Aggregator

库克的刀功，精准得近乎艺术。

作者：longofo@知道创宇404实验室 时间：2025年2月16日 本文为知道创宇404实验室内部分享沙龙“404 Open Day”的议题内容，作为目前团队AI安全研究系列的一部分，分享出来与大家一同交流学习。 1. 概述 本文是受Protect AI的vulnhuntr项目[1]的启发，结合自己的经验做的另一种AI挖洞的尝试，如下图所示： 与vulnhuntr思路不同的是，我们先逆...

HackerNews 编译，转载请注明出处： 美国网络安全和基础设施安全局（CISA）周二将影响 Palo Alto Networks PAN-OS 和 SonicWall SonicOS SSLVPN 的两个安全漏洞添加到其已知被利用漏洞（KEV）目录中，基于这些漏洞正在被积极利用的证据。 这两个漏洞如下： CVE-2025-0108（CVSS 评分：7.8）：Palo Alto Networks PAN-OS 管理 Web 界面中的身份验证绕过漏洞，允许未授权的攻击者通过网络访问管理 Web 界面，绕过通常需要的身份验证并调用某些 PHP 脚本。 CVE-2024-53704（CVSS 评分：8.2）：SSLVPN 身份验证机制中的身份验证不当漏洞，允许远程攻击者绕过身份验证。 Palo Alto Networks 已确认观察到针对 CVE-2025-0108 的积极利用尝试，并指出该漏洞可以与其他漏洞（如 CVE-2024-9474）结合使用，以允许未经授权访问未修补和未安全配置的防火墙。 “Palo Alto Networks 观察到在未修补和未安全配置的 PAN-OS Web 管理界面上，CVE-2025-0108 与 CVE-2024-9474 和 CVE-2025-0111 的利用尝试，”该公司在更新的公告中表示。 威胁情报公司 GreyNoise 表示，多达 25 个恶意 IP 地址正在积极利用 CVE-2025-0108，自近一周前被检测到以来，攻击者活动量增加了 10 倍。攻击流量的前三大来源是美国、德国和荷兰。 至于 CVE-2024-53704，网络安全公司 Arctic Wolf 透露，威胁行为者在 Bishop Fox 提供概念验证（PoC）后不久就开始利用该漏洞。 鉴于这些漏洞正在被积极利用，联邦民用执行部门（FCEB）机构被要求在 2025 年 3 月 11 日之前修复这些漏洞，以确保其网络的安全。   消息来源：The Hacker News；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in Linux Kernel up to 6.11.8. It has been rated as critical. This issue affects some unknown processing of the component LoongArch. The manipulation leads to stack-based buffer overflow. The identification of this vulnerability is CVE-2024-53089. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Linux Kernel up to 6.11.6. Affected by this issue is the function __mt_dup of the component fork. The manipulation leads to allocation of resources. This vulnerability is handled as CVE-2024-50263. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.11.10/6.12.1. It has been rated as critical. Affected by this issue is some unknown functionality of the component bpf. The manipulation leads to null pointer dereference. This vulnerability is handled as CVE-2024-56702. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.11.10/6.12.1. This affects the function kunit_kzalloc of the file sound_kunit.c. The manipulation leads to null pointer dereference. This vulnerability is uniquely identified as CVE-2024-56696. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Linux Kernel up to 6.12.1 and classified as problematic. Affected by this vulnerability is the function bpf_msg_pop_data of the component sockmap. The manipulation leads to enforcement of behavioral workflow. This vulnerability is known as CVE-2024-56720. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.6.59/6.11.6. It has been declared as problematic. This vulnerability affects unknown code of the component qmp-usb. The manipulation leads to null pointer dereference. This vulnerability was named CVE-2024-50240. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

