Daily Security News Digest (05-13)

admin Tencent Xuanwu Lab 2019-05-13
Tencent Security Xuanwu Lab Daily News


• [Windows] DfMarshal vulnerability series: debugging notes for CVE-2018-8550: 
https://whereisk0shl.top/post/2019-05-11

   ・ Debugging notes for CVE-2018-8550, one of the Windows DfMarshal series of vulnerabilities – Jett


• RichFaces deserialization leading to EL expression injection and RCE (CVE-2018-14667) - LandGrey's blog: 
https://landgrey.me/richfaces-cve-2018-14667/

   ・ Affects the RichFaces framework 3.x through 3.3.4; the root cause is that deserializing org.ajax4jsf.resource.UserResource$UriData lets an attacker-supplied EL expression be evaluated, which yields RCE – Jett


• [Wireless, Conference] [PDF] VoLTE Phreaking - Ralph Moonen (HITB 2019 AMS, HAXPO D1): 
https://conference.hitb.org/hitbsecconf2019ams/materials/HAXPO%20D1%20-%20VoLTE%20Phreaking%20-%20Ralph%20Moonen.pdf

   ・ VoLTE Phreaking: hijacking VoLTE traffic on an Android phone – Jett


• [Wireless] [PDF] Wireless Hacking with Hack Cube - Jie Fu (HITB 2019 AMS, D1T3): 
https://conference.hitb.org/hitbsecconf2019ams/materials/D1T3%20-%20Wireless%20Hacking%20with%20Hack%20Cube%20-%20Jie%20Fu.pdf

   ・ Wireless hacking with the HackCUBE device – Jett


• [Vulnerability, Web] KTN1990/CVE-2019-10869: 
https://github.com/KTN1990/CVE-2019-10869/blob/master/README.md

   ・ PoC for an arbitrary file upload vulnerability in the WordPress Ninja Forms File Uploads plugin (CVE-2019-10869) – Jett


• [Windows] Debugging and fixing the Twitch desktop client: 
https://medium.com/@kevingosse/debugging-and-fixing-the-twitch-desktop-client-d1b38a349186

   ・ Uses a bug in the Windows Twitch desktop client as a vehicle for discussing debugging methods and techniques – Jett


• [Linux] [RFC] x86: Speculative execution warnings: 
https://lore.kernel.org/lkml/d204035e-6cf7-e7cb-85d2-cebf42d75852@infradead.org/T/

   ・ RFC proposing speculative-execution warnings (SPEC_WARN_ON) for the Linux kernel – Jett


• [Tools] Working With Ghidra's P-Code To Identify Vulnerable Function Calls: 
https://www.riverloopsecurity.com/blog/2019/05/pcode/

   ・ Using the P-Code intermediate representation of the Ghidra reverse-engineering framework to identify potentially vulnerable function calls – Jett


• [Tools] Trashing the Flow of Data: 
https://googleprojectzero.blogspot.com/2019/05/trashing-flow-of-data.html?m=1

   ・ Describes how, in V8, a relatively hard-to-exploit OOB read can be cleverly turned into an arbitrary address read/write by abusing the garbage collector, achieving RCE – LW


• [Windows] Exploring Mimikatz - Part 1 - WDigest: 
https://blog.xpnsec.com/exploring-mimikatz-part-1/

   ・ Analyses how Mimikatz retrieves WDigest credentials, explains why plaintext credentials are no longer cached in the lsass process on newer Windows versions (Windows 8.1 / Server 2012 R2 and later, or older systems with KB2871997 applied), and shows how that can be worked around – Tomato


• [Windows] CVE-2019-0604: Details of a Microsoft SharePoint RCE Vulnerability: 
https://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability

   ・ Analysis of the SharePoint RCE vulnerability patched by Microsoft in February (CVE-2019-0604) – Jett


• [Conference] [PDF] Compiler Bugs and Bug Compilers - Marion Marschalek (HITB 2019 AMS, D2T1): 
https://conference.hitb.org/hitbsecconf2019ams/materials/D2T1%20-%20Compiler%20Bugs%20and%20Bug%20Compilers%20-%20Marion%20Marschalek.pdf

   ・ Compiler Bugs and Bug Compilers, from the HITB conference: an introduction to how compilers work and to the bugs found in them – Jett


• [Windows] Shellcode to Dump the Lsass Process: 
https://osandamalith.com/2019/05/11/shellcode-to-dump-the-lsass-process/

   ・ Shellcode for dumping the memory of the lsass process – Jett


• [Web] Joplin ElectronJS based Client: from XSS to RCE: 
https://blog.devsecurity.eu/en/blog/joplin-electron-rce

   ・ Escalating an XSS vulnerability in Joplin's Electron-based client into remote code execution, popping the calculator – Jett


• [Tools, macOS] foxlet/macOS-Simple-KVM: 
https://github.com/foxlet/macOS-Simple-KVM

   ・ Installing macOS inside QEMU, with KVM acceleration supported – Jett


• [Wireless, Conference] [PDF] Hacking LTE Public Warning Systems - Weiguang Li (HITB 2019 AMS, HAXPO D1): 
https://conference.hitb.org/hitbsecconf2019ams/materials/HAXPO%20D1%20-%20Hacking%20LTE%20Public%20Warning%20Systems%20-%20Weiguang%20Li.pdf

   ・ Exploiting weaknesses in the LTE network protocols to attack the Public Warning System, from 360 Unicorn Team – Jett


• [Vulnerability] 1614 – BootGuard TOCTOU vulnerability: 
https://bugzilla.tianocore.org/show_bug.cgi?id=1614

   ・ Bug tracker issue for the Intel BootGuard TOCTOU vulnerability; exploiting it gives physical memory access and from there code execution – Jett


• qingxp9/CVE-2019-6203-PoC: 
https://github.com/qingxp9/CVE-2019-6203-PoC

   ・ PoC for a logic vulnerability in the 802.1X component of macOS Mojave 10.14.4 that allows network traffic to be hijacked – Jett


• [Web] Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction: 
http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1

   ・ Using an SMB share to bypass PHP's restriction on remote file inclusion – Tomato


• [Tools] Adventures in WhatsApp DB — extracting messages from backups (with code examples): 
https://medium.com/@1522933668924/extracting-whatsapp-messages-from-backups-with-code-examples-49186de94ab4?source=friends_link&sk=0126a0b4d88cf7e24f33b1631f2722b5

   ・ Extracting and reconstructing conversations from the SQLite database of the local WhatsApp client – Jett
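
   The reconstruction step described above, as an added Python example that is not code from the linked article: it builds a constructed in-memory SQLite database mimicking a subset of the msgstore.db `messages` table, then groups rows into per-contact threads, orders them by time, labels direction from `key_from_me` and substitutes a placeholder for media rows that carry no text. The column names (`key_remote_jid`, `key_from_me`, `data`, `timestamp`, `media_wa_type`) and the millisecond-epoch timestamp convention are assumptions about the old Android schema; a real database has many more columns, and the sample rows are invented.

```python
import sqlite3
from datetime import datetime, timezone

# Subset of the msgstore.db "messages" table as assumed from older WhatsApp
# Android builds. Column names are an assumption about that schema; real
# databases carry many more columns than shown here.
SCHEMA = """
CREATE TABLE messages (
    _id INTEGER PRIMARY KEY,
    key_remote_jid TEXT NOT NULL,   -- contact/group JID
    key_from_me INTEGER NOT NULL,   -- 1 = sent by the phone owner
    key_id TEXT,
    data TEXT,                      -- message text, NULL for media
    timestamp INTEGER NOT NULL,     -- milliseconds since the Unix epoch
    media_wa_type INTEGER DEFAULT 0 -- 0 = text, non-zero = media kind
);
"""

# Constructed sample rows (not real chat data); deliberately out of thread
# order so the ORDER BY in extract_threads is exercised.
SAMPLE_ROWS = [
    (1, "15551234567@s.whatsapp.net", 0, "A1", "hi, are we still on for 3pm?", 1557700000000, 0),
    (2, "15551234567@s.whatsapp.net", 1, "A2", "yes, see you there", 1557700060000, 0),
    (3, "15559876543@s.whatsapp.net", 1, "B1", None, 1557700120000, 1),  # image, no text
    (4, "15551234567@s.whatsapp.net", 0, "A3", "great", 1557700180000, 0),
    (5, "15559876543@s.whatsapp.net", 0, "B2", "nice photo", 1557700240000, 0),
]


def load_sample_db():
    """Create the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def extract_threads(conn):
    """Return {jid: [(utc_iso_time, direction, text), ...]} in time order."""
    cur = conn.execute(
        "SELECT key_remote_jid, key_from_me, data, timestamp, media_wa_type "
        "FROM messages ORDER BY key_remote_jid, timestamp"
    )
    threads = {}
    for jid, from_me, data, ts_ms, media_type in cur:
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat()
        direction = "me" if from_me else "them"
        # Media rows have no text; keep a placeholder so the thread stays complete.
        text = data if data is not None else f"[media type {media_type}]"
        threads.setdefault(jid, []).append((when, direction, text))
    return threads


def render_thread(threads, jid):
    """Format one conversation as a readable transcript."""
    return "\n".join(f"{t} {d:>4}: {m}" for t, d, m in threads[jid])


if __name__ == "__main__":
    db = load_sample_db()
    for jid in extract_threads(db):
        print(f"== {jid}")
        print(render_thread(extract_threads(db), jid))
```

Against a real backup the same query applies once the database has been decrypted and opened with `sqlite3.connect(path)`; the only fields that matter for reconstruction are the JID, the direction flag, the text and the timestamp.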


• [Vulnerability, Exploit] [PDF] TOCTOU Attacks Against Secure Boot - Trammell Hudson & Peter Bosch (HITB 2019 AMS, D1T1): 
https://conference.hitb.org/hitbsecconf2019ams/materials/D1T1%20-%20Toctou%20Attacks%20Against%20Secure%20Boot%20-%20Trammell%20Hudson%20&%20Peter%20Bosch.pdf

   ・ Details of the Intel BootGuard TOCTOU vulnerability and its exploitation, from the HITB 2019 conference – Jett
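
   The check-then-use pattern behind this bug class, as an added Python simulation that is neither the talk's code nor the BootGuard implementation: the simulated SPI flash serves the expected image on its first read and a swapped image afterwards, standing in for an interposer that changes the bus contents after verification. The vulnerable boot path verifies one read and executes a second; the hardened path reads once into RAM, verifies that copy and executes only the copy. Using a bare SHA-256 digest in place of a signed manifest, and the image and function names, are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed images (not real firmware): the expected boot block and an
# attacker-substituted one.
GOOD_IMAGE = b"BOOT:launch-os-v1"
EVIL_IMAGE = b"BOOT:launch-implant"

# Stand-in for the signed manifest's measurement. A real verifier checks an
# RSA-signed manifest; a bare digest is an assumption for this example.
TRUSTED_DIGEST = hashlib.sha256(GOOD_IMAGE).digest()


class SpiFlash:
    """Flash that returns `first` on the first read and `later` afterwards,
    modelling an interposer that swaps contents once verification is done."""

    def __init__(self, first: bytes, later: bytes):
        self._first, self._later = first, later
        self.reads = 0

    def read(self) -> bytes:
        self.reads += 1
        return self._first if self.reads == 1 else self._later


def verify(image: bytes) -> bool:
    """Constant-time comparison of the image's digest against the trusted one."""
    return hmac.compare_digest(hashlib.sha256(image).digest(), TRUSTED_DIGEST)


def run(image: bytes) -> str:
    """Simulated execution: report which image actually ran."""
    return image.decode()


def boot_check_then_use(flash: SpiFlash):
    """Vulnerable: the bytes that are verified are not the bytes that run."""
    if not verify(flash.read()):   # first read: verified
        return None
    return run(flash.read())       # second read: attacker can have swapped it


def boot_copy_verify_use(flash: SpiFlash):
    """Hardened: read once into RAM, verify the copy, run only the copy."""
    staged = bytes(flash.read())   # single read, now immune to bus swaps
    if not verify(staged):
        return None
    return run(staged)


if __name__ == "__main__":
    print("check-then-use :", boot_check_then_use(SpiFlash(GOOD_IMAGE, EVIL_IMAGE)))
    print("copy-verify-use:", boot_copy_verify_use(SpiFlash(GOOD_IMAGE, EVIL_IMAGE)))
```

The fix is structural rather than cryptographic: the signature check is sound in both paths, and only the hardened path guarantees that what was measured is what executes.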


• [Windows] [PDF] Automated Discovery of Logical Privilege Escalation Bugs in Windows 10 - Wenxu Wu & Shi Qin (HITB 2019 AMS, D1T2): 
https://conference.hitb.org/hitbsecconf2019ams/materials/D1T2%20-%20Automated%20Discovery%20of%20Logical%20Privilege%20Escalation%20Bugs%20in%20Windows%2010%20-%20Wenxu%20Wu%20&%20Shi%20Qin.pdf

   ・ Battle of Windows Service: automated discovery of logical privilege escalation bugs in Windows 10, presented by Tencent Security Xuanwu Lab at HITB 2019 – Jett


• [Android] [PDF] Binder - The Bridge to Root - Hongli Han & Mingjian Zhou (HITB 2019 AMS, D2T2): 
https://conference.hitb.org/hitbsecconf2019ams/materials/D2T2%20-%20Binder%20-%20The%20Bridge%20to%20Root%20-%20Hongli%20Han%20&%20Mingjian%20Zhou.pdf

   ・ Android Binder: The Bridge To Root, from the 360 C0RE Team – Jett


• [Linux, Exploit] xairy/easy-linux-pwn: 
https://github.com/xairy/easy-linux-pwn

   ・ Easy Linux PWN: training exercises for writing stack overflow exploits on Linux across several architectures – Jett


• [Windows, Tools] Interface Identifier (IID) list « Thoughts on Security: 
https://www.scriptjunkie.us/2019/05/interface-identifier-iid-list/

   ・ A researcher has compiled a list of the Interface Identifiers (IIDs) registered by Windows applications; with it, the interface methods of COM objects can be resolved – Jett


• [Windows] linhlhq/CVE-2019-0604: 
https://github.com/linhlhq/CVE-2019-0604

   ・ PoC code for the SharePoint RCE vulnerability patched by Microsoft in February (CVE-2019-0604) – Jett


• [Browser] Circumventing Chrome's hardening of typer bugs: 
https://doar-e.github.io/blog/2019/05/09/circumventing-chromes-hardening-of-typer-bugs/

   ・ Describes techniques for exploiting Typer bugs in V8's Turbofan engine after Chrome's hardening that turned off the CheckBounds elimination optimization – LW


* To browse or search past digests, visit: 
https://sec.today

* Sina Weibo account: Tencent Xuanwu Lab (腾讯玄武实验室) 
https://weibo.com/xuanwulab

