Cybersecurity information flow

A clean information-feed push tool focused on the bits and pieces of the security community, surfacing quality content for security researchers every day.


Recent updates
Time Source
May 8, 2024 05:44 blackhat
Published: 2024-05-06 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags:['Mobile', 'Exploit Development & Vulnerability Discovery'] No attachment
The advent of 5G technology promises to revolutionize the mobile communication landscape, offering faster speeds and more secure connections. However, this technological leap also introduces many security challenges, particularly within the 5G baseband in mobile phones. Our research introduces 5GBaseChecker, the first ever dynamic security testing framework designed to uncover logical vulnerabilities, e.g., authentication bypass in the protocol implementations of 5G basebands. With the design of new automata learning and differential testing techniques, 5GBaseChecker not only identifies 0-day vulnerabilities but also facilitates the systematic root cause analysis of the security flaws in commercial 5G basebands. With 5GBaseChecker, we tested 17 commercial 5G basebands and 2 open-source 5G baseband (UE) implementations and uncovered 13 unique 0-day vulnerabilities and 65 vulner
May 8, 2024 05:44 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags:['Platform Security', 'Application Security: Offense'] No attachment
The security architecture of modern operating systems is intricate and layered. To effectively challenge these defenses, attackers must extensively audit the security policies of the operating system across various dimensions. In July 2023, the speaker redirected their focus from Android and IoT vulnerabilities to those within macOS. This transition was motivated by an intent to adapt methodologies typically employed by Android security researchers for use in macOS environments, which subsequently led to the identification of numerous vulnerabilities.

In this presentation, the speaker will explore the implementation and vulnerabilities of macOS security mechanisms, including TCC, sandboxing, and application management mechanisms.

Additionally, the speaker will introduce a generic
May 8, 2024 04:14 Github_POC
Buffer Overflow vulnerability LINKSYS EA7500 3.0.1.207964 allows a remote attacker to execute arbitrary code via an HTTP request to the IGD UPnP.
[GitHub]LINKSYS AC1900 EA7500v3 IGD UPnP Stack Buffer Overflow Remote Code Execution Vulnerability

May 8, 2024 04:14 Github_POC
Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.
[GitHub](CVE-2023-31290) Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023.

May 8, 2024 03:52 Github_POC
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
[GitHub][CVE-2024-23897] Jenkins CI Authenticated Arbitrary File Read Through the CLI Leads to Remote Code Execution (RCE)

May 8, 2024 03:51 Github_POC
[GitHub](CVE-2023-31290) Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023.

May 8, 2024 03:43 Github Follow
Enumerate and disable common sources of telemetry used by AV/EDR.
May 8, 2024 02:03 Github Follow
This repo contains a cheatsheet page from tailwindcompnents.com
May 8, 2024 01:13 nccgroup
Introduction In late 2023 and early 2024, the NCC Group Hardware and Embedded Systems practice undertook an engagement to reverse engineer baseband firmware on several smartphones. This included MediaTek 5G baseband firmware based on the nanoMIPS architecture. While we were aware of some nanoMIPS modules for Ghidra having been developed in private, there was no […]

May 8, 2024 00:23 Github Follow
A game demo for Ant engine
May 8, 2024 00:23 SecWiki Weekly
GrowingBugRepository: a public bug benchmark dataset https://github.com/liuhuigmail/GrowingBugRepository
An empirical study of malicious code in the PyPI ecosystem https://mp.weixin.qq.com/s/DYYlg8aCGduHSSjDSMXyIQ
May 7, 2024 23:45 Fuzzing Labs
📡 [Monthly Fuzzing] May 2024 📺 Videos/Podcasts Discoveries from Analyzing 141 Real-World ZK-SNARK Vulnerabilities! 🧐 – https://youtu.be/oxvcEXha69c https://youtu.be/oxvcEXha69c 📝 Blogposts/Papers/Slides ImageIO, the infamous iOS Zero Click Attack Vector. – https://r00tkitsmm.github.io/fuzzing/2024/03/29/iOSImageIO.html The Windows Registry Adventure #1: Introduction and research results – https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-1.html A Basic Guide to AFL QEMU – https://medium.com/@cy1337/a-basic-guide-to-afl-qemu-495df504b5fb ⚙️ Tools/Repositories what the fuzz: Linux...

