Daily Security News Push (1-22)
2024-1-22 14:40:22 Author: mp.weixin.qq.com

Tencent Security Xuanwu Lab Daily News

• Added ommited set of Uncore MSRs (their descriptors are available … · chip-red-pill/uCodeDisasm@ffc9070:
https://github.com/chip-red-pill/uCodeDisasm/commit/ffc9070233a6e7a26dbabe723289259f087ee20b

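   ・ Discusses CPU architecture details in depth and describes how to access low-level CPU security features; significant for low-level system analysis and fuzz testing.  – SecTodayBot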

• How to Install TrollStore using TrollMisaka (Full Guide):
https://idevicecentral.com/ios-guide/how-to-install-trollstore-using-trollmisaka-full-guide/

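   ・ A new CoreTrust bug in iOS allows TrollStore 2 to install unauthorized applications on iOS 16.0 – 17.0. The article explains how to use the TrollMisaka tool, which can bypass app installation restrictions and install unauthorized applications with enhanced capabilities.  – SecTodayBot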

• oss-security - GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability:
https://www.openwall.com/lists/oss-security/2024/01/18/2

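   ・ The GNU coreutils 'split' program has a heap buffer overflow vulnerability. The post discloses the vulnerability details and a root-cause analysis, and provides PoC files that trigger the crash and exploit the vulnerability.  – SecTodayBot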

• How I passed the Intigriti 0124 Challenge:
https://bit.ly/48R3N9E

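   ・ The article describes how the author got past the Intigriti 0124 XSS challenge using techniques such as DOM Clobbering and Prototype Pollution. It analyzes the root cause of the vulnerability in detail and provides the exploit and PoC needed to exploit it. – SecTodayBot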

• Delta Electronics Delta Industrial Automation DOPSoft DPS File wLogTitlesPrevValueLen Buffer Overflow Remote Code Execution:
https://blog.exodusintel.com/2024/01/18/delta-electronics-delta-industrial-automation-dopsoft-dps-file-wlogtitlesprevvaluelen-buffer-overflow-remote-code-execution/

   ・ The article discloses a stack buffer overflow vulnerability in Delta Electronics Delta Industrial Automation DOPSoft that an attacker can exploit to achieve remote code execution. – SecTodayBot

• Analysis of .NET Deserialization Gadget Usage:
https://paper.seebug.org/3106/

   ・ A detailed analysis of issues related to .NET deserialization vulnerabilities. – SecTodayBot

• Rotating credentials for GitHub.com and new GHES patches:
https://github.blog/2024-01-16-rotating-credentials-for-github-com-and-new-ghes-patches/

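   ・ GitHub, working with Ekoparty, disclosed a new vulnerability involving production container environment variables, along with the related fix and credential rotation process.  – SecTodayBot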

• TensorFlow Supply Chain Compromise via Self-Hosted Runner Attack:
https://www.praetorian.com/blog/tensorflow-supply-chain-compromise-via-self-hosted-runner-attack/

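   ・ Covers the newly disclosed vulnerability involving the TensorFlow open-source framework, including a detailed root-cause analysis and the potential attack techniques. The author also introduces Gato, an open-source tool for GitHub Actions pipeline enumeration and attack. – SecTodayBot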

* To view or search past pushes, visit:
https://sec.today

* Sina Weibo account: Tencent Xuanwu Lab (腾讯玄武实验室)
https://weibo.com/xuanwulab


Article source: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959509&idx=1&sn=5b52ee1ef67adcfca667e49cc41339b3&chksm=8baed04abcd9595ce2b29aa9f8e19909ce9cb47021ef586e12363d03e31a874732c888826005&scene=58&subscene=0#rd