Pwnie Awards 2019: the Most Significant Security Vulnerabilities and Failures

At the Black Hat USA conference in Las Vegas, the Pwnie Awards 2019 ceremony was held, highlighting the most significant vulnerabilities and the most absurd failures in the field of computer security. The Pwnie Awards are regarded as the computer-security equivalent of the Oscars and the Golden Raspberries and have been held annually since 2007.

Main winners and nominations:

  • Best Server Bug. Awarded for discovering and exploiting the most technically complex and interesting bug in a network service. The winners were the researchers who disclosed a vulnerability in the products of the VPN vendor Pulse Secure, whose VPN service is used by Twitter, Uber, Microsoft, sla, SpaceX, Akamai, Intel, IBM, VMware, the US Navy, the US Department of Homeland Security (DHS) and possibly half of the companies on the Fortune 500 list. The researchers found a backdoor that allows an unauthenticated attacker to change the password of any user. The possibility of exploiting the problem to gain root access to a VPN server on which only the HTTPS port is open was demonstrated;

    Among the nominees that did not receive the award, the following can be noted:

    • A pre-authentication vulnerability in the Jenkins continuous integration system that allows code execution on the server. The vulnerability is actively exploited by bots to set up cryptocurrency mining on servers;
    • A critical vulnerability in the Exim mail server that allows code execution on the server with root privileges;
    • Vulnerabilities in Xiongmai XMeye P2P IP cameras that allow taking control of the device. The cameras shipped with an engineering password and did not verify digital signatures when updating the firmware;
    • A critical vulnerability in the implementation of the RDP protocol in Windows that allows remote code execution;
    • A vulnerability in WordPress related to uploading PHP code under the guise of an image. The problem allows executing arbitrary code on the server with the privileges of a post author (Author) on the site;
  • Best Client Software Bug. The winner was an easy-to-exploit vulnerability in the Apple FaceTime group calling application that allows the initiator of a group call to force the called party to accept the call (for example, for eavesdropping and watching).

    Also nominated for the award were:

    • A vulnerability in WhatsApp that allows code execution by sending a specially crafted voice call;
    • A vulnerability in the Skia graphics library used in the Chrome browser that can lead to memory corruption due to floating-point errors in some geometric transformations;
  • Best Privilege Escalation Bug. The award was given for identifying a vulnerability in the iOS kernel that can be exploited via ipc_voucher, reachable through the Safari browser.

    Also nominated for the award were:

    • A vulnerability in Windows that allows taking full control of the system through manipulation of the CreateWindowEx function (win32k.sys). The problem was identified during the analysis of malware that exploited the vulnerability before it was fixed;
    • A vulnerability in runc and LXC, affecting Docker and other container isolation systems, that allows an attacker-controlled isolated container to modify the runtime's executable file and gain root privileges on the host side;
    • A vulnerability in iOS (CFPrefsDaemon) that allows bypassing isolation mechanisms and executing code with root privileges;
    • A vulnerability in the edition of the Linux TCP stack used in Android that allows a local user to elevate their privileges on the device;
    • Vulnerabilities in systemd-journald that allow obtaining root privileges;
    • A vulnerability in the tmpreaper utility for cleaning /tmp that allows placing an attacker's file in any part of the file system;
  • Best Cryptographic Attack. Awarded for identifying the most significant gaps in real systems, protocols and encryption algorithms. The award was given for identifying vulnerabilities in the WPA3 wireless security technology and EAP-pwd that allow recovering the connection password and gaining access to a wireless network without knowing the password.

    Other nominees for the award were:

    • A method of attacking PGP and S/MIME encryption in email clients;
    • Use of the cold boot method to gain access to the contents of encrypted BitLocker partitions;
    • A vulnerability in OpenSSL that allows distinguishing the condition of receiving incorrect padding from that of receiving an incorrect MAC. The problem is caused by incorrect handling of a zero byte in the padding oracle;
    • Problems with the ID cards used in Germany when used with SAML;
    • A problem with the entropy of random numbers in the implementation of U2F token support in ChromeOS;
    • A vulnerability in Monocypher due to which null EdDSA signatures were recognised as valid.
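The OpenSSL item above is an instance of a padding oracle: a MAC-then-encrypt record check that lets a remote party tell a padding failure apart from a MAC failure. The following is an added, constructed example (not OpenSSL's code and not from the original article) that shows, on an already-decrypted record layout, a leaky checker beside one that always performs both checks and returns a single verdict. The record format, the key and the helper names are assumptions for the demonstration; the zero-byte edge case the article mentions (a single 0x00 padding byte) is exercised so the reader can see it is handled consistently by the hardened version.

```python
"""Added example: a leaky vs. a hardened MAC-then-pad record check.
Toy code written for this page; not OpenSSL's implementation."""
import hashlib
import hmac
from enum import Enum

BLOCK = 16      # cipher block size the record length must be a multiple of
TAG_LEN = 32    # HMAC-SHA256 tag length
KEY = b"constructed-demo-key"  # constructed sample key, not from the page


class Verdict(Enum):
    OK = "ok"
    BAD_PADDING = "bad_padding"   # only the leaky checker ever reports this
    BAD_MAC = "bad_mac"           # only the leaky checker ever reports this
    BAD_RECORD = "bad_record"     # the single error the hardened checker uses


def pad(data: bytes) -> bytes:
    """TLS-style padding: pad_len + 1 bytes, each holding the value pad_len.
    A zero pad_len is legal and yields exactly one 0x00 byte."""
    pad_len = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([pad_len]) * (pad_len + 1)


def build_record(plaintext: bytes) -> bytes:
    """plaintext || HMAC-SHA256(plaintext) || padding: a decrypted MAC-then-encrypt record."""
    tag = hmac.new(KEY, plaintext, hashlib.sha256).digest()
    return pad(plaintext + tag)


def leaky_check(record: bytes) -> Verdict:
    """Returns early on bad padding and reports it separately from a bad MAC.
    The two distinguishable outcomes (and the skipped MAC work) are the oracle."""
    if len(record) == 0 or len(record) % BLOCK:
        return Verdict.BAD_PADDING
    pad_len = record[-1]
    if pad_len + 1 + TAG_LEN > len(record):
        return Verdict.BAD_PADDING
    if record[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return Verdict.BAD_PADDING          # early exit: MAC is never computed
    body = record[:-(pad_len + 1)]
    msg, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(KEY, msg, hashlib.sha256).digest(), tag):
        return Verdict.BAD_MAC
    return Verdict.OK


def hardened_check(record: bytes) -> Verdict:
    """Always checks every padding byte and always computes a MAC, then folds
    both results into one verdict so the caller cannot tell which failed."""
    if len(record) == 0 or len(record) % BLOCK:
        return Verdict.BAD_RECORD
    pad_len = record[-1]
    length_ok = pad_len + 1 + TAG_LEN <= len(record)
    eff = pad_len if length_ok else 0       # keep going with a safe length on bad input
    diff = 0
    for b in record[-(eff + 1):]:           # no short-circuit over the padding bytes
        diff |= b ^ eff
    padding_ok = length_ok and diff == 0
    body = record[:-(eff + 1)]
    msg, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    mac_ok = hmac.compare_digest(hmac.new(KEY, msg, hashlib.sha256).digest(), tag)
    return Verdict.OK if (padding_ok and mac_ok) else Verdict.BAD_RECORD


def oracle_distinguishes(check) -> bool:
    """True if the checker's verdict reveals whether padding or the MAC was wrong."""
    good = build_record(b"GET / HTTP/1.1")               # constructed sample plaintext
    bad_padding = good[:-1] + bytes([(good[-1] + 1) % 256])  # corrupt the last padding byte
    bad_mac = bytearray(good)
    bad_mac[0] ^= 0x01                                     # corrupt the plaintext, MAC no longer matches
    return check(bad_padding) != check(bytes(bad_mac))


if __name__ == "__main__":
    print("leaky checker is an oracle:", oracle_distinguishes(leaky_check))
    print("hardened checker is an oracle:", oracle_distinguishes(hardened_check))
```

The hardened version still differs from a real TLS implementation in timing details (a production check also has to keep the number of hash compression calls independent of the pad length), but it shows the two properties that matter for the article's point: no early exit before the MAC is computed, and no error code that names which check failed.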
  • Most Innovative Research. The award went to the developer of the Vectorized Emulation technique, which uses AVX-512 vector instructions to emulate program execution and thereby achieves a large increase in fuzzing speed (up to 40-120 billion instructions per second). The technique lets each CPU core run 8 64-bit or 16 32-bit virtual machines in parallel, each executing the instructions of the application under fuzz testing.

    The following were also nominated for the award:

    • A vulnerability in the Power Query technology of MS Excel that allows arranging code execution and bypassing isolation methods when opening specially crafted spreadsheets;
    • A method of deceiving the Tesla autopilot into driving into the oncoming lane;
    • Reverse engineering of the ASICS chip of the Siemens S7-1200;
    • SonarSnoop - a finger-movement tracking technique for determining a phone's unlock code, based on the principle of sonar: the upper and lower speakers of a smartphone emit inaudible vibrations, and the built-in microphones pick them up to analyse whether the vibrations are reflected from the hand;
    • The development of the NSA's Ghidra reverse engineering toolkit;
    • SUNGAKHALA - a technique for detecting code reuse of identical functions across several executable files, based on analysis of the binary assembly;
    • The creation of a method for bypassing the Intel Boot Guard mechanism in order to load modified UEFI firmware without digital signature verification.
  • Lamest Vendor Response. A nomination for the most inadequate response to a vulnerability report concerning one's own product. The winners were the developers of the BitFi crypto wallet, who trumpet the super-security of their product, which in fact turned out to be fictitious, harass the researchers who identify vulnerabilities, and do not pay the bounties promised for identifying problems;

    Among the other contenders for the award were:

    • A security researcher accused a director of Atrient of assaulting him to force him to remove a report about a vulnerability he had identified, but the director denies the incident and the surveillance cameras did not record the assault;
    • Zoom delayed fixing a critical vulnerability in its conferencing system and corrected the problem only after public disclosure. The vulnerability allowed an external attacker to obtain data from the webcams of macOS users when they opened a specially crafted page in the browser (Zoom launched an http server on the client side that received commands from the local application).
    • The failure for more than 10 years to fix a problem with the OpenPGP cryptographic key servers, citing the fact that the code was written in OCaml and remains without a maintainer.

  • Most Over-hyped Bug. Awarded for the most inflated and loudly publicised coverage of a problem on the internet and in the media, especially if the vulnerability ultimately turns out to be unexploitable in practice. The award went to Bloomberg for its claim about the discovery of spy chips on Super Micro boards, which was not confirmed, and the source reported completely different information.

    Mentioned in the nomination:

    • A vulnerability in libssh that affects only a few server applications (libssh is almost never used on servers) but was presented by NCC Group as a vulnerability that allows attacking any OpenSSH server.
    • An attack using DICOM images. The point is that a Windows executable file can be prepared that looks like a valid DICOM image. Such a file can be uploaded to a medical device and executed.
    • The Thrangrycat vulnerability, which allows bypassing the secure boot mechanism on Cisco devices. The vulnerability is classified as an over-hyped problem because it requires root privileges to attack, and if the attacker has already managed to obtain root, what security is there left to talk about. The vulnerability also won in the category of most under-hyped problems, because it allows planting a persistent backdoor in Flash;
  • Most Epic FAIL. The award went to Bloomberg for a series of sensational articles with loud headlines but fabricated facts, suppression of sources, a descent into conspiracy theories, the use of terms such as "cyberweapons", and unacceptable generalisations. Other nominees were:
    • The Shadowhammer attack on the Asus firmware update service;
    • The hacking of the BitFi storage device advertised as "unhackable";
    • The leak of personal data and access tokens of Facebook users.
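The DICOM item above relies on a structural property of the DICOM Part 10 file format: the file begins with a 128-byte application-defined preamble, and only at offset 128 does the "DICM" magic appear, so a Windows PE header (which must start at offset 0 with "MZ") can be placed in the preamble without breaking DICOM parsers. As an added, constructed example (not from the original article or from the researchers who described the attack), here is a small classifier a defender could run over a DICOM archive to flag files whose preamble carries a PE header; the sample blobs are constructed inline and the category names are assumptions for this demonstration.

```python
"""Added example: flag DICOM files whose 128-byte preamble carries a PE header.
Written for this page; not the original researchers' tooling."""
import struct

PREAMBLE_LEN = 128           # DICOM Part 10: application-defined preamble
DICM = b"DICM"               # magic at offset 128
PE_SIG = b"PE\x00\x00"       # PE signature pointed to by e_lfanew
E_LFANEW_OFFSET = 0x3C       # where the DOS header stores the PE header offset


def _pe_signature_present(blob: bytes) -> bool:
    """True if the blob starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < E_LFANEW_OFFSET + 4 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)
    return blob[e_lfanew:e_lfanew + 4] == PE_SIG


def classify(blob: bytes) -> str:
    """Classify a file by its leading bytes (category names are this example's own):
    'dicom'                    - DICM magic at 128, ordinary preamble
    'pe-dicom-polyglot'        - DICM magic at 128 AND a complete PE header reachable from offset 0
    'dicom-suspicious-preamble'- DICM magic at 128 and an 'MZ' preamble but no PE signature
    'pe'                       - a plain PE file
    'other'                    - anything else
    """
    has_dicm = blob[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICM
    has_mz = blob[:2] == b"MZ"
    has_pe = _pe_signature_present(blob)
    if has_dicm and has_pe:
        return "pe-dicom-polyglot"
    if has_dicm and has_mz:
        return "dicom-suspicious-preamble"
    if has_dicm:
        return "dicom"
    if has_pe:
        return "pe"
    return "other"


def scan(files: dict) -> dict:
    """Map file name -> classification for every entry whose class is not plain 'dicom'."""
    return {name: classify(blob) for name, blob in files.items() if classify(blob) != "dicom"}


# --- constructed samples (not real medical images or real executables) ---
# A benign DICOM: zero preamble, DICM, then one transfer-syntax element.
BENIGN_DICOM = (b"\x00" * PREAMBLE_LEN + DICM
                + b"\x02\x00\x10\x00UI\x14\x00" + b"1.2.840.10008.1.2.1\x00")

# A polyglot: DOS header in the preamble, e_lfanew pointing past the DICM magic
# to a PE signature that lives inside what a DICOM reader treats as element data.
PE_OFFSET = 0x100
_dos = bytearray(PREAMBLE_LEN)
_dos[:2] = b"MZ"
_dos[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = struct.pack("<I", PE_OFFSET)
POLYGLOT = bytes(_dos) + DICM
POLYGLOT += b"\x00" * (PE_OFFSET - len(POLYGLOT)) + PE_SIG + b"\x00" * 20

# A plain PE stub with its signature immediately after the DOS header.
_pe = bytearray(0x40)
_pe[:2] = b"MZ"
_pe[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = struct.pack("<I", 0x40)
PLAIN_PE = bytes(_pe) + PE_SIG + b"\x00" * 20

if __name__ == "__main__":
    sample_store = {"study1.dcm": BENIGN_DICOM, "study2.dcm": POLYGLOT, "tool.exe": PLAIN_PE}
    for name, verdict in scan(sample_store).items():
        print(f"{name}: {verdict}")
```

Because the DICOM standard leaves the preamble's content unspecified, a benign file could in principle start with "MZ"; that is why the example separates a bare "MZ" preamble from a preamble whose e_lfanew actually resolves to a PE signature, and only the latter is reported as a polyglot. A stricter deployment would also reject any non-zero preamble at ingest time, which the standard permits.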

Source: opennet.ru
