Cybersecurity information flow

RSAC 2024创新沙盒解读：Dropzone AI

RSAC 2024创新沙盒解读：Reality Defender

[GitHub]This repository is a proof of vulnerability for CVE-2024-33339

" [GitHub] 此仓库是证明CVE-2024-33339漏洞的证据。"

A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to disclose sensitive data.
[GitHub]Tool for finding CVE-2021-42063

" 在SAP知识仓库版本7.30、7.31、7.40和7.50中，发现了一个安全漏洞。在Web浏览器中使用某个SAP KW组件，可能导致未经授权的攻击者实施跨站脚本（XSS）攻击，从而泄露敏感数据。\n[GitHub]用于查找CVE-2021-42063的工具有效。"

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.
[GitHub]Exploit for GlobalProtect CVE-2024-3400

" 全球保护（GlobalProtect）功能中存在一个命令注入漏洞，特定版本的PAN-OS软件及独特功能配置可能使未经身份验证的攻击者能够在防火墙上以root权限执行任意代码。针对PAN-OS 10.2、PAN-OS 11.0和PAN-OS 11.1的修复措施正在开发中，预计将于2024年4月14日发布。云NGFW、Panorama设备和服务器版Prisma Access不受此漏洞影响。所有其他版本的PAN-OS同样不受影响。\n\n[GitHub] 全球保护（CVE-2024-3400）利用代码"

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
[GitHub]This repository contains a proof of concept about the exploitation of the aiohttp library for the reported vulnerability CVE-2024-23334.

" aiohttp是一个用于asyncio和Python的非同步HTTP客户端/服务器框架。当使用aiohttp作为Web服务器并配置静态路由时，需要指定静态文件的根路径。此外，可以使用'follow_symlinks'选项来确定是否跟随静态根目录外的符号链接。当'follow_symlinks'

Topic: fvgfl - SQL Injection vulnerability Risk: Medium Text:********************************************************* #Exploit Title: fvgfl - SQL Injection vulnerability #Date: 2024-04-...

Topic: GitLens Git Local Configuration Execution Risk: High Text:## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-...

" 主题：GitLens Git 本地配置执行风险：高\n\n文本：## # 此模块需要 Metasploit：https://metasploit.com/download\n# 当前来源：https://github.com/rapid7/metasploit-framework\n\n话题：GitLens\n风险等级：高\n\n原文：## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework\n\n翻译：\n## # 此模块需要 Metasploit 支持：https://metasploit.com/download\n# 当前源代码：https://github.com/rapid7/metasploit-framework\n\n话题：GitLens\n风险等级：高"

Topic: Positron Broadcast Signal Processor TRA7005 v1.20 Authentication Bypass Risk: High Text:# Exploit Title: Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass # Author: LiquidWorm # Vendor: Pos...

" 主题：Positron广播信号处理器TRA7005 v1.20绕过认证风险：高\n\n文本：# 漏洞名称：Positron广播信号处理器TRA7005 v1.20 - 绕过认证\n# 作者：LiquidWorm\n# 供应商：Pos...\n\n翻译：\n主题：Positron广播信号处理器TRA7005 v1.20绕过认证风险较高\n\n内容：# 漏洞名称：Positron广播信号处理器TRA7005 v1.20 - 绕过认证\n# 作者：LiquidWorm\n# 供应商：Positron..."

Threat actors accessed more than 19,000 online accounts on a California state platform for welfare programs. Threat actors breached over 19,000 online accounts on a California state platform dedicated to welfare programs. Officials reported that the security breach occurred on February 9, when someone logged into some BenefitsCal users’ accounts. Threat actors exploited reused passwords […]

" 威胁参与者访问了加利福尼亚州福利计划平台上的超过19,000个在线账户。威胁参与者侵入了加利福尼亚州专门用于福利计划的平台上超过19,000个在线账户。官员们报告称，安全漏洞发生在2月9日，当时有人登录了部分福利加州（BenefitsCal）用户的账户。威胁参与者利用了重复使用的密码 […]"

