腾讯玄武实验室安全动态推送(Tencent Xuanwu Lab Security Daily News)

腾讯玄武实验室安全动态推送

Tencent Xuanwu Lab Security Daily News

2016/09/26

Masato Kinugawa @kinugawamasato

[ Browser ] Blogged! / CVE-2016-4758: UXSS in Safari's showModalDialog http://masatokinugawa.l0.cm/2016/09/safari-uxss-showModalDialog.html (日本語) http://mksben.l0.cm/2016/09/safari-uxss-showModalDialog.html (English)

" Safari showModalDialog 的 UXSS（CVE-2016-4758）： http://mksben.l0.cm/2016/09/safari-uxss-showModalDialog.html "
Francisco Alonso @revskills

[ Linux ] CVE-2016-7545 -- SELinux sandbox escape http://seclists.org/oss-sec/2016/q3/606

" SELinux 沙箱逃逸漏洞（CVE-2016-7545）： https://t.co/feteaIf7p1"
Binni Shah @binitamshah

[ Malware ] Anti VM Tricks : https://sentinelone.com/blogs/anti-vm-tricks/ cc @ caleb_fenton

" Sentinelone 团队最近捕获的一个恶意 Word 样本所用的两个虚拟机对抗小技巧︰ https://t.co/YSWfJE473b "
Sebas Guerrero ⚡ @0xroot

[ Others ] (State of) The Art of War: Offensive Techniques in Binary Analysis - https://www.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf via @ marcograss

" 二进制分析中的攻击技术，Paper： https://t.co/SFPNpwmDFa"
Binni Shah @binitamshah

[ Others ] OWA-Toolkit : Powershell module to assist in attacking Exchange/Outlook Web Access : https://github.com/Shellntel/OWA-Toolkit

" OWA-Toolkit - 辅助攻击 Exchange/Outlook Web Access 的 PowerShell 模块： https://t.co/3wsA6zxDEI"
Nicolas Krassas @Dinosn

[ Windows ] Windows 10's undocumented certificate pinning feature http://hexatomium.github.io/2016/09/24/hidden-w10-pins/

"Windows 10 有个未文档化的严格证书检查（Certificate Pinning）特性： https://t.co/3BRQemQMe6"
Casey Smith @subTee

[ Windows ] Slides and Code From @ DerbyCon Talk Establishing a Foothold With JavaScript https://github.com/subTee/DerbyCon2016 Feedback Welcome

" 来自 Casey Smith 在 DerbyCon 会议的演讲《用 JavaScript 在 Windows 构建落脚点》，PPT 和代码： https://t.co/8pY72W0Ci6 "

Xuanwu Spider via FreeBuf

[ Android ] Android 虚拟机调试器原理与实现： http://www.freebuf.com/articles/terminal/114869.html
Xuanwu Spider via GitHub

[ Android ] Tinker - 腾讯开源的一个 Android Hot-Fix 库： https://github.com/Tencent/tinker
Xuanwu Spider via GitHub

[ Android ] avmdbg - 轻量级的 Android 虚拟机调试器： https://github.com/cheetahsec/avmdbg
Xuanwu Spider via SecurityIntelligence

[ Malware ] 剖析 DDoS 攻击工具 Saphyra iDDoS Priv8 Tool： https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/
Xuanwu Spider via GitHub

[ Fuzzing ] Fuzz 工具 AFL 的 Android 移植版本： https://github.com/ele7enxxh/android-afl
Xuanwu Spider via riusksk Blog

[ Conference ] BlackHat USA 2016 议题分析： http://riusksk.me/2016/09/25/BlackHat-USA-2016-%E8%AE%AE%E9%A2%98%E5%88%86%E6%9E%90/

2016/09/26