Daily Security News - 2020.11.18

Disclaimer: All content in this article is for learning and research purposes only and must not violate the Cybersecurity Law, the Criminal Law or other applicable requirements; in particular, redistribution or use for malicious purposes is prohibited. By reading this article you are deemed to accept these terms; otherwise you bear the responsibility yourself.

Today's headlines: a long-running and sophisticated attack campaign targeting Japan-linked organizations, an analysis of the CVE-2020-26217 XStream remote code execution vulnerability, Apache Unomi RCE, more elegant penetration testing of Webpack-built sites, and more.

[Malware]
1. Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign

2. Nibiru ransomware variant decryptor

[Vulnerability Analysis]
3. Analysis of CVE-2020-26217, an XStream remote code execution vulnerability
https://xz.aliyun.com/t/8526

4. Remote code execution (RCE) and elevation of privileges (EoP) in SmartStoreNET - CVE-2020-27996, CVE-2020-27997

5. Apache Unomi CVE-2020-13942: RCE Vulnerabilities Discovered

6. A journey into IonMonkey: root-causing CVE-2019-9810
https://doar-e.github.io/blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/

[Technical Sharing]
7. Penetration testing of Webpack-built sites, now more elegant

8. Modern attacks on the Chrome browser: optimizations and deoptimizations
https://doar-e.github.io/blog/2020/11/17/modern-attacks-on-the-chrome-browser-optimizations-and-deoptimizations

#Tool# Packer Fuzzer: a scanner for fast, efficient security testing of websites built with Webpack and other front-end bundlers

#Tool# RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.

#Tool# REST API Fuzz Testing (RAFT): Source code for a self-hosted service developed for Azure, including the API, orchestration engine, and default set of security tools (including MSR's RESTler), that enables developers to embed security tooling into their CI/CD workflows
https://github.com/microsoft/rest-api-fuzz-testing
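The two entries above describe "stateful" REST API fuzzing: rather than firing independent requests, the fuzzer infers which request produces a value (such as a resource id) that a later request consumes, and orders them accordingly. The toy below illustrates that idea; it is an added example written for this digest, not RESTler's or RAFT's code or algorithm. The spec, the endpoint names and the mutation lists are constructed for illustration.

```python
"""Toy stateful REST fuzzing: infer producer/consumer dependencies from a
constructed OpenAPI-like spec, build ordered request sequences, and generate
mutated bodies. Illustration only; not RESTler's code or algorithm."""
import re
from dataclasses import dataclass

# Constructed toy spec for a hypothetical service (not a real API).
SPEC = {
    "/items": {
        "post": {"body": {"name": "string", "qty": "integer"},
                 "response": {"id": "string"}},
    },
    "/items/{id}": {
        "get": {"response": {"id": "string", "name": "string"}},
        "delete": {"response": {}},
    },
}

# Constructed per-type mutants: boundary values plus classic injection strings.
MUTATIONS = {
    "string": ["", "A" * 4096, "' OR '1'='1", "../../etc/passwd"],
    "integer": [0, -1, 2**31, 2**63, "NaN"],
}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    body_fields: tuple  # ((field, type), ...) sorted by field name
    produces: tuple     # response property names usable by later steps

    def consumes(self):
        """Path parameters this request needs from an earlier step."""
        return tuple(re.findall(r"\{(\w+)\}", self.path))


def requests_from_spec(spec):
    reqs = []
    for path, ops in spec.items():
        for method, op in ops.items():
            body = tuple(sorted(op.get("body", {}).items()))
            produces = tuple(sorted(op.get("response", {})))
            reqs.append(Request(method.upper(), path, body, produces))
    return reqs


def build_sequences(reqs):
    """Prepend, for every consumed parameter, a producer that returns it.
    Producers are limited to parameter-free requests (one level of dependency)."""
    producers = {}
    for r in reqs:
        for name in r.produces:
            producers.setdefault(name, []).append(r)
    sequences = []
    for r in reqs:
        prefix = []
        for param in r.consumes():
            cands = [p for p in producers.get(param, [])
                     if p is not r and not p.consumes()]
            if not cands:
                prefix = None  # unresolvable dependency: skip this request
                break
            prefix.append(cands[0])
        if prefix is not None:
            sequences.append(prefix + [r])
    return sequences


def render(sequence):
    """Concrete plan: bind each path parameter to the earliest prior step that
    produces it, e.g. /items/{id} -> /items/${step0.id}."""
    plan = []
    for i, r in enumerate(sequence):
        path = r.path
        for param in r.consumes():
            src = next(j for j in range(i) if param in sequence[j].produces)
            path = path.replace("{%s}" % param, "${step%d.%s}" % (src, param))
        plan.append((r.method, path))
    return plan


def fuzz_bodies(req):
    """One body per (field, mutant): valid values everywhere, one field mutated."""
    valid = {"string": "ok", "integer": 1}
    base = {name: valid[typ] for name, typ in req.body_fields}
    bodies = []
    for name, typ in req.body_fields:
        for bad in MUTATIONS[typ]:
            body = dict(base)
            body[name] = bad
            bodies.append(body)
    return bodies


if __name__ == "__main__":
    reqs = requests_from_spec(SPEC)
    for seq in build_sequences(reqs):
        print(render(seq))
    for body in fuzz_bodies(next(r for r in reqs if r.method == "POST")):
        print(body)
```

Running it prints three sequences (POST alone, POST then GET, POST then DELETE) with the GET and DELETE paths bound to the id returned by step 0, followed by nine mutated POST bodies. A real tool would also execute the plan against the service and flag 5xx responses or, for example, a GET that still succeeds after the DELETE.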

#Tool# Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped.
