Aggregator
Congratulations to 2020 Akamai Partners of the Year
3 years 11 months ago
Last year proved to be a year like no other. We faced unforeseen challenges, including adjusting to a new way of working, collaborating, and conducting business. It is an honor for me to announce the Akamai Partners of the Year for 2020 who went above and beyond in this tumultuous year. These awards recognize Akamai Partner Program (APP) partners that consistently delivered significant sales successes, innovative solution partnerships, and unequaled service levels as they adapted to the new norm of digital transformation.
Micheal McCollough
Sustainability at Akamai: An Efficient Platform Powered by Energy Aggregation
3 years 11 months ago
If I had a dollar for every time I heard ?unprecedented? in 2020, I could fund a clean energy project myself. And while we're tired of hearing this term, it's true amid the pandemic, U.S. presidential election, social justice movements, finalization of Brexit, and many other new and life-changing events that took place this past year.
Mike Mattera
扯扯ATT&CK和机器学习
3 years 11 months ago
机器学习这件事目前业内的共识是,写PPT的时候一定要写上。大家也一定要纷纷称赞这个事情的高妙之处,给我们带来了巨大的价值。你要是真问具体哪几个场景,解决了哪几个问题,误报漏报是啥情况,你投入了多少人力进行运营,就开始语焉不详
Survivorship Bias and Red Teaming
3 years 11 months ago
Survivorship bias is an interesting thing that we can observe nearly daily. It is the success stories of exponentially growing startups, the motivational speaker who shares their insights on how to be successful and so forth.
What is it exactly?
What is survivorship bias? Wikipedia defines it as “…the logical error of concentrating on the people or things that made it past some selection process and overlooking those that did not, typically because of their lack of visibility.
Red Team Tools Reveal Gaps in Vulnerability Management Practice
3 years 11 months ago
FireEye tools show attackers aren’t worried about your defenses.
Streaming Traffic Peaks During Biden Inauguration
3 years 11 months ago
Live news streaming traffic during the Biden inauguration ceremony on January 20 peaked at 12 Tbps on the Akamai Intelligent Edge Platform. The peak, which occurred as now-President Biden was taking the oath of office just before 12 PM ET, is roughly 8x higher than what we typically see for mid-day traffic on a weekday. However, it's still less than the 18 Tbps we observed during 2020 election night on November 3.
Harish Menon
Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys
3 years 11 months ago
