Aggregator

库克的刀功，精准得近乎艺术。

作者：longofo@知道创宇404实验室 时间：2025年2月16日 本文为知道创宇404实验室内部分享沙龙“404 Open Day”的议题内容，作为目前团队AI安全研究系列的一部分，分享出来与大家一同交流学习。 1. 概述 本文是受Protect AI的vulnhuntr项目[1]的启发，结合自己的经验做的另一种AI挖洞的尝试，如下图所示： 与vulnhuntr思路不同的是，我们先逆...

HackerNews 编译，转载请注明出处： 美国网络安全和基础设施安全局（CISA）周二将影响 Palo Alto Networks PAN-OS 和 SonicWall SonicOS SSLVPN 的两个安全漏洞添加到其已知被利用漏洞（KEV）目录中，基于这些漏洞正在被积极利用的证据。 这两个漏洞如下： CVE-2025-0108（CVSS 评分：7.8）：Palo Alto Networks PAN-OS 管理 Web 界面中的身份验证绕过漏洞，允许未授权的攻击者通过网络访问管理 Web 界面，绕过通常需要的身份验证并调用某些 PHP 脚本。 CVE-2024-53704（CVSS 评分：8.2）：SSLVPN 身份验证机制中的身份验证不当漏洞，允许远程攻击者绕过身份验证。 Palo Alto Networks 已确认观察到针对 CVE-2025-0108 的积极利用尝试，并指出该漏洞可以与其他漏洞（如 CVE-2024-9474）结合使用，以允许未经授权访问未修补和未安全配置的防火墙。 “Palo Alto Networks 观察到在未修补和未安全配置的 PAN-OS Web 管理界面上，CVE-2025-0108 与 CVE-2024-9474 和 CVE-2025-0111 的利用尝试，”该公司在更新的公告中表示。 威胁情报公司 GreyNoise 表示，多达 25 个恶意 IP 地址正在积极利用 CVE-2025-0108，自近一周前被检测到以来，攻击者活动量增加了 10 倍。攻击流量的前三大来源是美国、德国和荷兰。 至于 CVE-2024-53704，网络安全公司 Arctic Wolf 透露，威胁行为者在 Bishop Fox 提供概念验证（PoC）后不久就开始利用该漏洞。 鉴于这些漏洞正在被积极利用，联邦民用执行部门（FCEB）机构被要求在 2025 年 3 月 11 日之前修复这些漏洞，以确保其网络的安全。   消息来源：The Hacker News；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in Linux Kernel up to 6.11.8. It has been rated as critical. This issue affects some unknown processing of the component LoongArch. The manipulation leads to stack-based buffer overflow. The identification of this vulnerability is CVE-2024-53089. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Linux Kernel up to 6.11.6. Affected by this issue is the function __mt_dup of the component fork. The manipulation leads to allocation of resources. This vulnerability is handled as CVE-2024-50263. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.6.62/6.11.9 and classified as critical. Affected by this issue is the function psnet_open_pf_bar of the component solidrun. The manipulation leads to use after free. This vulnerability is handled as CVE-2024-53126. Access to the local network is required for this attack to succeed. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.11.10/6.12.1. It has been rated as critical. Affected by this issue is some unknown functionality of the component bpf. The manipulation leads to null pointer dereference. This vulnerability is handled as CVE-2024-56702. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.11.10/6.12.1. This affects the function kunit_kzalloc of the file sound_kunit.c. The manipulation leads to null pointer dereference. This vulnerability is uniquely identified as CVE-2024-56696. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Linux Kernel up to 6.12.1 and classified as problematic. Affected by this vulnerability is the function bpf_msg_pop_data of the component sockmap. The manipulation leads to enforcement of behavioral workflow. This vulnerability is known as CVE-2024-56720. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.6.59/6.11.6. It has been declared as problematic. This vulnerability affects unknown code of the component qmp-usb. The manipulation leads to null pointer dereference. This vulnerability was named CVE-2024-50240. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.6.56/6.11.3. Affected by this issue is the function devm_free_irq of the file kernel/irq/devres.c. The manipulation leads to use after free. This vulnerability is handled as CVE-2024-50057. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

