每日安全动态推送(8-8)

Tencent Security Xuanwu Lab Daily News

• Elixir Capital:
https://www.elixircapital.xyz/research/dive-into-the-filecoin-virtual-machine

   ・ 深入探讨 Filecoin 虚拟机 – SecTodayBot

• Reptile Rootkit employed in attacks against Linux systems in South Korea:
https://securityaffairs.com/149203/malware/reptile-rootkit-south-korea.html

   ・ Reptile Rootkit 被用于攻击韩国的 Linux 系统 – SecTodayBot

• GitHub – scipag/websocket_fuzzer: Simple WebSocket fuzzer:
https://github.com/scipag/websocket_fuzzer

   ・ 使用 JSON 模糊测试 websocket – SecTodayBot

• Objective-C Internals:
https://alwaysprocessing.blog/series/objc-internals

   ・ 介绍 Objective-C 内部原理 – SecTodayBot

• CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability:
https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/

   ・ PaperCut路径遍历/文件上传RCE漏洞 – SecTodayBot

• CVE-2023-39508: Apache Airflow: Airflow “Run task” feature allows execution with unnecessary priviledges:
https://seclists.org/oss-sec/2023/q3/91

   ・ Apache Airflow – 利用不必要的特权：将敏感信息暴露给未经授权的参与者漏洞 – SecTodayBot

• Interrupt Labs:
https://www.interruptlabs.co.uk/articles/newly-unreachable-story-of-a-tp-link

   ・ Pwn2Own 东京比赛中关于 TP-Link 漏洞的悲惨故事，TPLink OneMesh WAN 命令注入漏洞 – SecTodayBot

• Checkmk: Remote Code Execution by Chaining Multiple Bugs (1/3):
https://www.sonarsource.com/blog/checkmk-rce-chain-1/

   ・ Checkmk RCE，通过链接多个错误来远程执行代码 – SecTodayBot

• The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022:
https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html?m=1

   ・ Google 对野外利用的 0day 进行的第四次年度回顾 – SecTodayBot

• Azure Command Line Forensics – Host Based Artifacts:
https://www.inversecos.com/2023/03/azure-command-line-forensics-host-based.html

   ・ Azure 命令行取证 – SecTodayBot

• CVE-2023-37581: Apache Roller: XSS vulnerability for site with untrusted users:
https://seclists.org/oss-sec/2023/q3/92

   ・ Apache Roller：具有不受信任用户的站点的 XSS 漏洞 – SecTodayBot

• Researchers Jailbreak Tesla Vehicles, Gain Control Over Paid Features:
https://www.hackread.com/jailbreak-tesla-vehicles-access-paid-features/

   ・ 越狱绕过 Tesla 的 AMD 安全处理器（可信平台模块），并无需付费即可启用某些功能。特斯拉电动汽车的车内付费功能可被破解，无需付费即可激活某些功能 – SecTodayBot

• The Ultimate Merkle Tree Guide in Solidity:
https://soliditydeveloper.com/merkle-tree

   ・ Solidity 中的 Merkle 树终极指南 – SecTodayBot

• New ‘Deep Learning Attack’ Deciphers Laptop Keystrokes with 95% Accuracy:
https://thehackernews.com/2023/08/new-deep-learning-attack-deciphers.html

   ・ 研究人员近期设计出新的深度学习攻击模型，能通过对笔记本与手机捕捉和解码键盘敲击声来窃取用户数据信息。 – lanying37

* 查看或搜索历史推送内容请访问：
https://sec.today

* 新浪微博账号：腾讯玄武实验室
https://weibo.com/xuanwulab

原文始发于微信公众号（腾讯玄武实验室）：每日安全动态推送(8-8)