This is the fifth in a multi-part series on cryptography and the Domain Name System (DNS). In my last article, I described efforts underway to standardize new cryptographic algorithms that are designed to be less vulnerable to potential future advances in quantum computing. I also reviewed operational challenges to be considered when adding new algorithms […]
The post Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys appeared first on Verisign Blog.
Burt Kaliski
Packer-Fuzzer漏扫工具RCE 0day(当前已被官方修复)
3 years 11 months ago
0x00关于本文今天朋友丢我一个授权测试的站,那个站用vue写的前端,因此前端js包含了所有的接口。而另一方面整个前端就一个登录框堵在那儿,因此翻js几乎成了唯一的思路。翻着翻着,我烦了,于是估摸着网上已经有前辈们写出了专门针对webpack的扫描工具,一搜就搜到了Packer-Fuzzer(https://github.com/rtcatc/Packer-Fuzzer)当我浏览这个工具的介绍的时候,我注意到了这句话“本工具将会通过PyExecJS运行原生NodeJS代码,故我们推荐您安装NodeJS环境”
看到这句话我一下就警觉起来,毕竟nodejs是可以执行命令的,而相关的安全问题已经让蚁剑翻过车了(https://xz.aliyun.com/t/8167),于是一瞬改变目标开始研究这个工具,并且挖掘出了RCE
当前漏洞已经被官方修复,并且奖励800(由于我Twitter上提前公开了漏洞导致高危->中危)本文将会从分析者的角度分析漏洞
0x01定位js执行点简单搜索execjs就可以找到执行点,位置在Recoversplit.py的57行
0x02 防护绕过作者在写这个代码的时候也意识到了被反打的可能性(“防止黑吃黑被命令执行”),所以当js出现了exec和spawn的时候就不会执行,但是这样的简单的防护几乎是没有用的。且不说nodejs沙箱逃逸已经被师傅们玩出花来了,单是这里eval没有过滤掉就可以通过字符串拼接或者url编码的方式绕过这个限制比如说这里就用了url编码了能弹出计算器的payload,解码并eval之后就能弹出计算器
0x03 调用分析那么这个执行点是怎么被调用到的呢看了下代码,发现执行点在RecoverSplit类的jsCodeCompile里,这个函数被同一个类的checkCodeSpilting调用,而checkCodeSpilting又被这个类的recoverStart调用,recoverStart被Project类的parseStart调用,而parseStart,而再往前追溯就是命令参数处理之类乱七八糟的地方了知道了这些东西之后,我们就可以根据它的调用一步一步走,一点一点写出RCE的POC了
0x04 如何进入recoverStart函数?让程序相信这个网站使用了webpack我们看到这个parseStart长这样发现如果想要让程序调用recoverStart,就需要让前面的checkStart返回1或者777,这里的checkStart的意思是检查网站是否真的用了webpack技术,如果真的用了才继续扫描下去
checkStart调用了checkHTML,如果能让checkHTML返回1就可以让checkStart返回1跟过去看一下
发现如果返回的html包含了fingerprint_html的某一项就返回1
在fingerprint_html中看到了这些片段,可以知道,只需要在html里面包含其中的任意一个片段就可以让扫描器相信网站使用了webpack技术
因此在POC的html中,我加入了<noscript>naive!</noscript>来骗过扫描器
0x04 如何进入checkCodeSpilting函数?recoverStart用于处理js(而不是html了)
这里并没有加入什么恼人的判断,那个if也只是判断文件后缀名不为db。推测扫描器是先把js下到本地然后再读取的,因此在构造POC的时候,通过script src引入一个js,就可以让它进入到这个函数0x04 如何进入jsCodeCompile函数并把我们想要的东西传入?checkCodeSpilting会读取文件,判断是否包含了document.createElement("script");这个字符串(以检查是否有异步加载的js代码),如果是的话再做一个正则匹配,然后把值加一个前缀一个后缀之后传入jsCodeCompile函数想要成功调用jsCodeCompile函数,在js中就得加入document.createElement("script");,而想要传我们想传的参数进去就得研究这个正则了。我比较菜,对正则一直心怀恐惧,但是好在这个正则也不难懂,首先匹配一个字母或者数字或者下划线(\w),在匹配一个点和一个字母p以及加号(\.p+),接着就是匹配到的内容,正则会不断匹配知道遇到一个.和一个字母j以及字母s(\.js)因此实际上就是 这个正则就是匹配如下内容【随便一个字母数字下划线】p【我们想让他匹配的内容】.js
匹配完了之后,前面加个",后面加个.js,变成jsCode传入jsCodeCompile
0x04 如何在jsCodeCompile函数中实现RCE?这个函数是最后也是最重要的函数,它相对复杂,因此需要分几个步骤分析首先看到这个js执行的地方,它进行了“防止黑吃黑命令执行”的检查之后,首先会去编译这个js,接着从nameList里面取东西然后传入到js中的js_compile函数里。因此我们要做的就是两件事情,一个是让jsCodeFunc里面变成我们的RCE代码,第二个是让nameList里面有东西可以传进去