HackerNews 编译，转载请注明出处： 特洛伊木马式游戏安装程序在大规模 StaryDobry 攻击中部署加密货币矿工，卡巴斯基将这一大规模活动命名为 StaryDobry，该活动于 2024 年 12 月 31 日首次被检测到，持续了一个月。此次攻击的目标是全球的个人和企业，卡巴斯基的遥测数据显示，俄罗斯、巴西、德国、白俄罗斯和哈萨克斯坦的感染浓度较高。 研究人员塔季扬娜·什什科娃（Tatyana Shishkova）和基里尔·科尔切米尼（Kirill Korchemny）在周二发布的一份分析报告中表示：“这种方法帮助威胁行为者充分利用了矿工植入，目标是强大的游戏机，这些机器能够维持挖矿活动。” 此次 XMRig 加密货币矿工活动利用了流行的模拟和物理游戏，如 BeamNG.drive、Garry’s Mod、Dyson Sphere Program、Universe Sandbox 和 Plutocracy，作为诱饵发起复杂的攻击链。这包括在 2024 年 9 月将使用 Inno Setup 制作的被投毒的游戏安装程序上传到各种种子网站，表明活动背后的不明威胁行为者精心策划了这些攻击。 下载这些发布版本（也称为“重打包”）的用户会看到一个安装程序界面，提示他们继续进行安装过程，在此过程中会提取并执行一个投放器（“unrar.dll”）。 该 DLL 文件在确定是否在调试或沙盒环境中运行后才会继续执行，这表明其具有高度的规避行为。随后，它会查询多个网站，如 api.myip [.]com、ip-api [.]com 和 ipwho [.]is，以获取用户的 IP 地址并估算其位置。如果这一步失败，国家默认为中国或白俄罗斯，原因尚不清楚。 下一阶段涉及收集机器的指纹信息，解密另一个可执行文件（“MTX64.exe”），并将其内容写入磁盘上的文件 “Windows.Graphics.ThumbnailHandler.dll”，该文件位于 %SystemRoot% 或 %SystemRoot%\Sysnative 文件夹中。 基于一个名为 EpubShellExtThumbnailHandler 的合法开源项目，MTX64 通过加载下一阶段的有效载荷（一个名为 Kickstarter 的便携式可执行文件），修改了 Windows Shell Extension Thumbnail Handler 功能，以谋取自身利益，然后解包嵌入其中的加密数据块。 该数据块与前一步类似，被写入磁盘，文件名为 “Unix.Directory.IconHandler.dll”，位于文件夹 %appdata\Roaming\Microsoft\Credentials%InstallDate%\ 中。 新创建的 DLL 被配置为从远程服务器获取最终阶段的二进制文件，该服务器负责运行矿工植入，同时还会持续检查运行进程列表中的 taskmgr.exe 和 procmon.exe。如果检测到这些进程中的任何一个，该工件将立即终止。 该矿工是一个经过轻微修改的 XMRig 版本，使用预定义的命令行在具有 8 个或更多核心的 CPU 上启动挖矿过程。“如果少于 8 个，矿工不会启动，”研究人员表示。“此外，攻击者选择在他们自己的基础设施中托管挖矿池服务器，而不是使用公共服务器。” “XMRig 使用其内置功能解析构建的命令行。矿工还会创建一个单独的线程来检查系统中运行的进程监控器，使用的方法与前一阶段相同。”由于缺乏可以将其与任何已知犯罪软件行为者联系起来的指标，StaryDobry 仍未被归因。尽管如此，样本中的俄语字符串表明可能存在说俄语的威胁行为者。   消息来源：The Hacker News；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.6.63/6.11.10/6.12.1. Affected is the function gf100_gr_chan_new of the component nouveau. The manipulation leads to denial of service. This vulnerability is traded as CVE-2024-56752. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Linux Kernel up to 6.6.53/6.10.12/6.11.1. This vulnerability affects the function module_add_driver of the component Driver Core. The manipulation leads to null pointer dereference. This vulnerability was named CVE-2024-47688. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Linux Kernel up to 6.11.10/6.12.1. This affects the function dlm_recover_members. The manipulation leads to improper update of reference count. This vulnerability is uniquely identified as CVE-2024-56749. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Linux Kernel up to 6.6.53/6.10.12/6.11.1 and classified as critical. This vulnerability affects the function pr_debug of the component ARM. The manipulation leads to denial of service. This vulnerability was named CVE-2024-47716. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.6.53/6.10.12/6.11.1 and classified as critical. This issue affects the function mt7996_mcu_sta_bfer_he. The manipulation leads to null pointer dereference. The identification of this vulnerability is CVE-2024-47681. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.11.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component AMD Display. The manipulation of the argument dummy_boolean leads to Privilege Escalation. This vulnerability is known as CVE-2024-49971. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.11.10/6.12.1. It has been classified as critical. This affects the function pm_runtime_get_if_active of the component ipu6. The manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2024-56680. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.6.57/6.11.4. It has been classified as problematic. This affects an unknown part of the component xhci. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2024-50075. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.