Hello Hacking8!

学习安全知识的小伙伴，是不是觉得获得知识的渠道比较少？不要怕！CIS 2021 网络安全创新大会Spring·春日版盲盒“大作战”来了！

安全日报（2021.12.02）

2021年度热门挖矿木马——JavaXminer

CVE-2021-43527: Mozilla NSS 缓冲区堆溢出漏洞通告

12月1日，美国司法部公布一份起诉书，指控Ubiquiti前雇员利用其职务之便窃取了公司机密数据并以匿名身份对公司实施勒索。

We all know how it’s convenient to use tools like Sentry or Datadogs for JavaScript events monitoring. It allows to catch errors in real-time, organize and manage issues resolution process, and genuinely shift left operations to developers. But Wallarm security experts warn of dangerous patterns to use such tools integrated into UI since it can [...]
The post Invisible rat: how Sentry, Datadog, and others used by XSS and JavaScript malware appeared first on Wallarm.

Hi guys, having fun with TryHackMe CTF again. So, here is the write up and guideline to pass this Jason challenge. This CTF room is…
Continue reading on InfoSec Write-ups »

Photon is a relatively fast crawler designed for automating OSINT (Open Source Intelligence) with a simple interface and tons of customization options. It is written in Python. Photon essentially acts as a web crawler which is able to extract URLs with parameters, also able to fuzz them, secret AUTH keys, and a lot more.

Laundry Booking Management System version 1.0 suffers from a remote code execution vulnerability.

Red Hat Security Advisory 2021-4848-07 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include code execution and denial of service vulnerabilities.

Ubuntu Security Notice 5158-1 - It was discovered that ImageMagick incorrectly handled certain values when processing visual effects based image files. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. It was discovered that ImageMagick incorrectly handled certain values when performing resampling operations. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. Various other issues were also addressed.

Red Hat Security Advisory 2021-4829-04 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.22. Issues addressed include a bypass vulnerability.

Stegano is a basic Python Steganography module. Stegano implements two methods of hiding: using the red portion of a pixel to hide ASCII messages, and using the Least Significant Bit (LSB) technique. It is possible to use a more advanced LSB method based on integers sets. The sets (Sieve of Eratosthenes, Fermat, Carmichael numbers, etc.) are used to select the pixels used to hide the information.

Wapiti is a web application vulnerability scanner. It will scan the web pages of a deployed web application and will fuzz the URL parameters and forms to find common web vulnerabilities.

Red Hat Security Advisory 2021-4851-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.9.1 serves as a replacement for Red Hat AMQ Broker 7.9.0, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Online Enrollment Management System in PHP and PayPal version 1.0 suffers from a persistent cross site scripting vulnerability.

Ubuntu Security Notice 5161-1 - Ilja Van Sprundel discovered that the SCTP implementation in the Linux kernel did not properly perform size validations on incoming packets in some situations. An attacker could possibly use this to expose sensitive information. It was discovered that the AMD Cryptographic Coprocessor driver in the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service. Various other issues were also addressed.

Advanced Comment System version 1.0 suffers from a remote command execution vulnerability.

Ubuntu Security Notice 5162-1 - Ilja Van Sprundel discovered that the SCTP implementation in the Linux kernel did not properly perform size validations on incoming packets in some situations. An attacker could possibly use this to expose sensitive information. It was discovered that the AMD Cryptographic Coprocessor driver in the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service. Various other issues were also addressed.

NSS (Network Security Services), Mozilla project's cross-platform security library, suffers from a memory corruption flaw when validating ECDSA signatures.

MilleGPG5 version 5.7.2 Luglio 2021 suffers from a local privilege escalation vulnerability.

Red Hat Security Advisory 2021-4863-06 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for Red Hat JBoss Web Server 5.5.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

Red Hat Security Advisory 2021-4871-05 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2021-4875-04 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2021-4859-03 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2021-4866-02 - Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information.

Red Hat Security Advisory 2021-4861-06 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for Red Hat JBoss Web Server 5.5.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

Ransomware attacks launched against healthcare providers are on the rise as 2021 draws to a close. The HHS Office for Civil Rights’ HIPAA Breach Reporting Tool points to several high-impact ransomware attacks related to the healthcare industry.
The post Healthcare Ransomware Attacks Persist appeared first on Security Boulevard.

