腾讯玄武实验室安全动态推送(Tencent Xuanwu Lab Security Daily News) - 2018/09/17

腾讯玄武实验室安全动态推送

Tencent Xuanwu Lab Security Daily News

[ iOS ] 通过 CSS 强制重启所有的 iOS 设备: https://twitter.com/pwnsdx/status/1040944750973595649
[ Pentest ] 使用 Metasploit 绕过 UAC 的多种方法： http://www.hackingarticles.in/multiple-ways-to-bypass-uac-using-metasploit/
[ Tools ] edm - HTTP MitM 攻击中感染文件的 POC 项目: https://github.com/LeonardoNve/edm

[ Mobile ] 对高通基带的逆向工程： https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf
[ Others ] Mozilla 是如何保护其 GitHub 存储库不被恶意篡改的： https://blog.mozilla.org/security/2018/09/11/protecting-mozillas-github-repositories-from-malicious-modification/
[ Pentest ] 从 ADS 流中运行程序的技巧： https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
[ Tools ] Octopus - WebAssembly 模块和 Blockchain Smart Contract的安全分析框架： https://github.com/quoscient/octopus
[ Tools ] Aarch64PAC - ARM v8.3 - 指针验证扩展： https://github.com/xerub/idastuff/blob/master/arm64/aarch64_pac/aarch64_pac.cpp
[ Tools ] bitcracker - BitLocker 密码破解工具: https://github.com/e-ago/bitcracker
[ Web Security ] CORS 安全指南： https://www.bedefended.com/papers/cors-security-guide
[ Web Security ] 使用 Python CGIHTTPServer 绕过注入时的 CSRF Token 防御: https://www.purehacking.com/blog/andre-onofre-lima/bypassing-csrf-tokens-with-pythons-cgihttpserver
[ Windows ] 2种 lsass 保护方法探讨: https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a