腾讯玄武实验室安全动态推送(Tencent Xuanwu Lab Security Daily News)

腾讯玄武实验室安全动态推送

Tencent Xuanwu Lab Security Daily News

2017/05/19

Dorian Cussen @doriancussen

[ Android ] Android Developers Blog:Android and Architecture https://android-developers.googleblog.com/2017/05/android-and-architecture.html via @ google

" 来自 Android 开发者官网的《Android 与架构》： https://t.co/jVwngxyBLr "
Manuel Caballero @magicmac2000

[ Browser ] IE11 - popUp blocker bypass - Combined with zombie alerts? popUps from everywhere! https://www.cracking.com.ar/demos/iepopups/ Video:… https://twitter.com/i/web/status/865198883563032576

" IE 11 popUp blocker Bypass PoC： https://twitter.com/i/web/status/865198883563032576 "
MDSec @MDSecLabs

[ IoTDevice ] We've just released a short blog post and code for an intro to fuzzing UART from an Arduino.. https://www.mdsec.co.uk/2017/05/hacking-hardware-with-an-arduino/

" 使用 Arduino 对路由器进行调试： https://t.co/VTDOqOiiV4 "
Jóseph Mlodzìanowskì @cedoxX

[ MalwareAnalysis ] Adylkuzz Cryptocurrency Mining #Malware Spreading for Weeks Via #EternalBlue #DoublePulsar by @ kafeine https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

" aAdylkuzz - 与 WannaCry 一样的方式传播但是目的是 "挖矿" 的恶意软件： https://securingtomorrow.mcafee.com/mcafee-labs/adylkuzz-coinminer-spreading-like-wannacry/ https://www.symantec.com/connect/ko/blogs/adylkuzz-crytocurrency-miner-not-next-wannacry "
TrendLabs @TrendLabs

[ MalwareAnalysis ] #UIWIX and #WannaCry ransomware: A summary of their differences: http://bit.ly/2reIjTe https://t.co/zXEgLBiwb4

" 勒索软件 WannaCry 、UIWIX 大对比： https://t.co/cVaOqS3WpS "
Binni Shah @binitamshah

[ Others ] ELF Hello World Tutorial : http://www.cirosantilli.com/elf-hello-world/ cc @ cirosantilli

" ELF 文件格式入门教程： https://t.co/i8mUBYe7Um "
Ryan Cobb @cobbr_io

[ Pentest ] [blog] PowerShell ScriptBlock Logging Bypass - https://cobbr.io/ScriptBlock-Logging-Bypass.html

" PowerShell 5.0 引入了一个非常有用的特性 - ScriptBlock logging，ScriptBlock 可以记录执行过的每一行 PowerShell 代码，反病毒软件可以基于此检测恶意代码。这篇 Blog 中，作者尝试 Bypass 这个特性，禁用 Logging： https://cobbr.io/ScriptBlock-Logging-Bypass.html "
Binni Shah @binitamshah

[ Popular Software ] The Case of the Stolen Source Code : https://panic.com/blog/stolen-source-code/

" 开源视频转码软件 HandBrake 的镜像下载服务器遭到入侵，软件被植入后门，源码也遭到泄露。攻击者随后还发送电子邮件，勒索大量比特币。其中源码的原因是创始人恰好在服务器遭到入侵期间手动更新了软件： http://www.solidot.org/story?sid=52446 https://panic.com/blog/stolen-source-code/ "
Jerry Gamblin @JGamblin

[ SCADA ] Introduction to Attacking ICS/SCADA Systems for Penetration Testers. http://blog.gdssecurity.com/labs/2017/5/17/introduction-to-attacking-icsscada-systems-for-penetration-t.html

" ICS/SCADA 系统的渗透测试介绍，文中最后收集了几起近些年发生的工控安全事件案例： https://t.co/Xpt8st9Baq "
SecuriTeam (SSD) @SecuriTeam_SSD

[ SecurityProduct ] SSD Advisory – @ Bitdefender Code Signing organizationName Buffer Overflow For more details: https://blogs.securiteam.com/index.php/archives/3211 https://t.co/pXFPQBMMJn

" Bitdefender PE 引擎在处理 PE 代码签名的 organizationName 时存在缓冲区溢出漏洞： https://blogs.securiteam.com/index.php/archives/3211 "
Adrien Guinet @adriengnt

[ Tools ] #wannacry in-memory private RSA key recovery for Windows XP : https://github.com/aguinet/wannakey

" wannakey - 内存中暴力搜索 WannaCry 勒索软件的加密 RSA 密钥，有了这个 Key 就可以解密还原被 WannaCry 加密后的文件。作者表示这个工具仅在 Windows XP 上工作，并且成功与否也要看运气。这个工具利用的是 WannaCry 调用的加密 API 之后释放 RSA Private Key 内存之前没有清 0： https://t.co/nMqVKgfv58 "
Alex Hude @getorix

[ Tools ] Just pushed IDA plugin to load processor configurations. If you don't know what that is, you probably don't need it? https://github.com/alexhude/LoadProcConfig

" LoadProcConfig - IDA 中加载 CPU 配置文件以优化汇编展示效果的插件： https://t.co/k8CI3ABA19 "
x0rz @x0rz

[ Tools ] Analysis of EPICHERO: RCE with root privileges in Avaya call server http://blog.infobytesec.com/2017/05/nsa-shadowbrokers-leak-analyzing.html #EquationGroup #ShadowBrokers #vulnerability

