Tweetovi
- Tweetovi, trenutna stranica.
- Tweetovi i odgovori
- Medijski sadržaj
Blokirali ste korisnika/cu @mmolgtm
Jeste li sigurni da želite vidjeti te tweetove? Time nećete deblokirati korisnika/cu @mmolgtm
-
In this post I give details about how to create an exploit for the type confusion vulnerability (CVE-2018-19134) of Ghostscript and turn it into a RCE. I have to say PostScript is not my prefer language for writing exploit.https://lgtm.com/blog/ghostscript_CVE-2018-19134_exploit …
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
This post gives the details of some type confusions (CVE-2018-19134,19475-76) that I found in Ghostscript after studying reports of similar issues filed by
@taviso between 2016 and 2018. The tools used for finding these bugs are open sourced.https://lgtm.com/blog/ghostscript_typeconfusion …Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
This post contains the details of a sandbox escape bug in Ghostscript that I found a couple of months ago that is a variant of the ones that
@taviso discovered last August.https://lgtm.com/blog/ghostscript_CVE-2018-19475 …Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
Done some variant analysis with the Ghostscript RCEs that
@taviso found in the last few months and ended up finding another -dSAFER bypass RCE, plus some type confusions, one of which is also a proper RCE. All patched in 9.26. Write ups coming soon.https://youtu.be/20yfCccIORE?list=PL4nLCsS1XswwqIa4di5NHxbh0xAHQ-xgw …Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
This post reviews OGNL mitigation measures in Struts and how they were bypassed in the past, leading up to a CVE-2018-11776 exploit that actually works.https://lgtm.com/blog/apache_struts_CVE-2018-11776-exploit …
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
Patch Apple devices and avoid public wifi!
@kevin_backhouse discovered a kernel heap overflow that can be triggered by someone sharing the same network as you, affecting all devices by default without user interaction.https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407 …Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
In this post on Struts' OGNL injection vulnerabilities I'll go through a type of RCE issue called "double evaluation". There are a number of new issues, although no CVE as Struts did not think it's their responsibility.https://lgtm.com/blog/apache_struts_double_evaluations …
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
In this second post on Struts' ognl injection vulnerabilities I'll give an overview of the structure of Struts and a more detailed dataflow analysis of CVE-2018-11776.https://lgtm.com/blog/apache_struts_CVE-2018-11776-part2 …
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
For people looking into intrusion detection of CVE-2018-11776. From what is available in public, it should be clear that the attack is done via a url with ognl. So look for url that contains ognl. An exploit won't tell you more than that.
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
Struts users should take the advice of the Struts team to upgrade: https://cwiki.apache.org/confluence/display/WW/S2-057 … the new versions are backward compatible and they don't just patched CVE-2018-11776 but also include general security improvements to make life harder for hackers.
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
As some people have asked about exploits of CVE-2018-11776. I don't plan to release it at the moment so that users can have time to upgrade, I would also like to urge others to refrain from releasing exploits just yet.
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
I'm writing some blogs that study RCEs in
#apachestruts. I'll start with the latest CVE-2018-11776 that I found and how they are related to some previously known RCEs.https://lgtm.com/blog/apache_struts_CVE-2018-11776 …Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
A few weeks ago,
@trendytofu wrote in#ZDI about an incomplete auth bypass fix that turned post auth EL injections such as ZDI-17-663 of@steventseeley into RCE. Here is another EL injection in Spring that also has an interesting fix/patch story:https://lgtm.com/blog/spring_data_rest_CVE-2017-8046_ql …Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
Man Yue Mo proslijedio/la je Tweet
Interested in how we approach security research and disclosing
#0days? We now have a page detailing our official vulnerability disclosure policy, and detailing how we use QL to discover them in the first place: https://lgtm.com/security#vulnerabilities#SecurityResearchHvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
We review some
#javadeser vulnerabilities in Android and showed how to find them using QL, these include CVE-2014-7911(@tehjh), CVE-2015-3825 (@peles_o and@roeehay), CVE-2017-411/412(@laginimaineb) and a new one CVE-2017-0871: https://lgtm.com/blog/android_deserialization …Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi -
Thanks to the hard work of the Java team, (Anders Schack-Mulligen in particular), the 'Deserialization of user-controlled data' query in http://lgtm.com now catches Struts' CVE-2017-9805 with great precision! https://lgtm.com/projects/g/mmosemmle/struts_9805/alerts/?mode=tree&severity=error&rule=1823453799 …
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.