Hacks of Ubuntu, Windows, macOS and VirtualBox demonstrated at the Pwn2Own 2020 competition

The results of the two days of the Pwn2Own 2020 competition, held annually as part of the CanSecWest conference, have been summed up. This year the competition was held virtually, and the attacks were demonstrated online. The competition presented working techniques for exploiting previously unknown vulnerabilities in Ubuntu Desktop (Linux kernel), Windows, macOS, Safari, VirtualBox and Adobe Reader. Total payouts amounted to 270 thousand dollars (the overall prize fund was more than 4 million US dollars).

  • Local privilege escalation in Ubuntu Desktop by exploiting a Linux kernel vulnerability related to incorrect validation of input values (prize of $30);
  • A demonstration of escaping the guest environment in VirtualBox and executing code with hypervisor privileges by exploiting two vulnerabilities: the ability to read data outside the allocated buffer and an error in handling uninitialized variables (prize of 40 thousand dollars). Outside the competition, representatives of the Zero Day Initiative also demonstrated another VirtualBox hack, which allows access to the host system through manipulation in the guest environment;
  • A hack of Safari with privilege escalation to the macOS kernel level and launching the calculator as root. A chain of 6 bugs was used for exploitation (prize of 70 thousand dollars);
  • Two demonstrations of local privilege escalation in Windows through exploitation of vulnerabilities that lead to access to an already freed memory area (two prizes of 40 thousand dollars each);
  • Gaining administrator access in Windows when a specially crafted PDF document is opened in Adobe Reader. The attack involves vulnerabilities in Acrobat and the Windows kernel related to access to already freed memory areas (prize of $50).

The nominations for hacking Chrome, Firefox, Edge, Microsoft Hyper-V Client, Microsoft Office and Microsoft Windows RDP remained unclaimed. An attempt was made to hack VMware Workstation, but it was unsuccessful.
As last year, the prize categories did not include hacks of most open source projects (nginx, OpenSSL, Apache httpd).

Separately, we can note the topic of hacking Tesla car information systems. There were no attempts to hack Tesla at the competition, despite the maximum prize of $700 thousand, but news appeared separately about the identification of a DoS vulnerability (CVE-2020-10558) in the Tesla Model 3, which allows, when a specially designed page is opened in the built-in browser, disabling autopilot notifications and disrupting the operation of components such as the speedometer, browser, air conditioning, navigation system, etc.

Source: opennet.ru
