CTF导航 CTF导航

每日安全动态推送(2-27)

渗透技巧 2个月前 admin
19 0 0
Tencent Security Xuanwu Lab Daily News

• UBfuzz: Finding Bugs in Sanitizer Implementations:
https://arxiv.org/abs/2401.04538v1

   ・ 介绍了一个新的测试框架UBfuzz,用于验证编译器中的sanitizer实现,发现了sanitizer中的31个漏洞,揭示了sanitizer存在的严重虚假负问题。 – SecTodayBot


• Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations:
https://www.youtube.com/watch?si=e9U9qoIq1AmEUKvy&v=ulktZxdN6nA&feature=youtu.be

   ・ 介绍了对抗模拟演示,是关于ATT&CK评估的关键概念 – SecTodayBot


• Continuously fuzzing Python C extensions:
https://blog.trailofbits.com/2024/02/23/continuously-fuzzing-python-c-extensions/

   ・ 使用Atheris工具对Python C扩展进行模糊测试,发现了cbor2库中的多个内存损坏漏洞。 – SecTodayBot


• Leveraging Binary Ninja IL to Reverse a Custom ISA: Cracking the “Pot of Gold” 37C3:
https://www.synacktiv.com/en/publications/leveraging-binary-ninja-il-to-reverse-a-custom-isa-cracking-the-pot-of-gold-37c3

   ・ 利用Binary Ninja中间语言(IL)来对自定义指令集架构(ISA)进行逆向工程,并利用该技术来破解37C3 CTF的Pot of Gold挑战。 – SecTodayBot


• Turla Leverages ‘Pelmeni Wrapper’ for Stealthy Kazuar Backdoor Delivery:
https://securityonline.info/turla-leverages-pelmeni-wrapper-for-stealthy-kazuar-backdoor-delivery/

   ・ 揭示了Turla利用‘Pelmeni Wrapper’交付隐秘的Kazuar后门的新战术,以及对Kazuar变种的分析。 – SecTodayBot


• Analysis of Glibc privilege escalation vulnerability “Looney Tunables” (CVE-2023-4911):
https://dev.to/tutorialboy/analysis-of-glibc-privilege-escalation-vulnerability-looney-tunables-cve-2023-4911-5e97

   ・ 介绍了Qualys公司威胁研究部门披露的Glibc权限提升漏洞。 – SecTodayBot


• Extracting PEAP Credentials from Wired Network Profiles:
https://itm4n.github.io/peap-credentials-wired-connections/

   ・ 从有线网络配置文件中提取PEAP凭据的方法。详细分析PEAP凭据存储和提取过程。 – SecTodayBot


• Exploring Windows UAC Bypasses: Techniques and Detection Strategies — Elastic Security Labs:
https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies

   ・ 绕过用户账户控制(UAC)的方法 – SecTodayBot


• Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild:
https://buer.haus/2024/02/23/go-go-xss-gadgets-chaining-a-dom-clobbering-exploit-in-the-wild/

   ・ 讨论了发现跨站脚本(XSS)链的过程,以及详细分析了XSS漏洞的根本原因和方法。 – SecTodayBot


* 查看或搜索历史推送内容请访问:
https://sec.today

* 新浪微博账号: 腾讯玄武实验室
https://weibo.com/xuanwulab


原文始发于微信公众号(腾讯玄武实验室):每日安全动态推送(2-27)

版权声明:admin 发表于 2024年2月27日 下午5:54。
转载请注明:每日安全动态推送(2-27) | CTF导航

相关文章

每周蓝军技术推送(2022.8.27-9.2)
admin
735
XP_CmdShell平替CLR的基础利用
admin
160
k8s中各组件和kube apiserver通信时的认证和鉴权
admin
705
每周蓝军技术推送(2021.12.11-12.17)
admin
897
每日安全动态推送(7-12)
admin
233
由defcon延伸出的一类特殊RCE
admin
780

相关文章

每日安全动态推送(4-28)
0
[代码审计] 某盗U/发卡系统 不知道是几day
0
Cookie-Monster – BOF To Steal Browser Cookies & Credentials
0
How Did I Easily Find Stored XSS at Apple And Earn $5000 ?
0
How I Discovered an RCE Vulnerability in Tesla, Securing a $10,000 Bounty
0
pgAdmin 8.3 Remote Code Execution
0
How I Prevented a Mass Data Breach – $15,000 bounty – @bxmbn
0
The Windows Registry Adventure #1: Introduction and research results
0
使用 VIM 进行代码审计
0
Progress Flowmon 任意命令执行漏洞 CVE-2024-2389
0