每日安全资讯-2019.12.23

声明:本文所有内容仅用于学习和研究目的,且不能违反《网络安全法》、《刑法》等相关要求,尤其禁止传播,或用于非善良目的。您查看本文,即视为遵守以上约定,否则责任自负。

今日导读:蔓灵花(APT-C-08)移动平台攻击活动揭露、ZDI 2019 Top 5漏洞、WordPress DoS漏洞、多种姿势openrasp命令执行绕过、PHP动态特性的捕捉与逃逸等。

【病毒区】
1、蔓灵花(APT-C-08)移动平台攻击活动揭露
2、行走的漏洞利用机器人:僵尸网络病毒携71个EXP占领高地
3、Nemty勒索病毒结盟僵尸网络,黑产合作已成趋势威胁倍增

【漏洞分析区】
4、FaceTime: Out of bounds read in _RSU_DecodeByteBuffer(CVE-2019-8830)
5、ZDI’s Top 5 bugs of 2019:Privilege Escalation Via the Core Shell COM Registrar Object(CVE-2019-1184)
6、ZDI’s Top 5 bugs of 2019:Regular Exploitation of a Tesla Model 3 through Chromium RegExp(CVE-2019-13698)
7、ZDI’s Top 5 bugs of 2019:Looking Back at the Impact of CVE-2019-0604: A SharePoint RCE
8、ZDI’s Top 5 bugs of 2019:Local Privilege Escalation in Win32k.sys Through Indexed Color Palettes(CVE-2019-1362)
9、ZDI’s Top 5 bugs of 2019:Syncing out of the Firefox sandbox(CVE-2019-9812)
10、WordPress DoS: Rediscovering an Unpatched 0-Day
11、AirDoS: Remotely render any nearby iPhone or iPad unusable

【技术分享区】
12、QuickJS uaf 漏洞分析
13、Pwning an outdated Kibana with not so sad vulnerabilities(CVE-2018-17246+CVE-2019-7609)
14、Mass Surveillance, is an (un)Complicated Business - triaging a massively popular iOS application, with a dark side
15、Investigating Google Cast: Disabling device authentication on Android with Xposed
16、Exploding the DanBot code to hunt for Hexane’s cyber weapon
17、多种姿势openrasp命令执行绕过
18、Pwning VMWare, Part 1: RWCTF 2018 Station-Escape
19、PHP动态特性的捕捉与逃逸
20、A nice write-up on WinAFL setup for fuzzing popular image viewers resulting in quite a few bugs.
21、The top 10 best pentesting tools and extensions in Burp Suite
22、对乌云漏洞库payload的整理以及Burp辅助插件
23、SecWiki周刊(2019/12/16-2019/12/22)
24、Exploiting Null Byte Buffer Overflow for a $40,000 bounty
25、SSRF in Google Cloud Platform StackDriver
工具-ESET BlueKeep (CVE-2019-0708) Detection Tool
工具-Token-Hunter:Gather OSINT from GitLab groups and group members.