作为一个安服仔，代码审计是一项必备的技能。说好听点是 code review，说直白点就是看代码。说起代码审计这件事，大家都比较关注 source、sink、漏洞模式，而对于代码审计的工具却谈及甚少。因此，本文就来抛砖引玉，谈谈笔者自己的经验。
写在前面
看代码和写代码有很大的一点不同，后者通常对于准确的代码补全是刚需，而看代码往往只需要跳转定义、交叉引用等一些基本功能。对于大部分人而言，看代码和写代码的一个相同之处就是使用 IDE 来看。
具体代码审计的习惯往往是因人而异的。有的人喜欢用 JetBrains 看，有的人喜欢用 VSCode 看，有的人喜欢用 SourceInsight 看，还有的人喜欢用 Notepad++ 来看。
此外，有一些通过本地构建代码索引并从浏览器阅读代码的方案，比如：
https://github.com/oracle/opengrok
https://github.com/livegrep/livegrep
而对于一些大型的代码工程，通常官方或者社区也构建了一些在线的代码阅读网站，比如：
https://cs.android.com/ - Google Android 源码
https://source.chromium.org/chromium - Google Chrome 源码
http://aospxref.com/ - Android 源码，基于 opengrok
https://elixir.bootlin.com/linux/latest/source - Linux 源码
各种阅读代码的方法都有它们的优点，笔者大部分也都尝试过，但大部分时间还是喜欢用 VIM 来看。即便切换到其他 IDE，也习惯性先装个 VIM Binding 插件，总感觉不用 HJKL 移动就难受。
虽然笔者是 VIM 爱好者，但并不排斥其他的 IDE。对于一些依赖完整的项目，比如 Java Maven 工程，也会优先使用 IDEA 去进行阅读，充分利用现代 IDE 的语言支持。
示例
VIM 的好处在于其本身只是一个文本编辑器，而不是完整的 IDE。很多时候我们审计的代码只是一些零散的 Broken Code，比如泄露的 iBoot 源码、某些 Jar 包反编译出来的代码等，面对这些代码很多 IDE 都无法做到完整的语言支持，进而也退化成了一个只能依赖 Ctrl+F 的文本编辑器，既然如此还不如

Disk Group Privilege Escalation is a complex attack method targeting vulnerabilities or misconfigurations within the disk group management system of Linux environments. Attackers might focus
The post Disk Group Privilege Escalation appeared first on Hacking Articles.

" 磁盘组权限提升是一种复杂的攻击方法，针对的是Linux环境中的磁盘组管理系统中的漏洞或配置错误。攻击者可能会集中精力利用这种漏洞，通过执行特定操作来提升自己在磁盘组中的权限，从而进一步控制系统。该篇论文首次出现在Hacking Articles网站上。"

A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php
[GitHub]The sqlmap payload to exploit CVE-2023-40931

" Nagios XI从版本5.11.0一直到包括5.11.1版本存在SQL注入漏洞， authenticated攻击者可以通过POST请求中ID参数执行任意SQL命令，请求路径为/nagiosxi/admin/banner_message-ajaxhelper.php。\n[GitHub]针对CVE-2023-40931的sqlmap载荷利用示例"

A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function.
[GitHub]The sqlmap payload to exploit CVE-2023-40933

" Nagios XI v5.11.1及以下版本中存在SQL注入漏洞，具有公告横幅配置权限的认证攻击者可以通过发送给update_banner_message()函数的ID参数执行任意SQL命令。\n[GitHub]利用CVE-2023-40933的sqlmap载荷"

tl;dr Clang 19 will remove the -mrelax-all default at-O0, significantly decreasing the text section size forx86.
Span-dependent instructions
In assembly languages, some instructions with an immediate operandcan be encoded in two (or more) forms with different sizes. On x86-64, adirect JMP/JCC can be encoded either in 2 bytes with a 8-bit relativeoffset or 6 bytes with a 32-bit relative offset. A short jump ispreferred because it takes less space. However, when the target of thejump is too far away (out of range for a 8-bit relative offset), a nearjump must be used.
1
2
3
4

ja foo # jump short if above, 77 <rel8>
ja foo # jump near if above, 0f 87 <rel32>
.nops 126
foo: ret

A 1978 paper by Thomas G. Szymanski ("Assembling Code forMachines with Span-Dependent Instructions") used the term"span-dependent instructions" to refer to such instructions with shortand long forms. Assemblers grapple with the challenge of choosing theoptimal size for these instructions, often referred to as the "branchdisplacement probl

