A UPnP vulnerability usable for amplifying DDoS attacks and scanning internal networks

Details have been published of a vulnerability (CVE-2020-12695) in the UPnP protocol that lets an attacker direct traffic to an arbitrary recipient by means of the SUBSCRIBE operation defined in the standard. The vulnerability has been given the codename CallStranger. It can be used to exfiltrate data from networks protected by data loss prevention (DLP) systems, to port-scan hosts on the internal network, and to amplify DDoS attacks using the millions of UPnP devices reachable from the global network, such as cable modems, home routers, game consoles, IP cameras, TV set-top boxes, media centers and printers.

The problem is that the SUBSCRIBE operation defined in the specification allows any external attacker to send an HTTP request carrying a Callback header and thereby use the UPnP device as a proxy for sending requests to other hosts. SUBSCRIBE is defined in the UPnP specification and is used to track state changes in other devices and services. Through the Callback HTTP header, an arbitrary URL can be specified which the device will then try to connect to in order to deliver its event notifications.


Almost all UPnP implementations that follow the specification as it stood before 17 April are affected. Among others, the vulnerability has been confirmed in an open-source package implementing a wireless access point (WPS AP); a fix is so far available only as a patch, and updates have not yet been released by the distributions (Debian, OpenWRT, Ubuntu, RHEL, SUSE, Fedora, Arch). The problem also affects solutions based on the open UPnP stack pupnp, for which no fix is yet available.

The UPnP protocol defines a mechanism for automatically discovering and communicating with devices on a local network. Because the protocol was originally designed for use on local networks only, it provides no form of authentication or authorization. Despite this, millions of devices do not disable UPnP support on external network interfaces and remain reachable for requests from the global network. The attack can be carried out through any kind of UPnP device. For example, Xbox One consoles can be attacked over network port 2869, since they allow changes such as content sharing to be tracked via the SUBSCRIBE command.

The Open Connectivity Foundation (OCF) was notified of the issue at the end of last year, but initially declined to treat it as a vulnerability in the specification. Only after a repeated, more detailed report was the problem acknowledged, and a requirement to use UPnP only on LAN interfaces was added to the specification. Because the problem stems from a flaw in the standard itself, it may take a long time for the vulnerability to be fixed in individual devices, and firmware updates may never appear for older devices.

As a protective measure, it is recommended to isolate UPnP devices from external requests with a firewall, to block HTTP SUBSCRIBE and NOTIFY requests arriving from outside on intrusion prevention systems, or to disable the UPnP protocol on external network interfaces. Manufacturers are advised to disable the SUBSCRIBE operation in the default settings and, when it is enabled, to restrict it to accepting requests from the internal network only. A special tool, written in Python and distributed under the MIT license, has been published for testing devices for this vulnerability.
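The SUBSCRIBE exchange described earlier and the per-request check that the recommended mitigations amount to, as an added worked example (this is not code from the article, from the CallStranger scanner, or from any UPnP stack): it builds the SUBSCRIBE request an attacker would send with a Callback header pointing off-network, parses it the way a device does, and applies the check a hardened device, or an IPS in front of it, should make: reject SUBSCRIBE from non-local sources, and reject Callback URLs that do not point to a literal IP address on a local subnet. The device address 192.0.2.10, the subnet 192.0.2.0/24, the attacker and victim addresses, and the event path /upnp/event/ContentDirectory are constructed sample values; port 2869 is the one the article mentions for the Xbox One.

```python
"""
UPnP SUBSCRIBE / Callback handling: the CallStranger pattern and the check
a hardened device should apply.

Added, self-contained illustration; not code from the original article,
the CallStranger scanner, or any UPnP stack.  Addresses, subnet and the
event-subscription path are constructed sample values.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample values (not from the article).
DEVICE_IP = "192.0.2.10"                              # the UPnP device itself
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # LAN(s) the device serves
EVENT_PATH = "/upnp/event/ContentDirectory"           # hypothetical eventSubURL


def build_subscribe(host, port, event_path, callback_urls, timeout_s=1800):
    """Build the SUBSCRIBE request an attacker sends.  The Callback header is
    where the trouble lives: a vulnerable device will deliver NOTIFY messages
    to every URL listed here without checking that the target is on its LAN."""
    callback = "".join(f"<{u}>" for u in callback_urls)
    return (
        f"SUBSCRIBE {event_path} HTTP/1.1\r\n"
        f"HOST: {host}:{port}\r\n"
        f"CALLBACK: {callback}\r\n"
        f"NT: upnp:event\r\n"
        f"TIMEOUT: Second-{timeout_s}\r\n"
        f"\r\n"
    )


def parse_headers(raw_request):
    """Return (method, path, {lower-cased header name: value}) for a raw HTTP request."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_callback_urls(callback_header):
    """The Callback header carries one or more URLs, each in angle brackets."""
    return re.findall(r"<([^>]+)>", callback_header)


def callback_url_allowed(url, local_nets):
    """Accept only http:// callbacks whose host is a literal IP address inside
    one of the device's local subnets.  Host names are rejected outright:
    resolving attacker-supplied names would reopen the proxying problem via DNS,
    and event delivery only ever needs to reach a control point on the LAN."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False
    return any(host in net for net in local_nets)


def evaluate_subscribe(raw_request, source_ip, local_nets):
    """Decision a hardened device (or an IPS in front of it) should make.
    Returns (accepted, reason)."""
    method, _path, headers = parse_headers(raw_request)
    if method not in ("SUBSCRIBE", "UNSUBSCRIBE"):
        return True, "not a subscription request"
    src = ipaddress.ip_address(source_ip)
    if not any(src in net for net in local_nets):
        return False, f"SUBSCRIBE from non-local source {source_ip}"
    if method == "UNSUBSCRIBE":
        return True, "unsubscribe from local source"
    urls = parse_callback_urls(headers.get("callback", ""))
    if not urls:
        return False, "no Callback URL"
    bad = [u for u in urls if not callback_url_allowed(u, local_nets)]
    if bad:
        return False, "callback outside local network: " + ", ".join(bad)
    return True, "all callbacks local"


if __name__ == "__main__":
    # Attacker on the Internet points the device at a third-party victim.
    attack = build_subscribe(DEVICE_IP, 2869, EVENT_PATH,
                             ["http://203.0.113.7:80/victim-path"])
    print(attack)
    print(evaluate_subscribe(attack, "198.51.100.22", LOCAL_NETS))
    # Legitimate control point on the LAN subscribing with a LAN callback.
    good = build_subscribe(DEVICE_IP, 2869, EVENT_PATH,
                           ["http://192.0.2.55:49152/notify"])
    print(evaluate_subscribe(good, "192.0.2.55", LOCAL_NETS))
```

Running the block prints the raw request and the two decisions. Note that the source-address check alone is not enough: a request from a LAN host can still name an off-network Callback URL, which is why the second check inspects every URL in the header rather than only the first.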

source: budenet.ru
