Aggregator

安全日报（2024.03.22）

TellYouThePass阴魂不散

腾讯安全威胁情报中心推出2024年2月安全漏洞必修清单

活动时间：2024年3月30日

腾讯安全威胁情报中心推出24年2月安全漏洞必修清单，漏洞介绍及修复建议详见全文。

解密黑产IP切换技术及风险IP分布数据

美军通过“雷穹”项目为零信任能力下一步实施和部署奠定了良好的基础。

一、插件介绍Turbo Intruder 是一个 Burp Suite 扩展插件，用于发送大量 HTTP 请求并分析结果，可拥抱十亿请求攻击。它旨在处理那些需要异常速度、持续时间或复杂性的攻击来补充Burp Intruder。二、插件原理使用第一次请求的时候就建立好连接，后续获取资源都是通过这条连接

Applications are foundational to the internet and form the basic building blocks of any organization’s IT stack. Having complete and detailed visibility into the applications in your network is an important step in formulating an overall security posture for your organization. Visibility enables organizations to understand the types and traffic patterns of applications, determine the … Continued

The post App Dictionary: Stop guessing, start protecting. appeared first on VMware Security Blog.

Welcome to the second and final day of Pwn2Own Vancouver 2024! We saw some amazing research yesterday, including a Tesla exploit and a single exploit hitting both Chrome and Edge. So far, we have paid out $723,500 for the event, and we’re poised to hit $1,000,000 again. Today looks to be just as exciting with more attempts in virtualization, browser sandbox escapes, and the Pwn2Own’s first ever Docker escape, so stay tuned for all of the results!

And that’s a wrap! Pwn2Own Vancouver 2024 has come to a close. In total, we awarded $1,132,500 for 29 unique 0-days. We’re also happy to award Manfred Paul with the title of Master of Pwn. He won $202,500 and 25 points total. Combining the last three events (Toronto, Automotive, and Vancouver), we’ve awarded $3,494,750 for this year’s Pwn2Own events. Here’s how the Top 10 of this event added up:

Congratulations to all the winners. We couldn’t hold this event without the hard work of the contestants. And thanks to the vendors as well. They now have 90 days to fix these vulnerabilities. Special thanks to Tesla for their sponsorship and support. For details of each of today’s exploits, see the entries below.

SUCCESS - Marcin Wiązowski used an improper input validation bug to escalate privileges on Windows 11. He earns $15,000 and 3 Master of Pwn points.

SUCCESS - STAR Labs SG's exploit of VMware Workstation used two bugs. One is an uninitialized variable, but the other was previously known. They still win $30,000 and 6 Master of Pwn points.

SUCCESS - ColdEye used two bugs, including a UAF, to exploit Oracle VirtualBox. He even managed to leave the guest OS intact. His guest-to-host escape earns him $20,000 and 4 Master of Pwn points.

SUCCESS - Manfred Paul (@_manfp) used an OOB Write for the RCE and an exposed dangerous function bug to achieve his sandbox escape of Mozilla Firefox. He earns another $100,000 and 10 Master of Pwn points, which puts him in the lead with 25.

SUCCESS - First time Pwn2Own contestant Gabriel Kirkpatrick (gabe_k of exploits.forsale) used an always tricky race condition to escalate privileges on #Windows 11. He earns $15,000 and 3 Master of Pwn points.

SUCCESS - Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) from Palo Alto Networks used an OOB Read plus a novel technique for defeating V8 hardening to get arbitrary code execution in the renderer. They were able to exploit Chrome and Edge with the same bugs, earning $42,500 and 9 Master of Pwn points.

BUG COLLISION - STAR Labs SG successfully demonstrated their privilege escalation on Ubuntu desktop. However, they used a bug that was previously reported. They still earn $5,000 and 1 Master of Pwn point.

BUG COLLISION - Although the Hackinside Team was able to escalate privileges on Windows 11 through an integer underflow, the bug was known by the vendor. They still earn $7,500 and 1.5 Master of Pwn points.

SUCCESS -Seunghyun Lee (@0x10n) of KAIST Hacking Lab used a UAF to RCE in the renderer on both Microsoft Edge and Google Chrome. He earns $85,000 and 9 Master of Pwn points. That brings his contest total to $145,000 and 15 Master of Pwn points.

SUCCESS - The first Docker desktop escape at Pwn2Own involved two bugs, including a UAF. The team from STAR Labs SG did great work in the demonstration and earned $60,000 and 6 Master of Pwn points.

SUCCESS - Valentina Palmiotti (@chompie1337) with IBM X-Force used an Improper Update of Reference Count bug to escalate privileges on Windows 11. She nailed her first #Pwn2Own event and walks away with $15,000 and 3 Master of Pwn points.

BUG COLLISION - The final entry of Pwn2Own Vancouver 2024 ends as a collision as Theori used a bug that was previously know to escalate privileges on Ubuntu desktop. He still wins $5,000 and 1 Master of Pwn point.

本文为根据0xEVom的审计报告对漏洞进行的梳理和复现。这位小哥在对Olas合约的审计中获得了$29,515.84

安全日报（2024.03.21）

In our second post we described attacks on models and the concepts of input privacy and output privacy. ln our last post, we described horizontal and vertical partitioning of data in privacy-preserving federated learning (PPFL) systems. In this post, we explore the problem of providing input privacy in PPFL systems for the horizontally-partitioned setting. Models, training, and aggregation To explore techniques for input privacy in PPFL, we first have to be more precise about the training process. In horizontally-partitioned federated learning, a common approach is to ask each participant to

添加管理员微信号：quake_360， 邀请加入技术交流群～

基于C#的后门载荷在摩诃草历史攻击中比较少见，我们通过分析代码，发现该类组件应该是摩诃草组织新开发的第一阶段恶意后门

本篇文章重点对GDPR中关于处罚的内容进行介绍。

什么是PE文件？

PE文件是Windows操作系统中常见的可执行文件格式，全称为Portable Execut