腾讯玄武实验室安全动态推送(Tencent Xuanwu Lab Security Daily News)

腾讯玄武实验室安全动态推送

Tencent Xuanwu Lab Security Daily News

2016/10/20

Nicolas Krassas @Dinosn

[ Android ] Targeting Android for OTA Exploitation http://contextis.com/resources/blog/targeting-android-ota-exploitation/

" 攻击 Android OTA（空中下载）技术： https://t.co/p9Xi4eGobj"
Project Zero Bugs @ProjectZeroBugs

[ Browser ] Microsoft Edge: Heap Overflow in Array.map https://bugs.chromium.org/p/project-zero/issues/detail?id=923

" Edge 浏览器 Array.map 堆溢出漏洞（CVE-2016-7190）： https://t.co/940Jffbpf0 "
Project Zero Bugs @ProjectZeroBugs

[ Browser ] Microsoft Edge: Info Leak in Function.apply https://bugs.chromium.org/p/project-zero/issues/detail?id=920

" Edge 浏览器 Function.apply 信息泄漏漏洞（CVE-2016-7194）： https://t.co/5mrZEuIDv5 "
Project Zero Bugs @ProjectZeroBugs

[ Browser ] Microsoft Edge: Info Leak in Array.join https://bugs.chromium.org/p/project-zero/issues/detail?id=919

"Edge 浏览器 Array.join 信息泄漏漏洞（CVE-2016-7189）： https://t.co/cnPKuULuau "
Project Zero Bugs @ProjectZeroBugs

[ Browser ] Microsoft Edge: Stack Overflow in Spread Operator https://bugs.chromium.org/p/project-zero/issues/detail?id=910

" Edge 浏览器对象展开运算符栈溢出漏洞（CVE-2016-3386），来自 Project Zero： https://t.co/lqBVtIz1px "
Project Zero Bugs @ProjectZeroBugs

[ Browser ] Windows: Edge/IE Isolated Private Namespace Insecure Boundary Descriptor EoP https://bugs.chromium.org/p/project-zero/issues/detail?id=878

" Edge/IE 浏览器隔离的私有命名空间不安全边界描述符 EoP： https://t.co/ZV8vbZ4WlC"
Saumil Shah @therealsaumil

[ Defend ] Slides from my #hacklu talk on moving from reactive to proactive defense. https://www.slideshare.net/mobile/saumilshah/hacklu-the-infosec-crossroads @ hack_lu

" 从被动防御到主动防御，来自 Hack.lu 会议： https://t.co/uJ6E7QfDyW "
Nicolas Krassas @Dinosn

[ Firmware ] Adventures in Reverse Engineering Smart Bulb Firmware https://medium.com/@ urish/inside-the-bulb-adventures-in-reverse-engineering-smart-bulb-firmware-1b81ce2694a6#.m0bfihhqe

"逆向智能电灯的固件： https://hackernoon.com/inside-the-bulb-adventures-in-reverse-engineering-smart-bulb-firmware-1b81ce2694a6#.m0myg8lfi "
Julien Bachmann @milkmix_

[ Linux ] published the slides from my workshop on ROP exploitation at @ hack_lu Thanks to all the attendees! https://speakerdeck.com/milkmix/advanced-exploitation-on-linux-rop-and-infoleaks

"来自2016 hack.lu 大会上的议题：Linux 上的 ROP 漏洞利用： https://t.co/waVeWJHRVQ"
arbornetworks @arbornetworks

[ Malware ] NEW from #ASERT - The Great #DGA of Sphinx. Examine the backup DGA algorithm used in Zeus variant. https://t.co/CGDaFuwXrH #BotNet #Malware

"Zeus 木马变种 Sphinx 所使用的域名生成算法（ domain generation algorithm）介绍： https://t.co/CGDaFuwXrH"
Nicolas Krassas @Dinosn

[ Malware ] The new .LNK between spam and Locky infection https://blogs.technet.microsoft.com/mmpc/2016/10/19/the-new-lnk-between-spam-and-locky-infection/

"垃圾邮件和恶意勒索软件之间的新联系： https://blogs.technet.microsoft.com/mmpc/2016/10/19/the-new-lnk-between-spam-and-locky-infection/"
McAfee Labs @McAfee_Labs

[ Malware ] We observed a new variant of macro malware delivering ransomware via password-protected attachment.… https://twitter.com/i/web/status/788596072587399168

"McAfee Labs 发现 macro 恶意软件新变种，该变种诱使用户打开邮件中的恶意 word 文档: https://blogs.mcafee.com/mcafee-labs/password-protected-attachment-serves-ransomware/?utm_source=twitter&;utm_campaign=Labs#sf39238061"
McAfee Labs @McAfee_Labs

[ Malware ] XTBL ransomware family uses the CreateFileW API in nonshare mode as an antidebugging technique. We explore:… https://twitter.com/i/web/status/788610154606563328

"McAfee Lab 对于 XTBL 恶意软件的分析： https://t.co/nqTyNeBWen"
Full Disclosure @SecLists

[ OpenSourceProject ] OpenSSL 1.1.0 remote client memory corruption https://goo.gl/fb/eFgszQ #FullDisclosure

"OpenSSL 1.1.0 remote client memory corruption： http://seclists.org/fulldisclosure/2016/Oct/66?utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+seclists%2FFullDisclosure+%28Full+Disclosure%29 "
TinySec @TinySecEx

