每日安全动态推送(7-10)

Tencent Security Xuanwu Lab Daily News

• Two-thirds of internet-facing SolarView systems still vulnerable to critical bug:
https://www.scmagazine.com/news/vulnerability-management/solarview-systems-vulnerable-critical-bug

   ・ 太阳能发电厂工业控制系统 (ICS) 控制系统的安全研究人员报告，基于加州大学圣地亚哥分校安全研究中心 (CSIS) 的研究团队发表的论文  – SecTodayBot

• Common Nginx misconfigurations that leave your web server open to attack:
https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/

   ・ 一些常见的 Nginx 错误配置，如果不加以检查，您的网站将容易受到攻击。以下是如何在攻击者利用之前找到一些最常见的错误信息 – SecTodayBot

• How Cybercriminals Can Perform Virtual Kidnapping Scams Using AI Voice Cloning Tools and ChatGPT:
https://research.trendmicro.com/virtualkidnapping

   ・ 网络犯罪分子如何利用 AI 语音克隆工具和 ChatGPT 实施虚拟绑架诈骗，利用 Deepfake 技术和 DeepFake 音频技术发起攻击：虚拟绑架的真实案例  – SecTodayBot

• Breaking GPT-4 Bad: Check Point Research Exposes How Security Boundaries Can Be Breached as Machines Wrestle with Inner Conflicts – Check Point Blog:
https://blog-checkpoint-com.cdn.ampproject.org/c/s/blog.checkpoint.com/artificial-intelligence/breaking-gpt-4-bad-check-point-research-exposes-how-security-boundaries-can-be-breached-as-machines-wrestle-with-inner-conflicts/amp/

   ・ Check Point Research 检查了 ChatGPT-4 的安全性，并揭示了如何绕过限制 – 研究人员提出了一种称为双绑定旁路的新机制，将 GPT-4 的内部动机与其自身相冲突  – SecTodayBot

• [kubernetes] CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin Rita Zhang <rita.z.zhang () gmail com>:
https://seclists.org/oss-sec/2023/q3/9

   ・ CVE-2023-2728：使用临时容器时，绕过 ServiceAccount 准入插件强制执行的可安装机密策略 – Kubernetes 受此漏洞影响  – SecTodayBot

• ScrapPY – A Python Utility For Scraping Manuals, Documents, And Other Sensitive PDFs To Generate Wordlists That Can Be Utilized By Offensive Security Tools:
http://www.kitploit.com/2023/07/scrappy-python-utility-for-scraping.html

   ・ ScrapPY 是一个 Python 实用程序，用于抓取手册、文档和其他敏感 PDF 以生成目标单词列表，攻击性安全工具可以利用该单词列表执行暴力破解、强制浏览和字典攻击。该工具深入挖掘导致潜在密码或隐藏目录的关键字和短语，输出到可由 Hydra、Dirb 和 Nma 等工具读取的文本文件  – SecTodayBot

• Two Stories for “What is CHERI?”:
https://tratt.net/laurie/blog/2023/two_stories_for_what_is_cheri.html

   ・ CHERI 是一种工具，可以帮助捕获缓冲区溢出等缺陷，避免它们成为安全问题。 – SecTodayBot

• Flutter Restrictions Bypass:
https://blog.cybercx.co.nz/flutter-restrictions-bypass

   ・ 使用动态检测框架 Frida 绕过绕过 Flutter 框架的防篡改和防 root 检测  – SecTodayBot

• rax30 patch diff analysis & nday exploit for zdi-23-496:
http://blog.coffinsec.com/nday/2023/05/12/rax30-patchdiff-nday-analysis.html

   ・ ZDI-23-499：soap_serverd 基于堆栈的缓冲区溢出：sscanf() – 堆栈溢出漏洞 – SecTodayBot

• Ghidralligator: Emulate and Fuzz the Embedded World – Airbus Defence and Space Cyber:
https://www.cyber.airbus.com/ghidralligator_emulate_and_fuzz_the_embedded_world/

   ・ Ghidralligator – 一个基于 Ghidra 构建的模拟器，能够模拟各种 CPU 架构。此外，它可以与 AFL 集成，以启用具有代码覆盖功能的快照模糊测试  – SecTodayBot

* 查看或搜索历史推送内容请访问：
https://sec.today

* 新浪微博账号：腾讯玄武实验室
https://weibo.com/xuanwulab

原文始发于微信公众号（腾讯玄武实验室）：每日安全动态推送(7-10)