Tencent Security Xuanwu Lab Daily News
• MyBB 0day Authenticated Remote code execution:
https://0x1337.ninja/2022/07/19/mybb-0day-authenticated-remote-code-execution/
・ MyBB 0day Authenticated Remote code execution
– Jett
• GitHub – Muirey03/CVE-2022-32832: Proof-of-concept and write-up for the CVE-2022-32832 vulnerability patched in iOS 15.6:
https://github.com/Muirey03/CVE-2022-32832
・ PoC for the APFS vulnerability CVE-2022-32832, fixed yesterday in iOS 15.6
– Jett
• An Analysis of Cloud Sandbox Traffic Identification Techniques:
https://paper.seebug.org/1939/
・ Identifying cloud sandboxes from a network traffic perspective
– Jett
• Gitlab Project Import RCE Analysis (CVE-2022-2185) | STAR Labs:
https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-2022-2185/
・ Gitlab Project Import RCE Analysis (CVE-2022-2185)
– Jett
• API Key, a Key to Credential Leakage & Manipulation | CIP Blog:
https://blog.criminalip.io/2022/07/20/api-key-leak/
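・ A team's research found, by searching for Django applications with Debug mode enabled, that the API keys of more than 3100 applications are exposed on the public internet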
– Jett
• Dependency Confusion:
https://blog.doyensec.com//2022/07/21/dependency-confusion.html
・ Using the Confuser tool to detect Dependency Confusion dependency injection issues in NPM-like package managers
– Jett
• 2314 – project-zero – Project Zero – Monorail:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2314
・ Issue 2314: Chrome: raw_ptr broke implicit scoped_refptr for receivers in base::Bind.
– Jett
• SVF:
http://svf-tools.github.io/SVF/
・ SVF – a static analysis tool for interprocedural dependence analysis of C/C++
– Jett
• The Return of Candiru: Zero-days in the Middle East – Avast Threat Labs:
https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
・ Attackers used a Chrome WebRTC 0day to attack Avast users in the Middle East
– Jett
• A Brief Analysis of How Tomcat WebSocket Memory Shells Work:
https://tttang.com/archive/1673/
・ A Brief Analysis of How Tomcat WebSocket Memory Shells Work
– lanying37
* To view or search previously pushed content, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab
Originally published on the WeChat official account (Tencent Xuanwu Lab): Daily Security News Push (07-22)