每日安全动态推送(1-11)

Tencent Security Xuanwu Lab Daily News

• [CTF] 2022 年 CTF Web 前端與 JS 題總結:
https://blog.huli.tw/2022/12/26/ctf-2022-web-js-summary/

   ・ 2022年CTF Web前端与JS题目总结 – crazyman


• [Reverse Engineering] Reverse Engineering TikTok's VM Obfuscation (Part 2) : ReverseEngineering:
https://www.reddit.com/r/ReverseEngineering/comments/107fqih/reverse_engineering_tiktoks_vm_obfuscation_part_2/

   ・ TikTok的VMP保护分析 – Atum


• RealWorld CTF 5th - realwrap:
https://github.com/iczc/rwctf-5th-realwrap

   ・ RealWorld CTF 5th 区块链挑战- realwrap Writeup – crazyman


• [Fuzzing, Tools] fuzztruction: an academic prototype of a fuzzer:
https://securityonline.info/fuzztruction-an-academic-prototype-of-a-fuzzer/

   ・ 一种新的fuzzer设计,相比于常见的对数据进行变异思路,本文提出一种对生成器的行为进行变异(错误注入)的思路。这样生成的数据可在结构上保持大部分合法性。 – WireFish


• CVE-2022-43473 ZOHO ManageEngine OpManager XXE注入:
https://da22le.github.io/cve-2022-43473-zoho-manageengine-opmanager-xxe%E6%B3%A8%E5%85%A5/

   ・ CVE-2022-43473 ZOHO ManageEngine OpManager XXE注入 – crazyman


• [Tools] How I fuzz and hack APIs?:
https://rashahacks.com/how-i-fuzz-and-hack-api/

   ・ 关于如何fuzz http api的思考 – ArisXu


• [Android, Malware] StrongPity espionage campaign targeting Android users | WeLiveSecurity:
https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/

   ・ StrongPity APT组织使用木马化的telegram软件模仿Shagle 应用程序进行水坑攻击 – crazyman


• CVE-2022-31705:
https://github.com/s0duku/cve-2022-31705

   ・ VMware Workstation Heap OOB 漏洞POC。 – Atum


• [Linux] 2391 - Linux >=4.10: UAF in __do_semtimedop() due to lockless check outside RCU section - project-zero:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2391

   ・ Linux Kernel UAF漏洞细节,该漏洞是由于加锁逻辑实现问题,导致可以通过条件竞争造成UAF漏洞。 – P4nda


• [Real World CTF 2023] The cult of 8 bit:
https://sh1yo.art/ctf/thecultof8bit/

   ・ [Real World CTF 2023] The cult of 8 bit 利用xsleak的一个非预期解法的writeup – crazyman


• RWCTF 2023 NonHeavyFTP writeup:
https://f0cus77.github.io/RWCTF-2023-NonHeavyFTP-writeup/

   ・ RWCTF2023 NonHeavyFTP的writeup,本题令选手尝试在比赛过程中挖掘开源FTPServer lightftp的race codition 0day漏洞并加以利用。 – Atum


• Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions:
https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html

   ・ VSCode扩展可以被用作攻击向量RCE开发者的电脑。 – Atum


* 查看或搜索历史推送内容请访问:
https://sec.today

* 新浪微博账号:腾讯玄武实验室
https://weibo.com/xuanwulab


原文始发于微信公众号(腾讯玄武实验室):每日安全动态推送(1-11)

版权声明:admin 发表于 2023年1月11日 上午10:31。
转载请注明:每日安全动态推送(1-11) | CTF导航

相关文章

暂无评论

暂无评论...