Daily Security News Push (09-13)

Penetration Techniques · 2 years ago (2022) · admin
Tencent Security Xuanwu Lab Daily News


• Attackers Can Bypass GitHub Required Reviewers to Submit Malicious Code:
https://www.legitsecurity.com/blog/bypassing-github-required-reviewers-to-submit-malicious-code

   ・ Bypassing the GitHub Required Reviewers restriction to submit malicious code to open-source repositories – Jett


• [Fuzzing] google/silifuzz:
https://github.com/google/silifuzz

   ・ SiliFuzz – Fuzzing CPUs by proxy – Jett


• The seventh way to call a JavaScript function without parentheses:
https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses

   ・ Techniques for calling JavaScript functions without parentheses – Jett


• Paper read <<The Convergence of Source Code and Binary Vulnerability Discovery – A Case Study>>:
https://o0xmuhe.github.io/2022/09/12/Paper-read-The-Convergence-of-Source-Code-and-Binary-Vulnerability-Discovery-%E2%80%93-A-Case-Study/

   ・ A reading of the paper "The Convergence of Source Code and Binary Vulnerability Discovery – A Case Study" – Jett


• Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free – Arctic Wolf:
https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/

   ・ Lorenz ransomware exploits a vulnerability in Mitel MiVoice to break into target companies and uses BitLocker to encrypt data – Jett


• Authenticode (I): Understanding Windows Authenticode:
https://reversea.me/index.php/authenticode-i-understanding-windows-authenticode/

   ・ Authenticode (I): Understanding Windows Authenticode – lanying37


• “GIFShell” — Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs:
https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7

   ・ Covert C&C implemented through Microsoft Teams' GIF image handling flow – Jett


• 2301 – Windows: Credential Guard ASN1 Decoder Type Confusion EoP – project-zero:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2301

   ・ The Windows Kerberos CG API lacks a check on the PDU type when processing ASN1 data structures, leading to a local privilege escalation vulnerability (CVE-2022-34709) – Jett


• GitHub – bytedance/Elkeid: Elkeid is a Cloud-Native Host-Based Intrusion Detection solution project to provide next-generation Threat Detection and Behavior Audition with modern architecture.:
https://github.com/bytedance/Elkeid

   ・ Elkeid – a cloud-native, host-based security (intrusion detection and risk identification) solution – Jett


• [Fuzzing, Tools] GitHub – ex0dus-0x/fuzzable: Framework for Automating Fuzzable Target Discovery with Static Analysis. Featured at Black Hat Arsenal USA 2022.:
https://github.com/ex0dus-0x/fuzzable

   ・ Fuzzable – a tool that uses static analysis to locate fuzzable targets – Jett


* To view or search past pushes, visit:
https://sec.today

* Sina Weibo account: Tencent Xuanwu Lab (腾讯玄武实验室)
https://weibo.com/xuanwulab


Originally published on the WeChat official account Tencent Xuanwu Lab (腾讯玄武实验室): Daily Security News Push (09-13)

Copyright notice: posted by admin on September 13, 2022 at 12:25 PM.
When reposting, please credit: Daily Security News Push (09-13) | CTF导航
