Submit #770523: Tiandy Technologies Co., Ltd. Integrated Management Platform 7.17.0 Unrestricted Upload of File with Dangerous Type [Accepted]
Submit #770523 / VDB-351144
Aggregator
CVE-2026-4219 | INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android ae.index.apgcs BuildConfig.java ACCESS_KEY/HASH_KEY hard-coded credentials
2 days 18 hours ago
A vulnerability categorized as problematic has been discovered in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials.
This vulnerability is tracked as CVE-2026-4219. The attack is restricted to local execution. Moreover, an exploit is present.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
Submit #770513: INDEX Conferences & Exhibitions Organization L.L.C YWF | BPOF | APGCS 1.0.2 Authorization Credential Exposure [Accepted]
2 days 18 hours ago
Submit #770513 / VDB-351143
fxizenta
Everest
2 days 18 hours ago
You must login to view this content
cohenido
Sarcoma
2 days 18 hours ago
You must login to view this content
cohenido
Утраченная рукопись Архимеда. Мировая охота. Столетие поисков. А она чиллила в каталоге провинциального музея
2 days 18 hours ago
1906 год — сфоткали. 1918 — потеряли. 1998 — продали за миллионы. 2025 — Эврика!
我们如何黑掉麦肯锡和Jack & Jill的AI平台
2 days 18 hours ago
提权实录:通过命名管道劫持可写服务
2 days 18 hours ago
提权实录:通过命名管道劫持可写服务
前言
在分析某 Windows 应用的服务组件时,发现其创建的命名管道访问控制配置宽松,允许低权限用户连接并发送指令,从而触发高权限的终止任意进程操作(taskkill)。进一步分析发现,被终止的服务会自动重启,而其可执行文件的权限配置错误,允许 Everyone 组读写。结合这两个缺陷,可构造一条完整的本地提权利用链。
漏洞挖掘过程 命名管道 关于命名管道命名管道(Named Pipe)是 Windows 操作系统提供的一种进程间通信(IPC)机制,允许不同进程(包括跨会话、跨权限级别)通过一个带名称的管道进行双向或单向数据交换。命名管道具有全局可见的名称(通常位于 \pipe\ 命名空间下,如 \\.\pipe\KeyServicePipe),支持多客户端连接,并可通过安全描述符(Security Descriptor) 设置访问控制列表(ACL),以限制哪些用户或组可以读取、写入或创建连接。
命名管道常被用作高权限服务与低权限客户端之间的通信通道。然而,若开发者未正确配置管道的 ACL(例如允许 Everyone 或 Authenticated Users 具有写权限),攻击者就可以作为客户端向服务端发送消息,从而使得服务执行敏感操作(如启动/终止进程、读取文件等),以此构成权限提升或远程代码执行的风险。
发现命名管道发现命名管道及查看其对应的 ACL 策略可以借助 Sysinternals Suite 内的 pipelist 和 accesschk。这里 0cat 向我推荐了一款可视化友好的工具:Pipetap。通过查看 Pipelist 发现存在一个 ACL 策略为 Everyone 可写的命名管道:KeyServicePipe。
该命名管道对应的进程也是以 System 权限运行着,完全符合我们挖掘提权的条件。
进程终止逻辑根据命名管道服务进程定位到其可执行文件,接着通过 IDA 进行一键导出反编译代码。配合着 AI 进行分析,很容易就定位到相关信息。
首先是入口接收到信息并根据不同的偏移量解析客户端所发送过来的消息,根据这些偏移量得知消息包含 2 个部分:消息头和消息体,消息头为 12 个字节。
其次是消息头的逻辑,我们可以看见其有三个部分,每个部分刚好 4 字节(DWORD)。三个部分分别为:会话 ID、消息类型、消息体长度。这些信息也是基于后续的调试输出所得知。读到消息类型后,会判断消息类型的范围必须在 1-37 之间。
最后就进入消息分发,根据不同的消息类型进行分发。不同的消息类型对应不同的处理逻辑,在这里实际上踩了个坑,正常跟进向下的逻辑 Map 寻找,而实际上在服务创建的构造函数内就已经定义好了:sub_424FF0(v5, 消息类型, 消息处理函数)。
