Pwnie Awards 2019: the most significant vulnerabilities and security failures

At the Black Hat USA conference in Las Vegas, the Pwnie Awards 2019 ceremony was held, highlighting the most significant vulnerabilities and the most absurd failures in computer security. The Pwnie Awards are considered the computer-security equivalent of the Oscars and the Golden Raspberries and have been held annually since 2007.

Main winners and nominations:

  • Best Server Bug. Awarded for identifying and exploiting the most technically complex and interesting bug in a network service. The winners are the researchers who identified a vulnerability in the VPN provider Pulse Secure, whose VPN service is used by Twitter, Uber, Microsoft, sla, SpaceX, Akamai, Intel, IBM, VMware, the US Navy, the US Department of Homeland Security (DHS) and probably half of the Fortune 500 companies. The researchers found a backdoor that allows an unauthenticated attacker to change the password of any user. The possibility of exploiting the problem to obtain root access to a VPN server with only the HTTPS port open was demonstrated;

    Among the nominees who did not receive the award, the following can be noted:

    • A vulnerability in the Jenkins continuous integration system, exploitable at the pre-authentication stage, that allows code execution on the server. The vulnerability is actively used by bots to set up cryptocurrency mining on servers;
    • A critical vulnerability in the Exim mail server that allows executing code on the server with root privileges;
    • Vulnerabilities in Xiongmai XMeye P2P IP cameras that allow taking control of the device. The cameras shipped with an engineering password and did not verify digital signatures when updating the firmware;
    • A critical vulnerability in the implementation of the RDP protocol in Windows that allows remote code execution;
    • A vulnerability in WordPress related to uploading PHP code under the guise of an image. The problem allows executing arbitrary code on the server with the rights of a publication author (Author) on the site;
  • Best Client Software Bug. The winner is an easy-to-exploit vulnerability in Apple FaceTime group calls that allows the initiator of a group call to force the call to be accepted by the called party (for example, for eavesdropping and snooping).

    Also nominated for the award were:

    • A vulnerability in WhatsApp that allows executing code by sending a specially crafted voice call;
    • A vulnerability in the Skia graphics library used in the Chrome browser that can lead to memory corruption due to errors in some geometric transformations;
  • Best Privilege Escalation Bug. The award was given for identifying a vulnerability in the iOS kernel, exploitable via ipc_voucher and reachable from the Safari browser.

    Also nominated for the award were:

    • A vulnerability in Windows that allows gaining full control over the system through manipulation of the CreateWindowEx (win32k.sys) function. The problem was identified during analysis of malware that exploited the vulnerability before it was fixed;
    • A vulnerability in runc and LXC, affecting Docker and other container isolation systems, that allows an attacker-controlled isolated container to modify the runc executable and obtain root privileges on the host side;
    • A vulnerability in iOS (CFPrefsDaemon) that allows bypassing isolation modes and executing code with root privileges;
    • A vulnerability in the version of the Linux TCP stack used in Android that allows a local user to elevate their privileges on the device;
    • Vulnerabilities in systemd-journald that allow obtaining root privileges;
    • A vulnerability in the tmpreaper utility for cleaning /tmp that allows saving your file to any part of the file system;
  • Best Cryptographic Attack. Awarded for identifying the most significant gaps in real systems, protocols and encryption algorithms. The award was given for identifying vulnerabilities in the WPA3 wireless network security technology and EAP-pwd that allow recovering the connection password and gaining access to a wireless network without knowing the password.

    Other contenders for the award were:

    • A technique for attacking PGP and S/MIME encryption in email clients;
    • Application of the cold boot method to gain access to the contents of encrypted Bitlocker partitions;
    • A vulnerability in OpenSSL that allows distinguishing the cases of receiving incorrect padding and an incorrect MAC. The problem is caused by incorrect handling of zero bytes in the padding oracle;
    • Problems with the ID cards used in Germany that rely on SAML;
    • Problems with the entropy of random numbers in the implementation of U2F token support in ChromeOS;
    • A vulnerability in Monocypher due to which null EdDSA signatures were recognized as valid.
  • Most Innovative Research. The award was given to the developer of the Vectorized Emulation technology, which uses AVX-512 vector instructions to emulate program execution, allowing a significant increase in fuzzing speed (up to 40-120 billion instructions per second). The technique allows each CPU core to run 8 64-bit or 16 32-bit virtual machines in parallel with instructions for fuzz testing the application.

    The following were nominated for the award:

    • A vulnerability in the Power Query technology from MS Excel that allows setting up code execution and bypassing application isolation methods when opening specially crafted spreadsheets;
    • A technique for deceiving the autopilot of Tesla cars to provoke driving into the oncoming lane;
    • Work on reverse engineering the Siemens S7-1200 ASIC chip;
    • SonarSnoop - a finger-movement tracking technique for determining the phone unlock code, based on the principle of sonar: the top and bottom speakers of the smartphone generate inaudible vibrations, and the built-in microphones pick them up to analyze the presence of vibrations reflected from the hand;
    • Development of the NSA's Ghidra reverse engineering toolkit;
    • SAFE - a technique for determining the use of code for identical functions in several executable files based on analysis of binary assemblies;
    • Creation of a method to bypass the Intel Boot Guard mechanism in order to load modified UEFI firmware without digital signature verification.
  • Lamest Vendor Response. A nomination for the most inadequate response to reports of vulnerabilities in one's own products. The winners are the developers of the BitFi crypto wallet, who shouted about the super-security of their product, which in reality turned out to be imaginary, harassed the researchers who identified vulnerabilities, and did not pay the promised bounties for identifying problems;

    Among the applicants for the award were also:

    • A security researcher accused the director of Atrient of attacking him to force him to remove the report on a vulnerability he had identified, but the director denies the incident and the surveillance cameras did not record the attack;
    • Zoom delayed fixing a critical vulnerability in its conferencing system and fixed the problem only after public disclosure. The vulnerability allowed an external attacker to obtain data from the webcam of macOS users when a specially crafted page was opened in the browser (Zoom launched an http server on the client side that received commands from the local application).
    • Failure to fix, for more than 10 years, a problem with OpenPGP cryptographic key servers, citing the fact that the code is written in the niche OCaml language and still has no maintainer.
  • Most Over-hyped Bug. Awarded for the most pathos-laden and large-scale coverage of a problem on the Internet and in the media, especially if the vulnerability ultimately turns out to be unexploitable in practice. The award was given to Bloomberg for its report about the discovery of spy chips in Super Micro boards, which was not confirmed, and whose source indicated completely different information.

    Also mentioned in the nomination:

    • A vulnerability in libssh that affected a single server application (libssh is almost never used for servers), but was presented by NCC Group as a vulnerability allowing attacks on any OpenSSH server.
    • An attack using DICOM images. The point is that you can prepare an executable file for Windows that will look like a valid DICOM image. Such a file can be loaded onto a medical device and executed.
    • The Thrangrycat vulnerability, which allows bypassing the secure boot mechanism on Cisco devices. The vulnerability is classified as overblown because it requires root privileges to attack, and if the attacker has already managed to gain root access, then what security can we talk about. The vulnerability also won in the category of most underrated problems, since it allows implanting a persistent backdoor in Flash;
  • Most Epic FAIL. The win was awarded to Bloomberg for a series of sensational articles with loud headlines but fabricated facts, suppression of sources, a slide into conspiracy theories, use of terms like "cyberweapons", and unacceptable generalizations. Other nominees include:
    • The Shadowhammer attack on the Asus firmware update service;
    • The hacking of the BitFi vault advertised as "unhackable";
    • Leaks of personal data and access tokens at Facebook.

Source: opennet.ru