腾讯玄武实验室安全动态推送(Tencent Xuanwu Lab Security Daily News)

腾讯玄武实验室安全动态推送

Tencent Xuanwu Lab Security Daily News

[ Attack ] compact.exe 可用做对抗沙箱分析的技巧: http://www.hexacorn.com/blog/2018/11/11/compact-exe-wofcompressed-streams-as-an-anti-sandbox-trick/
[ Browser ] 浏览器扩展安全 Part 2 : https://leucosite.com/WebExtension-Security-Part-2/
[ Challenges ] Vulnhub Matrix 挑战通关记录: http://www.hackingarticles.in/matrix-1-vulnhub-walkthrough/
[ Pentest ] 渗透测试工程师的 Serverless 工具集介绍： https://blog.ropnop.com/serverless-toolkit-for-pentesters/
[ Tools ] awesome-sec-talks - 从 2012 年到 2018 年各安全大会的视频资源列表： https://github.com/PaulSec/awesome-sec-talks/
[ Tools ] Linux 性能相关的工具： http://www.brendangregg.com/linuxperf.html
[ Virtualization ] VirtualBox VMSVGA 的多个虚拟机逃逸漏洞分析: https://www.voidsecurity.in/2018/11/virtualbox-vmsvga-vm-escape.html
[ Vulnerability ] WP GDPR Compliance 插件漏洞的相关信息： https://www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/
[ Vulnerability ] 通过滥用 docker socket 实现容器逃逸并以 root 权限在 host 主机上执行任意代码： https://strm.sh/post/abusing-insecure-docker-deployments/

[ Blockchain ] 从一起“盗币”事件看以太坊存储 hash 碰撞问题： https://xlab.tencent.com/cn/2018/11/09/pay-attention-to-the-ethereum-hash-collision-problem-from-the-stealing-coins-incident/
[ Firmware ] Intel Microcode Boot Loader，用于针对 Intel 主板的微码漏问题解决方案： https://www.ngohq.com/intel-microcode-boot-loader.html
[ Mitigation ] Shadesmar - 新影子栈设计： https://arxiv.org/pdf/1811.03165.pdf
[ Tools ] XSStrike - XSS 漏洞利用套件： https://github.com/s0md3v/XSStrike
[ Vulnerability ] ColdFusion 最新任意文件上传漏洞的利用活动分析(CVE-2018-15961)： https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/