每日安全动态推送(12-7)

• [Programming] Debugging Protected Processes:

https://itm4n.github.io/debugging-protected-processes/

   ・ 如何使用PPLKiller绕过PPL保护调试受保护的进程及相关技术原理。 – P4nda

• Threat Analysis: MSI – Masquerading as a Software Installer:
https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer

   ・ 伪装成MSI的植入物分析 – crazyman

• [Tools] Neton – Tool For Getting Information From Internet Connected Sandboxes:
http://www.kitploit.com/2022/12/neton-tool-for-getting-information-from.html

   ・ Neton，用于获取沙箱指纹的工具 – keenan

• [Web] pocs/flipper_rce_xss.js at main · caioluders/pocs:
https://github.com/caioluders/pocs/blob/main/flipper_rce_xss.js

   ・ XSS 2 RCE on flipper_zero  – crazyman

• [Web] CVE-2022-46169: Critical vulnerability affects Cacti network graphing solution:
https://securityonline.info/cve-2022-46169-critical-vulnerability-affects-cacti-network-graphing-solution/

   ・ Cacti修复了评分9.8的命令注入漏洞CVE-2022-46169，攻击无需认证。 – keenan

• [Malware] A Detailed Analysis Of The Last Version Of R Evil Ransomware:
https://securityscorecard.pathfactory.com/research/detailed-analysis-revil

   ・ REvil勒索软件的分析报告 – keenan

• [Windows] The Defender’s Guide to the Windows Registry:
https://posts.specterops.io/the-defenders-guide-to-the-windows-registry-febe241abc75

   ・ 介绍Windows注册表内部构成及相关安全防护措施 – WireFisher

• [Web] Cache Poisoning? – Solution to November ’22 XSS Challenge:
https://www.youtube.com/watch?v=nY7HT1lNHwQ

   ・ 利用缓存投毒进行XSS – November ’22 XSS 挑战的官方解决方案 – crazyman

• [Wireless, Tools] Hacking Bluetooth to Brew Coffee from GitHub Actions: Part 1 – Bluetooth Investigation:
https://grack.com/blog/2022/12/01/hacking-bluetooth-to-brew-coffee-on-github-actions-part-1

   ・ Hacking Bluetooth to Brew Coffee from GitHub Actions: Part 1 – Bluetooth Investigation – lanying37

• DuckLogs 恶意软件在野外执行多种恶意活动:
https://paper.seebug.org/2034/

   ・ DuckLogs 恶意软件在野外执行多种恶意活动 – lanying37

• Hackers Actively Attack RDP Servers To Deploy Ransomware:
https://cybersecuritynews.com/rdp-servers-actively-targeted-by-hackers/

   ・ 恶意软件新趋势：越来越多的勒索软件利用已知口令或漏洞对 RDP 服务端进行攻击 – andreszeng

• [Tools] PrideLocker – a new fork of Babuk ESX encryptor:
https://www.synacktiv.com/publications/pridelocker-a-new-fork-of-babuk-esx-encryptor.html

   ・ Synacktiv发布了对针对ESXi名为PrideLocker的勒索的详细分析  – crazyman

• [Windows] deepinstinct/Lsass-Shtinkering:
https://github.com/deepinstinct/Lsass-Shtinkering

   ・ 通过滥用 Windows 错误报告服务以dump LSASS 的方法,来自DC30议题LSASS Shtinkering Abusing Windows Error Reporting to Dump LSASS – crazyman

• Weaponizing Discord Shell via SMB:
https://medium.com/@lsecqt/weaponizing-discord-shell-via-smb-92375e730e26

   ・ 在Discord中植入RCE后门的尝试，作者起初选择使用Python调用API与server通信，并通过Nuitka将其打包为PE，但会使得程序文件大小增加40+ MB，后续尝试通过SMB进行优化。 – keenan

• [Windows, Tools] CVE-2022-41120 PoC released for Windows Sysmon Elevation of Privilege Vulnerability:
https://securityonline.info/cve-2022-41120-poc-released-for-windows-sysmon-elevation-of-privilege-vulnerability/

   ・ Sysmon 中包含一个能让普通用户以 “NT AUTHORITYSYSTEM” 用户的身份完成任意文件/目录删除操作的漏洞，将该漏洞与 “利用任意文件删除进行提权” 技术相结合，可完成EoP – andreszeng

• [Linux, Reverse Engineering] Resources:
https://github.com/romainthomas/reverse-engineering-workshop

   ・ 一个逆向工程研讨会的ppt，讲到了很多x86下逆向的技巧 – ArisXu

• [Pentest] Data exfiltration using Excel:
https://systemweakness.com/data-exfiltration-using-excel-d12271525fb6

   ・ C2 新思路：利用 Excel 的 WEBSERVICE 函数 “在检测到 url 发生变化时自动发起新请求” 这一特性进行数据泄露 – andreszeng

• [Browser] Sandboxing V8:
https://docs.google.com/presentation/d/1iDWDHuAZ8ee-dRF5Lkf0nwO2mkLdZG_YJEP1yPvJ09E/edit?usp=sharing

   ・ V8 heap sandbox安全机制设计思路及防御的主要漏洞类型。 – P4nda

• [Windows, Forensics] An Introduction To Memory Forensics: Windows Process Internals | by Joseph Moronwi:
https://bit.ly/3MxqS6j

   ・ 从取证的角度分析Windows进程中的有趣的数据结构 – Atum

• [IoT] CVE-2022-45313: Mikrotik RouterOs flaw can lead to execute arbitrary code:
https://securityonline.info/cve-2022-45313-mikrotik-routeros-flaw-can-lead-to-execute-arbitrary-code/

   ・ MikroTik RouterOS 的 hotspot 程序存在越界读漏洞，可能导致有权限的用户获得任意代码执行能力 – WireFisher

• [Vulnerability] CVE-2022-46164: Account Takeover Vulnerability Found in NodeBB:
https://securityonline.info/cve-2022-46164-account-takeover-vulnerability-found-in-nodebb/

   ・ NodeBB 中存在一个原型污染漏洞，攻击者可利用该漏洞接管他人的账户 – andreszeng

• Critical Ping bug potentially allows remote hack of FreeBSD systems:
https://securityaffairs.co/wordpress/139300/hacking/cve-2022-23093-freebsd-systems-flaw.html

   ・ freebsd的ping有一个栈溢出漏洞，一个恶意的ICMP response可能会导致运行ping的主机被RCE。 – Atum

• r/ReverseEngineering – How to replicate OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786 and use libfuzzer:
https://www.reddit.com/r/ReverseEngineering/comments/zbyx41/how_to_replicate_openssl_vulnerabilities/

   ・ 两个OpenSSL高危漏洞分析（CVE-2022-3786、CVE-2022-3602），以及如何使用libfuzzer去发现上述漏洞。 – P4nda

• Bug in Honda, Nissan, Toyota Cars App Let Hackers Unlock & Start The Car Remotely:
https://cybersecuritynews.com/vulnerability-in-honda-nissan-toyota-cars-app/

   ・ SiriusXM 某一网站存在漏洞可影响多家车企，允许攻击者仅通过VID即可获取客户信息，通过进一步提权可导致受害客户的汽车被远程解锁、启动、定位、鸣笛。 – WireFisher

* 查看或搜索历史推送内容请访问：
https://sec.today

* 新浪微博账号：腾讯玄武实验室
https://weibo.com/xuanwulab

原文始发于微信公众号（腾讯玄武实验室）：每日安全动态推送(12-7)