ALPACA - a new technique for MITM attacks on HTTPS

A team of researchers from several German universities has developed a new MITM attack on HTTPS that can extract session cookies and other sensitive data, as well as execute arbitrary JavaScript code in the context of another site. The attack is called ALPACA and applies to TLS servers that implement different application-layer protocols (HTTPS, SFTP, SMTP, IMAP, POP3) but share a common TLS certificate.

The essence of the attack is that an attacker who controls a network gateway or a wireless access point can redirect web traffic to a different network port and arrange for the connection to be established with an FTP or mail server that supports TLS and uses a TLS certificate shared with the HTTP server; the user's browser will then assume that the connection has been established with the requested HTTP server. Since the TLS protocol is generic and not tied to application-level protocols, establishing an encrypted connection is identical for all services, and the mistake of sending a request to the wrong service can only be detected after the encrypted session has been established, while the commands of the submitted request are being processed.

Thus, if, for example, a user's connection originally addressed to HTTPS is redirected to a mail server that uses a certificate shared with the HTTPS server, the TLS connection will be established successfully, but the mail server will be unable to process the transmitted HTTP commands and will return a response with an error code. The browser will treat this response as a response from the requested site, delivered over a correctly established encrypted channel.

Three attack variants are proposed:

  • "Upload" to retrieve a cookie with authentication parameters. The method works if the FTP server covered by the TLS certificate allows uploading and retrieving its data. In this variant of the attack, the attacker can retain parts of the user's original HTTP request, such as the contents of the Cookie header, for example if the FTP server interprets the request as a file to be stored or logs incoming requests in full. For the attack to succeed, the attacker must then somehow extract the stored content. The attack applies to Proftpd, Microsoft IIS, vsftpd, filezilla and serv-u.
  • "Download" to organize cross-site scripting (XSS). The method assumes that the attacker, as a result of some separate manipulation, can place data in a service that uses the shared TLS certificate, which can then be served in response to the user's request. The attack applies to the FTP servers mentioned above, as well as IMAP and POP3 servers (courier, cyrus, kerio-connect and zimbra).
  • "Reflection" to run JavaScript in the context of another site. The method relies on returning to the client a part of the request that contains JavaScript code sent by the attacker. The attack applies to the FTP servers mentioned above, the cyrus, kerio-connect and zimbra IMAP servers, and the sendmail SMTP server.


For example, when a user opens a page controlled by the attacker, that page can initiate a request for a resource from a site where the user has an active account (for example, bank.com). During the MITM attack, this request addressed to the bank.com site can be redirected to a mail server that uses a TLS certificate shared with bank.com. Since the mail server does not terminate the session after the first error, the service headers and commands such as "POST / HTTP/1.1" and "Host:" will be processed as unknown commands (the mail server will return "500 unrecognized command" for each header).

The mail server knows nothing about the HTTP protocol, and for it the service headers and the data block of the POST request are processed in the same way, so the body of the POST request can carry a line containing a command for the mail server. For example, passing "MAIL FROM: <script>alert(1);</script>" makes the mail server return the error message "501 <script>alert(1);</script>: malformed address: alert(1);</script> may not follow <script>".

This response will be received by the user's browser, which will execute the JavaScript code not in the context of the site the attacker originally opened, but in the context of the bank.com site to which the request was sent, since the response arrived within a correctly established TLS session whose certificate confirmed the authenticity of the bank.com response.


A scan of the global network showed that, in total, about 1.4 million web servers are affected by the problem and could be attacked by mixing requests across different protocols. The possibility of a real attack was confirmed for 119 thousand web servers for which there are accompanying TLS servers based on other application protocols.

Example exploits have been prepared for the FTP servers pureftpd, proftpd, microsoft-ftp, vsftpd, filezilla and serv-u, the IMAP and POP3 servers dovecot, courier, exchange, cyrus, kerio-connect and zimbra, and the SMTP servers postfix, exim, sendmail, mailenable, mdaemon and opensmtpd. The researchers studied the possibility of an attack only in combination with FTP, SMTP, IMAP and POP3, but it is possible that the problem also affects other application protocols that use TLS.


To block the attack, it is recommended to use the ALPN (Application Layer Protocol Negotiation) extension to negotiate the TLS session with the application protocol taken into account, and the SNI (Server Name Indication) extension to bind to the host name when TLS certificates covering multiple domain names are used. On the application side, it is recommended to limit the number of errors tolerated while processing commands, after which the connection is terminated. Work on measures to block the attack began in October last year. Similar protective measures have already been taken in Nginx 1.21.0 (mail proxy), Vsftpd 3.0.4, Courier 5.1.0, Sendmail, FileZilla, crypto/tls (Go) and Internet Explorer.
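The SNI and ALPN binding recommended above, as an added example in Go (not code from the article or from any of the projects it names; crypto/tls is chosen because the article lists it among the fixed implementations). HelloPolicy, the host name imap.example.test and the ALPN identifier "imap" are assumed for illustration; a redirected browser session arrives with the web host's SNI and an HTTP ALPN list, so the handshake is refused before any HTTP line ever reaches the mail command parser.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// HelloPolicy (assumed name, not any product's API): what this listener serves.
type HelloPolicy struct {
	Names  map[string]bool // SNI host names this service answers for
	Protos []string        // ALPN identifiers this service actually speaks
}

// Check rejects a ClientHello whose SNI names another host or whose ALPN list
// shares no protocol with this service: a redirected HTTPS session then fails
// in the handshake instead of reaching the command parser.
func (p HelloPolicy) Check(h *tls.ClientHelloInfo) error {
	name := strings.ToLower(h.ServerName)
	if name == "" {
		return fmt.Errorf("no SNI: cannot bind session to a host name")
	}
	if !p.Names[name] {
		return fmt.Errorf("SNI %q is not served here", name)
	}
	if len(h.SupportedProtos) == 0 {
		return nil // legacy client: SNI and app-layer error limits still apply
	}
	for _, want := range p.Protos {
		for _, got := range h.SupportedProtos {
			if got == want {
				return nil
			}
		}
	}
	return fmt.Errorf("no common ALPN protocol in %v", h.SupportedProtos)
}

// Config installs the policy so crypto/tls aborts the handshake on violation.
func (p HelloPolicy) Config(base *tls.Config) *tls.Config {
	cfg := base.Clone()
	cfg.NextProtos = p.Protos
	// A nil returned config keeps cfg; a non-nil error aborts the handshake.
	cfg.GetConfigForClient = func(h *tls.ClientHelloInfo) (*tls.Config, error) { return nil, p.Check(h) }
	return cfg
}

func main() {
	p := HelloPolicy{Names: map[string]bool{"imap.example.test": true}, Protos: []string{"imap"}}
	fmt.Println(p.Check(&tls.ClientHelloInfo{ServerName: "www.example.test", SupportedProtos: []string{"h2", "http/1.1"}}))
}
```

The per-connection error budget the article also recommends is a separate, application-layer measure and is not shown here.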

source: budenet.ru
