This post was originally published on this site

YARA-X's 1.10.0 release brings a new command: fix warnings.

If you have a rule that would generate a warning with a help section (explaining how to fix it), like this example rule:

 

rule FixableCountWarning
{
    strings:
        $a1 = "malicious"
        $a2 = "badstuff"

    condition:
        0 of ($a*)
}

Then YARA-X from version 1.10.0 on can fix this for you

You will get a warning when you use this rule:

The suggested fix is to replace 0 with none.

This can be done automatically with command fix warnings:

Remark that this command alters your original rule file, and doesn't make a backup of the unaltered file:

 

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

Searchlight Cyber today released a blog detailing CVE-2025-61757, a vulnerability they reported to Oracle. Oracle released a patch for the vulnerability as part of its October Critical Patch Update, which was released on October 21st.

Based on Searchlight Cyber's blog, the issue is pretty trivial to exploit: All URLs that end in ".wadl" are exempt from authentication. Adding just ".wadl" to a URL would not work, as this would point to a different, non-existent file. Searchlight Cyber's blog shows that adding ";.wadl" is the solution to access arbitrary URLs. They offer the following PoC:

/iam/governance/applicationmanagement/templates;.wadl

and show how it can lead to remote code execution.

Seeing this PoC, I went over our logs to look for possible uses of this pattern and found one:

/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl

This URL was accessed several times between August 30th and September 9th this year, well before Oracle patched the issue. There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker.

Attacker IP Addresses:

89.238.132.76
185.245.82.81
138.199.29.153

The User Agent: 

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Sadly, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload.

The participating IP addresses also scanned for these notable URLs/Vulnerabilities:

/o/portal-settings-authentication-opensso-web/com.liferay.portal.settings.web/test_opensso.jsp (CVE-2025-4581)

as well as some scans that appear to be bug bounties and URLs that attempt to exploit Log4j.

 

—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.