The winners of the Pwnie Awards 2021 have been announced

The winners of the Pwnie Awards 2021 have been announced. The Pwnies are a well-known event at which participants single out the most serious vulnerabilities and the most absurd failures in the field of computer security.

The Pwnie Awards recognize both excellence and incompetence in information security. The winners are chosen by a committee of security industry professionals from nominations collected from the information security community.

List of winners

Best privilege escalation bug: this award went to Qualys for discovering CVE-2021-3156 in the sudo utility, which allows an attacker to obtain root privileges. The vulnerability had been present in the code for about 10 years and is notable because detecting it required a thorough analysis of the utility's logic.

Best server bug: this award is given for identifying and exploiting the most technically complex and interesting bug in a network service. It went to the discovery of a new attack vector against Microsoft Exchange. Details of all the vulnerabilities in this class have not yet been released, but information has already been published on CVE-2021-26855 (ProxyLogon), which allows retrieving data from an arbitrary user without authentication, and CVE-2021-27065, which allows running arbitrary code on the server with administrator privileges.

Best cryptographic attack: awarded for identifying the most significant flaws in real-world systems, protocols and encryption algorithms. The award went to Microsoft for the vulnerability CVE-2020-0601 in its implementation of elliptic-curve digital signature verification, which allowed an attacker to construct a private key and accompanying curve parameters that matched an existing public key. The issue made it possible to create forged TLS certificates for HTTPS and fake digital signatures that Windows validated as trusted.

Most innovative research: awarded to the researchers who proposed the BlindSide method for bypassing address space layout randomization (ASLR) using side-channel leaks that arise from the processor's speculative execution of instructions.

Most Epic FAIL: awarded to Microsoft for shipping a non-working patch for the PrintNightmare vulnerability (CVE-2021-34527) in the Windows print spooler, which allows arbitrary code execution. Microsoft initially classified the issue as local, but it later turned out that the attack could be carried out remotely. Microsoft then released updates four times, but each time the fix closed only a particular case and researchers found a new way to carry out the attack.

Best client-side bug: this award went to a researcher who discovered CVE-2020-28341 in Samsung's secure cryptoprocessor, which holds a CC EAL 5+ security certification. The vulnerability made it possible to bypass the protection entirely and gain access to the code running on the chip and the data stored in the enclave, to bypass the screen lock, and to modify the firmware to plant a hidden backdoor.

Most under-hyped vulnerability: the award went to Qualys for discovering the 21Nails set of vulnerabilities in the Exim mail server, 10 of which can be exploited remotely. The Exim developers were skeptical that the issues were exploitable and spent more than 6 months developing fixes.

Lamest vendor response: this category is for the most inadequate response to a vulnerability report in one's own product. The winner was Cellebrite, maker of a forensics and data extraction application for law enforcement. Cellebrite failed to respond adequately to the vulnerability report published by Moxie Marlinspike, author of the Signal protocol. Moxie became interested in Cellebrite after media reports that it had created a technique for breaking encrypted Signal messages; the reports later turned out to be false, the result of misreading an article on Cellebrite's website that was subsequently removed (the "attack" required physical access to the phone and the ability to unlock the screen, so it amounted to reading messages in the messenger, only not by hand but with a special application that emulates user actions).

Moxie examined the Cellebrite application and found critical vulnerabilities that allowed arbitrary code execution when it attempted to scan specially crafted data. The application also turned out to use an ffmpeg library that had not been updated in 9 years and contained a large number of unpatched vulnerabilities. Instead of acknowledging the issues and fixing them, Cellebrite issued a statement that it cares about the integrity of user data and maintains the security of its products at the appropriate level.

Finally, Lifetime Achievement: awarded to Ilfak Guilfanov, author of the IDA disassembler and the Hex-Rays decompiler, for his contribution to tooling for security researchers and for keeping the product under active development for 30 years.

Source: https://pwnies.com
