Cybersecurity information flow

A clean information-feed tool, focused on the bits and pieces of the security community, surfacing quality content for security researchers every day.


Recent updates
Time Node
2024-05-24 13:53 Tencent Xuanwu Lab feed
This article focuses on the Null Session vulnerability and the MS-RPC interfaces that have been forgotten for 24 years. It explains the restrictions Microsoft placed on Null Session capabilities, how those policies and restrictions can be bypassed, and what this means for security researchers and penetration testers.
2024-05-24 13:53 Tencent Xuanwu Lab feed
Describes how macOS malware exploits CVE-2023-40424.
2024-05-24 13:53 Tencent Xuanwu Lab feed
Introduces a new tool, Frida-JIT-unPacker, developed to defeat the .NET protection used by a specific malware family.
2024-05-24 13:13 freebuf
Records a testing engagement involving an in-depth exchange with a school about campus culture and campus spirit.
2024-05-24 11:53 freebuf
To restore data access, the MorLock attackers demand a substantial ransom, which can reach tens of millions or even hundreds of millions of rubles.
2024-05-24 11:33 freebuf
To defend against such threats, Enea recommends monitoring traffic behaviour, inspecting URLs, and being wary of unexpected messages that contain links.
2024-05-24 11:13 GitHub watchlist
An In-memory Embedding of CPython
2024-05-24 11:13 GitHub watchlist
GUI exploitation tool for common Tomcat vulnerabilities: CVE-2017-12615 PUT file upload, tomcat-pass-getshell (weak-credential WAR deployment), weak-password brute forcing, and CVE-2020-1938 Tomcat AJP file read/inclusion.
2024-05-24 11:13 GitHub watchlist
The replication package of paper "Pre-training by Predicting Program Dependencies for Vulnerability Analysis Tasks"
2024-05-24 10:53 freebuf
In the networked era, artificial intelligence is being woven into every aspect of society at an astonishing pace, bringing many conveniences and opportunities but also raising new security risks and challenges.
2024-05-24 10:16 Well-known component CVE monitor
A new vulnerable component has been discovered. Component ID: ECShop
Ecshop 3.6 is vulnerable to Cross Site Scripting (XSS) via ecshop/article_cat.php.
2024-05-24 10:13 Butian community
This article mainly covers the use of the AJP smuggling vulnerability in real-world projects, together with an analysis of CVE-2023-46747.
2024-05-24 10:13 Butian community
In this article we study how jailbreak attacks are carried out against multimodal large language models.
2024-05-24 10:13 Weekly tech newsletter
...
At the Atushi Tianmen scenic area in Kashgar, Xinjiang, the hiking route consists entirely of plank walkways built onto the cliffs, a spectacular sight. (via)
OpenAI's library desks
OpenAI is currently the hottest, top-ranked AI company.
Most people have probably never seen the company's headquarters.
It occupies a small three-storey building in downtown San Francisco, formerly a food factory and later converted into offices.
The building is unremarkable, with no large signage outside; you would never guess that the most advanced artificial intelligence models in the world are being developed inside.
So what does it look like inside?
The New York Times
2024-05-24 10:13 freebuf
This is another case of exploiting OSS storage buckets. This time the entry point is a leaked STS credential that allowed arbitrary files in the bucket to be overwritten; because a JS file in the bucket is referenced from the official website's homepage, the impact was fairly severe ...
2024-05-24 10:13 freebuf
Cryptography is a means or method of preventing confidential information from being obtained by unauthorized parties; it relies mainly on some mathematical or physical transformation to perform encryption and decryption.
2024-05-24 08:13 freebuf
The recently surfaced Dispossessor ransomware shares many similarities with the notorious LockBit ransomware gang.
2024-05-24 06:13 blackhat
Published: 2024-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: Enterprise Security, Network Security. No attachments.
In the current era where many network appliances are built on Linux operating systems, strong and robust firmware security is a must. Historically, network devices struggled to implement everything securely. As a result, there is a big push to use both memory-safe languages, as well as achieve process isolation similar to that of hardened operating systems. Technologies like docker, k8s, and languages like golang are gaining adoption in the device firmware industry. But, they are not a cure-all.

In this talk, we will give an overview of network devices supply chain and how the firmware security looked before, and show the latest version of F5 BIG-IP platform, BIG-IP Next, which uses modern technology to be more secure. We will show how this approach did improve the security of the platform, compared to the previous versions. We will also show how it still managed to fall short on basic security h
2024-05-24 06:13 blackhat
Published: 2024-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: Cloud Security, Application Security: Offense. No attachments.
Integration Platforms for Workflow Automation (e.g., Microsoft Power Automate), Virtual Voice Assistants (e.g., Amazon Alexa), Smart Homes (e.g., Google Home), and Large Language Model (LLM) platforms supporting Plugins (e.g. OpenAI ChatGPT), are becoming essential in our personal and professional lives. However, we find many of these platforms vulnerable to a new class of authorization attacks.

As one of their core functions, integration platforms support "Account Linking" to connect end-users' accounts at third-party services/apps (e.g., Gmail, Dropbox) to their platform account. This enables the platform to utilize and orchestrate a wide range of external services on behalf of the end-user. For example, users can configure Microsoft Power Automate to automatically send an email whenever a new GitHub issue is filed. Multi-party authorizations are known to be error-prone and should have 
2024-05-24 06:13 blackhat
Published: 2024-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: Exploit Development & Vulnerability Discovery, Mobile. No attachments.
WebAssembly (WASM) is a high-performance compiled language that is assembly-like and executes at high speeds in the browser. It can also be extended to Cloud Native, Mobile, IoT, blockchain and other fields. WASM bytecode is first compiled into machine code by the compiler and then executed in the WASM virtual machine.

