Cybersecurity information flow

A clean information-flow push tool, focused on the bits and pieces of the security community, surfacing quality content for security researchers every day.


All nodes
Time  Node
2024-04-20 14:32 wohin
Preface
This is the eighth lab of the NJU Software Analysis course. It requires implementing taint analysis on top of lab A6 (context-sensitive interprocedural pointer analysis). See the official website for the detailed lab description. The main course material involved is:
NJU Software Analysis course notes | 13 Applications of static analysis to security.
The lab description contains many details that were not covered in class and has to be read carefully. The overall implementation strategy is as follows:
Add the handling of sources and of the taint transfer rules at the point where the original pointer analysis processes invoke statements.
Rely on the original pointer-analysis workflow for the ordinary propagation of "taint as a normal object".
After the pointer analysis finishes, implement the sink rule in the collectTaintFlows method (generating the TaintFlows).
My first implementation passed all local tests except the StringAppend.java case and found 23 of the 29 taint flows across all test cases on the OJ platform, but for a long time I could not tell where the problem was. After more than a day of debugging (the workouts, rest, and poetry exchanges with Prof. Peng in between played an important role!), I finally found that the problem was in taint propagation; details follow later. In the end my code passed all test cases on the OJ platform with zero FPs and zero FNs. Of course, that does not prove the code is fully correct; at the very least, my code does not actively consider changes of the taint's type (such as StringBuilder to String).
Sources, sinks and taint transfer rules
The rules for generating sources and sinks are fairly simple:

Type            Statement                  Rule (context c)
Call (Source)   l: r = x.k(a1, ..., an)
Call (Sink)     l: r = x.k(a1, ..., an)

Besides ordinary object propagation, taint propagation also includes propagation through invoke statements, because the analysis knows nothing about the semantics of the APIs being called; these transfer rules have to be supplied directly. The lab manual gives three transfer rules, which are easy to understand:

Type                    Statement                  Rule (context c)
Call (base-to-result)   l: r = x.k(a1, ..., an)
Call (arg-to-base)      l: r = x.k(a1, ..., an)
Call (arg-to-result)    l: r = x.k(a1, ..., an)
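A worked model of the source rule, the sink rule and the three transfer rules above, as an added example that is not Tai-e code and not the lab's solution: a small flow-insensitive, context-insensitive solver run over a constructed program. The class and method names, the configuration, the program, and the assumption that every taint object is re-typed to the declared type of its new holder (so StringBuilder taint becomes String taint at toString) are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

# Added example: a small context-insensitive, flow-insensitive model of the
# lab's taint rules.  Not Tai-e code; every name below is the example's own.
# Assumption: a taint object carries the declared type of the variable holding
# it and is re-typed on every transfer, so StringBuilder taint becomes String
# taint at sb.toString().

@dataclass(frozen=True)
class Taint:
    source: str   # label of the source call site that created this taint
    type: str     # declared type of the variable currently holding it

@dataclass
class Call:
    """l: r = x.k(a1, ..., an); base is None for static calls, result is None
    when the return value is discarded."""
    label: str
    result: Optional[str]
    base: Optional[str]
    method: str
    args: List[str]

@dataclass
class Assign:
    """x = y: the ordinary object flow that the pointer analysis already handles."""
    lhs: str
    rhs: str

Endpoint = Union[str, int]   # "base", "result", or an argument index

@dataclass
class TaintConfig:
    sources: Dict[str, str]                                # method -> taint type
    sinks: Set[Tuple[str, int]]                            # (method, arg index)
    transfers: Dict[str, List[Tuple[Endpoint, Endpoint]]]  # method -> [(from, to)]

class TaintSolver:
    def __init__(self, stmts, cfg: TaintConfig, var_types: Dict[str, str]):
        self.stmts, self.cfg, self.var_types = stmts, cfg, var_types
        self.pts: Dict[str, Set[Taint]] = defaultdict(set)   # var -> taint objects

    @staticmethod
    def _slot(c: Call, ep: Endpoint) -> Optional[str]:
        if ep == "base":
            return c.base
        if ep == "result":
            return c.result
        return c.args[ep] if isinstance(ep, int) and ep < len(c.args) else None

    def _retype(self, taints: Set[Taint], holder: str) -> Set[Taint]:
        # the taint keeps its source but takes the declared type of its new holder
        return {Taint(t.source, self.var_types.get(holder, t.type)) for t in taints}

    def _add(self, var: str, taints: Set[Taint]) -> bool:
        before = len(self.pts[var])
        self.pts[var] |= taints
        return len(self.pts[var]) != before

    def solve(self) -> "TaintSolver":
        changed = True
        while changed:                                  # iterate to a fixpoint
            changed = False
            for s in self.stmts:
                if isinstance(s, Assign):
                    changed |= self._add(s.lhs, self._retype(self.pts[s.rhs], s.lhs))
                    continue
                if s.method in self.cfg.sources and s.result is not None:  # source rule
                    changed |= self._add(s.result, {Taint(s.label, self.cfg.sources[s.method])})
                for frm, to in self.cfg.transfers.get(s.method, []):       # transfer rules
                    src, dst = self._slot(s, frm), self._slot(s, to)
                    if src is not None and dst is not None:
                        changed |= self._add(dst, self._retype(self.pts[src], dst))
        return self

    def collect_taint_flows(self) -> Set[Tuple[str, str, int]]:
        """Sink rule, applied after the fixpoint: (source label, sink label, arg index)."""
        flows: Set[Tuple[str, str, int]] = set()
        for s in self.stmts:
            if isinstance(s, Call):
                for i, a in enumerate(s.args):
                    if (s.method, i) in self.cfg.sinks:
                        flows |= {(t.source, s.label, i) for t in self.pts[a]}
        return flows

# Constructed configuration and program (not the lab's test cases).
CONFIG = TaintConfig(
    sources={"getParameter": "String"},
    sinks={("exec", 0)},
    transfers={
        "append":   [(0, "base"), ("base", "result")],    # arg-to-base, base-to-result
        "toString": [("base", "result")],                 # base-to-result
        "concat":   [("base", "result"), (0, "result")],  # base-to-result, arg-to-result
    },
)
VAR_TYPES = {"s": "String", "sb": "StringBuilder", "sb2": "StringBuilder",
             "out": "String", "t": "String", "clean": "String", "u": "String"}
PROGRAM = [
    Call("l1", "s", "req", "getParameter", ["name"]),   # source
    Call("l2", "sb2", "sb", "append", ["s"]),           # sb now holds StringBuilder taint
    Call("l3", "out", "sb", "toString", []),            # out holds String taint again
    Call("l4", None, "rt", "exec", ["out"]),            # sink: flow (l1, l4, 0)
    Call("l5", None, "rt", "exec", ["clean"]),          # sink on an untainted arg: no flow
    Call("l6", "t", "clean", "concat", ["s"]),          # arg-to-result from arg 0
    Assign("u", "t"),                                   # ordinary propagation
    Call("l7", None, "rt", "exec", ["u"]),              # sink: flow (l1, l7, 0)
]

def run_example() -> TaintSolver:
    return TaintSolver(PROGRAM, CONFIG, VAR_TYPES).solve()

if __name__ == "__main__":
    for flow in sorted(run_example().collect_taint_flows()):
        print(flow)
```

Ordinary propagation is modelled here by Assign; in the lab that work is done by the existing pointer analysis, with taint objects riding along as normal objects, which is why only the invoke rules and collectTaintFlows need new code.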
First implementation
Solver.java
StmtProcessor
When handling static method invocations, add the handling of sources and of the taint transfer rules:
private class StmtProcessor implements StmtVisitor<Void> { // .
2024-04-20 03:40 Github_POC
A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.
[GitHub]Extract useful information from PANOS support file for CVE-2024-3400
2024-04-19 23:41 LABS_Tech Blog
Bishop Fox shares limited details about mitigation bypasses for PAN-OS CVE-2024-3400 in an effort to be maximally useful for defenders, while minimally useful for opportunistic attackers.
2024-04-19 22:01 Github_POC
[GitHub]Finding Palo Alto devices vulnerable to CVE-2024-3400. (Same PAN-OS GlobalProtect command injection description as the 2024-04-20 03:40 entry above.)
2024-04-19 21:39 Trustwave Blog
Clients often conflate Offensive Security with penetration testing, yet they serve distinct purposes within cybersecurity. Offensive Security is a broad term encompassing strategies to protect against cyber threats, while penetration testing is a specific activity where security teams test system vulnerabilities.
2024-04-19 19:01 NSFOCUS Tech Blog
I. Preface. This report surveys what we observed from early July 2022 to the end of January 2023 in consumer networks protected by CUJO AI regarding IoT
2024-04-19 15:36 Data Breach – Security Affairs
The United Nations Development Programme (UNDP) is investigating an alleged ransomware attack that resulted in data theft. UNDP is a United Nations agency tasked with helping countries eliminate poverty and achieve sustainable economic growth and human development. The […]
2024-04-19 14:01 NSFOCUS Tech Blog
RSA Conference 2024 officially opens on May 6. Known as the "Oscars of the security community", the RSAC Innovation Sandbox (In
2024-04-19 13:40 NSFOCUS Tech Blog
Check whether the current CPU supports Intel PT
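Two ways to perform that check on Linux, as an added example that is not code from the NSFOCUS post: parsing the intel_pt flag out of /proc/cpuinfo text, and looking for the intel_pt perf PMU under /sys/bus/event_source/devices. The function names, the result dictionary and the sample cpuinfo text are the example's own.

```python
import os
import re
from typing import Optional

# Added example, not from the NSFOCUS post.  Two independent checks for Intel
# Processor Trace on Linux: the 'intel_pt' cpuinfo flag, which the kernel sets
# from CPUID.(EAX=7,ECX=0):EBX bit 25, and the intel_pt PMU that perf uses,
# which only exists when the kernel driver is present and enabled.  Inputs are
# parameters so the functions can be exercised on constructed data.


def has_intel_pt_flag(cpuinfo_text: str) -> bool:
    """True if the first 'flags' line in cpuinfo_text lists intel_pt."""
    for line in cpuinfo_text.splitlines():
        if re.match(r"^flags\s*:", line):
            return "intel_pt" in line.split(":", 1)[1].split()
    return False


def intel_pt_pmu_type(sysdir: str = "/sys/bus/event_source/devices") -> Optional[int]:
    """The perf PMU type number of intel_pt, or None if the PMU is not registered."""
    try:
        with open(os.path.join(sysdir, "intel_pt", "type")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def check_intel_pt(cpuinfo_path: str = "/proc/cpuinfo",
                   sysdir: str = "/sys/bus/event_source/devices") -> dict:
    """Combine both checks; 'usable' means the CPU advertises PT and perf can drive it."""
    try:
        with open(cpuinfo_path) as f:
            cpu_flag = has_intel_pt_flag(f.read())
    except OSError:
        cpu_flag = False
    pmu = intel_pt_pmu_type(sysdir)
    return {"cpu_flag": cpu_flag, "pmu_type": pmu, "usable": cpu_flag and pmu is not None}


# Constructed cpuinfo excerpt (not captured from a real machine).
SAMPLE_CPUINFO = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme intel_pt sse\n"

if __name__ == "__main__":
    print("sample text:", has_intel_pt_flag(SAMPLE_CPUINFO))
    print("this host:", check_intel_pt())
```

The cpuinfo flag alone is not enough: a hypervisor may hide PT, or the kernel may lack the driver, in which case the PMU directory is absent and perf cannot record traces.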
2024-04-19 13:40 NSFOCUS Tech Blog
NSFOCUS CERT recently observed that Palo Alto Networks published a security advisory fixing a command injection vulnerability in PAN-OS (CVE-2024-3400).
2024-04-19 13:40 NSFOCUS Tech Blog
NSFOCUS CERT recently observed that Oracle published a security advisory fixing two information disclosure vulnerabilities in Oracle WebLogic Server (CVE-2024-21006/CVE-2024-21007).
2024-04-19 12:31 Github_POC
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
[GitHub]Script that exploits the vulnerability that allows remote code execution in Ruby 2.3.8 with CVE-2016-2098
2024-04-19 12:31 Github_POC
UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.
[GitHub]Script that exploits the vulnerability that allows establishing a backdoor in the UnrealIRCd service with CVE-2010-2075
2024-04-19 12:31 Github_POC
[GitHub]CVE-2024-3400 POC written in Rust and Python (Same PAN-OS GlobalProtect command injection description as the 2024-04-20 03:40 entry above.)
2024-04-19 11:35 Microsoft Security Blog
We are excited to announce new Zero Trust activity-level guidance for implementing the Department of Defense Zero Trust Strategy with Microsoft cloud services.
The post New Microsoft guidance for the DoD Zero Trust Strategy appeared first on Microsoft Security Blog.
2024-04-19 11:35 Microsoft Security Blog
Microsoft recently uncovered an attack that exploits new critical vulnerabilities in OpenMetadata to gain access to Kubernetes workloads and leverage them for cryptomining activity.
The post Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters appeared first on Microsoft Security Blog.
2024-04-19 04:02 Github_POC
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.
[GitHub]XZ Utils CVE-2024-3094 POC for Kubernetes
2024-04-19 04:02 Github_POC
[GitHub]EDL for IPs attacking customers with CVE-2024-3400 (Same PAN-OS GlobalProtect command injection description as the 2024-04-20 03:40 entry above.)
2024-04-19 04:02 Github_POC
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
[GitHub]Python3 RCE PoC for CVE-2021-26084
2024-04-19 04:01 Github_POC
[GitHub]Simple Python code to check for arbitrary uploading (Same PAN-OS GlobalProtect command injection description as the 2024-04-20 03:40 entry above.)
2024-04-19 04:01 Github_POC
[GitHub]Python script to check Palo Alto firewalls for CVE-2024-3400 exploit attempts (Same PAN-OS GlobalProtect command injection description as the 2024-04-20 03:40 entry above.)
2024-04-19 04:01 Github_POC
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
[GitHub]Script that exploits the vulnerability of the ProFTPD 1.3.5 service with CVE-2015-3306
2024-04-19 02:02 googleprojectzero
Posted by Mateusz Jurczyk, Google Project Zero
In the 20-month period between May 2022 and December 2023, I thoroughly audited the Windows Registry in search of local privilege escalation bugs. It all started unexpectedly: I was in the process of developing a coverage-based Windows kernel fuzzer based on the Bochs x86 emulator (one of my favorite tools for security research: see Bochspwn, Bochspwn Reloaded, and my earlier font fuzzing infrastructure), and needed some binary formats to test it on. My first pick were PE files: they are very popular in the Windows environment, which makes it easy to create an initial corpus of input samples, and a basic fuzzing harness is equally easy to develop with just a single GetFileVersionInfoSizeW API call. The test was successful: even though I had previously fuzzed PE files in 2019, the new element of code coverage guidance allowed me to discover a completely new bug: issue #2281.
For my next target, I chose the Windows registry. That's because arbitrary registry hives 
2024-04-19 02:02 googleprojectzero
Posted by Mateusz Jurczyk, Google Project Zero
Before diving into the low-level security aspects of the registry, it is important to understand its role in the operating system and a bit of history behind it. In essence, the registry is a hierarchical database made of named "keys" and "values", used by Windows and applications to store a variety of settings and configuration data. It is represented by a tree structure, in which keys may have one or more sub-keys, and every subkey is associated with exactly one parent key. Furthermore, every key may also contain one or more values, which have a type (integer, string, binary blob etc.) and are used to store actual data in the registry. Every key can be uniquely identified by its name and the names of all of its ascendants separated by the special backslash character ('\'), and starting with the name of one of the top-level keys (HKEY_LOCAL_MACHINE, HKEY_USERS, etc.). For example, a full registry path may look like this: HKEY_CURRENT_USER\Software\Microsoft\Wind
2024-04-19 01:16 Black Hills Information Securi
This article originally featured in the very first issue of our PROMPT# zine — Choose Wisely. You can find that issue (and all the others) here: https://www.blackhillsinfosec.com/prompt-zine/ I remember a […]
The post Red Teaming: A Story From the Trenches appeared first on Black Hills Information Security.
2024-04-19 00:12 Packet Storm
Red Hat Security Advisory 2024-1876-03 - An update for shim is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include buffer overflow, bypass, integer overflow, and out of bounds read vulnerabilities.
2024-04-19 00:12 Packet Storm
Red Hat Security Advisory 2024-1877-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include denial of service, information leakage, null pointer, and use-after-free vulnerabilities.
2024-04-19 00:12 Packet Storm
Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security and operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, CRLF injection, denial of service, and traversal vulnerabilities.
2024-04-19 00:12 Packet Storm
Red Hat Security Advisory 2024-1879-03 - An update for gnutls is now available for Red Hat Enterprise Linux 9. Issues addressed include an information leakage vulnerability.
2024-04-19 00:12 Packet Storm
Red Hat Security Advisory 2024-1880-03 - An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include denial of service and privilege escalation vulnerabilities.