Tencent Security Xuanwu Lab Daily News
• Cryptographic failures in RF encryption allow stealing robotic devices | Cossack Labs:
https://www.cossacklabs.com/blog/cryptographic-failures-in-rf-encryption/
・ 无线通信环境中的加密问题
– Jett
• Bypassing Firefox’s HTML Sanitizer API:
https://portswigger.net/research/bypassing-firefoxs-html-sanitizer-api
・ Bypassing Firefox’s HTML Sanitizer API
– Jett
• GitHub – corkami/collisions: Hash collisions:
https://github.com/corkami/collisions
・ MD5 的 Hash 碰撞以及对应的碰撞攻击方法
– Jett
• [Attack] APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor:
https://thehackernews.com/2022/06/apt-hackers-targeting-industrial.html
・ APT 黑客组织利用 ShadowPad 后门攻击工业控制系统
– lanying37
• Exploiting Intel Graphics Kernel Extensions on macOS:
https://blog.ret2.io/2022/06/29/pwn2own-2021-safari-sandbox-intel-graphics-exploit/
・ Pwn2Own 2021 比赛利用 macOS Intel 图形驱动的漏洞实现 Safari 沙箱逃逸的细节
– Jett
• BMW F Series Gear Selector, Part Two: Breakthrough:
https://www.projectgus.com/2022/06/bmw-f-series-gear-selector-part-two-breakthrough/
・ 宝马 F 系列汽车换挡装置的逆向
– Jett
• 浅谈pyd文件逆向:
https://tttang.com/archive/1641/
・ 浅谈pyd文件逆向
– lanying37
• CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus – Horizon3.ai:
https://www.horizon3.ai/red-team-blog-cve-2022-28219/
・ Zoho ManageEngine ADAudit Plus unauth RCE 漏洞分析(CVE-2022-28219)
– Jett
• Checking your browser before accessing rhinosecuritylabs.com.:
https://rhinosecuritylabs.com/cloud-security/cloudgoat-detection_evasion-walkthrough/
・ CloudGoat – 用于部署 “Vulnerable by design” AWS 研究环境的工具
– Jett
• Did You Know Your Browser’s Autofill Credentials Could Be Stolen via Cross-Site Scripting (XSS):
https://www.gosecure.net/blog/2022/06/29/did-you-know-your-browsers-autofill-credentials-could-be-stolen-via-cross-site-scripting-xss/
・ 利用 XSS 漏洞可以窃取浏览器自动填充的密码
– Jett
* 查看或搜索历史推送内容请访问:
https://sec.today
* 新浪微博账号:腾讯玄武实验室
https://weibo.com/xuanwulab
原文始发于微信公众号(腾讯玄武实验室):每日安全动态推送(06-30)