每日安全动态推送(12-8)

• Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks:
https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks

   ・ CI/CD 的供应链安全案例，如果一个项目使用了有漏洞的Github action，攻击者可以通过发起MR实现提权 – Atum

• VMware vCenter vScalation Privilege Escalation:
https://packetstormsecurity.com/files/170116/vcenter_java_wrapper_vmon_priv_esc.rb.txt

   ・ VMware vSphere/vCenter 权限提升漏洞(CVE-2021-22015)在metasploit框架上的利用代码。 – P4nda

• [Vulnerability] Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass:
https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/

   ・ 使用 Akamai WAF Bypass 在 Spring Boot 错误页面上通过 SSTI 而进行 RCE – crazyman

• GOAD – part 11 – ACL:
https://mayfly277.github.io/posts/GOADv2-pwning-part11/

   ・ GOAD lab part11 ACL writeup – crazyman

• [Linux] pipe_buffer arbitrary read write:
https://interruptlabs.co.uk/labs/pipe_buffer/

   ・ 使用 pipe_buffer 的任意读/写技术,用于linux kernel 利用 – crazyman

• GHSL-2022-068: Remote Code Execution (RCE) in PDFMake – CVE-2022-46161:
https://securitylab.github.com/advisories/GHSL-2022-068_pdfmake/

   ・ pdfmake支持通过js创建pdf，但未对用户输入做任何验证，也没有使用沙箱环境，造成RCE – keenan

• Largest Mobile Malware Darkweb Marketplace Discovered Having Over 1900 Injection Scripts:
https://cybersecuritynews.com/largest-mobile-malware-darkweb-marketplace/

   ・ 暗网中的 “InTheBox” 市场为移动恶意软件制造者提供了多种类别的 Webinjects 模板 – andreszeng

• [Android] It’s all about Bypassing Android SSL Pinning and Intercepting Proxy Unaware applications.:
https://kishorbalan.medium.com/its-all-about-android-ssl-pinning-bypass-and-intercepting-proxy-unaware-applications-91689c0763d8

   ・ 如何在已root的手机上绕过Android SSL Pinning劫持HTTPS流量，以及如何修改APK以绕过Proxy Unaware劫持HTTP流量。 – P4nda

• 2345 – Integer overflow in pixman_sample_floor_y leads to heap out-of-bounds write – project-zero:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2345

   ・ X server所使用的底层像素管理库pixman存在整数溢出漏洞可导致堆越界写 – WireFish

• [Browser] Apple Safari JavaScriptCore Inspector Type Confusion – SSD Secure Disclosure:
https://ssd-disclosure.com/apple-safari-javascriptcore-inspector-type-confusion/

   ・ Safari浏览器JSC存在类型混淆漏洞CVE-2022-42823，含触发PAC异常的PoC – keenan

• CVE-2022-25765-pdfkit-Exploit-Reverse-Shell:
https://github.com/CyberArchitect1/CVE-2022-25765-pdfkit-Exploit-Reverse-Shell

   ・ pdfkit的命令注入漏洞可导致命令执行，PoC已公开 – xmzyshypnc

• [Pentest] Bypassing MFA with the Pass-the-Cookie Attack:
https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/

   ・ 尽管进行了多因素身份认证，但若能获取到受害者用户登录后的 Cookie，就可以通过直接传递 Cookie 的方式接管受害者用户的账户 – andreszeng

• [Malware] DEV-0139 launches targeted attacks against the cryptocurrency industry:
https://msft.it/6016eKDus

   ・ 微软披露DEV-0139(疑似Lazarus)针对加密货币行业发起定向攻击,其主要通过社工获取信任后使用Telegram为载体投递武器化的macro宏文档,宏执行后释放另一个xls并且其内嵌的宏下载一个png文件(由白文件,黑dll,带有Guid xor加密后的backdoor程序组成),然后将这三个部分分割后提取出来再写入本地.然后其通过白加黑的手法运行载荷。除了xls载荷还有利用msi安装包进行植入的活动,其也是利用白加黑以进行木马的植入  – crazyman

• [Malware, Tools] Technical Analysis of DanaBot Obfuscation Techniques:
https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques

   ・ DanaBot恶意软件的混淆技术分析，涉及多种对抗逆向工程的实用方法 – ArisXu

• The Last Breath of Our Netgear RAX30 Bugs – A Tragic Tale before Pwn2Own Toronto 2022 : netsec:
https://www.reddit.com/r/netsec/comments/ze8pr7/the_last_breath_of_our_netgear_rax30_bugs_a/

   ・ 介绍Netgear RAX30 1.0.7.78版本的DHCP命令注入和WAN利用链 – crazyman

• [Tools] README.md:
https://github.com/JusticeRage/Gepetto

   ・ 使用 OpenAI 的 davinci-003 模型为 IDA Pro 反编译的函数提供注释和变量重命名信息的插件 – ArisXu

* 查看或搜索历史推送内容请访问：
https://sec.today

* 新浪微博账号：腾讯玄武实验室
https://weibo.com/xuanwulab

原文始发于微信公众号（腾讯玄武实验室）：每日安全动态推送(12-8)