May 7, 2024 23:03 Github Follow
A modern 64-bit position independent meterpreter and Sliver compatible reverse_TCP Staging Shellcode based on Cracked5piders Stardust
May 7, 2024 23:03 Github Follow
May 7, 2024 23:03 Recommended by Phithon
May 7, 2024 22:44 Github_POC
Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save.
[GitHub]CVE-2024-34469
May 7, 2024 22:44 Github_POC
[GitHub]CVE-1999-54321

May 7, 2024 22:44 Github_POC
A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.
[GitHub]Critical use-after-free vulnerability discovered in Tinyproxy

May 7, 2024 22:44 Github_POC
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.
[GitHub]CVE-2024-27956

May 7, 2024 22:44 Github_POC
A path traversal vulnerability exists in the Java version of CData API Server < 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.
[GitHub]PoC for Exploiting CVE-2024-31848/49/50/51 - File Path Traversal

May 7, 2024 21:47 Trustwave Blog
Trustwave has been positioned in the Leaders Category in the IDC MarketScape for Worldwide Emerging Managed Detection and Response (MDR) Services 2024 Vendor Assessment (doc #US50101523 April 2024).

May 7, 2024 20:23 Github Follow
Custom Query list for the Bloodhound GUI based off my cheatsheet
May 7, 2024 19:50 IMQ Minded Security Blog
One of the preliminary activities when analyzing a mobile application, more often than not, is being able to sniff its HTTP/S traffic through a MitM proxy.
This is quite straightforward in the case of naive applications, but can be quite challenging when applications use certificate pinning techniques. In this post I'll try to explain the methodology I used to make this possible for a Flutter-based Android sample application in a reliable way.


Introduction
It was indeed the need to bypass a certificate validation on a Flutter framework during a mobile application penetration testing activity for a customer of ours, that led to this research.


As a first approach, as usual, we tried some of the specific exploits/bypasses we found on the web.
Alas, in this case, they failed.


Some of the main concepts that are going to be explained, actually, overlap in what those articles contain; what it differs is the technique used for identifying and hooking at runtime the routine used for certificate verification.


While min
May 7, 2024 19:49 CXSECURITY Database RSS Feed -
Topic: POMS-PHP-(by oretnom23 )-v1.0-FU-SQLi-RCE-HAT.TRICK Risk: High Text:## Titles: POMS-PHP-(by oretnom23 )-v1.0-FU-SQLi-RCE-HAT.TRICK 1. SQLi Bypass Authentication 2. File Upload 3. RCE ## Lates...

May 7, 2024 19:48 CXSECURITY Database RSS Feed -
Topic: RansomLord v3 - Anti-Ransomware Exploitation Tool / New Release Risk: High Text:Proof-of-concept tool that automates the creation of PE files, used to exploit Ransomware pre-encryption. Updated v3: https:...

May 7, 2024 19:43 Threat intelligence
May 7, 2024 19:23 Github Follow
Package to handle a telnet connection
May 7, 2024 19:23 freebuf
China's cybersecurity market faces the dual challenges of macroeconomic volatility and an industry ecosystem in adjustment; the situation in 2024 remains severe.
May 7, 2024 19:23 Kanxue Forum
According to an announcement on the UK government website, new regulations took effect on 29 April local time to strengthen the security of phones, tablets and other devices and make them harder for cybercriminals to break into: smart-device manufacturers are now banned from using simple, easily cracked default passwords such as "password", "admin" and "123456". Before getting into the main text, here is a story that really happened. Seven years ago a cyberattack took down many popular US ...
May 7, 2024 19:03 freebuf
On May 6, San Francisco time, at the 2024 RSA Innovation Sandbox contest, known as the "Oscars of the security industry", Reality Defender, with its innovative AI technology, ...