Pwnie Awards 2019: The Most Significant Security Vulnerabilities and Failures

At the Black Hat USA conference in Las Vegas, the Pwnie Awards 2019 ceremony took place, highlighting the most significant vulnerabilities and the most absurd failures in the field of computer security. The Pwnie Awards are regarded as the computer security field's equivalent of the Oscars and the Golden Raspberries, and have been held annually since 2007.

Main winners and nominations:

  • Best Server Bug. Awarded for identifying and exploiting the most technically complex and interesting bug in a network service. The winners were the researchers who disclosed a vulnerability in the VPN vendor Pulse Secure, whose VPN service is used by Twitter, Uber, Microsoft, Tesla, SpaceX, Akamai, Intel, IBM, VMware, the US Navy, the US Department of Homeland Security (DHS) and probably half of the companies on the Fortune 500 list. The researchers found a backdoor that allows an unauthenticated attacker to change any user's password. The possibility of exploiting the problem to gain root access to a VPN server on which only the HTTPS port is open was demonstrated;

    Among the nominees who did not receive the award, the following can be noted:

    • A pre-authentication vulnerability in the Jenkins continuous integration system that allows code execution on the server. The vulnerability is actively used by bots to organize cryptocurrency mining on servers;
    • A critical vulnerability in the Exim mail server that allows code execution on the server with root privileges;
    • Vulnerabilities in Xiongmai XMeye P2P IP cameras that allow control of the device to be taken over. The cameras shipped with an engineering password and did not verify digital signatures when updating firmware;
    • A critical vulnerability in the implementation of the RDP protocol in Windows that allows remote code execution;
    • A vulnerability in WordPress related to uploading PHP code disguised as an image. The problem allows arbitrary code to be executed on the server with the privileges of a content author (Author role) on the site;
  • Best Client Software Bug. The winner was an easily exploitable vulnerability in Apple's FaceTime group calling system that allowed the initiator of a group call to force the call to be accepted by the called party (for example, for eavesdropping and snooping).

    Also nominated for this award were:

    • A vulnerability in WhatsApp that allows code execution by sending a specially crafted voice call;
    • A vulnerability in the Skia graphics library used in the Chrome browser that can lead to memory corruption due to floating-point errors in some geometric transformations;
  • Best Privilege Escalation Bug. The award was given for identifying a vulnerability in the iOS kernel, exploitable via ipc_voucher and reachable through the Safari browser.

    Also nominated for this award were:

    • A vulnerability in Windows that allows full control over the system to be gained through manipulation of the CreateWindowEx function (win32k.sys). The problem was identified during analysis of malware that exploited the vulnerability before it was fixed;
    • A vulnerability in runc and LXC, affecting Docker and other container isolation systems, that allows an attacker-controlled isolated container to modify the runc executable and gain root privileges on the host system;
    • A vulnerability in iOS (CFPrefsDaemon) that allows isolation mechanisms to be bypassed and code to be executed with root privileges;
    • A vulnerability in the edition of the Linux TCP stack used in Android that allows a local user to elevate their privileges on the device;
    • Vulnerabilities in systemd-journald that allow root privileges to be obtained;
    • A vulnerability in the tmpreaper utility for cleaning /tmp that allows a file to be saved in any part of the file system;
  • Best Cryptographic Attack. Awarded for identifying the most significant flaws in real systems, protocols and encryption algorithms. The award was given for identifying vulnerabilities in the WPA3 wireless network security technology and EAP-pwd that allow the connection password to be recovered and access to the wireless network to be gained without knowing the password.

