Cybersecurity information flow

A clean information-feed tool focused on the day-to-day of the security community, surfacing quality content for security researchers every day.


Recent updates
Time | Node
May 3, 2024 13:39 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: F5
This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is normally used to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (i.e. Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0 https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0
May 3, 2024 13:39 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WildFly
A vulnerability was found in Wildfly’s management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of connections.
May 3, 2024 13:37 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property 'hudson.model.ParametersAction.keepUndefinedParameters'.
May 3, 2024 13:37 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
May 3, 2024 13:37 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories.
May 3, 2024 13:37 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
A sandbox bypass vulnerability involving sandbox-defined classes that shadow specific non-sandbox-defined classes in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
May 3, 2024 13:36 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
May 3, 2024 13:35 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Django
Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the `permission` argument on `FieldPanel` has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value. This vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected. Patched versions have been released as Wagtail 6.0.3 and 6.1. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability as follo
May 3, 2024 13:35 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using the `forward-auth` plugin. This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue.
May 3, 2024 13:35 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
A new vulnerable component has been found, component ID: ActiveMQ
In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API). To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement: <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping"> <property name="constraint" ref="securityConstraint" /> <property name="pathSpec" value="/" /> </bean> Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.
May 3, 2024 13:12 freebuf
Netfilter is a network packet filtering framework for the Linux operating system that provides a flexible way to manage the flow of network packets.
May 3, 2024 12:52 GitHub watch
PCI Express DIY hacking toolkit for Xilinx SP605. This repository is also home of Hyper-V Backdoor and Boot Backdoor, check readme for links and info
May 3, 2024 11:12 GitHub watch
IMPROVED simple vector database made in numpy
May 3, 2024 10:12 freebuf
Sophos researchers discovered a ransomware campaign that modifies the original contents of legitimate Sophos executables and DLLs, overwrites the entry-point code, and embeds the decrypted payload as a resource...
May 3, 2024 10:03 Github_POC
A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading the kernel past the affected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755
[GitHub]kernel exploit 22600
May 3, 2024 09:45 Github_POC
[GitHub]kernel exploit 22600
May 3, 2024 09:45 Github_POC
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
[GitHub]kernel exploit 3156
May 3, 2024 09:45 Github_POC
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later; QTS 4.5.4.2627 build 20231225 and later; QuTS hero h5.1.3.2578 build 20231110 and later; QuTS hero h4.5.4.2626 build 20231225 and later; QuTScloud c5.1.5.2651 and later
[GitHub]writeup and PoC for CVE-2024-32766 (QNAP) OS command injection and auth bypass
May 3, 2024 09:32 GitHub watch
afrog-pocs is the official PoC (Proof of Concept) library for the afrog vulnerability detection tool.
May 3, 2024 08:12 freebuf
May 3, 2024 08:02 MY_Github
motikan2010 starred SAWARATSUKI/ServiceLogo_Archive · May 2, 2024 02:46
SAWARATSUKI/ServiceLogo_Archive
Let's make logos cute. Please use them in moderation 🫠
2 Updated May 2
May 3, 2024 07:33 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags:['Network Security', 'Enterprise Security'] No attachments
We have all heard this story before - a critical vulnerability is discovered in a VPN server. It's exploited in the wild. Administrators rush to patch. Panic spreads across Twitter.

Attackers have long sought to exploit VPN servers - they are accessible from the internet, expose a rich attack surface, and often lack in security and monitoring. Historically, VPNs were primarily abused to achieve a single objective: gaining entry into internal victim networks. While this is evidently very valuable, control over a VPN server shouldn't solely be seen as a gateway to the network, and can certainly be abused in various other ways.

In this talk, we will explore VPN post-exploitation - a new approach that consists of different techniques attackers can employ on the compromised VPN server to further progress their intrusion. To demonstrate this concept, we will inspect two of the most common VPN s
May 3, 2024 07:33 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags:['Reverse Engineering'] No attachments
Python has become a popular choice for creating malware due to its ease of development, wide user base, pre-built modules, and multi-platform compatibility. Python's popularity has induced demand for Python decompilers, but community efforts to maintain automatic Python decompilation tools have been hindered by Python's unstable bytecode specification. Every year, language features are added, code generation undergoes significant changes, and opcodes are added, deleted, and modified.

Our research aims to integrate Natural Language Processing (NLP) techniques with classical Programming Language (PL) theory to create a Python decompiler that adapts to new language features and changes to the bytecode specification with minimal human maintenance effort. PyLingual uses data-driven NLP components to automatically absorb superficial bytecode and compiler changes, while leveraging engineered programmatic components for ab
May 3, 2024 07:33 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags:['Network Security', 'Application Security: Offense'] No attachments
The Internet routing protocol BGP is vulnerable to routing attacks, like prefix hijacks. The vulnerability of BGP enables a range of attacks, from stealing TLS certificates to crypto-stealing or DoS. RPKI prevents BGP hijacks through cryptographic attestations, which routers can use to detect if a given BGP origin claim is authorized. Over half of all Internet resources are already protected with RPKI. This protection rests on a software component that networks install to interact with the RPKI called a Relying Party (RP) client. RPs download information from RPKI servers, validate the objects cryptographically and provide routers with compiled RPKI information they use to protect against hijacks.

