
Tencent Xuanwu Lab Security Daily News
-
[ Android ] initroot: Bypassing Nexus 6 Secure Boot Kernel Cmdline Injection #bootloader #security #vuln CVE-2016-10277 @roeehay https://alephsecurity.com/2017/05/23/nexus6-initroot/
" initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection: https://t.co/yIe3DGqnon "
-
[ Industry News ] Hacked in Translation – from Subtitles to Complete Takeover - http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
" Check Point researchers have found a new attack surface: video subtitle files. A maliciously crafted subtitle file can trigger RCE in the media player and compromise the user's system. VLC, Kodi (XBMC), Popcorn-Time and others are affected, impacting 200 million users: https://t.co/ID29BnPmd9 "
-
[ iOS ] Doing iOS security reviews? This guide will be useful: https://github.com/felixgr/secure-ios-app-dev #ios #security
" Project Zero researcher Felix's summary of common vulnerability cases at the iOS app level: https://t.co/wY1njikZDq "
-
[ Linux ] Surprise, I ported Windows Defender to Linux. https://github.com/taviso/loadlibrary
" Tavis ported Windows DLL loading to Linux, so functions inside a DLL can be loaded and called from Linux. Once ported, Windows libraries can conveniently be fuzzed on Linux. As a demonstration, he ported Windows Defender to Linux: https://t.co/7eP48O87Vi "
-
[ Linux ] [CVE-2017-1000363] Linux lp.c Out-of-Bounds Write via Kernel Command-line https://alephsecurity.com/vulns/aleph-2017023
" The Linux kernel 4.12-rc1 lp.c driver has an out-of-bounds array write vulnerability (CVE-2017-1000363): https://t.co/O330tTYVEI "
-
[ Linux ] Linux Kernel 3.11 < 4.8 0 SO_SNDBUFFORCE SO_RCVBUFFORCE Local Privilege Escalation https://cxsecurity.com/issue/WLB-2017050084 #Kernel… https://t.co/NOIB0S1IO0
" Linux Kernel 3.11 < 4.8 0 SO_SNDBUFFORCE SO_RCVBUFFORCE local privilege escalation exploit (CVE-2016-9793): https://cxsecurity.com/issue/WLB-2017050084 "
-
[ macOS ] MacOS local EoP due to lack of bounds checking in HIServices custom CFObject serialization https://bugs.chromium.org/p/project-zero/issues/detail?id=1219
" macOS local EoP due to lack of bounds checking in HIServices custom CFObject serialization (CVE-2017-6978): https://t.co/8edDxvhDrn "
-
[ macOS ] iOS/OS X NSKeyedArchiver memory corruption due to lack of bounds checking in CAMediaTimingFunctionBuiltin https://bugs.chromium.org/p/project-zero/issues/detail?id=1175
" iOS/macOS CAMediaTimingFunctionBuiltin NSKeyedArchiver memory corruption vulnerability caused by improper bounds checking (CVE-2017-2527): https://t.co/H2xHJDxjqu "
-
[ macOS ] iOS/MacOS NSKeyedArchiver heap corruption due to rounding error in TIKeyboardLayout initWithCoder: https://bugs.chromium.org/p/project-zero/issues/detail?id=1172
" iOS/macOS NSKeyedArchiver heap corruption due to rounding error in TIKeyboardLayout initWithCoder: (CVE-2017-2524): https://t.co/7Xdfp4Dmpa "
-
[ macOS ] iOS/MacOS memory corruption due to bad bounds checking in NSCharacterSet coding for NSKeyedUnarchiver https://bugs.chromium.org/p/project-zero/issues/detail?id=1168
" iOS/macOS NSKeyedUnarchiver NSCharacterSet coding memory corruption vulnerability caused by improper bounds checking (CVE-2017-2522): https://t.co/wuPSDe3Wkq "
-
[ macOS ] iOS/MacOS kernel memory disclosure due to lack of bounds checking in netagent socket option handling https://bugs.chromium.org/p/project-zero/issues/detail?id=1140
" macOS netagent_handle_register_setopt kernel information disclosure vulnerability caused by missing bounds checking (CVE-2017-2507): https://t.co/wn6ijmManJ "
-
[ macOS ] iOS/MacOS kernel uaf due to bad locking in unix domain socket file descriptor externalization https://bugs.chromium.org/p/project-zero/issues/detail?id=1123
" iOS/macOS kernel UAF in file descriptor externalization (unp_externalize) caused by improper locking (CVE-2017-2501): https://t.co/3ZU90BVYzl "
-
[ MalwareAnalysis ] Interested in @FireEye's detailed malware analysis of #WannaCry? https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html Yara rules are in Appendix B
" FireEye's analysis of the WannaCry ransomware (YARA rules in Appendix B): https://t.co/u6hXNjMNw6 "
-
[ Mobile ] Samsung Galaxy S8 iris based biometrics bypass (blog post in German), video: https://media.ccc.de/v/biometrie-s8-iris-en (English) https://twitter.com/raviborgaonkar/status/866969707601158144
" Hacking the Samsung Galaxy S8 iris scanner: https://t.co/Fexoove8j2 "
-
[ OpenSourceProject ] Slides for OAuth Nightmares https://cloud.app.box.com/s/9xgb9yzfcgla5hsd7bdltl78k74dzot7 presentation at #hackmiamiCon
" OAuth security research: https://t.co/mwY5fuEKJ9 "
-
[ Others ] Security Implications of Publicly Reachable Building Automation Systems https://www.net.in.tum.de/fileadmin/bibtex/publications/papers/bacnet-amplification.pdf [PDF] https://t.co/Hfu0tbUeIw