[ Others ] simple and useful tool IAT hook function that supported both windows kernel mode and usermode https://github.com/tinysec/iathook

"windows kernelmode and usermode IAT hook： https://github.com/tinysec/iathook"
Mike_Mimoso @Mike_Mimoso

[ Popular Software ] Another giant @ Oracle patch release: 253 CVEs. https://threatpost.com/oracle-fixes-253-vulnerabilities-in-last-cpu-of-2016/121375/ via @ threatpost

"甲骨文公司修复了253个漏洞，囊括了76条产品线： https://t.co/EuovnqyJA7"
Full Disclosure @SecLists

[ Popular Software ] Evernote for Windows DLL Loading Remote Code Execution https://goo.gl/fb/xmGi19 #FullDisclosure

"知名笔记应用 Evernote 存在动态库劫持漏洞，可致使远程代码执行： http://seclists.org/fulldisclosure/2016/Oct/72?utm_source=feedburner&;utm_medium=twitter&utm_campaign=Feed%3A+seclists%2FFullDisclosure+%28Full+Disclosure%29"
Open Source Security @oss_security

[ Popular Software ] Re: CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day ): Posted by Dawid Golunsk... https://t.co/QEkzG1pKDr

" CVE-2016-6662 - MySQL 远程代码执行漏洞： https://t.co/QEkzG1pKDr"
Peter Mbele @p3t3_r3c0n

[ Protocol ] Assessing and Exploiting XML Schema's Vulnerabilities http://www.ioactive.com/Arnaboldi-XML-Schema-Vulnerabilities.pdf

"对于 XML Schema的漏洞分析，以及基于此分析推断的新攻击向量： http://www.ioactive.com/Arnaboldi-XML-Schema-Vulnerabilities.pdf"
Capstone Engine @capstone_engine

[ Tools ] A new Capstone user: Firminsight is a tool collection to crawl, gather, extract & analyze firmwares from internet https://t.co/MpfsoDZj5C

"firminsight -- 一个可用于从网上收集、提取固件信息的自动化工具： https://github.com/ilovepp/firminsight"
PythonArsenal @PythonArsenal

[ Tools ] WdbDBG - Python WDB RPC monitor for VxWorks 5.x and 6.x Based on Capstone. https://bitbucket.org/yformaggio/wdbdbg/src

"Python WDB RPC monitor for VxWorks 5.x and 6.x： https://t.co/qIOQgamyf7"
Nicolas Krassas @Dinosn

[ Windows ] How to run userland code from the kernel on Windows https://thisissecurity.net/2016/10/19/how-to-run-userland-code-from-the-kernel-on-windows-version-2-0/

"如何在Windows内核中运行用户级代码: https://t.co/lpg1W5qa9J"
Project Zero Bugs @ProjectZeroBugs

[ Windows ] Windows: NtLoadKeyEx Read Only Hive Arbitrary File Write EoP https://bugs.chromium.org/p/project-zero/issues/detail?id=871

" Windows: NtLoadKeyEx Read Only Hive Arbitrary File Write EoP： https://t.co/2CqsfzqRzQ"
雪碧0xroot @cn0Xroot

[ WirelessSecurity ] Hands-on GSM Analysis with GNU Radio and AirProbe [PDF] http://static1.1.sqspcdn.com/static/f/679473/25461571/1411158642820/Sep15_09_Otterbach_GSM.pdf #SDR #GnuRadio https://t.co/Vck3dV3eOU

"使用 GNU Radio 和 AirProbe 分析 GSM： https://t.co/5TLgspoLk1"

Xuanwu Spider via GitHub

[ Tools ] x64dbg Plugin SDK For x64 Assembler： https://github.com/mrfearless/x64dbg-Plugin-SDK-For-x64-Assembler
Xuanwu Spider via FreeBuf

[ Linux ] 如何进行 Linux 平台共享库替换： http://www.freebuf.com/articles/system/116489.html
Xuanwu Spider via GitHub

[ iOS ] Facebook 开源的 WebDriverAgent， WebDriverAgent is a WebDriver server implementation for iOS that can be used to remote control iOS devices. It allows you to launch & kill applications, tap & scroll views or confirm view presence on a screen：https://github.com/facebook/WebDriverAgent
Xuanwu Spider via 上海交大 GoSSIP

[ Defend ] HeapSentry - 内核辅助的堆溢出保护： https://loccs.sjtu.edu.cn//gossip/blog/2016/10/19/2016-10-19/
Xuanwu Spider via Solidot

[ Browser ] Mozilla 将对 SHA-1证书展示连接不可信的错误信息：SHA-1算法签名的证书已经不再安全，它很快就能被一个有足够动机和资源的实体伪造。为了加快淘汰SHA-1证书，Mozilla将从明年初其对 SHA-1证书展示连接不可信的错误信息： http://www.solidot.org/story?sid=50050
Xuanwu Spider via 网易安全应急响应中心

[ Pentest ] 子域名搜集思路与技巧梳理： http://mp.weixin.qq.com/s?__biz=MzIxNDI0MDAxNg==&mid=2247483684&idx=1&sn=dbc58596968b2203262c6cc71d89795a&chksm=97abdf5ba0dc564d84a1ddbeaaef49f2aa905a227d616637d9cef5583552e88c2e46a5da9b37&mpshare=1&scene=1&srcid=1018QHnHkSDI89AyGz2ANyWE#rd

2016/10/20