Tencent Security Xuanwu Lab Daily News
• GitHub – l0ggg/VMware_vCenter: VMware vCenter 7.0.2.00100 unauth Arbitrary File Read + SSRF + Reflected XSS:
https://github.com/l0ggg/VMware_vCenter
・ VMware vCenter 7.0.2.00100 arbitrary file read, SSRF and XSS vulnerabilities
– Jett
• GitHub – trailofbits/pip-audit: Audits Python environments and dependency trees for known vulnerabilities:
https://github.com/trailofbits/pip-audit
・ pip-audit: a tool that scans a Python environment's dependencies for known vulnerabilities
– Jett
• Tracking a P2P network related to TA505 – NCC Group Research:
https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/
・ Tracking a P2P network related to TA505
– Jett
• Azure Privilege Escalation via Azure API Permissions Abuse:
https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48
・ Azure Privilege Escalation via Azure API Permissions Abuse
– Jett
• Project Zero: This shouldn’t have happened: A vulnerability postmortem:
https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html
・ Project Zero's Tavis Ormandy found a memory corruption vulnerability in the Mozilla NSS cryptographic library
– Jett
• Jumping the air gap: 15 years of nation‑state effort | WeLiveSecurity:
https://www.welivesecurity.com/2021/12/01/jumping-air-gap-15-years-nation-state-effort/
・ ESET researchers analyze the frameworks used to cross air-gapped network boundaries in publicly documented attacks over the past 15 years
– Jett
• Where in the World is Carmen Sandiego: Abusing Location Services on macOS | by Justin Bui | Dec, 2021 | Medium:
https://medium.com/@slyd0g/where-in-the-world-is-carmen-sandiego-abusing-location-services-on-macos-10e9f4eefb71
・ Abusing Location Services on macOS
– Jett
• TALOS-2021-1352 || Cisco Talos Intelligence Group – Comprehensive Threat Intelligence:
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1352
・ Google Chrome Blink setBaseAndExtent use after free vulnerability
– Jett
• Exploiting Vulnerabilities in a TLD Registrar to Takeover Tether, Google, and Amazon:
https://palisade.consulting/blog/tld-hacking
・ Exploiting Vulnerabilities in a TLD Registrar to Takeover Tether, Google, and Amazon
– Jett
* To view or search past issues, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab
Originally published on the WeChat official account (Tencent Xuanwu Lab): Daily Security News Digest (12-02)