" A study of security issues in BACnet, the building automation and control network communication protocol (paper): https://t.co/qPzARRBUpf "
-
[ Others ] Read the details on the state of #SCADA #HMI security - a new whitepaper analyzing more than 250 vulns in HMI systems http://bit.ly/2qRKRE2
" New whitepaper on the state of SCADA HMI security, analyzing more than 250 vulnerabilities in HMI systems; details: https://t.co/dDLBwysuGI "
-
[ Others ] [CORE-2017-0002] - Trend Micro ServerProtect Multiple Vulnerabilities https://goo.gl/fb/ybruXd #FullDisclosure
" [CORE-2017-0002] - Trend Micro ServerProtect Multiple Vulnerabilities https://t.co/O9bOtSzA4i #FullDisclosure "
-
[ SecurityProduct ] Trend Micro ServerProtect Multiple Vulnerabilities by @CoreSecurity https://www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities
" Multiple vulnerabilities found in the Trend Micro ServerProtect product: https://t.co/Anr5cIBLf2 "
-
[ Tools ] Mac OSX - Unauthenticated Sudo access for all users (USB Rubber Ducky) @hak5darren @mubix https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Sudo-for-all-users-without-password
" A USB Rubber Ducky payload targeting OS X that rewrites /etc/sudoers so that sudo no longer requires a password: https://t.co/mdS7xnkf3x "
-
[ Vulnerability ] Decided to release my old Code Integrity bypass PoC https://github.com/int0/ltmdm64_poc
" PoC that exploits a vulnerability in ltmdm64.sys to bypass the Code Integrity checks of Windows 7 SP1 x64: https://t.co/SIoRMfqSN5 "
-
[ Vulnerability ] NSUnarchiver heap corruption due to lack of bounds checking in [NSBuiltinCharacterSet initWithCoder:] https://bugs.chromium.org/p/project-zero/issues/detail?id=1170
" NSUnarchiver heap corruption due to lack of bounds checking in [NSBuiltinCharacterSet initWithCoder:] (CVE-2017-2523): https://t.co/3gCCUSTEe5 "
-
[ Vulnerability ] SSD Advisory – @IBM Informix Dynamic Server and Informix Open Admin Tool Multiple Vulnerabilities For more details:… https://t.co/wCxrXv9InJ
" Details of multiple high-severity vulnerabilities in IBM Informix Dynamic Server and Informix Open Admin Tool, including PHP code injection, heap overflow and remote DLL injection: https://blogs.securiteam.com/index.php/archives/3210 "
-
[ Vulnerability ] A good old but tricky CRLF injection with session fixation against OpenVPN Access Server. More info: https://sysdream.com/news/lab/2017-05-05-cve-2017-5868-openvpn-access-server-crlf-injection-with-session-fixation/
" OpenVPN Access Server has a CRLF injection vulnerability (CVE-2017-5868); using %0A, headers and content can be injected: https://t.co/FMq8ykhFcF "
-
[ Web Security ] Identifier based XSSI attacks : http://www.mbsd.jp/Whitepaper/xssi.pdf (wp/pdf)
" XSSI attack technique whitepaper: https://t.co/neE3tW2WIP "
-
[ Windows ] [blog] How To Pass the Ticket Through SSH Tunnels https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/
" How to perform a Windows Pass the Ticket (PtT) attack through SSH tunnels: https://t.co/U3SRkbCoQY "
-
[ Android ] Starting with Android O, Google is introducing Project Treble, which separates the Android OS from hardware vendors' firmware and drivers so that Google can ship Android patches promptly: https://threatpost.com/google-elevates-security-in-android-o/125848/
-
[ Browser ] Bypassing Facebook's URL safety check service Linkshim by exploiting odd behaviors in how the Edge/IE browsers handle special characters: http://www.paulosyibelo.com/2017/05/exploiting-odd-behaviors-in-ms-edge-ie.html
-
[ Hardware ] EPOXY - source code of the compiler presented a couple of days ago at the IEEE security symposium in the talk "Protecting Bare-metal Embedded Systems With Privilege Overlays": https://github.com/HexHive/EPOXY
-
[ OpenSourceProject ] Doorkeeper, an OAuth 2 implementation library, does not correctly implement the token revocation request defined in RFC 7009, so revoking a client's access token fails (CVE-2016-6582): https://blog.justinbull.ca/cve-2016-6582-doorkeeper-fails-to-revoke-access-token-in-revocation-request/
-
[ Popular Software ] Using PowerUpSQL to escalate from local administrator privileges to SQL Server sysadmin privileges: https://blog.netspi.com/get-sql-server-sysadmin-privileges-local-admin-powerupsql/
-
[ Tools ] Several tools in the SysInternals suite were updated recently: http://myitforum.com/myitforumwp/2017/05/17/sysinternals-updates-procdump-autoruns-bginfo-livekd-process-monitor-process-explorer/
-
[ Windows ] Windows 10 RS3 build 16199 removed UninstallStringLauncher from COMAutoApprovalList; it could previously be used for a UAC bypass: https://twitter.com/hfiref0x/status/866948342269530112