Ubuntu Security Notice 5163-1 - Ilja Van Sprundel discovered that the SCTP implementation in the Linux kernel did not properly perform size validations on incoming packets in some situations. An attacker could possibly use this to expose sensitive information. It was discovered that the Option USB High Speed Mobile device driver in the Linux kernel did not properly handle error conditions. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. Various other issues were also addressed.

The Moderna booster level drained me all day on Dec 1 and did what jab two did during the overnight period (achy enough to wake me up and not get back to slumber easily). To try to wear myself down, I decided to practice a bit of R with the 2021 Advent of Code. There... Continue reading →
The post 2021 Advent of Code Day 02 “Don’t Try This At Home” Edition appeared first on Security Boulevard.

Ubuntu Security Notice 5165-1 - It was discovered that the NFC subsystem in the Linux kernel contained a use-after-free vulnerability in its NFC Controller Interface implementation. A local attacker could possibly use this to cause a denial of service or execute arbitrary code. It was discovered that the SCTP protocol implementation in the Linux kernel did not properly verify VTAGs in some situations. A remote attacker could possibly use this to cause a denial of service. Various other issues were also addressed.

Ubuntu Security Notice 5164-1 - It was discovered that the Option USB High Speed Mobile device driver in the Linux kernel did not properly handle error conditions. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the AMD Cryptographic Coprocessor driver in the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service. Various other issues were also addressed.

Red Hat Security Advisory 2021-4801-06 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.38. Issues addressed include a bypass vulnerability.

This archive contains all of the 137 exploits added to Packet Storm in November, 2021.

TL;DR – In this blogpost, we will give you an introduction to the key requirements associated with the Risk Management Framework introduced by DORA (Digital Operational Resilience Act);  More specifically, throughout this blogpost we will try to formulate an answer to following questions: What are the key requirements associated with the Risk Management Framework of DORA? … Continue reading DORA and ICT Risk Management: how to self-assess your compliance →

随着近十年来加密货币的兴起和相应数字货币价值的持续走高，这个新领域逐渐地吸引了各方关注，这其中自然也包括黑产行业，一个新的恶意软件类型——挖矿木马应运而生。一旦机器被入侵并被植入了挖矿木马，那只要木马还在运行，便可以为黑客带来源源不断的收益。也因此在短短几年内就催生出一大批的挖矿木马家族，与之一起增加的还有对各个平台机器的大量攻击。

背景
Hacking Team 是为数不多在全球范围内出售网络武器的公司之一，从 2003 年成立以来便因向政府机构出售监视工具而臭名昭著。
2015年7月，Hacking Team 遭受黑客攻击，其 400GB 的内部数据，包括曾经保密的客户列表，内部邮件以及工程化的漏洞和后门代码被全部公开。随后，有关 hacking team 的活动突然销声匿迹。
2018年3月
ESET
的报告指出：Hacking Team 一直处于活跃状态，其后门版本也一直保持着稳定的更新。
2018年12月
360高级威胁应对团队
的报告披露了 Hacking Team 使用 Flash 0day 的”毒针”行动。
2019年11月
360高级威胁应对团队
的报告披露了 APT-C-34 组织使用 Hacking Team 网络武器进行攻击。
2020年4月
360诺亚实验室
的报告披露出

概述
近日，有reddit用户反映，拥有100k+安装的Google Chrome扩展程序 User-Agent Switcher存在恶意点赞facebook/instagram照片的行为。
除User-Agent Switcher以外，还有另外两个扩展程序也被标记为恶意的，并从Chrome商店中下架。
目前已知受影响的扩展程序以及版本：
User-Agent Switcher
2.0.0.9
2.0.1.0
Nano Defender
15.0.0.206
Nano Adblocker
疑为 1.0.0.154
目前，Google已将相关扩展程序从 Web Store 中删除。Firefox插件则不受影响。
影响范围
Chrome Webstore显示的各扩展程序的安装量如下：
User-Agent Switcher: 100

0x01. 漏洞简介
vSphere 是 VMware 推出的虚拟化平台套件，包含 ESXi、vCenter Server 等一系列的软件。其中 vCenter Server 为 ESXi 的控制中心，可从单一控制点统一管理数据中心的所有 vSphere 主机和虚拟机，使得 IT 管理员能够提高控制能力，简化入场任务，并降低 IT 环境的管理复杂性与成本。
vSphere Client（HTML5）在 vCenter Server 插件中存在一个远程执行代码漏洞。未授权的攻击者可以通过开放 443 端口的服务器向 vCenter Server 发送精心构造的请求，从而在服务器上写入 webshell，最终造成远程任意代码执行。
0x02. 影响范围
vmware:vcenter_server 7.0