This talk shows that RPs can be a prime target for hackers attacking supposedly protected systems. We present new critical vulnerabilities in RP clients, allowing a small-scale attacker to dis
May 3, 2024 07:33 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags:['Mobile', 'Exploit Development & Vulnerability Discovery'] No attachments
GPU security is a vital area of mobile security highlighted both by public security research as well as by in-the-wild attacks. Due to the high complexity of the GPU software/firmware along with a widely available attack surface, issues in the GPU provide strong exploitation primitives for local privilege escalation attacks by code running in an unprivileged context.

In this talk, we will focus our research on the Qualcomm Adreno GPU, which is a very popular GPU implementation in mobile devices. We will do a deep dive into the Adreno GPU kernel module implementation focusing on the most recent GPU versions, reveal its complex and new attack surfaces, and discuss vulnerabilities we discovered in this component.

In total we identified 9+ exploitable vulnerabilities in the Adreno GPU driver leading to kernel code execution and affecting Qualcomm-based devices using the latest GPU models.
May 3, 2024 07:33 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags:['Cryptography', 'Application Security: Offense'] No attachments
The SSH protocol provides secure access to network services, particularly remote terminal login and file transfer within organizational networks and to over 15 million servers on the open internet. SSH uses an authenticated key exchange to establish a secure channel between a client and a server, which protects the confidentiality and integrity of messages sent in either direction. The secure channel prevents message manipulation, replay, insertion, deletion, and reordering. At the network level, SSH uses the Binary Packet Protocol over TCP.

We show that as new encryption algorithms and mitigations were added to SSH, the SSH Binary Packet Protocol is no longer a secure channel: SSH channel integrity is broken for three widely used encryption modes. This allows prefix truncation attacks where encrypted packets at the beginning of the SSH channel can be deleted without the client or server no
May 3, 2024 07:33 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags:['Platform Security', 'Hardware / Embedded'] No attachments
Modern TEEs depend on highly privileged firmware to securely implement complex features, coordinate between different hardware components, and provide a root of trust. Parts of AMD's SEV-SNP technology are implemented in firmware running on the Platform Security Processor.

This talk details two vulnerabilities in this firmware and presents novel techniques to exploit such vulnerabilities. This results in a complete loss of confidentiality, as an attacker can decrypt arbitrary guest memory on affected systems. In some cases, an attacker can arbitrarily change the contents of encrypted memory, leading to a complete loss of integrity of a running guest.
May 3, 2024 07:33 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags:['Platform Security', 'Application Security: Offense'] No attachments
The security architecture of modern operating systems is complex. If attackers want to breach these security protections, they must audit the OS security policies across multiple dimensions. In July 2023, the speaker shifted their focus from Android and IoT vulnerabilities to macOS vulnerabilities. This shift was driven by an effort to apply the methodologies typical of an Android security researcher to macOS, which led to the discovery of multiple vulnerabilities.

In this presentation, the speaker will delve into the implementation and vulnerabilities of macOS's security mechanisms, including TCC, sandboxing, and app management systems. They will offer a detailed look at how these systems work and where their weaknesses lie, providing insights into the discovery and exploitation of vulnerabilities within these areas. By unveiling 16 vulnerabilities, some of which have not been 
May 3, 2024 07:33 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags:['Exploit Development & Vulnerability Discovery', 'Reverse Engineering'] No attachments
VMware stands out as one of the most widely used hypervisors, making it a prime target for guest-to-host escape exploits. SVGA is VMware's virtual graphics device that can be used from the guest environment to draw graphics onto the monitor. Given its complex nature, SVGA represents a fertile ground for discovering vulnerabilities that facilitate guest-to-host escape exploits.

This presentation offers a personal account of the speaker's journey in tackling the VMware hypervisor. Beginning with a modest background in hypervisors, the speaker recounts their initial foray into this complex target. He shares insights into his process of uncovering bugs, which were previously undisclosed (now patched), and details the journey towards identifying robust primitives essential for crafting guest-to-host escape exploits. Throughout the presentation, the audience will be treated
May 3, 2024 07:33 blackhat
Published: 2024-05-02 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags:['Cryptography', 'Network Security'] No attachments
This presentation introduces novel attacks against control protocols of commercial off-the-shelf wireless mesh networks (WMNs). WMNs extend the network coverage of a single gateway node by using extender nodes. The decentralized architecture of mesh networks enables each extender node to independently authenticate wireless clients. Thus, extender nodes need to synchronize access control policies (e.g., Wi-Fi passwords) from the gateway node. Interestingly, different vendors developed their own cryptographic protocols to synchronize these access policies.

Unfortunately, these heterogeneous cryptographic control protocols have become a novel attack surface. We identify 0-day vulnerabilities by analyzing the binaries that use the cryptographic protocols to carry out network access policy synchronization (NAPS). In-network attackers can exploit these vulnerabilities to wiretap fresh Wi-Fi passwords, evading