Podcast Detail

SANS Stormcast Thursday, October 9th, 2025: Polymorphic Python; ssh ProxyCommand Vuln;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9648.mp3

previous
Podcast Logo
Polymorphic Python; ssh ProxyCommand Vuln;
00:00

Polymorphic Python Malware
Xavier discovered self-modifying Python code on Virustotal. The remote access tool takes advantage of the inspect module to modify code on the fly.
https://isc.sans.edu/diary/Polymorphic%20Python%20Malware/32354

SSH ProxyCommand Vulnerability
A user cloning a git repository may be tricked into executing arbitrary code via the SSH proxycommand option.
https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984

Framelink Figma MCP Server CVE-2025-53967
Framelink Figma’s MCP server suffers from a remote code execution vulnerability.

Podcast Transcript

 Hello and welcome to the Thursday October 9th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from Denver,
 Colorado. And this episode is brought to you by the SANS.edu
 Master's Degree Program in Information Security
 Engineering. Xavier again went out hunting for a malware on
 virus total and came across an interesting Python script
 that's actually polymorphic. Polymorphic code modifies
 itself as it runs. The intent here is usually to evade
 signatures that may otherwise detect the malware. Well, this
 turned out to be a remote access tool, a RAT, and it
 took advantage of the Python Inspect module. That module
 allows you to read the code from various functions and
 then, of course, modified. And it's then being executed using
 the exec function in Python that will execute the
 resulting string. It not only modifies code by, for example,
 XORing it and then decoding it, but it also injects random
 junk code, which will, again, mostly be used to fool
 detection algorithms to not detect this particular
 malware. So far, that seems to be somewhat successful with
 only two antivirus tools detecting it on virus total.
 Otherwise, this is your standard RAT. It has the
 standard functionality like keystroke loggers, reporting,
 retrieving files, and the like. So, it's certainly
 possibly dangerous malware. Whether or not this was
 actually used in an attack or is really sort of a proof of
 concept, of course, is open at this point. And in
 vulnerabilities, we have a little bit of an odd
 vulnerability to start out with. It's not very severe,
 but I still decided to include it because it's interesting
 how the vulnerability is being exploited. And also, it
 affects SSH, which, of course, is a very widely used tool for
 secure remote access. The problem with this
 vulnerability is the proxy command directive in SSH. The
 intent of the proxy command directive is to, well, execute
 code before the connection is established. If you need to
 set up, like, a tunnel through an HTTP proxy or something
 like this, well, then proxy command is your friend. The
 problem, of course, is, as always, that it does allow for
 arbitrary code execution. Now, at first, this doesn't really
 sound like a big deal. This is an option that you would
 usually add to a SSH config file, so something that a user
 controls. And, well, being able to modify the .SSH config
 file is kind of like, well, just executing code on the
 shell itself. And it doesn't really need any tricks to sort
 of accomplish that. It gets a little bit more tricky when
 you're cloning Git repositories. When you're
 cloning Git repositories, this may include submodules that
 are being included in the main Git repository. And these
 submodules will tell you, well, where to get the code
 for these submodules, which is a URL which includes also SSH
 as an option. And by using tricky combinations of escape
 characters and new lines, it's now possible for the submodule
 to include a tricky URL that will execute code on the user
 that is cloning the Git repository. So how risky is
 this? Well, if you're cloning a Git repository, you usually
 intend to execute that code. So overall, shouldn't really
 be a big deal. You are already kind of executing code. And so
 far, executing more code via a tricky SSH directive may not
 really be seen as an additional risk. However, the
 vulnerability was fixed. It's now more restrictive as to
 what control characters you may use as part in particular
 of the username part. And that should prevent exploitation of
 this particular issue. But I think it remains that you just
 need to be careful if you are cloning Git repositories, you
 are essentially executing code. If you're doing this,
 executing code that you're pulling in from the Git
 repository. So this additional vulnerability, I don't think
 is such a big deal. It's an interesting vulnerability and
 also maybe a lesson how a minor vulnerability can under
 certain circumstances do cause serious harm. I think we're
 having some fun with AI again. This time it's the Framelink
 Figma MCP server. Figma is a very popular design tool and
 the Framelink Figma MCP server is an open source tool while
 it allows your AI tools to interact with Figma. The
 problem here is a code execution vulnerability. And
 the way it happens is that, well, the MCP server attempts
 to connect and if the connection fails, it does just
 call curl with a command exec option and that can easily be
 exploited via a URL being passed to curl. That includes
 things like a pipe character to execute arbitrary commands.
 So your standard OS command injection vulnerability. MCP
 servers are still pretty new and being somewhat rushed out
 because everybody sort of wants to be part of the game
 with MCP servers, I would highly recommend to use them
 cautiously as there are likely many similar vulnerabilities
 hiding. Well, that's all I have for today. A little bit
 of quiet day today. Hope you like that and thanks for
 liking, subscribing and recommending this podcast.
 Talk to you again tomorrow. Bye.
 Bye.