关键问题逻辑就是其作为命名管道服务端有一个消息接收分发机制,根据消息类型来进行消息的分发。如图所示,当消息类型为 24 时则进入消息进入 sub_4216B0 函数处理。
在 sub_4216B0 函数内本质上就是获取消息体进行处理,最重要的就行消息体的 +4 字节偏移位,其为 PID(这里做了强转换,因此无法进行命令注入)。PID 首先用于 TASKLIST 命令进行命令查找。
只有当指定的 PID 进程存在时才会接着向下走,走到 TASKKILL 命令,根据 PID 强制关闭进程。至此,我们就发现了一条低权限进程通过命名管道以 System 权限进行 TASKKILL 任意进程的路径。
系统服务 关于系统服务Windows 服务(Windows Service)是 Windows 操作系统中一种在后台持续运行的程序,无需用户交互即可执行特定任务。如果服务在配置时没有做好权限的 ACL 配置则会导致三类风险:可修改服务二进制文件、可修改服务注册表项、可修改服务本身,易被攻击者利用实现本地权限提升或恶意篡改服务配置与运行逻辑。
可修改服务二进制文件这里直接借助 SharpUp 来进行一键分析:SharpUp.exe check ModifiableServiceBinaries。发现有很多服务的可执行文件是可以修改的,但是要配合攻击链路,就需要满足被 TASKKILL 强制终止进程后,还会自动重启的。这里测试出来发现 KeyAgent 服务满足这一逻辑。
利用链构建利用链构建比较简单,先启动独立的线程不断的循环尝试将恶意文件 EvilAgent.exe 替换目标服务的合法可执行文件 KeyAgent.exe,同时作为客户端连接命名管道 \\.\pipe\KeyServicePipe 并发送构造好的 KillProcess 消息触发命名管道服务进程执行 TASKKILL 命令终止 KeyAgent.exe 进程,最后借助 KeyAgent.exe 服务自动重启特性加载恶意文件,完成本地权限提升的利用链构建。
EvilAgent.exe 是 SystemGap 项目里的 SystemGapAll。其同样也借助命名管道实现高低权限进程间的通信,低权限向高权限发送要执行的命令,高权限执行并把结果返回给低权限。
总结本提权利用链的成功构建,关键在于命名管道访问控制配置不当与服务可执行文件权限配置错误这两个缺陷的组合利用,在实战过程中发现这也类似的问题也很多,是个值得关注的攻击面。最后,在此特别感谢 @倾旋 在漏洞挖掘过程中提供的协助。
SecWiki News 2026-03-15 Review
2 days 18 hours ago
今日暂未更新资讯~
更多最新文章,请访问SecWiki
更多最新文章,请访问SecWiki
成本96美元的便携式防空导弹火箭及发射器
2 days 18 hours ago
本次内容发布原因,仅限于安全风险事项告知,仅针对同类设备存在的风险隐患作出预警提示,旨在提醒相关部门提前做好安全设防与风险管控,本内容无任何不良引导,请勿擅自模仿相关操作。
这个项目在2026年初突然火起来,很多人称它为96美元的3D打印防空导弹。
它本质上是一个极低成本的实验性制导火箭平台,展示了消费级电子+3D打印在业余/半专业制导武器原型上的潜力。
当然,实际飞行稳定性和制导精度距离真正的军用MANPADS(如毒刺、针式)还有非常非常远的距离,但作为DIY/黑客项目已经非常震撼了。
一句话评价: “用不到100美元的零件,让爱好者第一次在家里造出了带简易惯性+轨道修正的火箭原型,这件事本身就挺科幻的。”,重点:轨道修正,可见倒数几张图。
仓库包含对低成本火箭、业余制导、ESP32嵌入式开发、3D打印武器化结构的研究。
https://github.com/novatic14/MANPADS-System-Launcher-and-Rocket
火箭部分:
采用折叠尾翼 + 前翼(canard)稳定布局
搭载 ESP32 作为飞行计算机
使用 MPU6050 IMU(惯性测量单元,成本很低,大概几美元)
支持空中实时轨迹修正(recalculates mid-air trajectory)
3D打印结构件
发射器部分:
集成 GPS、电子罗盘、气压计等传感器
用于提供方位、姿态和遥测数据
设计与仿真工具:
机械结构全部用 Fusion 360 设计
用 OpenRocket 做过火箭飞行仿真(业余火箭爱好者常用软件)
成本控制:
整个硬件BOM(物料清单)控制在约96美元内,非常夸张的低成本
仓库内容概览
CAD Files/:火箭 + 发射器的完整机械设计文件(Fusion 360格式)
Firmware/:火箭飞行控制器 + 发射器固件源代码(基于ESP32)
Simulation/:OpenRocket 的仿真文件
README 里有:30秒项目概览、规格参数、BOM成本明细等
最后一张图为效果图。
CVE-2026-4218 | myAEDES App up to 1.18.4 on Android aedes.me.beta EngageBayUtils.java AUTH_KEY information disclosure
2 days 19 hours ago
A vulnerability was found in myAEDES App up to 1.18.4 on Android. It has been rated as problematic. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a manipulation of the argument AUTH_KEY results in information disclosure.
This vulnerability is identified as CVE-2026-4218. The attack is only possible with local access. Additionally, an exploit exists.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
CVE-2026-4217 | XREAL Nebula App up to 3.2.1 on Android ai.nreal.nebula.universal CloudStoragePlugin.java accessKey/secretAccessKey/securityToken key management
2 days 19 hours ago
A vulnerability was found in XREAL Nebula App up to 3.2.1 on Android. It has been declared as problematic. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to key management error.
This vulnerability is referenced as CVE-2026-4217. The attack can only be performed from a local environment. Furthermore, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
Submit #770509: myAEDES myAEDES(aedes.me.beta) 1.18.4 Authorization Credential Exposure [Accepted]
2 days 19 hours ago
Submit #770509 / VDB-351142
fxizenta
CVE-2026-4216 | i-SENS SmartLog App up to 2.6.8 on Android air.SmartLog.android hard-coded credentials
2 days 19 hours ago
A vulnerability was found in i-SENS SmartLog App up to 2.6.8 on Android. It has been classified as critical. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials.
The identification of this vulnerability is CVE-2026-4216. The attack can only be executed locally. Furthermore, there is an exploit available.
The vendor explains: "The function referenced in the report currently exists in our deployed system. It is related to a developer mode used during the configuration process for Bluetooth pairing between the blood glucose meter and the SmartLog application. This function is intended for configuration purposes related to device integration and testing. (...) [I]n a future application update, we plan to review measures to either remove the developer mode function or restrict access to it."
vuldb.com
Submit #770503: XREAL Technology Limited Nebula 3.2.1 Exposed Cryptographic Key and IV [Accepted]
2 days 19 hours ago
Submit #770503 / VDB-351141
fxizenta
Submit #770497: i-SENS SmartLog(air.SmartLog.android) 2.6.8 Developer Mode Credential Exposure [Accepted]
2 days 19 hours ago
Submit #770497 / VDB-351140
fxizenta
CVE-2026-4215 | FlowCI flow-core-x up to 1.23.01 SMTP Host ConfigServiceImpl.java save server-side request forgery
2 days 19 hours ago
A vulnerability was found in FlowCI flow-core-x up to 1.23.01 and classified as critical. The impacted element is the function Save of the file core/src/main/java/com/flowci/core/config/service/ConfigServiceImpl.java of the component SMTP Host Handler. The manipulation results in server-side request forgery.
This vulnerability was named CVE-2026-4215. The attack may be performed from remote. In addition, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
Submit #770491: flow flow-core-x 1.23.01 Server-Side Request Forgery [Accepted]
2 days 19 hours ago
Submit #770491 / VDB-351139
fakebug
Lloyds Banking Group Investigates Mobile App Data Exposure Affecting Multiple UK Banks
2 days 19 hours ago
Lloyds Banking Group has launched an internal investigation after a technical error in its mobile banking applications allowed some customers to briefly see other users’ transaction details. The incident affected the mobile apps of several brands operated by the group, including Lloyds Bank, Halifax, and Bank of Scotland. According to the bank, the issue arose […]
The post Lloyds Banking Group Investigates Mobile App Data Exposure Affecting Multiple UK Banks appeared first on Centraleyes.
The post Lloyds Banking Group Investigates Mobile App Data Exposure Affecting Multiple UK Banks appeared first on Security Boulevard.
Rebecca Kappel
USENIX Security ’25 (Enigma Track) – Usernames, Passwords And Security
2 days 19 hours ago
Presenter: Rik Farrow
Our thanks to USENIX Security '25 (Enigma Track) (USENIX '25 for publishing their Creators, Authors and Presenter’s tremendous USENIX Security '25 (Enigma Track) (USENIX '25 content on the Organizations' YouTube Channel.
The post USENIX Security ’25 (Enigma Track) – Usernames, Passwords And Security appeared first on Security Boulevard.
Marc Handelman