Tencent Security Xuanwu Lab Daily News
• CVE-2022-2294: Heap buffer overflow in WebRTC:
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-2294.html
・ Analysis of a heap overflow vulnerability in WebRTC in the Chrome browser; the vulnerability has been found exploited in the wild
– Jett
• A CSRF vulnerability in the popular csurf package:
https://fortbridge.co.uk/research/a-csrf-vulnerability-in-the-popular-csurf-package/
・ A CSRF vulnerability was found in csurf, the npm package that provides CSRF token middleware
– Jett
• Harvesting Active Directory credentials via HTTP Request Smuggling:
https://northwave-security.com/harvesting-active-directory-credentials-via-http-request-smuggling/
・ Harvesting Active Directory credentials via HTTP Request Smuggling
– Jett
• Bypassing Voice Biometrics with Deep Fakes | Red Team:
https://www.netspi.com/blog/technical/adversary-simulation/using-deep-fakes-to-bypass-voice-biometrics/
・ Using deep fake technology to bypass voice-based authentication
– Jett
• Who pollutes your prototype? Find the libs on cdnjs in an automated way:
https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/
・ cdnjs + AngularJS CSP bypass
– Jett
• [Tools] GitHub – Gui774ume/krie: Linux Kernel Runtime Integrity with eBPF:
https://github.com/Gui774ume/krie
・ KRIe: a kernel runtime protection component implemented with eBPF
– Jett
• PART 1: How I Met Your Beacon – Overview – MDSec:
https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/
・ C&C Beacon detection approaches and evasion methods for some commercial and open-source frameworks
– Jett
• So You Wanna Pwn The Kernel?:
https://sam4k.com/so-you-wanna-pwn-the-kernel/
・ Some thoughts, methods and advice on Linux kernel vulnerability research
– Jett
• SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250) – NCC Group Research:
https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
・ Exploiting a limited UAF in nf_tables (CVE-2022-32250)
– Jett
* To view or search previously pushed content, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab (腾讯玄武实验室)
https://weibo.com/xuanwulab
Originally published on the WeChat official account Tencent Xuanwu Lab (腾讯玄武实验室): Daily Security News Push (09-02)