首先我们来出了让jsCodeFunc有RCE代码的问题jsCodeFunc的生成过程如下首先从jsCode中正则匹配出被[]包裹着的第一个内容,作为js_compile函数的参数,然后jsCode本身再被插入进去赋值给作为js_url,看起来工具的作者是希望能够动态解析js以获取url地址因此为了让里面能够接收一个参数,需要直接在jsCode里面加入一个[s],匹配到之后就会让variable为字母s,这样前面的部分就是js_compile(s),解决了前面传入参数的问题接着就要处理如何加入了jsCode之后能执行恶意代码的问题了。刚才的分析结果表明传入的内容前面被加了个"后面被加了个.js,而且我们还要在传入内容加一个[s],并且加完了这一堆东西之后还不能有问题。虽然看起来条件苛刻,实际上处理起来也不复杂,针对前面的",我们再加一个"然后来个;来结束语句即可。接着加入RCE语句,最后为了对付后面的.js和[s],直接用//注释掉由于后面拼接的return js_url}前面有个\n,因此注释对其不起作用,因此我们不需要自己return一个值然后用大括号闭合
接着我们来处理如何让nameList有值的问题
发现nameList就是匹配了两个正则表达式之后加进来的,因此随便加一个能让某个表达式匹配到内容的字符串就可以了,这里我加的是{114514:,会让第一个正则表达式匹配到114514,并且加入到nameList中我们把{114514:加入到刚才写的语句的注释中就可以了以上就是payload的完整生成过程0x05 RCE展示&POC
地址:https://github.com/TomAPU/poc_and_exp/tree/master/Packer-Fuzzer-RCE
0x06修复个人认为单纯的过滤没法在根本上解决问题,可能需要找一个安全的JS执行方式
DriverTom
Fuzzing战争系列之二:不畏浮云遮望眼
3 years 11 months ago
flanker017
Fuzzing战争系列之二:不畏浮云遮望眼
3 years 11 months ago
本文是Fuzzing战争系列的第二篇,也是Fuzzing战争:从刀剑弓斧到星球大战的续篇
Technical report: Responsible use of the Border Gateway Protocol (BGP) for ISP interworking
3 years 11 months ago
Technical report on best practice use of this fundamental data routing protocol.
取证小知识-99
3 years 11 months ago
取证小知识-99
SharpSQLTools-上传下载文件,xp_cmdshell与sp_oacreate双回显和clr加载程序集
3 years 11 months ago
和RcoIl一起写的小工具,可上传下载文件,xp_cmdshell和xp_cmdshell与sp_oacreate双回显和clr加载程序集执行相应操作。
JumpServer日志读取漏洞自动化审计分析
3 years 11 months ago
JumpServer在上周被披露出一个远程命令执行漏洞,这个远程命令执行主要由一个log日志跨目录读取引发。
对一个使用JWT验证的系统渗透纪实
3 years 11 months ago
某次,对某客户的系统进行渗透测试,上头的命令是必须拿下网站系统管理员用户的权限,经过分析后发现该系统使用Spr …
whwlsfb
Games Drive Christmas Web Traffic
3 years 11 months ago
If you turned on a new game console and/or downloaded video games over the holidays, you certainly weren't alone. New data from Akamai shows that game-related traffic delivered across our network was more than double the Q4 average on December 25, and up nearly 50% on December 26. During the same period, traffic for all other industries combined was relatively even compared to the rest of the quarter.
Jonathan Singer
A Place To Belong
3 years 11 months ago
While I've worked for Silicon Valley-based startups and even spent time in the travel tech industry, I'd sometimes feel I was just part of the system. Working each day to earn my keep, and with no bigger purpose than that.
Thong Hsin Sheng
请不要用IE打开,以免蓝屏。
3 years 11 months ago
让你不听话,蓝屏了吧?WIndows condrv.sys 组件存在一处逻辑漏洞,当本地用户向该组件传递特定的路径时会导致操作系统蓝屏,并拒绝服务。condrv.sys组件用于当开发者想要直接与...
独自等待
喜马拉雅SRC年度奖励计划&新年三倍活动
3 years 11 months ago
年度奖励计划&新年三倍活动