腾讯玄武实验室安全动态推送(Tencent Xuanwu Lab Security Daily News)

腾讯玄武实验室安全动态推送

Tencent Xuanwu Lab Security Daily News

2017/05/03

Binni Shah @binitamshah

[ Browser ] Getting Started With Headless Chrome : https://developers.google.com/web/updates/2017/04/headless-chrome cc @ ebidel

"命令行环境下的 Chrome 使用入门： https://developers.google.com/web/updates/2017/04/headless-chrome"
Will Harris @parityzero

[ Browser ] We're now migrating Chrome users from 32-bit to 64-bit if their system can support it. #security #stability #speed https://chromereleases.googleblog.com/2017/05/stable-channel-update-for-desktop.html

"Chrome 更新 58.0.3029.96 版本，修复了一个 WebRTC 条件竞争高危漏洞（CVE-2017-5068）： https://chromereleases.googleblog.com/2017/05/stable-channel-update-for-desktop.html "
Francisco Falcon @fdfalcon

[ Browser ] I wrote "Exploiting MS16-145: MS Edge TypedArray.sort UAF (CVE-2016-7288)", involving Quicksort, COOP and more http://blog.quarkslab.com/exploiting-ms16-145-ms-edge-typedarraysort-use-after-free-cve-2016-7288.html

"2 月份，Project Zero 公开了一个 ChakraCore TypedArray.sort 的 UAF 漏洞，Quarkslab 这篇 Blog 介绍如何修改 PoC 才能强制漏洞对象的释放稳定 Crash，之后继续介绍如何借助 WebGL 获得读写能力，最终利用 COOP 技术 Bypass CFG 实现代码执行： http://blog.quarkslab.com/exploiting-ms16-145-ms-edge-typedarraysort-use-after-free-cve-2016-7288.html "
Shahriyar Jalayeri @ponez

[ Fuzzing ] KFUZZ story continued, Improving Coverage Guided Fuzzing, Using Static Analysis https://repret.wordpress.com/2017/05/01/improving-coverage-guided-fuzzing-using-static-analysis/

"使用静态分析的方法提升 Guided Fuzzing 过程中的代码覆盖率： https://repret.wordpress.com/2017/05/01/improving-coverage-guided-fuzzing-using-static-analysis/"
Nikhil Mittal @nikhil_mitt

[ Others ] Slides for my talk "PowerShell for Practical Purple Teaming" at @x33fcon. Blog post soon. #PowerShell #PurpleTeam https://t.co/Zu7Pe6SjWu

" Powershell 在红蓝两队中的应用： https://www.slideshare.net/nikhil_mittal/powershell-for-practical-purple-teaming"
Charlie Miller @0xcharlie

[ Others ] Here's a paper called "A system to recognize intruders in CAN" but should have included "unless from remote attack" http://ewic.bcs.org/content/ConWebDoc/55108

"识别 CAN Bus 总线上的攻击： http://ewic.bcs.org/upload/pdf/ewic_icscsr2015_paper15.pdf "
Beau Bullock @dafthack

[ Others ] A good walkthrough for stripping metadata from PDFs - https://blog.joshlemon.com.au/protecting-your-pdf-files-and-metadata/

"一篇有关删除 PDF 元数据并锁定 PDF 以防止文档被再次编辑的教程： https://blog.joshlemon.com.au/protecting-your-pdf-files-and-metadata/"
Nicolas Krassas @Dinosn

[ Popular Software ] QuickZip 4.60 - Win7 X64 SEH Overflow (Egghunter) With Custom Encoder http://blog.knapsy.com/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/

"利用 QuickZip 4.60 的缓冲区溢出漏洞在 Win7 X64 系统上弹计算器： http://blog.knapsy.com/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/ "
dragosr @dragosr

[ Protocol ] IPv6 clue-bat: consider Extension Header(EH) injection and NDP, SEND, MLD, MRD, inverses, and tunnelled packets http://goo.gl/BYnXWR

