2020.10.19-11.1一周知識動態

IOT漏洞相關

•Remote Command Execution in Ruckus IoT Controller (CVE-2020-26878 & CVE-2020-26879)

https://adepts.of0x.cc/ruckus-vriot-rce/Ruckus IoT Controller命令執行漏洞CVE-2020-26878 以及 CVE-2020-26879分析
•Interacting with a Serial Port
https://cybergibbons.com/hardware-hacking/interacting-with-a-serial-port/硬體串口通信
CTF相關
•Using a PIE binary as a Shared Library — HCSC-2020 CTF Writeup
HCSC-2020 CTF 逆向題Baseline test writeup
作業系統漏洞相關
•Explicit Is Always Good? Read the Story of CVE-2020-1034
https://blog.br0vvnn.io/pages/blogpost.aspx?id=2CVE-2020-1034 widows內核提權漏洞分析
•Let's talk macOS Authorization
https://theevilbit.github.io/posts/macos_authorization/macOS認證分析
•Samsung S20 - RCE via Samsung Galaxy Store App
https://labs.f-secure.com/blog/samsung-s20-rce-via-samsung-galaxy-store-app/Samsung S20  RCE漏洞分析
•Getting started in macOS security
https://theevilbit.github.io/posts/getting_started_in_macos_security/macOS 安全研究資源
•A story of three CVE's in Ubuntu Desktop
https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.htmlubuntu CVE-2020-15703、CVE-2020-16121以及CVE-2020-15238漏洞分析
•CVE-2020-16939: WINDOWS GROUP POLICY DACL OVERWRITE PRIVILEGE ESCALATION
https://www.zerodayinitiative.com/blog/2020/10/27/cve-2020-16939-windows-group-policy-dacl-overwrite-privilege-escalationCVE-2020-16939 windows組策略提權漏洞分析
•UACMe 3.5, WD and the ways of mitigation
https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.htmlUAC bypasses 技術分析
•Secure loading of libraries to prevent DLL preloading attacks
https://support.microsoft.com/en-in/help/2389418/secure-loading-of-libraries-to-prevent-dll-preloading-attacksdll 注入機制防禦機制
•Issue 2104: Windows Kernel cng.sys pool-based buffer overflow in IOCTL 0x390400
https://bugs.chromium.org/p/project-zero/issues/detail?id=2104windows內核cng.sys池溢出漏洞分析
漏洞挖掘相關
•AFLNet: A Greybox Fuzzer for Network Protocols
https://github.com/aflnet/aflnethttps://www.youtube.com/watch?v=Au3eO7mEI7E&feature=youtu.beAFLNet 網絡協議fuzz開源工具及視頻
•Fuzzing (fuzz testing) tutorial: What it is and how can it improve application security?
https://www.techrepublic.com/article/fuzzing-fuzz-testing-tutorial-what-it-is-and-how-can-it-improve-application-security/對Dr. David Brumley（a professor at Carnegie Mellon University and CEO）關於fuzz的採訪
•Let’s build a high-performance fuzzer with GPUs!
https://blog.trailofbits.com/2020/10/22/lets-build-a-high-performance-fuzzer-with-gpus/通過GPU來構建高性能fuzzer
•Basic Buffer Overflow Guide
https://catharsis.net.au/blog/basic-buffer-overflow-guide/demo伺服器棧溢出fuzz漏洞挖掘以及漏洞
•The Fuzzing Book
https://www.fuzzingbook.org/beta/fuzz理論與實踐比較好的公開電子書
•How to check code coverage on Linux with gcov, lcov and gcovr
https://www.youtube.com/watch?v=rOXsKuW5xXw&feature=youtu.belinux系統中如何檢查代碼覆蓋率
•Getting started with go-fuzz
https://adalogics.com/blog/getting-started-with-go-fuzzgo-fuzz分析
瀏覽器漏洞相關
•Firefox Vulnerability Research
https://blog.exodusintel.com/2020/10/20/firefox-vulnerability-research/firfox漏洞研究
•Introducing Microsoft Edge preview builds for Linux
https://blogs.windows.com/msedgedev/2020/10/20/microsoft-edge-dev-linux/在linux上安裝windows edge
•Exploiting a textbook use-after-free in Chrome
https://securitylab.github.com/research/CVE-2020-6449-exploit-chrome-uafhttps://github.com/github/securitylab/tree/main/SecurityExploits/Chrome/blink/CVE-2020-6449Chrome textbook use-after-free 漏洞分析及利用
虛擬化逃逸漏洞相關
•VMware ESXi SLP Use-After-Free Remote Code Execution Vulnerability
 https://www.zerodayinitiative.com/advisories/ZDI-20-1269/CVE-2020-3992 VMware ESXi SLP uaf漏洞公告
