
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Monday, December 22nd, 2025: TLS Callbacks; FreeBSD RCE; NIST Time Server Issues
Dec 22, 2025
Explore the abuse of Thread Local Storage (TLS) callbacks in DLLs and how they can execute overlooked pre-main code. Discover a critical vulnerability in FreeBSD, allowing remote code execution through crafted IPv6 router advertisements. Learn about the NIST Boulder time server outage caused by a power failure, disrupting accurate time references for internet services. The discussion also addresses mitigation strategies and the importance of syncing with multiple NTP sources for reliability.
TLS Callbacks Run Code Before Main
- TLS in this context means Thread Local Storage, not encryption, and it can run code early in program startup.
- Didier shows TLS callbacks work in DLLs too, making pre-main execution easy to miss in static analysis.
Check TLS Callbacks During Malware Analysis
- If you reverse Windows malware, read Didier's post about TLS callbacks to spot code that executes before main.
- Include TLS/DLL entry checks in your static and dynamic analysis workflows to avoid blind spots.
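
An added example (not from the podcast or from Didier's post): a static check that walks a PE file's TLS directory and lists the callback RVAs, for EXEs and DLLs alike, so they can be reviewed alongside the entry point. The function names and the constructed sample image are assumptions made for illustration.

```python
import struct

def tls_callbacks(pe: bytes) -> list:
    """Return the RVAs of every TLS callback in a PE image (EXE or DLL)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt, = struct.unpack_from("<I", pe, 0x3C)                  # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                             # optional header
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B      # PE32+ magic
    ptr, fmt = (8, "<Q") if pe64 else (4, "<I")
    base, = struct.unpack_from(fmt, pe, opt + (24 if pe64 else 28))
    dirs = opt + (112 if pe64 else 96)                        # data directories
    ndirs, = struct.unpack_from("<I", pe, dirs - 4)
    tls_rva = struct.unpack_from("<I", pe, dirs + 8 * 9)[0] if ndirs > 9 else 0
    sects = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
             for i in range(nsect)]
    def off(rva):  # map an RVA to a file offset through the section table
        for _vsize, vaddr, rsize, raw in sects:
            if vaddr <= rva < vaddr + rsize:
                return raw + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is not backed by file data")
    if tls_rva == 0:
        return []                                             # no TLS directory
    table_va, = struct.unpack_from(fmt, pe, off(tls_rva) + 3 * ptr)
    if table_va == 0:
        return []                                             # directory, no callbacks
    pos, found = off(table_va - base), []
    while pos + ptr <= len(pe) and (va := struct.unpack_from(fmt, pe, pos)[0]):
        found.append(va - base)                               # VA -> RVA
        pos += ptr
    return found

def build_sample_dll() -> bytes:
    """Constructed PE32 skeleton (parse-only, not loadable) with two TLS callbacks."""
    base, img = 0x10000000, bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    struct.pack_into("<4sHH12xHH", img, 0x40, b"PE\0\0", 0x14C, 1, 224, 0x2102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, opt + 28, base)               # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 72, 0x1000, 24)   # TLS data directory
    struct.pack_into("<8s4I", img, opt + 224, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x200 + 12, base + 0x1020)    # AddressOfCallBacks
    struct.pack_into("<2I", img, 0x220, base + 0x2000, base + 0x2040)
    return bytes(img)
```

A non-empty result on a sample means code runs before the entry point or `DllMain`, so those RVAs belong on the breakpoint and disassembly list.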
Router Advertisements Can Lead To RCE
- FreeBSD had an RCE via IPv6 router advertisements because RA-provided DNS search domains were passed to a shell script without validation.
- Systems listen to RAs even if IPv6 isn't configured, widening exposure.