In our previous research [1], we discovered a number of security issues in the WASM compilation phase of the Safari browser. However, through analysis of these vulnerabilities, we found that most of them are difficult to exploit. The reason is that although they caused serious memory corruption during the compilation phase, it was limited by the "predefined code path", which restricted the method of using the bug to hijack the control flow. Fortunately, we found that the execution phase has a more flexible operating space than the compilation phase. Wrong compilatio
2024-05-24 06:13 blackhat
Published: 2024-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: AI, ML, & Data Science, Platform Security. No attachments.
Following the widespread adoption of AI, ML and LLMs, organizations are required to facilitate MLOps. The easiest way to streamline these processes is to deploy an open-source ML platform in the organization, such as MLflow, Kubeflow or Metaflow, which supports actions such as model building, training, evaluation, sharing, publishing and more.

Our talk will explain how MLOps platforms can become a gold mine for attackers seeking to penetrate the organization and move laterally within it - we will present an analysis of the six most popular OSS MLOps platforms, showing how each MLOps feature can be directly mapped to a real-world attack. We will demonstrate how server-side and client-side CVEs we discovered in multiple platforms can be used for infecting both the MLOps platform servers and their clients (data scientists and MLOps CI/CD machines).

Most importantly - we will illustrate ho
2024-05-24 06:13 blackhat
Published: 2024-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: Enterprise Security, Cloud Security. No attachments.
In my presentation, I will share a method to phish the phishing-resistant authentication mechanism, Windows Hello for Business (WHfB). Despite WHfB's design to provide secure authentication through cryptographic keys, my research uncovers a method that allows attackers to downgrade this secure method to a more vulnerable, phishable one.

My research reveals how attackers can intercept and modify POST requests to Microsoft's authentication services and manipulate the system into defaulting to a less secure authentication method. This is achieved by altering parameters such as User-Agent or isFidoSupported in the authentication request.

I will detail the exploitation process, showing how I have modified the EvilGinx framework to automate the attack, making it scalable. Furthermore, I will discuss mitigation strategies, specifically focusing on the implementation of conditional access policies 
2024-05-24 06:13 blackhat
Published: 2024-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: AI, ML, & Data Science. No attachments.
As LLMs are being integrated into more and more applications, security standards for these integrations have lagged behind. Most security research either focuses 1) on social harms, biases exhibited by LLMs, and other content moderation tasks, or 2) zooms in on the LLM itself and ignores the applications that are built around them. Investigating traditional security properties such as confidentiality, integrity, or availability for the entire integrated application has received less attention, yet in practice, we find that this is where the majority of non-transferable risk lies with LLM applications.

NVIDIA has implemented dozens of LLM powered applications, and the NVIDIA AI Red Team has helped secure all of them. We will present our practical findings around LLM security: what kinds of attacks are most common and most impactful, how to assess LLM integrations most effectively from a security perspective, and 
2024-05-24 06:13 hackone
Affected vendor: HackerOne Bounty: Severity: critical
"Insecure Direct Object Reference (IDOR) allows viewing private report details via the /bugs.json endpoint"
2024-05-24 06:13 hackone
Affected vendor: HackerOne (https://hackerone.com/security)
"Insecure Direct Object Reference (IDOR) allows viewing private report details via the "/bugs.json" endpoint."
2024-05-24 04:20 Github_POC
Secure Boot Security Feature Bypass Vulnerability
[GitHub]scripted CVE-2023-24932 mitigation guide
2024-05-24 04:19 Stories by SAFARAS K A on Medi
Recently, I discovered a few interesting SQL injections. I came across this while testing an ASP.NET application with an MS SQL Server database at the backend. This combination of technologies often produces a lot of interesting bugs. I don’t know if this is because of the complexity and lack of knowledge of the developer or the nature of these technologies. But perhaps both of them.
Discovering
But before I start to dig into the discovered SQL injections, I would like to show the process of discovering these bugs because I think it’s quite simple and interesting.
So while testing an ASP.NET application, I came across a JS file with a list of available API endpoints. It has more than five hundred different routes. Most of them accept POST requests with JSON payload. The application validates only expected fields from JSON data and ignores all others. So you can pass as many parameters as you wish.
I opened my BurpSuite and started proxying all requests. I visited each page and clicked all the buttons which I 
2024-05-24 04:18 Stories by SAFARAS K A on Medi
Web application firewalls are the most annoying when you know that there is a vulnerability out there! Usually, it's old, not really well-maintained websites, so in most cases, it's just easier to put a WAF on top of them. What if I told you that there is a way to bypass this layer of protection — I'm talking about finding the origin IP address as a method. We will explore multiple ways you can do it.
Firewall Basics
This is a basic diagram of how a firewall works:
The regular user sends requests through the firewall; the firewall checks whether the request is legitimate and passes it on to the server. The server then processes the request and sends the response back to the firewall, which forwards it to the client. It works this way because the origin server doesn't want to disclose its own IP to clients. On the other hand, a hacker (marked with a skull icon) doesn't want to go through the middleman and wants to reach the server directly. If, for example, yo