"Cisco 对 IPV6 扩展头(EH)的分析与思考，侧重于分析扩展头对网络设备转发 IPV6 流量的性能影响： http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html"
Giuseppe `N3mes1s` @gN3mes1s

[ SecurityReport ] related to Intel AMT EoP, INTEL-SA-00075 Mitigation Guide - https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf tl;dr disable Local Management Service (LMS)

"针对 Intel 平台管理引擎的严重漏洞，官方发布了一份缓解指南： https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf"
Hack with GitHub @HackwithGithub

[ Tools ] kcshell: Simple #Python interactive assembly / #disassembly shell for various architectures Author: @fdiskyou https://t.co/AxQ0VzbJML

"kcshell - 一个基于 Python3 实现的交互式汇编与反汇编 shell，适用于 Keystone/Capstone 提供支持的各种架构"
파울로스 ጳዉሎስ @PaulosYibelo

[ Vulnerability ] Twitter XSS with CSP Bypass http://www.paulosyibelo.com/2017/05/twitter-xss-csp-bypass.html #bugbounty

"Twitter XSS with CSP Bypass： http://www.paulosyibelo.com/2017/05/twitter-xss-csp-bypass.html"
雪碧0xroot @cn0Xroot

[ WirelessSecurity ] Tracking Rockets with GNSS-SDR https://www.gnuradio.org/blog/tracking-rockets-gnss-sdr/ #GNURadio #SDR cc @ gnuradio https://t.co/aSgvR4y9uD

"利用 GNSS-SDR 追踪火箭： https://www.gnuradio.org/blog/tracking-rockets-gnss-sdr/"

XuanwuSpider via 某个盖子 's weibo

[ Challenges ] C 程序黑手大赛（The Underhanded C Contest），考验参赛者如何神不知鬼不觉的在代码中藏后门： http://underhanded-c.org/
XuanwuSpider via medium.com

[ Industry News ] 印度移动运营商 Airtel 一直在嗅探 CloudFlare 的流量： https://medium.com/@karthikb351/airtel-is-sniffing-and-censoring-cloudflares-traffic-in-india-and-they-don-t-even-know-it-90935f7f6d98
XuanwuSpider via 长亭知乎专栏

[ Linux ] PWN2OWN 2017 Linux 内核提权漏洞分析，长亭实验室研究员公开了他们攻击 PWN2OWN Ubuntu 16.10 Desktop 本地提权漏洞的细节： https://zhuanlan.zhihu.com/p/26674557
XuanwuSpider via drive.google.com

[ Mitigation ] Architecting a Modern Defense using Device Guard，来自微软和 Mandiant 的两位研究员介绍 Device Guard 的攻与防： https://drive.google.com/file/d/0B-K55rLoulAfOGVteEllR0xnRnc/view
XuanwuSpider via sensepost.com

[ Popular Software ] 去年推送过利用 Outlook Rules 触发 Shell 执行攻击用户的技术，最近这个方法被微软修复了，于是作者看看能不能尝试新方法，于是找到了 Outlook Forms： https://sensepost.com/blog/2017/outlook-forms-and-shells/
XuanwuSpider via www.verizonenterprise.com

[ SecurityProduct ] Verizon 发布 2017 年的数据泄露调查报告： http://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf
XuanwuSpider via xenbits.xen.org

[ Virtualization ] Xen 发布漏洞公告，修复了 3 个漏洞： PV guest 逃逸漏洞： https://xenbits.xen.org/xsa/advisory-213.html System 内存访问、提权、信息泄露漏洞： https://xenbits.xen.org/xsa/advisory-214.html 物理内存页改写提权漏洞： https://xenbits.xen.org/xsa/advisory-215.html
XuanwuSpider via 安全客

[ Windows ] 从hash传递攻击谈相关Windows安全机制： http://bobao.360.cn/learning/detail/3793.html

2017/05/03