Problems caused by vulnerability reports prepared with AI tools

Daniel Stenberg, author of the curl utility for fetching and sending data over the network, has criticised the use of AI tools for preparing vulnerability reports. Such reports are full of detail, written in fluent prose and look polished, but without genuine analysis behind them they only mislead: they replace real problems with junk content that merely looks like quality work.

The curl project pays rewards for finding new vulnerabilities and has so far received 415 reports of possible problems, of which only 64 were confirmed as vulnerabilities and 77 as bugs with no security impact. The remaining 274 reports, 66% of the total, contained no useful information and only consumed developer time that could have been spent on something productive.

Developers are forced to spend a lot of time sifting through useless reports and re-checking the claims in them several times over, because the polished presentation lends the content extra credibility and leaves the maintainer with the feeling of having missed something. On the other side, producing such a report takes minimal effort from the submitter, who does not bother to look for a real problem but simply copies whatever an AI assistant produced, hoping to get lucky in the race for a bounty.

Two examples of such junk reports are given. The day before the planned disclosure of the serious October vulnerability (CVE-2023-38545), a report arrived via HackerOne claiming that a patch with the fix had already leaked publicly. In reality the report was a mix of facts about similar problems and fragments of detailed information about earlier vulnerabilities, stitched together by Google's AI assistant Bard. The result looked new and relevant but had no connection to reality.

The second example concerns a message received on December 28 about a buffer overflow in the WebSocket handler, sent by a user who had already reported vulnerabilities to various projects via HackerOne. As reproduction steps, the report offered generic wording about sending a crafted request with a value larger than the buffer used in a strcpy copy. It also proposed an example fix (replacing strcpy with strncpy) and linked to the line of code "strcpy(keyval, randstr)", which, according to the submitter, contained the bug.

The developer checked everything three times and found no problem, but because the report was written confidently and even came with a fix, there was a nagging feeling that something had been overlooked. Attempts to clarify how the researcher had bypassed the explicit size check that precedes the strcpy call, and how the keyval buffer could end up smaller than the data read into it, produced long replies that carried no new information and merely rehashed generic causes of buffer overflows with no relation to the specific curl code. The answers read like a conversation with an AI assistant, and after wasting half a day on pointless attempts to find out how the problem could manifest, the developer was finally convinced that there was no vulnerability at all.
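The following sketch is an added example, my own code and neither curl's nor the reporter's. It shows the two points a maintainer would want to verify before believing such a report: a strcpy preceded by an explicit length check cannot overflow, and the proposed "replace strcpy with strncpy" fix is not harmless, because strncpy leaves the destination unterminated when the source is as long as the buffer. KEYVAL_MAX, copy_keyval, strncpy_fix_terminates and count_oversized_copies_accepted are hypothetical names chosen for the illustration; the real buffer size and surrounding code are not given on this page.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical buffer size, not taken from curl. */
#define KEYVAL_MAX 64

/* The pattern the report pointed at: a fixed-size buffer, an explicit
 * bound check, then strcpy. Returns 0 on success, -1 if the value would
 * not fit together with its terminating NUL. */
int copy_keyval(char keyval[KEYVAL_MAX], const char *randstr)
{
    size_t len = strlen(randstr);
    if (len >= KEYVAL_MAX)
        return -1;            /* oversized value rejected before any write */
    strcpy(keyval, randstr);  /* writes len + 1 <= KEYVAL_MAX bytes */
    return 0;
}

/* The "fix" the report proposed: swap strcpy for strncpy. When randstr is
 * KEYVAL_MAX bytes or longer, strncpy writes no NUL at all, so the buffer
 * is left unterminated. Returns 1 if keyval is NUL-terminated afterwards,
 * 0 if it is not. */
int strncpy_fix_terminates(const char *randstr)
{
    char keyval[KEYVAL_MAX];
    strncpy(keyval, randstr, KEYVAL_MAX);
    return memchr(keyval, '\0', KEYVAL_MAX) != NULL;
}

/* Triage harness: instead of arguing with the reporter, try to reproduce.
 * Feed a maximal legal value, a one-byte-too-long value and a grossly
 * oversized one (all constructed here), and count how many oversized
 * inputs the check lets through. Expected result: 0. Returns -1 if a
 * legal value is wrongly rejected or copied incorrectly. */
int count_oversized_copies_accepted(void)
{
    char keyval[KEYVAL_MAX];
    char input[KEYVAL_MAX * 4];
    static const size_t lengths[] = {
        KEYVAL_MAX - 1,      /* fits exactly, including the NUL */
        KEYVAL_MAX,          /* one byte too long */
        KEYVAL_MAX * 4 - 1   /* grossly oversized */
    };
    int accepted_oversized = 0;

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        memset(input, 'A', lengths[i]);
        input[lengths[i]] = '\0';
        int rc = copy_keyval(keyval, input);
        if (lengths[i] < KEYVAL_MAX) {
            if (rc != 0 || strcmp(keyval, input) != 0)
                return -1;   /* harness failure: legal input mishandled */
        } else if (rc == 0) {
            accepted_oversized++;   /* the check was bypassed */
        }
    }
    return accepted_oversized;
}
```

Running the harness is the check the maintainer described doing by hand: if no input of any length gets past the bound check, the "overflow" does not exist, and the burden is on the reporter to show a concrete input that does. The strncpy_fix_terminates function is the reason a maintainer should be wary of cargo-cult fixes: applied blindly, the suggested change would trade a non-bug for a real unterminated-string defect.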

Source: opennet.ru
