
SANS Stormcast Monday, June 23rd, 2025: ADS and Python; More Secure Cloud PCs; Zend.to Path Traversal; Parser Differentials

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9500.mp3


ADS & Python Tools
Didier explains how to use his tools cut-bytes.py and filescanner to extract information from alternate data streams.
https://isc.sans.edu/diary/ADS%20%26%20Python%20Tools/32058

Enhanced security defaults for Windows 365 Cloud PCs
Microsoft announced more secure default configurations for its Windows 365 Cloud PC offerings.
https://techcommunity.microsoft.com/blog/windows-itpro-blog/enhanced-security-defaults-for-windows-365-cloud-pcs/4424914

CVE-2025-34508: Another File Sharing Application, Another Path Traversal
Horizon3 reveals details of a recently patched directory traversal vulnerability in zend.to.
https://horizon3.ai/attack-research/attack-blogs/cve-2025-34508-another-file-sharing-application-another-path-traversal/

Unexpected security footguns in Go's parsers
Go parsers for JSON and XML are not always compatible and can parse data in unexpected ways. This blog post by Trail of Bits goes over the various security implications of this behaviour.
https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/
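The validate-with-one-parser, consume-with-another problem described here, shown in Go as an added example that is not from the podcast or the Trail of Bits post. It assumes a hypothetical "action" field that a front end validates before a back end acts on it, and uses a constructed document in which encoding/json's case-insensitive field matching and last-duplicate-wins behaviour let the validator and the consumer see different values:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed input: Unmarshal matches fields case-insensitively and keeps the last duplicate key.
const Ambiguous = `{"action":"read","ACTION":"delete"}`

// LenientAction decodes the way a plain json.Unmarshal does.
func LenientAction(doc string) (string, error) {
	var p struct{ Action string `json:"action"` }
	err := json.Unmarshal([]byte(doc), &p)
	return p.Action, err
}

// StrictAction refuses a document whose top-level object repeats a key, then decodes it.
func StrictAction(doc string) (string, error) {
	if err := rejectDuplicateKeys(doc); err != nil {
		return "", err
	}
	return LenientAction(doc)
}

// rejectDuplicateKeys reads the top-level keys with the token API and skips each value
// with Decode; keys are compared case-insensitively to mirror the struct decoder.
func rejectDuplicateKeys(doc string) error {
	dec := json.NewDecoder(strings.NewReader(doc))
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return fmt.Errorf("expected a top-level object, got %v (%v)", tok, err)
	}
	seen := map[string]bool{}
	for dec.More() {
		tok, err := dec.Token()
		if err != nil {
			return err
		}
		key := strings.ToLower(tok.(string)) // in key position Token only yields strings
		if seen[key] {
			return fmt.Errorf("duplicate key %q (case-insensitive)", key)
		}
		seen[key] = true
		if err := dec.Decode(new(json.RawMessage)); err != nil {
			return err
		}
	}
	return nil
}
```

Only the top-level object is checked for repeated keys; nested values are consumed with Decode but not inspected, so the same check would have to be applied recursively for deeper documents.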

Podcast Transcript

Hello and welcome to the Monday, June 23rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the Graduate Certificate Program in Industrial Control Systems Security, is recorded in Stockheim, Germany.

So on this podcast I have mentioned the mark of the web and also alternate data streams. Now, if you're running Windows and you're using the NTFS file system, then, well, the mark of the web is encoded in the file as an alternate data stream. But of course we sometimes also have other interesting data, sometimes malicious data, hidden in alternate data streams. Didier today talked about how to decode some of these alternate data streams using some of his tools, most notably cut-bytes.py. That's one of the many Python tools that Didier maintains. But he also has a file scanner which is faster. It's written in C but maybe not quite as flexible as the cut-bytes tool. Both tools make it really easy to get the information out of these alternate data streams. And personally I think, specifically for the mark of the web, to sort of see the provenance of a particular file that was downloaded, well, that's certainly quite useful.

And Microsoft made some changes to make their virtualized cloud PCs more secure. Now this affects virtual cloud PCs running Windows 11. And really the goal of these cloud PCs is to have sort of this isolated system in the cloud that's, well, not really connected to anything locally. Of course, by default this hasn't been true in the past. For example, by default clipboards were connected or you had USB pass-through enabled. This is now disabled by default starting in the second half of the year. This is something that you should be aware of. You can of course enable it if you need to. In May, Microsoft already sort of increased some of the isolation of these virtual cloud PCs by enabling features like, for example, hypervisor-protected code integrity or Credential Guard, and then of course virtualization-based security, which makes it more difficult for an attacker to really gain access to any data on that particular cloud PC. Since they're sort of behaving like a real PC, well, they're actually meant to be persistent. So any malware or such would basically affect one of these PCs just like a real PC. And that's why you have to be as careful with them. But of course you can also use them as a more ephemeral machine where you just basically destroy them and then create a new one as needed.

Software used to exchange files with business partners and the like seems to be notoriously buggy and vulnerable. The latest example is documented by Horizon3 AI. They found a path traversal vulnerability in Zend.to. That's Zend with a Z in the beginning. This path traversal isn't quite as critical as some of the other issues that we have seen in similar tools. But it still does allow access to files from different users. Not just read access but also write access. The one thing I haven't seen here yet is an arbitrary code execution vulnerability that often comes with these types of path traversal vulnerabilities. But apparently that's sort of one item they prevented here as they designed their system. A patch has been made available on June 10th.

One security vulnerability that I've sort of mentioned a couple of times but I don't think ever really covered properly is related to parser differentials. What this refers to is that in one particular programming language you may have multiple parsers for complex formats like JSON and XML that behave slightly differently. And this can easily then lead to problems as you're translating, for example, JSON to XML or back, or as you're using one particular parser to, for example, parse data for input validation and then later a different parser as you're actually using the data. Trail of Bits has a really great blog post where they're going over some of these differentials in Go. Now Go is just one programming language. These issues, like I said, exist in other languages as well. We have covered them at times in other languages also, not just with JSON and XML but also with other sort of more complex formats as they're being parsed. So definitely something to be aware of, and I think this blog post makes a good read even if you're not coding in Go, to really tell you a little bit what to look for as you are, for example, investigating how different parsers work and how they may or may not be compatible with each other.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye.