- BSidesSF 2017 – www.youtube.com
Security BSides San Francisco is a two-day information security conference. It is a conference by the community for the community.
- Hackers Earn Big at Pwn2Own
Hackers managed to take down Microsoft Edge and escape a virtual machine to boot on the third day of Pwn2Own early Friday. Members from Qihoo’s 360 Security Team carried out the VM exploit, earning the group $105,000, by far the highest amount awarded to a group at the hacking challenge this week.
- VM Escape Earns Hackers $105K at Pwn2Own – threatpost.com
- Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated] – arstechnica.com
- XSSJacking – github.com
This is an attack that can trigger Self-XSS if the page in question is also vulnerable to Clickjacking.
- UAC Bypass
A new User Account Control (UAC) bypass technique relies on altering Windows registry app paths and using the Backup and Restore utility to load malicious code without any security warning. The technique revolves around the notion of “auto-elevation,” which is a state that Microsoft assigns to various trusted binaries.
- Windows 10 UAC Bypass Uses Backup and Restore Utility – www.bleepingcomputer.com
- function Invoke-AppPathBypass – raw.githubusercontent.com
- GitHub Enterprise Remote Code Execution – exablue.de
Everyone uses GitHub. If you have a huge amount of green paper or you are very paranoid about your code, you can run your own GitHub. For $2,500 USD per 10 user years you get GitHub Enterprise: a virtual machine containing a fully-featured GitHub instance. Despite a few edge cases that are handled with an occasional GitHub.enterprise? invocation, it runs the same code base as the original.