Ubuntu, Chrome, Safari, Parallels and Microsoft products hacked at Pwn2Own 2021

The results of the three-day Pwn2Own 2021 competition, held annually as part of the CanSecWest conference, have been summed up. As in the previous year, the contest was held online and the attacks were demonstrated remotely. Of the 23 targets, working techniques for exploiting previously unknown vulnerabilities were demonstrated against Ubuntu Desktop, Windows 10, Chrome, Safari, Parallels Desktop, Microsoft Exchange, Microsoft Teams and Zoom. In every case the latest versions of the software were tested, with all available updates applied. The total payout came to 1.2 million US dollars (the prize pool was 1.5 million).

Three attempts were made at the contest to exploit vulnerabilities in Ubuntu Desktop. The first and second were successful: the attackers demonstrated local privilege escalation through previously unknown vulnerabilities related to a buffer overflow and a double free (the details of the bugs have not yet been published; developers are given 90 days to fix them before the information is disclosed). A prize of $30 thousand was paid for each of these vulnerabilities.

The third attempt, by another team in the local privilege escalation category, was only a partial success: the exploit worked and gave root access, but the attack was not fully credited, since the bug behind the vulnerability was already known to the Ubuntu developers and an update with a fix was being prepared.

Successful attacks were also shown against the Chromium-based browsers Google Chrome and Microsoft Edge. A prize of $100 thousand was paid for an exploit that executes arbitrary code when a specially crafted page is opened in Chrome or Edge (a single universal exploit was written for both browsers). A fix is expected to be published within the coming hours; so far all that is known is that the vulnerability lies in the process responsible for handling web content (the renderer).

Other successful attacks:

  • $200 thousand for hacking the Zoom application (code execution was achieved by sending a message to another user, with no action required on the recipient's side). The attack used three vulnerabilities in Zoom and one in Windows.
  • $200 thousand for hacking Microsoft Exchange (an authentication bypass and local privilege escalation on the server to obtain administrator rights). A second team demonstrated another working exploit, but no second prize was paid, since the same bugs had already been used by the first team.
  • $200 thousand for hacking Microsoft Teams (code execution on the server).
  • $100 thousand for exploiting Apple Safari (an integer overflow in Safari and a buffer overflow in the macOS kernel, used to escape the sandbox and execute code at kernel level).
  • $140 thousand for hacking Parallels Desktop (escaping the virtual machine and executing code on the host system). The attack chained three different vulnerabilities: uninitialized memory, a stack overflow and an integer overflow.
  • Two prizes of $40 thousand each for hacking Parallels Desktop (a logic error and an overflow that allowed code execution in the host OS through actions inside the virtual machine).
  • Three prizes of $40 thousand each for three Windows 10 exploits (an integer overflow, a use-after-free and a race condition, each giving SYSTEM privileges).
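Integer overflow appears three times in the list above (Safari, Parallels Desktop and Windows 10), usually as the first link of a chain: a size computed from attacker-controlled data wraps, a bounds check passes on the wrapped value, and a later copy runs off the end of a buffer that is far too small. The following C program is an added illustration of that pattern and its fix; it is not code from any Pwn2Own entry (none of the bugs had been disclosed at the time), and the message format, field sizes and function names are hypothetical.

```c
/* Added example: integer overflow in a length computation, and the
 * overflow-checked version. Hypothetical format, not any real target:
 *   [uint32 count, little-endian][count * ENTRY_SIZE bytes of entries]
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 16u

/* Vulnerable size calculation: the 32-bit multiply wraps, so a huge count
 * produces a tiny allocation while the copy that follows still trusts count.
 * 0x10000001 * 16 == 0x100000010, which wraps to 0x10. */
uint32_t alloc_size_vulnerable(uint32_t count)
{
    return count * ENTRY_SIZE;
}

/* The bounds check built on that size accepts the oversized message,
 * because it compares the wrapped value, not the real one. Returns true
 * when the (buggy) check would let the message through. */
bool vulnerable_length_check(uint32_t count, uint32_t payload_len)
{
    uint32_t total = count * ENTRY_SIZE;
    return total <= payload_len;
}

/* Hardened: detect the wrap instead of silently using its result.
 * __builtin_mul_overflow is a GCC/Clang builtin that reports overflow
 * in the destination type. Returns false (and writes nothing) on overflow. */
bool alloc_size_checked(uint32_t count, uint32_t *out)
{
    uint32_t total;
    if (__builtin_mul_overflow(count, ENTRY_SIZE, &total))
        return false;
    *out = total;
    return true;
}

/* Hardened parser. Returns the number of entries, or -1 on any failure.
 * If entries_out is NULL the copied buffer is freed before returning. */
int64_t parse_entries(const uint8_t *msg, size_t msg_len, uint8_t **entries_out)
{
    if (msg_len < 4)
        return -1;
    uint32_t count = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                     ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    uint32_t total;
    if (!alloc_size_checked(count, &total))
        return -1;                      /* count too large to represent */
    if (total > msg_len - 4)
        return -1;                      /* declared entries not present */
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return -1;
    memcpy(buf, msg + 4, total);        /* safe: total <= bytes available */
    if (entries_out)
        *entries_out = buf;
    else
        free(buf);
    return (int64_t)count;
}

/* Constructed sample messages (not captured traffic). */
/* Well-formed: count = 2, followed by 32 bytes of entries. */
const uint8_t kGoodMsg[4 + 2 * ENTRY_SIZE] = {
    0x02, 0x00, 0x00, 0x00,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B',
};
/* Malicious: count = 0x10000001 (wraps to 16 bytes), only 16 bytes follow. */
const uint8_t kBadMsg[4 + ENTRY_SIZE] = {
    0x01, 0x00, 0x00, 0x10,
    'X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X',
};

int main(void)
{
    uint32_t bad_count = 0x10000001u;
    printf("vulnerable size for 0x%08x entries: %u bytes\n",
           bad_count, alloc_size_vulnerable(bad_count));
    printf("vulnerable check accepts it: %s\n",
           vulnerable_length_check(bad_count, ENTRY_SIZE) ? "yes" : "no");
    printf("hardened parse of good message: %lld entries\n",
           (long long)parse_entries(kGoodMsg, sizeof kGoodMsg, NULL));
    printf("hardened parse of bad message: %lld\n",
           (long long)parse_entries(kBadMsg, sizeof kBadMsg, NULL));
    return 0;
}
```

The vulnerable variant is deliberately limited to the size calculation and the check, so that running it shows the wrap without performing the out-of-bounds write that an exploit would rely on. The fix is the one to look for in code review: either detect overflow in the field's own width, as here, or compute the size in a wider type and compare the unwrapped value against the bytes actually present.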

An attempt was made to hack Oracle VirtualBox, but it failed. The prizes for hacking Firefox, VMware ESXi, Hyper-V client, MS Office 365, MS SharePoint, MS RDP and Adobe Reader went unclaimed. Nor did anyone volunteer to demonstrate a hack of the Tesla car's infotainment system, despite a prize of $600 thousand plus a Tesla Model 3.

source: budenet.ru
