ALPACA - a new MITM attack technique against HTTPS

A team of researchers from several German universities has developed a new MITM attack against HTTPS that can extract session cookies and other sensitive data, as well as execute arbitrary JavaScript code in the context of another site. The attack is called ALPACA and applies to TLS servers that implement different application-layer protocols (HTTPS, FTP over TLS, SMTP, IMAP, POP3) but share a common TLS certificate.

The core of the attack: an attacker who controls a network gateway or a wireless access point can redirect web traffic to a different network port and arrange for the connection to be established with an FTP or mail server that supports TLS and uses a TLS certificate shared with the HTTP server, while the user's browser believes the connection was established with the HTTP server it asked for. Because the TLS protocol is generic and not bound to any application-layer protocol, the establishment of the encrypted connection is identical for all services, and the mistake of delivering the request to the wrong service can only be noticed after the encrypted session has been set up, when the commands in the delivered request are being processed.

So if, for example, a user's connection that was originally directed at HTTPS is redirected to a mail server that uses a certificate shared with the HTTPS server, the TLS connection will be established successfully, but the mail server will be unable to process the HTTP commands it receives and will return a response carrying an error code. The browser treats this response as a response from the requested site, since it arrived inside the encrypted channel.

Three attack variants are described:

  • "Upload", to obtain a Cookie carrying authentication parameters. The method works when the FTP server covered by the TLS certificate permits uploading and retrieving its data. In this variant, parts of the user's original HTTP request, such as the contents of the Cookie header, may be preserved by the attacker, for example when the FTP server interprets the request as a file to be stored or logs incoming requests in full. To complete the attack, the attacker must then retrieve the stored content by some other means. The attack works against Proftpd, Microsoft IIS, vsftpd, filezilla and serv-u.
  • "Download", to stage cross-site scripting (XSS). The method relies on the attacker being able, through some other manipulation, to place data on a service that uses the shared TLS certificate, which is then returned in response to the user's request. The attack works against the FTP servers listed above, as well as IMAP and POP3 servers (courier, cyrus, kerio-connect and zimbra).
  • "Reflection", to run JavaScript in the context of another site. The method is based on the server returning to the client a part of the request that contains JavaScript code supplied by the attacker. The attack works against the FTP servers listed above, the cyrus, kerio-connect and zimbra IMAP servers, and the sendmail SMTP server.


For example, when a user opens a page controlled by the attacker, that page can initiate a request for a resource on a site where the user has an active account (for example, bank.com). During the MITM attack, this request addressed to bank.com can be redirected to a mail server that uses a TLS certificate shared with bank.com. Since the mail server does not terminate the session after the first error, the service headers and commands such as "POST / HTTP/1.1" and "Host:" are processed as unknown commands (the mail server returns "500 unrecognized command" for each header).

The mail server knows nothing of the HTTP protocol; to it the service headers and the data block of a POST request are processed in exactly the same way, so the body of the POST request can carry a line containing a command for the mail server. For example, one can send: MAIL FROM: <script>alert(1);</script>, to which the mail server returns the 501 error message "<script>alert(1);</script>: malformed address: <script>alert(1);</script> may not follow".

This response reaches the user's browser, which executes the JavaScript code not in the context of the site the attacker originally opened, but in the context of bank.com, to which the request was sent, because the response arrived within a TLS session whose certificate vouched for bank.com.
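To make the reflection concrete, here is an added example that is not from the original article and not the code of any real mail server: a toy, line-oriented SMTP command loop in Go, fed a constructed browser request whose POST body carries the attacker's MAIL FROM line. The hosts bank.example and mail.bank.example, the session cookie value and the exact reply strings are placeholders chosen for this example. The same loop also shows the error-limit countermeasure: with MaxErrors set, the session is closed while the server is still chewing through the HTTP headers, so the payload in the body is never echoed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// AttackRequest is a constructed HTTP request of the kind a page controlled by
// the attacker can make the browser send to the victim site; in the attack the
// MITM delivers this TCP connection to the mail server's TLS port instead.
// The body is the attacker's SMTP command line; Content-Length counts its bytes.
const AttackRequest = "POST / HTTP/1.1\r\n" +
	"Host: bank.example\r\n" +
	"Cookie: session=abc123\r\n" + // the header the "upload" variant tries to capture
	"Content-Type: text/plain\r\n" +
	"Content-Length: 39\r\n" +
	"\r\n" +
	"MAIL FROM: <script>alert(1);</script>\r\n"

// Payload is the attacker-chosen string we expect to find reflected.
const Payload = "<script>alert(1);</script>"

// ToySMTP is a deliberately minimal SMTP command loop constructed for this
// example to mimic the behaviour ALPACA relies on.
type ToySMTP struct {
	// MaxErrors, when > 0, closes the session after that many failed
	// commands (the countermeasure the text recommends); 0 never closes.
	MaxErrors int
}

// splitVerb separates an SMTP command line into its verb and argument.
func splitVerb(line string) (verb, arg string) {
	parts := strings.SplitN(strings.TrimSpace(line), " ", 2)
	if len(parts) == 2 {
		return parts[0], strings.TrimSpace(parts[1])
	}
	return parts[0], ""
}

// malformedAddress reports whether a MAIL FROM argument is not a single
// angle-bracketed mailbox such as <alice@bank.example> or the empty <>.
func malformedAddress(addr string) bool {
	if len(addr) < 2 || addr[0] != '<' || addr[len(addr)-1] != '>' {
		return true
	}
	inner := addr[1 : len(addr)-1]
	return strings.ContainsAny(inner, "<>") || (inner != "" && !strings.Contains(inner, "@"))
}

// Serve feeds every input line to the command loop and returns the reply lines
// a client would receive. Unknown verbs get "500"; a malformed MAIL FROM
// argument is echoed back in the "501" reply, which is the reflection sink.
func (s ToySMTP) Serve(input string) []string {
	replies := []string{"220 mail.bank.example ESMTP ready"} // constructed banner
	failures := 0
	sc := bufio.NewScanner(strings.NewReader(input)) // ScanLines strips the CRLF
	for sc.Scan() {
		verb, arg := splitVerb(sc.Text())
		reply, failed := "", true
		switch strings.ToUpper(verb) {
		case "EHLO", "HELO":
			reply, failed = "250 mail.bank.example", false
		case "QUIT":
			return append(replies, "221 bye")
		case "MAIL":
			if !strings.HasPrefix(strings.ToUpper(arg), "FROM:") {
				reply = "501 syntax: MAIL FROM:<address>"
				break
			}
			addr := strings.TrimSpace(arg[len("FROM:"):])
			if malformedAddress(addr) {
				// Attacker-controlled text copied verbatim into the response.
				reply = fmt.Sprintf("501 %s: malformed address: %s may not follow", addr, addr)
				break
			}
			reply, failed = "250 OK", false
		default: // every HTTP request line, header and the blank separator lands here
			reply = "500 unrecognized command"
		}
		replies = append(replies, reply)
		if failed {
			failures++
			if s.MaxErrors > 0 && failures >= s.MaxErrors {
				return append(replies, "421 too many errors, closing connection")
			}
		}
	}
	return replies
}

// Reflected reports whether any reply line carries the payload verbatim.
func Reflected(replies []string, payload string) bool {
	for _, r := range replies {
		if strings.Contains(r, payload) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("-- unlimited errors (vulnerable):")
	for _, r := range (ToySMTP{}).Serve(AttackRequest) {
		fmt.Println(r)
	}
	fmt.Println("-- MaxErrors=3 (hardened):")
	for _, r := range (ToySMTP{MaxErrors: 3}).Serve(AttackRequest) {
		fmt.Println(r)
	}
}
```

Run as is, the vulnerable configuration answers the six HTTP lines with "500" and then echoes the payload in a "501"; the hardened one emits "421" and stops after the third unknown command, before the body is ever read. Real servers differ in their exact wording, but the structural point is the same: any error reply that copies the offending argument back is a reflection sink once the request can be steered to that port.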


A scan of the global network showed that roughly 1.4 million web servers are affected by the problem, meaning an attack that mixes requests across different protocols is possible against them. The possibility of a practical attack was established for 119 thousand web servers that had accompanying TLS servers running other application protocols.

Exploit examples were prepared for the FTP servers pureftpd, proftpd, microsoft-ftp, vsftpd, filezilla and serv-u; the IMAP and POP3 servers dovecot, courier, exchange, cyrus, kerio-connect and zimbra; and the SMTP servers postfix, exim, sendmail, mdaemon and opensmtpd. The researchers examined only combinations with FTP, SMTP, IMAP and POP3 servers, but the problem may well affect other application protocols that use TLS.


To block the attack, it is recommended to use the ALPN (Application Layer Protocol Negotiation) extension, so that the TLS session is negotiated with the application protocol taken into account, and the SNI (Server Name Indication) extension, to bind the session to the host name when a TLS certificate covers several domain names. Note that ALPN only helps if the server actually refuses a handshake whose offered protocols do not overlap its own; a server that configures no protocol list still accepts the redirected browser. On the application side, it is recommended to limit the number of errors tolerated while processing commands, after which the connection is terminated. Work on countermeasures began in October of last year. Protective measures have already been adopted in Nginx 1.21.0 (mail proxy), vsftpd 3.0.4, Courier 5.1.0, Sendmail, FileZilla, crypto/tls (Go) and Internet Explorer.
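The following is an added Go example, not code from the ALPACA researchers or from any of the projects listed, showing what the ALPN and SNI recommendations look like at the TLS layer with Go's crypto/tls. It mints a throwaway certificate covering the hypothetical hosts bank.example and mail.bank.example (the shared-certificate setup the attack needs) and runs handshakes over loopback TCP. A "mail" server configured with an ALPN list rejects a redirected browser that offers only h2/http/1.1 (crypto/tls from Go 1.17 on aborts with no_application_protocol when both sides send ALPN but share no protocol), a GetConfigForClient hook refuses a ClientHello whose SNI names the wrong host, and a server with neither setting accepts the connection, which is the pre-fix situation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical hosts; one certificate covering both is the situation ALPACA needs.
const (
	WebHost  = "bank.example"
	MailHost = "mail.bank.example"
)

// sharedCert mints a throwaway self-signed certificate for both hosts and a
// pool that trusts it, so the example runs offline.
func sharedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: WebHost},
		DNSNames:     []string{WebHost, MailHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ServerPolicy is what one service (web or mail) enforces at the TLS layer.
type ServerPolicy struct {
	Protos  []string // ALPN protocols it speaks; empty = ALPN not enforced
	WantSNI string   // host name it expects in SNI; empty = SNI not checked
}

// Handshake runs one TLS handshake over loopback TCP between a server applying
// policy and a client that offers clientProtos via ALPN and sends clientSNI.
// It returns the negotiated ALPN protocol, or an error if either side aborted.
func Handshake(policy ServerPolicy, clientProtos []string, clientSNI string) (string, error) {
	cert, pool, err := sharedCert()
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()

	srvConf := &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   policy.Protos,
		// SNI binding: refuse a ClientHello naming a host this service does not serve.
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			if policy.WantSNI != "" && hello.ServerName != policy.WantSNI {
				return nil, fmt.Errorf("unexpected SNI %q, want %q", hello.ServerName, policy.WantSNI)
			}
			return nil, nil // keep the base config
		},
	}
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, srvConf).Handshake()
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer raw.Close()
	cli := tls.Client(raw, &tls.Config{RootCAs: pool, ServerName: clientSNI, NextProtos: clientProtos})
	cliErr := cli.Handshake()
	if sErr := <-srvErr; sErr != nil {
		return "", sErr
	}
	if cliErr != nil {
		return "", cliErr
	}
	return cli.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	browser := []string{"h2", "http/1.1"} // what a browser offers for an HTTPS request
	proto, err := Handshake(ServerPolicy{Protos: []string{"http/1.1"}, WantSNI: WebHost}, browser, WebHost)
	fmt.Printf("browser -> web server:              proto=%q err=%v\n", proto, err)
	proto, err = Handshake(ServerPolicy{Protos: []string{"smtp"}, WantSNI: MailHost}, browser, WebHost)
	fmt.Printf("browser redirected to mail server:  proto=%q err=%v\n", proto, err)
	proto, err = Handshake(ServerPolicy{}, browser, WebHost)
	fmt.Printf("redirected to unconfigured server:  proto=%q err=%v\n", proto, err)
}
```

The third case is the caveat worth remembering when auditing a deployment: a TLS service that configures neither an ALPN list nor an SNI check completes the handshake with the redirected browser and reports an empty negotiated protocol, exactly the state the countermeasures in the listed projects are meant to close.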

Source: opennet.ru
