每日安全动态推送(5-31)

Tencent Security Xuanwu Lab Daily News

• Stack overflow in imagemagick coders/tiff.c:
https://seclists.org/oss-sec/2023/q2/200

   ・ imagemagick coders/tiff.c 中的栈溢出 – SecTodayBot

• 记一次全设备通杀未授权 RCE 的挖掘经历:
https://paper.seebug.org/2071/

   ・ 国内某大厂发现一个未授权命令执行漏洞，可远程攻击路由器、交换机、中继器、无线接入点AP和无线控制器AC等众多设备 – SecTodayBot

• hardwaterhacker/DigDug:
https://github.com/hardwaterhacker/DigDug

   ・ Dig Dug 通过将字典中的单词附加到可执行文件来增加给定的可执行文件大小，从而帮助您逃避某些 AV/EDR 检测。 – SecTodayBot

• cymulate-framework: help red team construct fully customizable and automated APT attacks easily:
https://securityonline.info/cymulate-framework-help-red-team-construct-fully-customizable-and-automated-apt-attacks-easily/

   ・ 帮助红队轻松构建完全可定制和自动化的 APT 攻击 – SecTodayBot

• CVE-2023-30601: Apache Cassandra: Privilege escalation when enabling FQL/Audit logs:
https://seclists.org/oss-sec/2023/q2/201

   ・ Apache Cassandra：启用 FQL/审计日志时会造成权限提升 – SecTodayBot

• New MVC Shop 1.0 SQL Injection / Missing Attributes:
https://packetstormsecurity.com/files/172597

   ・ 新版MVC Shop 1.0版本存在SQL注入漏洞 – SecTodayBot

• www.bleepingcomputer.com:
https://www.bleepingcomputer.com/news/security/flash-loan-attack-on-jimbos-protocol-steals-over-75-million/

   ・ 基于 Arbitrum 的 DeFi 项目 Jimbos Protocol 遭受闪电贷攻击，导致超过 4000 个 ETH 代币丢失，目前价值超过 7,500,000 美元。 – SecTodayBot

• RISC-V: Emoji Shellcoding ?:
https://github.com/RischardV/emoji-shellcoding

   ・ 来自 DEFCON30 的 Hаdrien аrrаl 和 Georges-Axel Jaloyan 的 Emoji Shellcoding 幻灯片 – SecTodayBot

• PentestGPT – A GPT-empowered Penetration Testing Tool:
https://www.kitploit.com/2023/05/pentestgpt-gpt-empowered-penetration.html

   ・ 一种自动化渗透测试工具，基于 ChatGPT 的 GPT-4 模型进行高质量推理 – SecTodayBot

• Ubuntu Security Notice USN-6110-1:
https://packetstormsecurity.com/files/172602

   ・ Jhead，佳能图像处理工具，打开特制文件会崩溃。  – SecTodayBot

• GitHub – p0dalirius/GeoWordlists: GeoWordlists is a tool to generate wordlists of passwords containing cities at a defined distance around the client city.:
https://github.com/p0dalirius/GeoWordlists

   ・ 一个 Python 脚本，用于根据客户城市半径的半径生成可能的密码列表 – SecTodayBot

* 查看或搜索历史推送内容请访问：
https://sec.today

* 新浪微博账号：腾讯玄武实验室
https://weibo.com/xuanwulab

原文始发于微信公众号（腾讯玄武实验室）：每日安全动态推送(5-31)