Windows Kernel Elevation of Privilege Vulnerability
[GitHub]Proof-of-Concept for CVE-2024-21345

" Windows内核权限提升漏洞\n[GitHub] CVE-2024-21345概念验证"

Windows Kernel Elevation of Privilege Vulnerability
[GitHub]Proof-of-Concept for CVE-2024-26218

" Windows内核权限提升漏洞\n[GitHub] CVE-2024-26218概念验证"

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
[GitHub]Explore CVE-2022-41741 with the Evil MP4 repository. It offers educational PoCs, mitigation strategies, and detailed documentation on securing nginx against MP4 file vulnerabilities. For legal, ethical security testing only.

" NGINX 开源版本 1.23.2 之前和 1.22.1 之前，NGINX 开源订阅版本 R2 P1 之前和 R1 P1 之前，以及 NGINX Plus 版本 R27 P1 之前和 R26 P1 之前，模

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. For more details, please review the linked advisory on this CVE.
[GitHub]NSE script for checking the presence of CVE-2023-22515

" Atlassian已经注意到一些客户报告的一个问题，即外部攻击者可能利用了公开可访问的Confluence数据中心和服务器实例中 previously unknown 的一个漏洞，创建了未经授权的Confluence管理员账户并访问了Confluence实例。Atlassian Cloud站点不受此漏洞的影响。如果您的Confluence站点通过atlassian.net域名访问，那么它由Atlassian托管，不会受到此问题的影响。更多关于此漏洞的详细信息，请查看与此CVE链接的咨询文件。\n[GitHub]用于检查CVE-2023-22515存在的NSE脚本"

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.  Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
[GitHub]activemq-rce-cve-2023-46604

" Apache ActiveMQ存在远程代码执行漏洞。该漏洞可能允许具有网络访问权的远程攻击者通过操纵OpenWire协议中的序列化类类型来运行任意shell命令，从而导致代理 instantiate 类路径上的任何类。建议用户升级到版本5.15.16、5.16.7、5.17.6或5.18.3，以修复此问题。\n[GitHub]activemq-rce-cve-2023-46604"

Red Hat Security Advisory 2024-1887-03 - Red Hat OpenShift Container Platform release 4.15.10 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

" 红帽安全公告2024-1887-03：红帽OpenShift容器平台4.15.10版本已发布，此版本包含 packages 和 images 的更新，修复了多个 bug 并添加了功能增强。解决的问题包括服务拒绝漏洞。"

Red Hat Security Advisory 2024-1892-03 - Red Hat OpenShift Container Platform release 4.15.10 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

" 红帽安全公告2024-1892-03：红帽OpenShift容器平台4.15.10版本已发布，此版本包含 packages 和 images 的更新，修复了多个 bug 并添加了功能增强。解决的问题包括服务拒绝漏洞。"

Red Hat Security Advisory 2024-1896-03 - Red Hat OpenShift Container Platform release 4.12.56 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

" 红帽安全公告2024-1896-03：红帽OpenShift容器平台4.12.56版本已发布，此版本包含 packages 和 images 的更新，修复了多个 bug 并添加了功能增强。解决的问题包括服务拒绝和遍历漏洞。"

Red Hat Security Advisory 2024-1899-03 - Red Hat OpenShift Container Platform release 4.12.56 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

" 红帽安全公告2024-1899-03：红帽OpenShift容器平台4.12.56版本已发布，此版本包含 packages 和 images 的更新，修复了多个 bug 并添加了功能增强。解决的问题包括服务拒绝漏洞。"

Red Hat Security Advisory 2024-2062-03 - An update is now available for Service Telemetry Framework 1.5.4 for RHEL 9. Issues addressed include a denial of service vulnerability.

" 红帽安全公告2024-2062-03 - 现已为RHEL 9的Service Telemetry Framework 1.5.4提供更新。解决的问题包括服务拒绝漏洞。"

Red Hat Security Advisory 2024-2063-03 - An update for yajl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

" 红帽安全公告2024-2063-03 - 现已为红帽企业Linux 8.6扩展更新支持提供yajl更新。解决的问题包括缓冲区溢出、整数溢出和内存泄漏漏洞。"