•DETAILING TWO VMWARE WORKSTATION TOCTOU VULNERABILITIES
https://www.zerodayinitiative.com/blog/2020/10/22/detailing-two-vmware-workstation-toctou-vulnerabilitiesVMWARE WORKSTATION TOCTOU漏洞分析
•First Steps in Hyper-V Research
https://msrc-blog.microsoft.com/2018/12/10/first-steps-in-hyper-v-researchHyper-V 虛擬化漏洞研究
•VM Forking and Hypervisor-based Fuzzing with Xen
https://www.slideshare.net/tklengyel/vm-forking-and-hypervisorbased-fuzzing-with-xenossummit上關於VM Forking以及Hypervisor-based fuzz的ppt
應用程式漏洞相關
•FRITZ!Box DNS Rebinding Protection Bypass
https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-003/-fritz-box-dns-rebinding-protection-bypassDNS Rebinding保護機制繞過
•AssaultCube RCE: Technical Analysis
https://medium.com/@elongl/assaultcube-rce-technical-analysis-e12dedf680e5AssaultCube RCE 漏洞分析
•Discord Desktop app RCE
https://mksben.l0.cm/2020/10/discord-desktop-rce.htmlCVE-2020-15174 Discord Desktop app rce漏洞分析
•GitHub - RCE via git option injection (almost) - $20,000 Bounty
https://devcraft.io/2020/10/18/github-rce-git-inject.htmlGitHub - RCE git option漏洞分析
•Insecure use of shell.openExternal
https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpmwire app desktop 代碼執行漏洞分析
•SECRET FRAGMENTS: REMOTE CODE EXECUTION ON SYMFONY BASED WEBSITES
https://www.ambionics.io/blog/symfony-secret-fragmentSymfony框架代碼執行漏洞
•CVE-2020-17365 – Hotspot Shield VPN New Privilege Escalation Vulnerability
https://cymptom.com/cve-2020-17365-hotspot-shield-vpn-new-privilege-escalation-vulnerability/2020/10/CVE-2020-17365 Hotspot Shield VPN提權漏洞分析
•Gateway2Hell – Multiple Privilege Escalation Vulnerabilities in Citrix Gateway Plug-In
https://cymptom.com/gateway2hell-multiple-privilege-escalation-vulnerabilities-in-citrix-gateway-plug-in/2020/10/Citrix Gateway Plug-In 提權漏洞分析
•GitHub Pages - Multiple RCEs via insecure Kramdown configuration - $25,000 Bounty
https://devcraft.io/2020/10/20/github-pages-multiple-rces-via-kramdown-config.html通過Kramdown configuration實現github代碼執行
•Citrix ADC (Netscaler ADC) Multi-Factor Bypass
https://vdalabs.com/2020/10/26/citrix-adc-netscaler-adc-multi-factor-bypass/Citrix ADC 多因子認證繞過
•Weblogic RCE by only one GET request — CVE-2020–14882 Analysis
https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbfCVE-2020–14882 Weblogic RCE 漏洞分析
•Reversing Pulse Secure Client Credentials Store
https://quentinkaiser.be/reversing/2020/10/27/pule-secure-credentials/Pulse Secure客戶端證書分析
•Code vulnerabilities put health records at risk
https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerabilityOpenEMR 5.0.2.1 RCE漏洞分析
工具相關
•Cloud Security Tools
https://cloudberry.engineering/tool/雲安全工具收集
其它
•NSA Warns Chinese State-Sponsored Malicious Cyber Actors Exploiting 25 CVEs
https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/NSA公布的我國網絡攻擊中常用的25個cve
•Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 1)
https://labs.bishopfox.com/industry-blog/cheating-at-online-video-games-part-1電子遊戲作弊機制分析
•How Debuggers Work: Getting and Setting x86 Registers, Part 1
https://www.moritz.systems/blog/how-debuggers-work-getting-and-setting-x86-registers-part-1/調試器的工作機制分析系列文章1
•How Debuggers Work: Getting and Setting x86 Registers, Part 2: XSAVE
https://www.moritz.systems/blog/how-debuggers-work-getting-and-setting-x86-registers-part-2/調試器的工作機制分析系列文章2
往期推薦
2020.9.21-9.27一周知識動態
2020.9.28-10.4一周知識動態
【平凡路上】是一個致力於二進位漏洞分析與利用交流與分享的圈子，做純粹的技術分享，與大家共同進步。如果大家覺得公眾號不錯的話，幫忙推薦給身邊的朋友，你的分享是我們的動力。同時歡迎掃描下方二維碼加入【平凡路上】知識星球，在星球裡面與各位師傅分享自己的經驗與心得以及提出自己的疑問，與大家共同進步。