ALPACA: a new technique for MITM attacks on HTTPS

A group of researchers from several German universities has developed a new MITM attack on HTTPS that can extract session cookies and other sensitive data, and also execute arbitrary JavaScript code in the context of another site. The attack is called ALPACA and applies to TLS servers that implement different application-layer protocols (HTTPS, SFTP, SMTP, IMAP, POP3) but share common TLS certificates.

The essence of the attack is that an attacker who controls a network gateway or a wireless access point can redirect network traffic to another port and arrange for a connection to be established to an FTP or mail server that supports TLS encryption and uses a TLS certificate shared with the HTTP server; the user's browser will assume that a connection has been established to the requested HTTP server. Since the TLS protocol is universal and not tied to the application-level protocol, establishing an encrypted connection is identical for all services, and the mistake of sending a request to the wrong service can only be detected after the encrypted session has been set up, while the commands of the submitted request are being processed.

Accordingly, if, for example, a user's connection originally directed at an HTTPS server is redirected to a mail server that uses a certificate shared with the HTTPS server, the TLS connection will be established successfully, but the mail server will not be able to process the transmitted HTTP commands and will return a response with an error code. The browser will process this response as a response from the requested site, delivered over a correctly established encrypted channel.

Three attack variants have been proposed:

  • "Soo rar" si aad u soo ceshato kukiga leh cabbirka xaqiijinta. Habka waa lagu dabaqi karaa haddii server-ka FTP ee ay daboolayso shahaadada TLS ay kuu ogolaato inaad soo rogto oo aad soo qaadato xogtiisa. Kala duwanaanshiyaha weerarka, weeraryahanku waxa uu ku guulaysan karaa sii haynta qaybo ka mid ah adeegsadaha codsigiisa asalka ah ee HTTP, sida waxa ku jira madaxa Kukiyada, tusaale ahaan, haddii server-ka FTP uu u fasiro codsiga sidii fayl kaydin ah ama uu gabi ahaanba diiwaan galiyo codsiyada imanaya. Si si guul leh loo weeraro, weeraryahanku wuxuu markaas u baahan yahay inuu si uun u soo saaro waxa ku kaydsan. Weerarku wuxuu quseeyaa Proftpd, Microsoft IIS, vsftpd, filezilla iyo serv-u.
  • "Soo deji" si loo abaabulo qoraal-qorista goob-goobeedka (XSS). Habkani waxa uu tilmaamayaa in qofka wax weeraraya, iyada oo ay sabab u tahay wax-is-daba-marin shakhsi ah, uu xogta u gelin karo adeeg adeegsada shahaado TLS ee caadiga ah, kaas oo markaas la soo saari karo iyada oo laga jawaabayo codsiga isticmaalaha. Weerarku waa mid lagu dabaqi karo adeegayaasha FTP ee kor ku xusan, IMAP server-yada iyo adeegayaasha POP3 (qaade, cyrus, kerio-connect iyo zimbra).
  • "Milicsi" si loo socodsiiyo JavaScript iyadoo la eegayo macnaha goobta kale. Habka waxa uu ku salaysan yahay u soo celinta qaybta macmiilka ee codsiga, kaas oo ka kooban koodka JavaScript uu soo diray weerarka. Weerarku waa mid lagu dabaqi karo adeegayaasha FTP ee kor ku xusan, IMAP servers cyrus, kerio-connect iyo zimbra, iyo sidoo kale diritaanka SMTP server.


For example, when a user opens a page controlled by an attacker, this page may initiate a request for a resource from a site where the user has an active account (for example, bank.com). During a MITM attack, this request addressed to the bank.com website can be redirected to a mail server that uses a TLS certificate shared with bank.com. Since the mail server does not terminate the session after the first error, the service headers and commands such as "POST / HTTP/1.1" and "Host:" will be processed as unknown commands (the mail server will return "500 unrecognized command" for each header).

The server does not understand the specifics of the HTTP protocol and processes the service headers and the data block of the POST request in the same way, so in the body of the POST request a line containing a command for the mail server can be specified. For example, passing "MAIL FROM: alert(1);" makes the server return the error message "501 alert(1); : malformed address: alert(1); may not follow".

This response will be received by the user's browser, which will execute the JavaScript code not in the context of the attacker's original site but in the context of the bank.com site to which the request was sent, since the response arrived over a correct TLS session whose certificate confirmed the authenticity of the bank.com response.


A scan of the global network showed that in total about 1.4 million websites are affected by the problem and can potentially be attacked by mixing requests across different protocols. A real attack was determined to be possible for 119 thousand websites for which there were accompanying TLS servers based on other application protocols.

Exploit examples have been prepared for the FTP servers pureftpd, proftpd, microsoft-ftp, vsftpd, filezilla and serv-u, the IMAP and POP3 servers dovecot, courier, exchange, cyrus, kerio-connect and zimbra, and the SMTP servers postfix, exim, sendmail, mailenable, mdaemon and opensmtpd. The researchers studied the possibility of carrying out the attack only in combination with FTP, SMTP, IMAP and POP3 servers, but it is possible that the problem also affects other application protocols that use TLS.


To block the attack, it is proposed to use the ALPN (Application Layer Protocol Negotiation) extension to negotiate the TLS session taking the application protocol into account, and the SNI (Server Name Indication) extension to bind to the host name in the case of TLS certificates covering several domain names. On the application side, it is recommended to limit the number of errors allowed when executing commands, after which the connection is terminated. Work on countermeasures against the attack began in October of last year. Similar security measures have already been taken in Nginx 1.21.0 (mail proxy), Vsftpd 3.0.4, Courier 5.1.0, Sendmail, FileZilla, crypto/tls (Go) and Internet Explorer.
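The following toy model, added here as an illustration and not code from the article or from any of the servers it names, shows why the error-tolerant command loop described above (an HTTP request arriving at a mail service, every header answered with a 500, and a "MAIL FROM" line in the body reflected into a 501) produces a reflected response, and how the application-level mitigation recommended here changes that: an error budget after which the connection is closed, plus two extra defensive choices (not echoing client input into error text, and recognising an HTTP request line on a non-HTTP port). The protocol handling, the response strings, the cookie value and the request bytes are all constructed for the example.

```python
"""Toy model of cross-protocol confusion at a line-oriented mail service.

Constructed example: a minimal SMTP-like command loop that receives a
browser's HTTP request (as happens when a MITM redirects the TLS connection),
in a lenient configuration and in a hardened one.  Not a real mail server.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Request line of an HTTP/1.x message, i.e. a foreign protocol on a mail port.
HTTP_REQUEST_LINE = re.compile(rb"^(?:GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH) \S+ HTTP/1\.[01]$")

# The handful of verbs this toy understands.
KNOWN_COMMANDS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}


@dataclass
class ToyMailServer:
    error_budget: Optional[int] = None   # None: never close on errors (lenient)
    reflect_input: bool = True           # echo the offending line into the error text
    detect_foreign_protocol: bool = False # refuse a connection that opens with an HTTP request line
    errors: int = 0
    lines_seen: int = 0
    closed: bool = False
    events: List[str] = field(default_factory=list)

    def _fail(self, code: bytes, text: bytes, offending: bytes) -> bytes:
        """Build an error reply; enforce the error budget if one is configured."""
        self.errors += 1
        if self.reflect_input:
            # Lenient behaviour: the client's own bytes end up in the response.
            reply = code + b" " + offending + b": " + text
        else:
            reply = code + b" " + text
        if self.error_budget is not None and self.errors >= self.error_budget:
            self.closed = True
            self.events.append("closed: error budget exhausted")
            return reply + b"\r\n421 too many errors, closing connection\r\n"
        return reply + b"\r\n"

    def handle_line(self, line: bytes) -> bytes:
        if self.closed:
            return b""
        self.lines_seen += 1
        if self.detect_foreign_protocol and self.lines_seen == 1 and HTTP_REQUEST_LINE.match(line):
            self.closed = True
            self.events.append("closed: HTTP request line on mail port")
            return b"554 protocol mismatch, closing connection\r\n"
        verb = line.split(b" ", 1)[0].split(b":", 1)[0].upper()
        if verb not in KNOWN_COMMANDS:
            return self._fail(b"500", b"unrecognized command", line)
        if verb == b"MAIL":
            # Only an angle-bracketed reverse path is accepted; anything else is reflected
            # back in the lenient configuration, as the article describes for "MAIL FROM".
            arg = line[len(b"MAIL FROM:"):].strip() if line.upper().startswith(b"MAIL FROM:") else b""
            if not (arg.startswith(b"<") and arg.endswith(b">")):
                return self._fail(b"501", b"malformed address", arg)
        return b"250 OK\r\n"


def serve(server: ToyMailServer, stream: bytes) -> List[bytes]:
    """Feed a CRLF-separated byte stream to the server and collect its replies."""
    replies = []
    for line in stream.split(b"\r\n"):
        if server.closed:
            break
        reply = server.handle_line(line)
        if reply:
            replies.append(reply)
    return replies


# Constructed sample: the request a browser would send to bank.com, with the
# attacker's page having put a mail command in the POST body (not a capture).
REDIRECTED_HTTP_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: bank.com\r\n"
    b"Cookie: session=EXAMPLE_SESSION_VALUE\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"MAIL FROM: alert(1);"
)

if __name__ == "__main__":
    for label, srv in [
        ("lenient", ToyMailServer()),
        ("error budget only", ToyMailServer(error_budget=3, reflect_input=False)),
        ("hardened", ToyMailServer(error_budget=3, reflect_input=False, detect_foreign_protocol=True)),
    ]:
        print(f"--- {label}")
        for r in serve(srv, REDIRECTED_HTTP_REQUEST):
            print(r.decode(errors="replace").rstrip())
        print(srv.events)
```

In the lenient run every header is answered with a 500 and the body line comes back as a 501 that contains the attacker's `alert(1);`, which is the response the browser would render in the origin of bank.com. With an error budget of three the connection is dropped at the third unknown header, before the body is ever parsed; with the request-line check it is dropped on the first line. Neither hardened variant reflects client input, so even a surviving error reply carries nothing attacker-controlled. ALPN and SNI enforcement happen one layer down, inside the TLS handshake, and are not modelled here.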

Source: opennet.ru
