每日安全资讯-2020.2.3

声明:本文所有内容仅用于学习和研究目的,且不能违反《网络安全法》、《刑法》等相关要求,尤其禁止传播,或用于非善良目的。您查看本文,即视为遵守以上约定,否则责任自负。

今日导读:OpenSMTPD LPE&RCE分析、SharePoint RCE分析、远程云执行– Azure云基础结构中的关键漏洞、Weblogic IIOP反序列化漏洞分析、PHP 7.0-7.4 disable_functions bypass、ATTCK-PenTester-Book:根据ATT&CK知识体系编制出长达400页的渗透手册等。

【漏洞分析区】
1、LPE and RCE in OpenSMTPD (CVE-2020-7247)
2、Code injection in Workflows leading to SharePoint RCE (Analysis of CVE-2020-0646)
3、Zoom-Zoom: We Are Watching You
4、Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure (Part I)
5、Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure (Part II)
6、CVE-2020-7799 – FusionAuth “Apache Freemarker” Code Execution
7、Weblogic IIOP反序列化漏洞(CVE-2020-2551) 漏洞分析

【技术分享区】
8、PHP 7.0-7.4 disable_functions bypass
9、蚁剑改造计划之增加垃圾数据
10、Part II: Returning to Adobe Reader symbols on macOS
11、Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D
12、Fugu is the first open source jailbreak based on the checkm8 exploit(Jailbreak for the iPad Pro 2017)
13、Can your EDR detect symbolic link callback rootkits?
14、Pointer Compression in V8 and what it means for browser exploitation
15、OK Google: bypass the authentication!
16、Expanding the Attack Surface: React Native Android Applications
17、Actual XSS cheat sheets in 2020
18、调度系统设计精要:深入调度器的设计与实现,源码级分析 Linux、Go 和 Kubernetes 调度器从无到有,从简单到复杂的演变过程
19、Google introduces OpenSk, an Open Source security key implementation
20、收集到的一些src挖掘奇技淫巧
21、SecWiki周刊(2020/01/27-2020/02/02)

【工具区】
工具-continuity:An Apple Continuity Protocol Reverse Engineering Project
工具-CollaboratorPlusPlus acts as a proxy between Burp and the configured Collaborator server, allowing the capture of Collaborator contexts being used by the client.
工具-DeStroid - Fighting String Encryption in Android Malware
工具-ATTCK-PenTester-Book:根据ATT&CK知识体系编制出长达400页的渗透手册

3 2 1