" Infobyte Security 研究员对 NSA 军火库中的 EPICHERO 工具进行了详细的分析，该工具是针对 Avaya Communication Manager 的 RCE 漏洞利用： https://t.co/hTR0MAo4eR "
Matthew Risck @Mateusz_Jozef

[ Tools ] Technical analysis of the Equation Group's post-exploitation tools (DanderSpritz and more) Part 1 https://research.kudelskisecurity.com/2017/05/18/the-equation-groups-post-exploitation-tools-danderspritz-and-more-part-1/

" Shadow Broker 公开的方程式的 DanderSpritz 渗透框架分析： https://t.co/LDONsjnhtA "
OSR @OSRDrivers

[ Tools ] WinDbg, Debugger Objects, and JavaScript! Oh, My! https://www.osr.com/blog/2017/05/18/windbg-debugger-objects-javascript-oh/

" WinDbg, Debugger Objects(dx 命令) 与调试器 JavaScript 扩展： https://www.osr.com/blog/2017/05/18/windbg-debugger-objects-javascript-oh/ "
Steve Weis @sweis

[ Tools ] Google released new Tink crypto library: https://github.com/google/tink From Thai Duong, Daniel Bleichenbacher, Bartosz Przydatek, & Quan Nguyen

" tink - Google 开源的一个简单、快速的加密库，可以基于此快速实现常见的加密需求： https://github.com/google/tink "
Rapid7 @rapid7

[ Tools ] Latest @ Metasploit release includes a scanner and exploit module for the #EternalBlue vulnerability http://r-7.co/2qADOj4

" Metasploit 发布了针对 EternalBlue 的扫描与利用模块(MS17-010)： https://t.co/sl6pV1F3d7 "
Nicolas Krassas @Dinosn

[ Vulnerability ] A critical Improper Authentication vulnerability in Uber allowed password reset for any account http://securityaffairs.co/wordpress/59210/hacking/uber-improper-authentication.html

" Uber 任意用户密码重置漏洞详情： https://t.co/ZSvETqpLKj "
Francisco Alonso @revskills

[ Web Security ] The 5k Error Page, Google bug bounty https://slashcrypto.org/2017/05/17/5k_Error_Page/

" 价值 5000 刀的 404 错误页面 - 一不小心开启了调试输出模式，来自 Google Bug Bounty 项目： https://t.co/AE9SRD8bFz "
PT Security @PTsecurity_UK

[ Windows ] A closer look at the CVE-2017-0263 privilege escalation vulnerability in #Windows http://blog.ptsecurity.com/2017/05/a-closer-look-at-cve-2017-0263.html

" 本月修复的 win32k!xxxDestroyWindow UAF 提权漏洞的分析（CVE-2017-0263），来自 Positive Technologies 团队，前两周推送过 FireEye 关于这个漏洞的分析： http://blog.ptsecurity.com/2017/05/a-closer-look-at-cve-2017-0263.html "
Casey Smith @subTee

[ Windows ] [Blog Post] Subvert CLR Process Listing With .NET Profilers http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html Basic POC To Hide from Get-Process Feedback Welcome :-)

" .NET 4 开始，CLR 进程允许通过环境变量指定 Runtime Profiler。研究员 subTee 发现可以利用这个机制劫持 .NET 进程，加载自己的 DLL： https://t.co/63bp75tzPU "

XuanwuSpider via threatpost

[ Android ] Google I/O 大会上，官方表示新版本的 Android 将集成 Google Play Protect 服务，用来检查下载的 App 的安全性： https://threatpost.com/android-gets-security-makeover-with-google-play-protect/125781/
XuanwuSpider via twitter

[ Browser ] Firefox 的这个 button 特性也许可以被用来 Bypass WAF：<button onauxclick=alert(1)>Right-Click Me</button>： https://twitter.com/0x6d6172696f/status/865092205182152705
XuanwuSpider via blog.trendmicro.com

[ iOS ] 近期几款色情 App 开始大量在 Android 和 iOS 平台上传播，他们甚至找到了上架 Apple App Store 的方式： http://blog.trendmicro.com/trendlabs-security-intelligence/pua-operation-spreads-thousands-explicit-apps-wild-legitimate-app-stores/
XuanwuSpider via heimdalsecurity.com

[ MalwareAnalysis ] WannaCry 勒索软件还没完，Heimdal 安全团队通过蜜罐捕获了一个新的蠕虫样本 - BlueDoom，BlueDoom 几乎集成了 NSA 泄露的所有攻击武器，BlueDoom 攻破用户电脑后并没有释放勒索软件 Payload，也许是在为将来的攻击做准备： https://heimdalsecurity.com/blog/bluedoom-worm-eternablue-nsa-exploits/?utm_content=buffera78a0&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
XuanwuSpider via Github

[ Tools ] aria2 - 一个轻量级的、支持多种协议、跨平台的命令行下载工具，支持 HTTP/HTTPS, FTP, SFTP, BitTorrent and Metalink： https://github.com/aria2/aria2
XuanwuSpider via Github

[ Vulnerability ] PLASMA PULSAR - kde4/kde5 KAuth 逻辑漏洞 Root Exploit（CVE-2017-8422/8849）： https://github.com/stealth/plasmapulsar

2017/05/19