腾讯玄武实验室安全动态推送(Tencent Xuanwu Lab Security Daily News)

腾讯玄武实验室安全动态推送

Tencent Xuanwu Lab Security Daily News

2017/04/14

Costin Raiu @craiu

[ APT ] Good paper from F-Secure on #Callisto APT (known as #DancingSalome at Kaspersky): https://www.f-secure.com/documents/996508/1030745/callisto-group

"来自 F-Secure 的关于 Callisto（DancingSalome） APT 攻击行动的分析报告︰ https://t.co/A2n0SrDEY6"
Binni Shah @binitamshah

[ Browser ] Chrome 59 has cross-platform headless support : https://www.chromestatus.com/features/5678767817097216

"Chrome 59 已支持 headless 模式︰ https://t.co/Yrv3HGPsdW"
Binni Shah @binitamshah

[ Detect ] Network-based Ransomware Detection : http://conference.hitb.org/hitbsecconf2017ams/materials/D1T4%20-%20Paulus%20Meesen%20and%20Don%20Mulders%20-%20A%20Passive%20Listing%20Ransomware%20Detector.pdf (Slides)

"基于网络的勒索软件检测︰ https://t.co/cJgD7Q4m78 "
Francisco Alonso @revskills

[ Industry News ] Intel and Lenovo have restricted access to debugging interface of CPUs after Positive Technologies' revelations http://blog.ptsecurity.com/2017/04/intel-and-lenovo-have-restricted-access.html

"2016 年年底 Positive 团队爆出攻击者可以滥用 CPU JTAG 调试接口，通过 USB 3.0 可以访问 JTAG 接口，完全控制系统。最近，Intel 和联想表示已经开始限制对该调试接口的访问： https://t.co/TNDNif2cdq"
Nicolas Krassas @Dinosn

[ Linux ] CVE-2016-10229 - Linux kernel (< 4.5) remote code execution via UDP recv() using MSG_PEEK flag https://nvd.nist.gov/vuln/detail/CVE-2016-10229

" Linux 内核被发现了一个可以通过 UDP 触发的 RCE 漏洞（CVE-2016-10229），漏洞位于 udp.c 的校验和计算过程（与 MSG_PEEK 标志位有关），影响 4.5 之前版本的内核： https://t.co/SqyytyDD50 "
Hacker Fantastic @hackerfantastic

[ macOS ] GNS-3 Mac OS-X local root LPE in “ubridge” #0day - https://github.com/HackerFantastic/Public/blob/master/exploits/gns3super-osx.sh @ gns3 https://t.co/jygb4Bp2PN

"GNS-3 Mac OS-X LPE 本地 Root Exploit： https://t.co/PvvUMkL0BU "
HITBSecConf @HITBSecConf

[ MalwareAnalysis ] #HITB2017AMS D1T4 - Patrick Wardle - Meet and Greet with the MacOS Malware Class of 2016 - http://conference.hitb.org/hitbsecconf2017ams/materials/D1T4%20-%20Patrick%20Wardle%20-%20Meet%20and%20Greet%20with%20the%20MacOS%20Malware%20Class%20of%202016.pdf

"2016 年 MacOS 上的恶意软件总结分析，来自 HITB 2017 AMS 大会议题： http://conference.hitb.org/hitbsecconf2017ams/materials/D1T4%20-%20Patrick%20Wardle%20-%20Meet%20and%20Greet%20with%20the%20MacOS%20Malware%20Class%20of%202016.pdf"
Binni Shah @binitamshah

[ Operating System ] Breaking the Security Model of Subgraph OS : https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ cc @ micahflee

"打破 Subgraph OS 安全模式︰ https://t.co/0XkUCC06W8 "
TechSolidarity @TechSolidarity

[ Others ] Here are instructions for adding a security key to your Gmail account. Every Gmail user should do this: https://t.co/saU5oeKSQH

"给自己的 Gmail 账户添加一个物理 Token︰ https://t.co/saU5oeKSQH"
MDSec @MDSecLabs

[ Popular Software ] Interested in how to exploit #CVE-2017-0199? @ vysecurity explains how https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/

"针对 CVE-2017-0199 的漏洞利用，无需用户交互： https://t.co/bdPz4dtsQb"
Binni Shah @binitamshah

[ Programming ] Go-SCP : Go programming language secure coding practices guide : https://github.com/Checkmarx/Go-SCP

"Go SCP - Go 语言安全编码指南︰ https://t.co/5LoOubx4jl"
That worked?! @HackingThings

[ Tools ] Use Wireshark to sniff CAN traffic in windows for under 20$ worth of hardware: https://github.com/laplinker/CAN-pipe

"CAN-pipe - 创建管道方便在 Windows 系统中用 WireShark 截获 CAN Bus 流量数据的工具︰ https://t.co/U3ZXsZ5kjr"
Binni Shah @binitamshah

[ Tools ] Xenotix-Python-Keylogger : Xenotix Python Keylogger for Windows : https://github.com/ajinabraham/Xenotix-Python-Keylogger/blob/master/xenotix_python_logger.py cc @ ajinabraham

"Xenotix Python Keylogger for Windows ： https://t.co/fNcSx0BBIV "
Nicolas Krassas @Dinosn

[ Vulnerability ] Magento Arbitrary File Upload Vulnerability (Remote Code Execution, CSRF) http://www.defensecode.com/advisories/DC-2017-04-003_Magento_Arbitrary_File_Upload.pdf

"开源电商系统 Magento 任意文件上传漏洞，最终可以导致远程代码执行（DC-2017-04-003）： https://t.co/CRGvFoZRFr"
Enno Rey @Enno_Insinuator