    Other nominees for this award were:

    • A method of attacking PGP and S/MIME encryption in email clients;
    • Use of the cold boot method to gain access to the contents of encrypted BitLocker partitions;
    • A vulnerability in OpenSSL that allows the cases of receiving incorrect padding and an incorrect MAC to be distinguished. The problem is caused by incorrect handling of zero bytes in the padding oracle;
    • Problems with the ID cards used in Germany when using SAML;
    • A problem with the entropy of random numbers in the implementation of U2F token support in ChromeOS;
    • A vulnerability in Monocypher, due to which null EdDSA signatures were accepted as valid.
  • Most Innovative Research. The award was given to the developer of the Vectorized Emulation technique, which uses AVX-512 vector instructions to emulate program execution, allowing a significant increase in fuzzing speed (up to 40-120 billion instructions per second). The technique allows each CPU core to run 8 64-bit or 16 32-bit virtual machines in parallel, with instructions for fuzz testing the application.

    Also nominated for this award were:

    • A vulnerability in the Power Query technology in MS Excel that allows code execution to be arranged and application isolation mechanisms to be bypassed when opening specially crafted spreadsheets;
    • A method of deceiving the autopilot of Tesla cars to provoke driving into the oncoming lane;
    • Reverse engineering work on the Siemens S7-1200 ASIC chip;
    • SonarSnoop - a finger-movement tracking technique for determining the phone unlock code, based on the principle of sonar: the top and bottom speakers of the smartphone emit inaudible vibrations, and the built-in microphones pick them up to analyze the presence of vibrations reflected from the hand;
    • Development of the NSA's Ghidra reverse engineering toolkit;
    • SAFE - a technique for identifying the use of code for the same functions across several executable files, based on analysis of binary assemblies;
    • Creation of a method for bypassing the Intel Boot Guard mechanism in order to load modified UEFI firmware without digital signature verification.
  • Lamest Vendor Response. Nominated for the most inadequate response to a vulnerability report about one's own product. The winners are the developers of the BitFi crypto wallet, who shout about the ultra-security of their product, which in fact turned out to be imaginary, harass researchers who identify vulnerabilities, and do not pay the promised bounties for identifying problems;

    Among the nominees for this award were also:

    • A security researcher accused the director of Atrient of assaulting him in order to force him to withdraw a report about a vulnerability he had identified, but the director denies the incident and surveillance cameras did not record the assault;
    • Zoom delayed fixing a critical vulnerability in its conferencing system and fixed the problem only after public disclosure. The vulnerability allowed an external attacker to obtain data from the web cameras of macOS users when they opened a specially crafted page in the browser (Zoom started an HTTP server on the client side that received commands from the local application).
    • Failure for more than ten years to fix a problem with the OpenPGP cryptographic key servers, citing the fact that the code is written in the niche OCaml language and remains without a maintainer.

  • Most Over-hyped Bug. Awarded for the most pathetic and large-scale coverage of a problem on the Internet and in the media, especially if the vulnerability ultimately turns out to be unexploitable in practice. The award was given to the Bloomberg report about the discovery of spy chips in Super Micro boards, which was never confirmed, and whose source pointed to entirely different information.

    Mentioned among the nominations:

    • A vulnerability in libssh that affected only single server applications (libssh is almost never used for servers), but was presented by NCC Group as a vulnerability allowing any OpenSSH server to be attacked.
    • An attack using DICOM images. The point is that one can prepare a Windows executable that looks like a valid DICOM image. This file can be loaded onto a medical device and then executed.
    • The Thrangrycat vulnerability, which allows the secure boot mechanism on Cisco devices to be bypassed. The vulnerability is classified as an exaggerated problem because it requires root privileges to exploit, but if the attacker has already managed to obtain root, then what security is there left to speak of. The vulnerability also won in the category of most underrated problems, since it allows a permanent backdoor to be implanted in Flash;
  • Most Epic FAIL. Victory was awarded to Bloomberg for a series of sensational articles with loud headlines but fabricated facts, suppression of sources, descent into conspiracy theories, use of terms such as "cyberweapons", and unacceptable generalizations. Other nominees include:
    • The ShadowHammer attack on the Asus firmware update service;
    • The hacking of the BitFi vault, advertised as "unhackable";
    • The leak of personal data and access tokens on Facebook.

Source: opennet.ru
