Daily Security News Push (04-02)

Tencent Security Xuanwu Lab Daily News

• Who Contains the Containers?: 
https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html

   ・ James Forshaw: the motivation, process, and some insights from security research on Windows Server Containers. – potato


• Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow: 
https://ysamm.com/?p=646

   ・ An incomplete path check on fallback_redirect_uri in Facebook's OAuth authentication allowed Facebook and Instagram accounts to be maliciously taken over. – potato


• [PDF] https://syed-rafiul-hussain.github.io/wp-content/uploads/2021/03/ProChecker.pdf: 
https://syed-rafiul-hussain.github.io/wp-content/uploads/2021/03/ProChecker.pdf

   ・ ProChecker: a security and privacy framework for automated analysis of the 4G LTE protocol. – potato


• nOtWASP bottom 10: vulnerabilities that make you cry: 
https://portswigger.net/research/notwasp-bottom-10-vulnerabilities-that-make-you-cry

   ・ Michael Stepankin: the nOtWASP top ten vulnerabilities that leave you not knowing whether to laugh or cry. – potato


• Executing Shellcode via Callbacks: 
https://osandamalith.com/2021/04/01/executing-shellcode-via-callbacks/

   ・ Through function-pointer callbacks, many Win32 APIs can be used to execute shellcode. – potato


• Facebook account takeover due to a wide platform bug in ajaxpipe responses: 
https://ysamm.com/?p=654

   ・ When the ajaxpipe or quickling parameter is added to a request to any Facebook site, the erroneous response may allow Facebook's access_token to be maliciously taken over. – potato


• [Tools, macOS] MacOS Kernel, How Good Is This Apple?: 
https://www.viva64.com/en/b/0818/

   ・ A discussion of macOS kernel security. – lanying37


• Resources: 
https://github.com/waleedassar/CVE-2021-24098

   ・ POC for CVE-2021-24098, a denial-of-service vulnerability in the Windows console driver. – potato


• Zero click vulnerability in Apple’s macOS Mail: 
https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c

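   ・ Mikko Kenttälä: a zero-interaction vulnerability in macOS Mail. Because symbolic links are not correctly removed, automatic decompression of attachments makes it possible to add or modify arbitrary files within Mail.app's sandbox environment. – potato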


* To view or search past pushes, visit: 
https://sec.today

* Sina Weibo account: Tencent Xuanwu Lab 
https://weibo.com/xuanwulab


This article was first published on the WeChat official account (Tencent Xuanwu Lab): Daily Security News Push (04-02)
