ALPACA - a new MITM attack technique against HTTPS

A team of researchers from several German universities has developed a new MITM attack on HTTPS that can extract session cookies and other sensitive data and execute arbitrary JavaScript code in the context of another site. The attack is called ALPACA and applies to TLS servers that implement different application-layer protocols (HTTPS, SFTP, SMTP, IMAP, POP3) but share a common TLS certificate.

The essence of the attack is that an attacker who controls a network gateway or a wireless access point can redirect web traffic to a different network port and arrange for the connection to be established with an FTP or mail server that supports TLS encryption and uses a TLS certificate shared with the HTTP server, while the user's browser assumes it has connected to the requested HTTP server. Because TLS is generic and not tied to the application-layer protocol, the encrypted connection is set up identically for all services, and the mistake of delivering a request to the wrong service can only be noticed after the encrypted session is already established, when the commands of the transmitted request are processed.

Thus, if a user's connection originally addressed to HTTPS is redirected to a mail server that uses a certificate shared with the HTTPS server, the TLS connection will be established successfully, but the mail server will be unable to process the transmitted HTTP commands and will return a response with an error code. The browser will treat this response as a reply from the requested site, since it arrived over a correctly established encrypted channel.

Three attack variants are described:

  • "Upload" to retrieve a cookie carrying authentication parameters. The method works if an FTP server covered by the TLS certificate allows data to be uploaded and retrieved. In this variant the attacker can get parts of the original HTTP request preserved, such as the contents of the Cookie header, for example when the FTP server interprets the request as a file to store or logs incoming requests in full. For the attack to succeed, the attacker must then retrieve the stored content. The attack applies to Proftpd, Microsoft IIS, vsftpd, filezilla and serv-u.
  • "Download" for cross-site scripting (XSS). The method assumes that the attacker, through some separate manipulation, can place data in a service that uses the shared TLS certificate, and that this data can then be served in response to the user's request. The attack applies to the FTP servers listed above and to IMAP and POP3 servers (courier, cyrus, kerio-connect and zimbra).
  • "Reflection" to run JavaScript in the context of another site. The method relies on the server returning to the client part of the request that contains JavaScript code supplied by the attacker. The attack applies to the FTP servers listed above, the cyrus, kerio-connect and zimbra IMAP servers, and the sendmail SMTP server.


For example, when a user opens a page controlled by the attacker, that page can initiate a request for a resource from a site where the user has an active account (for example, bank.com). In a MITM attack, this request addressed to bank.com can be redirected to a mail server that uses a TLS certificate shared with bank.com. Since the mail server does not terminate the session after the first error, the service headers and commands such as "POST / HTTP/1.1" and "Host:" are processed as unknown commands (the mail server returns "500 unknown command" for each header).

The mail server does not understand the specifics of HTTP, so for it the service headers and the data block of the POST request are processed identically, which means a line containing a mail-server command can be placed in the body of the POST request. For example, passing "MAIL FROM: alert(1);" makes the mail server return the error message "501 alert(1); : malformed address: alert(1); may not follow".

This response is received by the user's browser, which executes the JavaScript code not in the context of the attacker's page that was originally opened but in the context of bank.com, the site the request was sent to, because the response arrived inside a correct TLS session whose certificate vouched for bank.com.
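The server-side behaviour described above, and the error limit recommended later on this page, as an added Go example that is not part of the original article and does not model any of the mail servers it names: a toy command loop is fed the lines of a constructed misdirected HTTP request. With no error limit it answers every header with "500 unknown command" and reaches the body line, whose unparsed argument the lenient variant copies back into its 501 reply; with a limit of three errors it drops the session before the body is ever read, and the hardened variant never echoes input. The host names, the limit of three and the simplified address check are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Session is a toy model of an SMTP-style command loop, not any real mail
// server. errLimit 0 reproduces the lenient behaviour the article describes
// (never close on bad commands); echoArgs controls whether a rejected
// argument is copied back into the error reply.
type Session struct {
	errLimit int
	echoArgs bool
	errors   int
}

// fail records one protocol error and decides whether the session survives it.
func (s *Session) fail(msg string) (reply string, open bool) {
	s.errors++
	if s.errLimit > 0 && s.errors >= s.errLimit {
		return "421 too many errors, closing connection", false
	}
	return msg, true
}

// looksLikeAddress is a deliberately crude stand-in for RFC 5321 address
// parsing (an assumption of this example, not real validation).
func looksLikeAddress(a string) bool {
	a = strings.TrimSpace(a)
	return strings.HasPrefix(a, "<") && strings.HasSuffix(a, ">") && strings.Contains(a, "@")
}

// handleLine answers one input line and reports whether the session stays open.
func (s *Session) handleLine(line string) (reply string, open bool) {
	verb, arg, _ := strings.Cut(strings.TrimRight(line, "\r\n"), " ")
	switch strings.ToUpper(verb) {
	case "EHLO", "HELO":
		return "250 mail.example.test", true
	case "MAIL":
		if len(arg) < 5 || !strings.EqualFold(arg[:5], "FROM:") {
			return s.fail("501 syntax error in parameters")
		}
		addr := arg[5:]
		if looksLikeAddress(addr) {
			return "250 OK", true
		}
		if s.echoArgs { // lenient servers reflect the unparsed argument
			return s.fail(fmt.Sprintf("501 %s: bad address", strings.TrimSpace(addr)))
		}
		return s.fail("501 syntax error in address")
	case "QUIT":
		return "221 Bye", false
	default: // every HTTP header line, and the blank line, ends up here
		return s.fail("500 unknown command")
	}
}

// runSession feeds lines to the server until it closes the connection and
// returns every reply it sent.
func runSession(s *Session, lines []string) []string {
	var replies []string
	for _, l := range lines {
		reply, open := s.handleLine(l)
		replies = append(replies, reply)
		if !open {
			break
		}
	}
	return replies
}

// misdirectedRequest is a constructed HTTP POST of the shape the article
// describes, as a mail server sees it line by line after the redirect. The
// body line is not a valid address, so a lenient server reports it back.
var misdirectedRequest = []string{
	"POST / HTTP/1.1",
	"Host: bank.example.test",
	"Content-Length: 26",
	"",
	"MAIL FROM: <not an address",
}

func main() {
	fmt.Println("lenient: ", runSession(&Session{echoArgs: true}, misdirectedRequest))
	fmt.Println("hardened:", runSession(&Session{errLimit: 3}, misdirectedRequest))
}
```

The lenient run produces five replies and the last one carries the body's text verbatim; the hardened run stops after three replies with a 421, so nothing from the request body is ever interpreted or reflected.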


A scan of the global network showed that roughly 1.4 million servers are affected by the problem in principle, that is, an attack mixing requests from different protocols is possible against them. The feasibility of a real attack was confirmed for 119 thousand servers that have accompanying TLS servers running other application protocols.

Exploit examples were prepared for the FTP servers pureftpd, proftpd, microsoft-ftp, vsftpd, filezilla and serv-u, the IMAP and POP3 servers dovecot, courier, exchange, cyrus, kerio-connect and zimbra, and the SMTP servers postfix, exim, sendmail, mailenable, mdaemon and opensmtpd. The researchers studied the attack only in combination with FTP, SMTP, IMAP and POP3 servers, but the problem may well also apply to other application protocols that use TLS.


To block the attack, it is proposed to use the ALPN (Application Layer Protocol Negotiation) extension to negotiate the TLS session with the application protocol taken into account, and the SNI (Server Name Indication) extension to bind the session to the host name when TLS certificates covering several domain names are used. On the application side, it is recommended to limit the number of errors tolerated while processing commands and to terminate the connection once that limit is reached. Work on countermeasures began in October of last year. Corresponding protective measures have already been adopted in Nginx 1.21.0 (mail proxy), Vsftpd 3.0.4, Courier 5.1.0, Sendmail, FileZilla, crypto/tls (Go) and Internet Explorer.
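The ALPN countermeasure, as an added Go example that is not code from the article or from the crypto/tls change it mentions: a client and a server complete a TLS handshake over an in-memory pipe, with the server restricted to the protocols it actually speaks. A browser-style client offering "h2" and "http/1.1" is accepted by the web service, refused by a service that announces only "imap", and a client that sends no ALPN at all still gets through, which is why the application-level error limit described above remains necessary for legacy clients. The host names, the throwaway self-signed certificate and the choice of "imap" as the mail service's identifier are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate valid for every name in hosts,
// standing in for the one certificate that the web and mail services share.
// The returned pool trusts only that certificate (test fixture, not for production).
func selfSignedCert(hosts []string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0]},
		DNSNames:     hosts,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// alpnHandshake runs a TLS 1.2 handshake over an in-memory pipe between a
// server that accepts only serverProtos and a client that offers clientProtos,
// and returns the protocol the server negotiated. TLS 1.2 is pinned because
// net.Pipe is synchronous and TLS 1.3's post-handshake tickets would stall it.
func alpnHandshake(serverProtos, clientProtos []string) (string, error) {
	cert, pool, err := selfSignedCert([]string{"www.example.test", "mail.example.test"})
	if err != nil {
		return "", err
	}
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()

	server := tls.Server(serverConn, &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   serverProtos, // ALPN: the only protocols this service speaks
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	})
	client := tls.Client(clientConn, &tls.Config{
		RootCAs:    pool,
		ServerName: "www.example.test", // the browser believes it reached the web host
		NextProtos: clientProtos,
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	})

	clientDone := make(chan error, 1)
	go func() { clientDone <- client.Handshake() }()
	serverErr := server.Handshake()
	<-clientDone // let the client finish reading before the pipe is torn down
	if serverErr != nil {
		return "", serverErr
	}
	return server.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	browser := []string{"h2", "http/1.1"}
	for _, c := range []struct {
		name   string
		server []string
		client []string
	}{
		{"web service  <- browser", []string{"http/1.1"}, browser},
		{"mail service <- browser", []string{"imap"}, browser},
		{"mail service <- no ALPN", []string{"imap"}, nil},
	} {
		proto, err := alpnHandshake(c.server, c.client)
		fmt.Printf("%s: proto=%q err=%v\n", c.name, proto, err)
	}
}
```

In the second case the server aborts the handshake with a no_application_protocol alert before any certificate is checked, so the redirected browser never gets a TLS session with the mail service at all; the third case shows that a client offering no ALPN is still accepted, which is the gap the command-level error limit closes.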

Source: opennet.ru