[ Vulnerability ] Three new vulns of ISC BIND https://kb.isc.org/article/AA-01465/0 https://kb.isc.org/article/AA-01466 https://kb.isc.org/article/AA-01471 #groundhogday… https://t.co/e0gfxET1DK

"三个 ISC BIND 漏洞： https://t.co/ektbh6i9bH https://t.co/rxLBkulbjW https://t.co/pPH4VO3Ttq "
HITBSecConf @HITBSecConf

[ Windows ] #HITB2017AMS D1T1 - Richard Johnson - Harnessing Intel Processor Trace on Windows for Vulnerability Discovery - https://t.co/7qU9Q4OgOn

"利用 Intel 的 Processor Trace 挖掘 Windows 漏洞，里面提到，利用 Intel Processor Trace 使 AFL Fuzz 工具快了 5 倍，来自 HITB 2017 AMS 大会议题： https://t.co/7qU9Q4OgOn"
Project Zero Bugs @ProjectZeroBugs

[ Windows ] Windows Kernel stack memory disclosure in win32kfull!SfnINLPUAHDRAWMENUITEM https://bugs.chromium.org/p/project-zero/issues/detail?id=1192

"Windows win32kfull!SfnINLPUAHDRAWMENUITEM 内核栈内存信息泄漏（CVE-2017-0167）： https://t.co/sXmSz5n0dl"
Project Zero Bugs @ProjectZeroBugs

[ Windows ] Windows Kernel win32k.sys multiple bugs in the NtGdiGetDIBitsInternal system call https://bugs.chromium.org/p/project-zero/issues/detail?id=1078

" Windows win32k.sys NtGdiGetDIBitsInternal 系统调用多个漏洞（CVE-2017-0058）： https://t.co/r5ppUu7VpE"
Binni Shah @binitamshah

[ Windows ] Disarming EMET 5.52 : http://conference.hitb.org/hitbsecconf2017ams/materials/D1T4%20-%20Niels%20Warnars%20-%20Disarming%20EMET.pdf (Slides) h/t @ _odisseus

"Disarming EMET 5.52： https://t.co/kSISlROE9p "

Xuanwu Spider via conference.hitb.org/

[ Browser ] ChakraCore 的秘密，来自 360 两位研究员在 HITB 会议的演讲，介绍了他们在 ChakraCore 中挖掘漏洞的经验以及漏洞利用的技巧： http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Linan%20Hao%20and%20Long%20Liu%20-%20The%20Secret%20of%20ChakraCore.pdf
Xuanwu Spider via twitter

[ Browser ] HTTP 响应中如果 Content-Type 修改为 image/jpeg，而传输的是脚本。Firefox 和 Chrome 将不会执行脚本内容，但是 IE/Edge/Safari 会正常执行： https://twitter.com/ericlaw/status/852243435591417856 测试页：https://bayden.com/test/mime/script.asp
Xuanwu Spider via conference.hitb.org/

[ Conference ] HITB AMS 2017 阿姆斯特丹会议的大部分议题资料公开了： http://conference.hitb.org/hitbsecconf2017ams/materials/
Xuanwu Spider via blog.trustlook.com

[ Industry News ] 移动安全厂商 Trustlook 表示，38% 的勒索软件受害者付过款： https://blog.trustlook.com/2017/04/13/38-of-consumers-affected-by-ransomware-pay-up/
Xuanwu Spider via blog.gdssecurity.com

[ Industry News ] VMware VCenter 也受 Apache Struts2 S2-045 RCE 漏洞的影响： http://blog.gdssecurity.com/labs/2017/4/13/vmware-vcenter-unauthenticated-rce-using-cve-2017-5638-apach.html
Xuanwu Spider via solidot.org

[ Industry News ] 因为 StartCom 的证书已经不被信任，StartCom 一元 (1.5 美元) 贱卖所有证书，包括 EV 证书： http://www.solidot.org/story?sid=52033
Xuanwu Spider via doyensec.com

[ macOS ] Doyensec 公司在 macOS/iOS/watchOS 中发现的几个漏洞的公告： https://doyensec.com/research.html
Xuanwu Spider via conference.hitb.org

[ Network ] FemtoCell Hacking - 来自研究员 Jeonghoon Shin 在 HITB 会议的演讲，主要是关于 LTE 网络以及 FemtoCell 设备的 Hacking： http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20JeongHoon%20Shin%20-%20Femotcell%20Hacking.pdf
Xuanwu Spider via 三好学生 's blog

[ Pentest ] 渗透测试中的Application Verifier(DoubleAgent利用介绍)： https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Verifier(DoubleAgent%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB%8D)/
Xuanwu Spider via weibo

[ Private ] typedarrbuff 的两个NB漏洞一个oob一个uaf，马上就要被修补了，5月9号出补丁。又是难得的好洞好利用没有了。 http://weibo.com/2246379231/EEqsj9iII?ref=collection&type=comment
Xuanwu Spider via XLAB wechat group

[ Private ] Google Creative Lab 推出的基于机器学习的 AutoDraw 画图服务： https://www.autodraw.com/
Xuanwu Spider via 看雪

[ Tools ] VirtualHook—基于 VirtualApp 的 Java 代码 hook 工具： http://weibo.com/ttarticle/p/show?id=2309404096133176661738
Xuanwu Spider via msdn.microsoft.com

[ Tools ] Containers - Bringing Docker To Windows Developers with Windows Server Containers， Windows 开发者也能用上 Docker: https://msdn.microsoft.com/en-us/magazine/mt797649

2017/04/14