Tencent Security Xuanwu Lab Daily News
• CVE-2022-27226: CSRF to RCE in iRZ Mobile Routers through 2022-03-16:
https://johnjhacking.com/blog/cve-2022-27226/
・ CVE-2022-27226: CSRF to RCE in iRZ Mobile Routers
– crazyman
• [Linux] Linux 6.3 To Support Pluton’s CRB TPM2 On AMD Ryzen CPUs:
https://www.phoronix.com/news/Linux-6.3-CRB-TPM2-Pluton
・ Linux 6.3 will support Pluton's Command Response Buffer (CRB) and Trusted Platform Module (TPM2) on AMD Ryzen CPUs
– ThomasonZhao
• CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion:
https://www.thezdi.com/blog/2023/1/18/cve-2022-35690-unauthenticated-rce-in-adobe-coldfusion
・ CVE-2022-35690: incomplete validation of user-supplied data in Adobe ColdFusion leads to a memory overflow; successful exploitation yields RCE as the SYSTEM user
– crazyman
• [CTF, Forensics] idek CTF 2022* Forensics – HiddenGem Mixtape Writeup:
https://hackmd.io/@crazyman/ryDLmrzoi
・ Detailed writeup of the idek CTF 2022* Forensics challenge HiddenGem Mixtape
– crazyman
• [Linux] Exploiting null-dereferences in the Linux kernel:
https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
・ Exploiting null-pointer dereferences in recent Linux kernels
– crazyman
• EmojiDeploy: Smile! Your Azure web service just got RCE’d ._.:
https://ermetic.com/blog/azure/emojideploy-smile-your-azure-web-service-just-got-rced
・ EmojiDeploy: an RCE affecting Azure web services. It chains a CSRF vulnerability in Kudu, the SCM service, to deploy a zip containing a malicious payload to Azure, then triggers the zip-deploy functionality so the deployed code runs, achieving RCE
– crazyman
• ManageEngine CVE-2022-47966 Technical Deep Dive:
https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
・ In-depth technical analysis of ManageEngine CVE-2022-47966
– crazyman
• idek 2022* ctf MISC && OSINT && BlockChain Writeup by r3kapig:
https://mp.weixin.qq.com/s/1xUncQ7CBht3q55T3rKl1w
・ Team r3kapig publishes detailed writeups for all Misc, OSINT and BlockChain challenges of idek 2022* CTF
– crazyman
• [PDF] Synacktiv advisory: sudo CVE-2023-22809 (sudo-CVE-2023-22809.pdf):
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
・ CVE-2023-22809: an interesting logic flaw in sudoedit. In the sudo_edit function, sudoedit uses the `--` separator to determine the list of files to edit, which in turn shapes the command_details that get executed. Meanwhile, find_editor reads the editor from the SUDO_EDITOR, VISUAL and EDITOR environment variables and hands it to resolve_editor, which parses not only the editor's path but also arguments separated by `--`. If a `--` is injected through the environment variable, the final command line becomes ambiguous and sudo treats everything after that `--` as files to be edited. This can be exploited to edit arbitrary sensitive files and escalate privileges
– crazyman
• GitHub – bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad: CVE-2023-0297: The Story of Finding Pre-auth RCE in pyLoad:
https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad
・ CVE-2023-0297: unauthenticated RCE in pyLoad caused by an insecure configuration of js2py's eval_js
– crazyman
• [Tools, macOS] objective-see/DumpBTM: An open-source version of `sfltool dumpbtm`:
https://github.com/objective-see/DumpBTM/
・ Parses launch-item information from BackgroundItems-v4.btm; useful for macOS forensics
– crazyman
• [Tools, Malware] Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations:
https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations
・ Gamaredon uses Telegram as a network relay (aiming to evade traffic monitoring) in attacks on Ukrainian targets
– crazyman
• CVE-2022-47966 SAML ShowStopper:
https://blog.viettelcybersecurity.com/saml-show-stopper/
・ CVE-2022-47966: khoadha, a security researcher at Viettel Cyber Security, publishes research on using DocumentHandler to attack the XSLT transformer
– crazyman
• idek 2022* Pwn && Reverse Writeup by r3kapig:
https://mp.weixin.qq.com/s/nBJU1jWaD2TFsij6OtM-_A
・ Team r3kapig publishes writeups for most Pwn and Reverse challenges of idek 2022* CTF
– crazyman
• [Browser] 2381 – Chrome: Copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess – project-zero:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2381
・ Copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess; may lead to RCE, though it is likely hard to exploit
– crazyman
Originally published on the WeChat official account (Tencent Xuanwu Lab): Daily Security News Digest (1-30)