Tencent Security Xuanwu Lab Daily News
• [Web] Turning bad SSRF to good SSRF: Websphere Portal:
https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
・ Turning bad SSRF to good SSRF: Websphere Portal
– Jett
• Exploits/Chains/Hydseven at main · forrest-orr/Exploits:
https://github.com/forrest-orr/Exploits/tree/main/Chains/Hydseven
・ Firefox RCE(CVE-2019-11707) + Sandbox Escape(CVE-2019-11708) Exploit
– Jett
• Animated Bugs: The New Remote Attack Surface in Telegram – HITB+ CyberWeek 2021:
https://cyberweek.ae/2021/presentations/animated-bugs-the-new-remote-attack-surface-in-telegram/
・ HITB Cyberweek 会议议题:Telegram 的远程攻击面研究
– Jett
• [Tools] ADExplorerSnapshot.py:
https://github.com/c3c/ADExplorerSnapshot.py
・ AD 域环境探测工具,支持为 server 打快照
– Jett
• [Tools] log4jscanner:
https://github.com/google/log4jscanner
・ log4jscanner – Google 开源的 log4j 漏洞文件系统扫描工具
– Jett
• README.md:
https://github.com/kkamagui/alcatraz
・ Alcatraz – 构建一个 Hypervisor Sandbox 来防御内部 KVM/QEMU 中的虚拟机逃逸漏洞攻击
– Jett
• +overview:
https://cyberweek.ae/2021/presentations/5g-cyber-security-challenges-and-solution/
・ HITB Cyberweek 会议议题:5G 安全的风险挑战与解决方案
– Jett
• JavaScript Engines Exploitation: a Jscript9 Case Study:
https://zerodayengineering.com/research/javascript-engines-exploitation-jscript9.html
・ Jscript9 一个 2017 年的类型混淆漏洞的利用分析
– Jett
* 查看或搜索历史推送内容请访问:
https://sec.today
* 新浪微博账号:腾讯玄武实验室
https://weibo.com/xuanwulab
原文始发于微信公众号(腾讯玄武实验室):每日安全动态推送(12-30)
