ProHoster > Блог > labaran intanet > Hacks na Ubuntu, Firefox, Chrome, Docker da VirtualBox an nuna su a gasar Pwn2Own 2024

Hacks na Ubuntu, Firefox, Chrome, Docker da VirtualBox an nuna su a gasar Pwn2Own 2024

An taƙaita sakamakon kwanaki biyu na gasar Pwn2Own 2024, da ake gudanarwa kowace shekara a matsayin wani ɓangare na taron CanSecWest a Vancouver. Dabarun aiki don cin gajiyar raunin da ba a san su ba an haɓaka su don Desktop Ubuntu, Windows 11, Docker, Oracle VirtualBox, VMWare Workstation, Adobe Reader, Firefox, Chrome, Edge da Tesla. An nuna jimillar hare-hare guda 23 da suka yi nasara, inda suka yi amfani da raunin 29 da ba a san su ba.

Hare-haren sun yi amfani da sabbin abubuwan da suka tabbata na aikace-aikace, masu bincike da tsarin aiki tare da duk abubuwan sabuntawa da saitunan tsoho. Jimlar kuɗin da aka biya shine USD 1,132,500. Don hacking Tesla, an ba da ƙarin Tesla Model 3. Adadin ladan da aka biya don gasar Pwn2Own guda uku na ƙarshe ya kai $ 3,494,750. Ƙungiyar da ta fi yawan maki ta sami $202.

Hacks na Ubuntu, Firefox, Chrome, Docker da VirtualBox an nuna su a gasar Pwn2Own 2024

An kai hare-hare:

  • Hare-hare hudu masu nasara akan Desktop na Ubuntu, yana barin mai amfani mara amfani don samun haƙƙin tushen (kyautar dala dubu 20 da dubu 10, lambobin yabo biyu na dala dubu 5). Rashin lahani yana faruwa ne sakamakon yanayin tsere da kuma ambaliya.
  • Harin Firefox wanda ya ba da damar ketare keɓewar akwatin sandbox da aiwatar da lamba a cikin tsarin lokacin buɗe shafi na musamman (kyautar dala dubu 100). Rashin lahani yana faruwa ne ta hanyar kuskure wanda ke ba da damar karantawa da rubuta bayanai zuwa wani yanki da ke wajen iyakar ma'ajin da aka ware don abun JavaScript, da kuma yuwuwar musanya mai gudanar da taron zuwa wani abu mai gata na JavaScript. Masu zafi a kan duga-dugan, masu haɓakawa daga Mozilla sun buga sabunta Firefox 124.0.1 da sauri, suna kawar da matsalolin da aka gano.
  • Hare-hare guda hudu akan Chrome, wanda ya ba da izinin aiwatar da lambar a cikin tsarin lokacin buɗe shafin da aka tsara musamman (kyautar dala 85 da 60 dubu kowanne, lambobin yabo biyu na 42.5 dubu). Ana haifar da lahani ta hanyar samun damar ƙwaƙwalwar ajiya bayan karantawa kyauta, mara amfani, da ingantaccen shigar da ba daidai ba. Abubuwan amfani guda uku na duniya ne kuma suna aiki ba kawai a cikin Chrome ba, har ma a Edge.
  • An kai hari kan Apple Safari wanda ya ba da izinin aiwatar da lambar a cikin tsarin lokacin buɗe shafi na musamman (kyautar $60). Rashin lahani yana faruwa ne sakamakon ambaliya ta lamba.
  • Hacks hudu na Oracle VirtualBox wanda ya ba ku damar fita tsarin baƙo kuma ku aiwatar da lamba a gefen mai masaukin baki (kyautar dala dubu 90 da kyaututtuka uku na dala dubu 20). An kai hare-haren ta hanyar cin gajiyar raunin da ya haifar da ambaliyar ruwa, yanayin tsere, da samun damar ƙwaƙwalwar ajiya bayan kyauta.
  • Harin da aka kai a kan Docker wanda ya ba ku damar tserewa daga keɓaɓɓen kwantena (kyautar dala dubu 60). Rashin lafiyar yana faruwa ta hanyar samun damar ƙwaƙwalwar ajiya bayan kyauta.
  • Hare-hare guda biyu akan VMWare Workstation wanda ya ba da damar fita daga tsarin baƙo da aiwatar da lamba a gefen mai masaukin baki. Hare-haren sun yi amfani da damar ƙwaƙwalwar ajiya bayan kyauta, madaidaicin buffer, da madaidaicin da ba a fara ba (kuɗin kuɗi na $30 da $130).
  • Hare-hare guda biyar akan Microsoft Windows 11 wanda ya ba ku damar haɓaka gata (launi uku na dala dubu 15, da kari ɗaya na dala dubu 30 da 7500 kowanne). An haifar da raunin da ya faru ta yanayin tsere, cunkoson lamba, ƙidayar ƙidayar kuskure, da ingantacciyar shigar da bayanai.
  • Kisa code lokacin sarrafa abun ciki a cikin Adobe Reader ($ 50 dubu lambar yabo). Harin ya yi amfani da rauni wanda ya ba da izinin ketare hani na API da kwaro wanda ya ba da izinin sauya umarni.
  • An kai hari kan tsarin bayanai na motar Tesla, wanda aka yi ta hanyar yin amfani da bas ɗin CAN BUS da kuma ba da damar cimma adadin lamba da kuma samun damar shiga ECU (na'urar sarrafa lantarki). Kyautar ta kai dala dubu 200 da wata mota kirar Tesla Model 3.
  • Ƙoƙarin yin kutse na Microsoft SharePoint da VMware ESXi bai yi nasara ba.

Har yanzu ba a ba da rahoton ainihin abubuwan da ke tattare da matsalar ba; daidai da sharuɗɗan gasar, za a buga cikakken bayani game da duk lahanin kwana 0 da aka nuna kawai bayan kwanaki 90, waɗanda aka bai wa masana'antun don shirya abubuwan haɓakawa waɗanda ke kawar da cutar. rauni.

source: budenet.ru

Add a comment