分析背景
cve-2019-0708是2019年一个rdp协议漏洞，虽然此漏洞只存在于较低版本的windows系统上，但仍有一部分用户使用较早版本的系统部署服务器（如Win Server 2008等），该漏洞仍有较大隐患。在此漏洞发布补丁之后不久，msf上即出现公开的可利用代码；但msf的利用代码似乎只针对win7，如果想要在Win Server 2008 R2上利用成功的话，则需要事先在目标机上手动设置注册表项。
在我们实际的渗透测试过程中，发现有部分Win Server 2008服务器只更新了永恒之蓝补丁，而没有修复cve-2019-0708。因此，我们尝试是否可以在修补过永恒之蓝的Win Server 2008 R2上实现一个更具有可行性的cve-2019-0708 EXP。
由于该漏洞已有大量的详细分析和利用代码，因此本文对漏洞原理和公开利用不做赘述。
分析过程
我们分析了msf的exp代码，发现公开的exp主要是利用大量Client Name内核对象布局内核池。这主要有两个目的，一是覆盖漏洞触发导致MS_T120Channel对象释放后的内存，构造伪造的Channel对象；二是直接将最终的的shellcode布局到内核池。然后通过触发IcaChannelInputInternal中Channel对象在其0x100偏移处的虚函数指针引用来达到代码执行的目的。如图1：
图1
而这种利用方式并不适用于server2008r2。我们分析了server2008r2的崩溃情况，发现引起崩溃的原因是第一步，即无法使用Client

vSphere vCenter Server 的 vsphere-ui 基于 OSGi 框架，包含上百个 bundle。前几日爆出的任意文件写入漏洞即为 vrops 相关的 bundle 出现的问题。在针对其他 bundle 审计的过程中，发现 h5-vsan 相关的 bundle 提供了一些 API 端点，并且未经过授权即可访问。通过进一步的利用，发现其中某个端点存在安全问题，可以执行任意 Spring Bean 的方法，从而导致命令执行。
漏洞时间线：
2021/04/13 - 发现漏洞并实现 RCE；
2021/04/16 - 提交漏洞至 VMware 官方并获得回复；
2021/05/26

背景
本月的微软更新包含一个spool的打印机服务本地提权漏洞，自从去年cve-2020-1048被公开以来，似乎许多人开始关注到这一模块的漏洞。鉴于此这个漏洞刚公布出来时，并没有太仔细关注。直到后面关注到绿盟的微信公众号的演示视频，显示这个漏洞可能在域环境特定情况下执行任意代码。所以认为有必要对其原理以及适用范围情况进行分析。
补丁分析
通过补丁对比，可以确定该漏洞触发原理应该是一个在添加打印机驱动的过程中RpcAddPrinterDriverEx()绕过某些检查的漏洞。
根据API文档，RpcAddPrinterDriverEx API用于在打印机服务器上安装打印机驱动；第三个参数为dwFileCopyFlags，指定了服务器在拷贝驱动文件时的行为。文档给出了标志的可能值，结合补丁，我们发现了这样一个标志：APD_INSTALL_WARNED_DRIVER（0x8000），此标志允许服务器安装警告的打印机驱动，也就是说，如果在flag中设置了APD_INSTALL_WARNED_DRIVER，那么我们可以无视警告安装打印机驱动。这刚好是微软补丁试图限制的标志位。
本地提权
我们分析了添加驱动的内部实现（位于localspl.dll的InternalAddPrinterDriver函数），添加驱动的过程如下：
1. 检查驱动签名
2. 建立驱动文件列表
3. 检查驱动兼容性
4. 拷贝驱动文件
如果能够绕过其中的限制，将自己编写的dll复制到驱动目录并加载，就可以完成本地提权。

FastJson反序列化0day及在区块链应用中的后渗透利用
链接：https://www.blackhat.com/us-21/briefings/schedule/#how-i-used-a-json-deserialization-day-to-steal-your-money-on-the-blockchain-22815
PPT链接：http://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Xing-How-I-Use-A-JSON-Deserialization.pdf
一、Fastjson反序列化原理
这个图其实已经能让人大致理解了，更详细的分析移步
Fastjson反序列化原理
二、byPass checkAutotype
关于CheckAutoType相关安全机制简单理解移步
https://kumamon.fun/FastJson-checkAutoType/
以及 https://mp.weixin.qq.com/s/OvRyrWFZLGu3bAYhOPR4KA
https://www.anquanke.com/post/id/225439
https://mp.weixin.