HackerNews 编译，转载请注明出处： 特洛伊木马式游戏安装程序在大规模 StaryDobry 攻击中部署加密货币矿工，卡巴斯基将这一大规模活动命名为 StaryDobry，该活动于 2024 年 12 月 31 日首次被检测到，持续了一个月。此次攻击的目标是全球的个人和企业，卡巴斯基的遥测数据显示，俄罗斯、巴西、德国、白俄罗斯和哈萨克斯坦的感染浓度较高。 研究人员塔季扬娜·什什科娃（Tatyana Shishkova）和基里尔·科尔切米尼（Kirill Korchemny）在周二发布的一份分析报告中表示：“这种方法帮助威胁行为者充分利用了矿工植入，目标是强大的游戏机，这些机器能够维持挖矿活动。” 此次 XMRig 加密货币矿工活动利用了流行的模拟和物理游戏，如 BeamNG.drive、Garry’s Mod、Dyson Sphere Program、Universe Sandbox 和 Plutocracy，作为诱饵发起复杂的攻击链。这包括在 2024 年 9 月将使用 Inno Setup 制作的被投毒的游戏安装程序上传到各种种子网站，表明活动背后的不明威胁行为者精心策划了这些攻击。 下载这些发布版本（也称为“重打包”）的用户会看到一个安装程序界面，提示他们继续进行安装过程，在此过程中会提取并执行一个投放器（“unrar.dll”）。 该 DLL 文件在确定是否在调试或沙盒环境中运行后才会继续执行，这表明其具有高度的规避行为。随后，它会查询多个网站，如 api.myip [.]com、ip-api [.]com 和 ipwho [.]is，以获取用户的 IP 地址并估算其位置。如果这一步失败，国家默认为中国或白俄罗斯，原因尚不清楚。 下一阶段涉及收集机器的指纹信息，解密另一个可执行文件（“MTX64.exe”），并将其内容写入磁盘上的文件 “Windows.Graphics.ThumbnailHandler.dll”，该文件位于 %SystemRoot% 或 %SystemRoot%\Sysnative 文件夹中。 基于一个名为 EpubShellExtThumbnailHandler 的合法开源项目，MTX64 通过加载下一阶段的有效载荷（一个名为 Kickstarter 的便携式可执行文件），修改了 Windows Shell Extension Thumbnail Handler 功能，以谋取自身利益，然后解包嵌入其中的加密数据块。 该数据块与前一步类似，被写入磁盘，文件名为 “Unix.Directory.IconHandler.dll”，位于文件夹 %appdata\Roaming\Microsoft\Credentials%InstallDate%\ 中。 新创建的 DLL 被配置为从远程服务器获取最终阶段的二进制文件，该服务器负责运行矿工植入，同时还会持续检查运行进程列表中的 taskmgr.exe 和 procmon.exe。如果检测到这些进程中的任何一个，该工件将立即终止。 该矿工是一个经过轻微修改的 XMRig 版本，使用预定义的命令行在具有 8 个或更多核心的 CPU 上启动挖矿过程。“如果少于 8 个，矿工不会启动，”研究人员表示。“此外，攻击者选择在他们自己的基础设施中托管挖矿池服务器，而不是使用公共服务器。” “XMRig 使用其内置功能解析构建的命令行。矿工还会创建一个单独的线程来检查系统中运行的进程监控器，使用的方法与前一阶段相同。”由于缺乏可以将其与任何已知犯罪软件行为者联系起来的指标，StaryDobry 仍未被归因。尽管如此，样本中的俄语字符串表明可能存在说俄语的威胁行为者。   消息来源：The Hacker News；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.6.63/6.11.10/6.12.1. Affected is the function gf100_gr_chan_new of the component nouveau. The manipulation leads to denial of service. This vulnerability is traded as CVE-2024-56752. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Linux Kernel up to 6.11.10/6.12.1. This affects the function dlm_recover_members. The manipulation leads to improper update of reference count. This vulnerability is uniquely identified as CVE-2024-56749. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Linux Kernel up to 6.6.53/6.10.12/6.11.1 and classified as critical. This vulnerability affects the function pr_debug of the component ARM. The manipulation leads to denial of service. This vulnerability was named CVE-2024-47716. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.11.7. It has been rated as problematic. Affected by this issue is the function panthor_device_mmap_io. The manipulation leads to Privilege Escalation. This vulnerability is handled as CVE-2024-53071. Access to the local network is required for this attack to succeed. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in Linux Kernel up to 6.10.13/6.11.2. This affects the function xa_erase of the component panthor. The manipulation leads to improper update of reference count. This vulnerability is uniquely identified as CVE-2024-50174. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Rational Software ClearCase 2002-05-00/4.1 and classified as problematic. This issue affects some unknown processing of the component Portscan Handler. The manipulation leads to denial of service. The identification of this vulnerability is CVE-2002-1322. The attack may be initiated remotely. Furthermore, there is an exploit available.

AngryOxide AngryOxide was developed as a way to learn Rust, netlink, kernel sockets, and WiFi exploitation all at once. The overall goal of this tool is to provide a single-interface survey capability with advanced...

The post AngryOxide: 802.11 Attack Tool appeared first on Penetration Testing Tools.

Cookie-Monster Steal browser cookies for Edge, Chrome, and Firefox through a BOF or exe! Cookie-Monster will extract the WebKit master key, locate a browser process with a handle to the Cookies and Login Data...

The post Cookie-Monster: BOF to steal browser cookies & credentials appeared first on Penetration Testing Tools.

LOLSpoof LOLSpoof is an interactive shell program that automatically spoofs the command line arguments of the spawned process. Just call your incriminate-looking command line LOLBin (e.g. powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA….) and LOLSpoof will...

The post LOLSpoof: An interactive shell to spoof some LOLBins command line appeared first on Penetration Testing Tools.