<ol id="pzjdr"></ol>

    <b id="pzjdr"></b>

      <cite id="pzjdr"></cite>

        证券简称:天融信   证券代码:002212
        安全通告
        首页 > 技术支持 > 安全通告

        每日攻防资讯简报[May.6th]

        发布时间:2021-05-06查看次数:105
        分享到

        0x00漏洞

        1. 戴尔计算机多个BIOS驱动程序提权漏洞,影响数亿设备(CVE-2021-21551)

        https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/

        https://www.dell.com/support/kbdoc/en-uk/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability

        2. win32k的UAF漏洞可导致提权(CVE-2021-26900)

        https://www.zerodayinitiative.com/blog/2021/5/3/cve-2021-26900-privilege-escalation-via-a-use-after-free-vulnerability-in-win32k

        3. TG8防火墙预认证 RCE和密码泄露

        https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure/

        4. 思科RV34X系列vpnTimer提权漏洞的根本原因分析(CVE-2021-1520)

        https://www.iot-inspector.com/blog/advisory-cisco-rv34x-series-privilege-escalation-vpntimer/

        5. Exim邮件服务器中的多个严重漏洞

        https://www.qualys.com/2021/05/04/21nails/21nails.txt

        6. Python标准库ipaddress对八进制文字的输入验证会导致SSRF和RFI漏洞(CVE-2021-29921)

        https://sick.codes/sick-2021-014/

        7. Unity游戏开发中的依赖混淆漏洞

        https://blog.includesecurity.com/2021/04/dependency-confusion-vulnerabilities-in-unity-game-development/

        8. Wagtail XSS + LocalStorage =帐户劫持(CVE-2021-29434)

        https://www.immersivelabs.com/resources/blog/wagtail-xss-localstorage-account-hijack/

        0x01工具

        1. FOX:在Ghidra中修复Object-C的交叉引用

        https://security.humanativaspa.it/fox-fix-objectivec-xrefs-in-ghidra/

        https://github.com/federicodotta/ghidra-scripts/tree/main/FOX

        2. Jenkins攻击框架

        https://github.com/Accenture/jenkins-attack-framework

        3. baserunner:探索Firebase数据存储

        https://github.com/iosiro/baserunner

        https://iosiro.com/blog/baserunner-exploiting-firebase-datastores

        4. LibAFL:Rust编写的高级Fuzzing库

        https://github.com/AFLplusplus/LibAFL

        0x02恶意代码

        1. Sodinokibi勒索软件分析

        https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis

        2. 从Powershell Dropper提取Comrat恶意软件Dll

        https://www.youtube.com/watch?v=K8n1xv1KxNI

        3. Hermes恶意代码深度解析,Part1:脱壳

        https://www.youtube.com/watch?v=kkQAJFyoCVU

        4. 分析一次入侵事件中的Trickbot

        https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/

        0x03技术

        1. 使基本的缓冲区溢出演示更容易实现

        https://lukecraig.com/improving_bbo/

        2. 黑盒Fuzzing介绍:使用AFL++在QEMU模式下执行仅二进制文件的Fuzzing

        https://www.youtube.com/watch?v=sjLFf9q2NRc

        3. Source Engine漏洞利用,Part2:使用Ghidra实现全链客户端RCE

        https://ctf.re//source-engine/exploitation/2021/05/01/source-engine-2/

        4. 击败Bob Dishwasher的洗涤剂盒DRM,以1/60的购买新成本来重新装满它

        https://github.com/dekuNukem/bob_cassette_rewinder

        5. 解析苹果M1 GPU,Part4

        https://rosenzweig.io/blog/asahi-gpu-part-4.html

        6. 2021年第一季度DDoS攻击和BGP事件报告

        https://blog.qrator.net/en/q1-2021-report_129/

        7. 指导开发人员实现安全的Webhook发送者

        https://www.ameyalokare.com/technology/webhooks/2021/05/03/sending-webhooks-securely.html

        8. 在Google App Engine中发现漏洞并利用来突破App Engine沙箱,并在Google服务器上执行任意代码的故事

        https://blog.polybdenum.com/2021/05/05/how-i-hacked-google-app-engine-anatomy-of-a-java-bytecode-exploit.html

        9. 攻击者如何使用受损帐户创建和投递恶意OAuth应用

        https://www.proofpoint.com/us/blog/email-and-cloud-threats/how-attackers-use-compromised-accounts-create-and-distribute-malicious

        10. flatmap依赖供应链攻击的元数据分析

        https://5stars217.github.io/2021-05-03-metadata-analysis-flatmap/

        11. 对现代的Intel, AMD和ARM处理器中的微操作缓存的深入研究,以及利用微操作缓存作为定时通道传输秘密信息的攻击

        http://www.cs.virginia.edu/venkat/papers/isca2021a.pdf

        12. Android 9上的谷歌助手可以绕过Android的FLAG_SECURE提供的屏幕捕获保护

        https://pankajupadhyay.in/2020/05/01/ok-google-bypass-flag-secure/


        交换温柔,张筱雨人体艺术写真,欧美在线看欧美视频免费,欧美色美人在线视频 网站地图