一、简介
Zabbix是一个支持实时监控数千台服务器、虚拟机和网络设备的企业级解决方案，客户覆盖许多大型企业。本议题介绍了Zabbix基础架构、Zabbix Server攻击面以及权限后利用，如何在复杂内网环境中从Agent控制Server权限、再基于Server拿下所有内网Agent。
二、Zabbix监控组件
Zabbix监控系统由以下几个组件部分构成：
1. Zabbix Server
Zabbix Server是所有配置、统计和操作数据的中央存储中心，也是Zabbix监控系统的告警中心。在监控的系统中出现任何异常，将被发出通知给管理员。
Zabbix Server的功能可分解成为三个不同的组件，分别为Zabbix Server服务、Web后台及数据库。
2. Zabbix Proxy
Zabbix Proxy是在大规模分布式监控场景中采用一种分担Zabbix Server压力的分层结构，其多用在跨机房、跨网络的环境中，Zabbix Proxy可以代替Zabbix Server收集性能和可用性数据，然后把数据汇报给Zabbix Server，并且在一定程度上分担了Zabbix Server的压力。
3. Zabbix Agent
Zabbix Agent部署在被监控的目标机器上，以主动监控本地资源和应用程序（硬盘、内存、

一、前言
Headless Chrome是谷歌Chrome浏览器的无界面模式，通过命令行方式打开网页并渲染，常用于自动化测试、网站爬虫、网站截图、XSS检测等场景。
近几年许多桌面客户端应用中，基本都内嵌了Chromium用于业务场景使用，但由于开发不当、CEF版本不升级维护等诸多问题，攻击者可以利用这些缺陷攻击客户端应用以达到命令执行效果。
本文以知名渗透软件Burp Suite举例，从软件分析、漏洞挖掘、攻击面扩展等方面进行深入探讨。
二、软件分析
以Burp Suite Pro v2.0beta版本为例，要做漏洞挖掘首先要了解软件架构及功能点。
将burpsuite_pro_v2.0.11beta.jar进行解包，可以发现Burp Suite打包了Windows、Linux、Mac的Chromium，可以兼容在不同系统下运行内置Chromium浏览器。
在Windows系统中，Burp Suite v2.0运行时会将chromium-win64.7z解压至C:\Users\

关于我渗透mercury靶机这回事.纯纯的通关小攻略,欢迎有大佬指出小弟不足的地方
特别是本文的提权方式,我自己提权的时候有时候可以成功,有时候又不可以,这一点有点奇怪,想问问有没有知道其他提权方式的

由CCF语音对话与听觉专委会、中国人工智能产业发展联盟（AIIA）评估组、网易易盾、语音之家、北京希尔贝壳科技有限公司共同举办的【语音之家】AI产业沙龙--网易语音AI技术：从内容安全到内容品质，将于2021年12月8日19:00-21:30通过语音之家微信视...

看雪论坛作者ID：有毒

#漏洞武器库 Nuclei的生态也太好了，开源的力量!!! CVE-2021-22049 POC n...

Cloudflare WAF 的引擎还是 backtraking，所以导致错误的正则写法产生回溯问题，最终 ReDos（正则表达式拒绝服务攻击）。它会导致计算量急剧的放大，使大量网站访问出现了 502。

使用BEACON 是勒索软件入侵的常见做法。虽然这一做法给溯源工作构成了挑战，但同时也为进一步检测提供了线索。

POCs to test Vlang in cybersecurity aspects.

timwhitez starred A-D-Team/SharpMemshell
Dec 2, 2021
A-D-Team/SharpMemshell
HttpListener shell in csharp.
C#
39 Updated Dec 2

timwhitez starred Ghost2097221/selfMimikatz
Dec 2, 2021
Ghost2097221/selfMimikatz
自不量力的mimikatz分离计划
C++
36 Updated Nov 28

timwhitez starred alexfrancow/offensive-vlang
Dec 2, 2021
alexfrancow/offensive-vlang
POCs to test Vlang in cybersecurity aspects.
V
9 Updated Aug 25

## 前言 如今，网络游戏用户需使用有效身份证件进行实名认证，才可保证流畅体验游戏。本文对去除实名认证弹窗进行研究，仅供学习使用。 ## 实名认证弹窗 进入某手游，首先需要注册一个账号...