Tencent Security Xuanwu Lab Daily News
• [Fuzzing] [PDF] Protocol State Fuzzing of TLS Implementations:
https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-de-ruiter.pdf
・ Protocol State Fuzzing of TLS Implementations
– Jett
• Router security report 2021:
https://securelist.com/router-security-2021/106711/?reseller=usa_regular-sm_acq_ona_smm__onl_b2c_twi_post_sm-team______&utm_source=twitter&utm_medium=social&utm_campaign=us_regular-sm_en0177&utm_content=sm-post&utm_term=us_twitter_organic_177bnl1zdlynfec
・ Summary of the 2021 router security report
– lanying37
• CVE-2022-25845 – Fastjson RCE vulnerability analysis:
https://jfrog.com/blog/cve-2022-25845-analyzing-the-fastjson-auto-type-bypass-rce-vulnerability/
・ Analysis of the Fastjson "Auto Type Bypass" RCE vulnerability (CVE-2022-25845)
– Jett
• [Browser] Bypassing CSP with dangling iframes:
https://portswigger.net/research/bypassing-csp-with-dangling-iframes
・ Bypassing CSP with dangling iframes
– Jett
• SBOM in Action: finding vulnerabilities with a Software Bill of Materials:
http://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html
・ Detecting vulnerabilities in the Kubernetes project using a Software Bill of Materials (SBOM)
– Jett
• An Autopsy on a Zombie In-the-Wild 0-day:
https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html
・ A Safari vulnerability fixed in 2013 reappeared as a variant in 2016 after a code refactoring; this variant (CVE-2022-22620) was found exploited in the wild this year
– Jett
• Hertzbleed Attack:
https://www.hertzbleed.com/
・ Hertzbleed: a side-channel attack on dynamic frequency scaling in x86 processors; a successful attack can even leak cryptographic keys remotely
– Jett
• HyperDbg’s One Thousand and One Nights | Rayanfam Blog:
https://rayanfam.com/topics/hyperdbg-one-thousand-and-one-nights/
・ Some of the design ideas behind the HyperDbg debugger
– Jett
• A Survey of Windows RPC Discovery Tools | clearbluejar:
https://clearbluejar.github.io/posts/surveying-windows-rpc-discovery-tools/
・ A survey of Windows RPC research tools
– Jett
* To view or search past pushes, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab
Originally published on the WeChat official account (Tencent Xuanwu Lab): Daily Security News Push (06-15)