Daily Security News Push (2-27)
2024-2-27 17:53:10 Author: mp.weixin.qq.com

Tencent Security Xuanwu Lab Daily News

• UBfuzz: Finding Bugs in Sanitizer Implementations:
https://arxiv.org/abs/2401.04538v1

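   ・ Introduces UBfuzz, a new testing framework for validating the sanitizer implementations in compilers. It found 31 bugs in sanitizers and reveals a serious false-negative problem in them. – SecTodayBot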

• Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations:
https://www.youtube.com/watch?si=e9U9qoIq1AmEUKvy&v=ulktZxdN6nA&feature=youtu.be

   ・ Presents an adversary emulation demonstration, a key concept in ATT&CK Evaluations. – SecTodayBot

• Continuously fuzzing Python C extensions:
https://blog.trailofbits.com/2024/02/23/continuously-fuzzing-python-c-extensions/

   ・ Uses the Atheris tool to fuzz Python C extensions, finding multiple memory corruption bugs in the cbor2 library. – SecTodayBot

• Leveraging Binary Ninja IL to Reverse a Custom ISA: Cracking the “Pot of Gold” 37C3:
https://www.synacktiv.com/en/publications/leveraging-binary-ninja-il-to-reverse-a-custom-isa-cracking-the-pot-of-gold-37c3

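   ・ Uses the Binary Ninja intermediate language (IL) to reverse engineer a custom instruction set architecture (ISA), and applies the technique to crack the Pot of Gold challenge from the 37C3 CTF. – SecTodayBot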

• Turla Leverages ‘Pelmeni Wrapper’ for Stealthy Kazuar Backdoor Delivery:
https://securityonline.info/turla-leverages-pelmeni-wrapper-for-stealthy-kazuar-backdoor-delivery/

   ・ Reveals Turla's new tactic of using the ‘Pelmeni Wrapper’ to deliver the stealthy Kazuar backdoor, along with an analysis of the Kazuar variant. – SecTodayBot

• Analysis of Glibc privilege escalation vulnerability "Looney Tunables" (CVE-2023-4911):
https://dev.to/tutorialboy/analysis-of-glibc-privilege-escalation-vulnerability-looney-tunables-cve-2023-4911-5e97

   ・ Covers the Glibc privilege escalation vulnerability disclosed by Qualys's threat research unit. – SecTodayBot

• Extracting PEAP Credentials from Wired Network Profiles:
https://itm4n.github.io/peap-credentials-wired-connections/

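   ・ A method for extracting PEAP credentials from wired network profiles, with a detailed analysis of how PEAP credentials are stored and extracted. – SecTodayBot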

• Exploring Windows UAC Bypasses: Techniques and Detection Strategies — Elastic Security Labs:
https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies

   ・ Methods for bypassing User Account Control (UAC). – SecTodayBot

• Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild:
https://buer.haus/2024/02/23/go-go-xss-gadgets-chaining-a-dom-clobbering-exploit-in-the-wild/

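   ・ Discusses the process of discovering a cross-site scripting (XSS) chain, with a detailed analysis of the root cause of the XSS vulnerability and the methods used. – SecTodayBot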

* To view or search past pushes, visit:
https://sec.today

* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab


Source: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959535&idx=1&sn=d7e3f1e095f9b1c97a79e842429646e4&chksm=8baed070bcd95966631e86a2d72f901fa9295048900a2d868314465284608223358cbece08bc&scene=58&subscene=0#rd