much love lately. #golang #vulnerability

Looks like quite a few projects are using session.FilesystemStore: https://github.com/search?q=sessions.NewFilesystemStore+language%3Ago+&type=code

The watchTowr folks published an in-depth article today covering the Palo Alto Networks unauthenticated RCE at: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

Even more impressive is they also disclosed a zero-day directory traversal vulnerability in the #golang gorilla/sessions package (used far and wide). The gorilla vulnerability only applies to code using the FilesystemStore, but it is still likely to impact a huge range of products and services. A pull request to fix this is open at https://github.com/gorilla/sessions/pull/274

Huge thanks to @alizthehax0r and the watchTowr team as well as @moloch of Bishop Fox for co-discovery (and providing a fix for) of the gorilla/sessions bug.

Thank you @CypherCon! What an amazing event and a great community! Opening slides from my keynote today:

Hello #cyphercon! Badge line con is moving along fast, please say hi if you see me! I’m excited for today’s lineup and stoked to share some work during my 11am keynote tomorrow!

Fantastic work by @amlw - xzbot

Exploration of the xz backdoor (CVE-2024-3094). Includes the following:

* honeypot: fake vulnerable server to detect exploit attempts

* ed448 patch: patch liblzma.so to use our own ED448 public key

* backdoor format: format of the backdoor payload

* backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key

https://github.com/amlweems/xzbot

If you spent this weekend scrambling to respond to CVE-2024-3094 (the libxz-utils backdoor), we have good news! The universe of affected distributions seems small and relatively easy to track down: https://www.runzero.com/blog/how-to-find-systems-impacted-by-cve-2024-3094-libxz-utils-with-runzero/

TL;DR: The "rolling" releases affected by this issue all use very new builds of OpenSSH (9.6p1/9.7p1) which simplifies the search.

maybe an interesting listen to follow it: "This is an hour long conversation with Jon Lebkowsky, Ed Cavazos, and John Quarterman discussing the history of EFF-Austin, an independent organization that was originally supposed to be a chapter of the Electronic Frontier Foundation (EFF), but established its own identity when EFF decided not to have chapters in 1992.": https://archive.org/details/JoelGreenbergEFFAHistoryPart1

A couple of ancient photos from my first #DEFCON