Vakahwina vegore Pwnie Awards 2021 vakaziviswa, chinova chiitiko chakakurumbira, umo vatori vechikamu vanoratidzira hunyanya hwakanyanya uye zvikanganiso zvisina musoro mumunda wekuchengetedzwa kwemakomputa.
Iwo Pwnie Makomborero vanoona zvese kugona uye kusakwanisa mumunda wekuchengetedzwa kweruzivo. Vanokunda vanosarudzwa nekomiti yezvekuchengetedza indasitiri nyanzvi kubva kumasarudzo akaunganidzwa kubva munharaunda yekuchengetedza ruzivo.
Vakundi mazita
Nani zvirinani kukwira kwekuwedzera kunetseka: Uyu mubairo Yakapihwa kukambani Qualys yekuona kushomeka CVE-2021-3156 mune iyo sudo utility, iyo inokutendera iwe kuwana rombo remidzi. Kushushikana kwave kuripo mune kodhi kweanenge makore gumi uye kunozivikanwa nenyaya yekuti kutsvagirwa kwayo kwaida kuongororwa kwakazara kweyekushandisa pfungwa.
Yakanakisa server kukanganisa: izvi Akapihwa mubairo wekuona nekushandisa iyo inonyanya kuomarara bug uye inonakidza mune network network. Kukunda kwakapihwa kuzivisa mutsva mutsva wekurwisa Microsoft Exchange. Ruzivo rwekukuvadzwa kwese mukirasi iyi harina kuburitswa, asi ruzivo rwakatoburitswa nezve kushomeka kweCVE-2021-26855 (ProxyLogon), iyo inokutendera kuti utore dhata kubva kumushandisi asinganetse pasina kuvimbiswa, uye CVE-2021-27065, iyo inokutendera iwe kumhanyisa kodhi yako pane sevha ine manejimendi kodzero.
Kurwisa kwakanyanya kwekrispto: rakapihwa yekutarisa kukundikana kwakanyanya mumasisitimu, protocols uye chaiyo encryption algorithms. Mubairo fYakaburitswa kuMicrosoft yekusagadzikana (CVE-2020-0601) mukuitwa kweelliptic curve dijitari masigine inobvumidza kugadzirwa kwemakiyi epachivande zvichienderana nekiyi yeruzhinji. Iyo nyaya yakabvumidza kugadzirwa kwekunyepedzera TLS zvitupa zveHTTPS nemanyepo masiginecha edhijitari, ayo Windows akasimbisa seakavimbika.
Yakawanda yekuvandudza kutsvagisa: Mubayiro yakapihwa kune vaongorori vakatsanangura nzira yeBlindSide kudzivirira chengetedzo yekero kusarongeka (ASLR) uchishandisa parutivi chiteshi kudonhedza kunobva mukufungidzira kuitiswa kwemirairo ne processor.
Mazhinji Epic KUKUNDA zvikanganiso: yakapihwa Microsoft kuburitswa kwakawanda kwechigamba chisingashande yeiyo PrintNightmare kudzvinyirirwa (CVE-2021-34527) muWindows anodhinda kuburitsa system inobvumidza kodhi yako kumhanya. Microsoft pakutanga yakaratidza nyaya seyenharaunda, asi gare gare zvakazoitika kuti kurwiswa kwacho kunogona kuitiswa kure. Microsoft yakazoburitsa zvigadziriso kanokwana kana, asi nguva yega yega mhinduro yaingovhara imwe chete yakakosha kesi, uye vaongorori vakawana nzira nyowani yekurwisa.
Yakanakisa bug mune yevatengi software: mubairo wacho waive yakapihwa muongorori akawana iyo CVE-2020-28341 kunetseka muSamsoni yakachengeteka cryptography, akagamuchira CC EAL 5+ chengetedzo. Kushushikana kwakaita kuti zvikwanise kudarika zvachose kuchengetedzwa uye kuwana mukana wecodhi inomhanya pane chip uye dhata yakachengetwa mune iyo enclave, yekupfuura yekuvhara saver, uye zvakare kuita shanduko kune iyo firmware kugadzira rakavanzika musuwo kumashure.
Kunetseka kwakanyanya kutarisirwa pasi: mubairo wacho waive yakapihwa maQualys ekucherechedzwa kwenhamba ye21Nails kushomeka muExpim mail server, 10 yadzo inogona kushandiswa kure. Vagadziri veEexim vaive vasina chokwadi nezvekushandisa nyaya uye vakapedza anopfuura mwedzi mitanhatu vachigadzira mhinduro.
Mhinduro isina kusimba kubva kumugadziri: uku kudomwa yemhinduro isina kukodzera zvachose kumushumo wekushupika mune chako chigadzirwa. Akakunda aive Cellebrite, forensic uye data application yekuchera kwekuchengetedzwa kwemutemo. Cellebrite haana kupindura zvakakwana kumushumo wekushupika wakaburitswa naMoxie Marlinspike, munyori weiyo Signal protocol. Moxie akatanga kufarira Cellebrite mushure mekutumira nhau munhau yekugadzira tekinoroji yekutyora yakavharidzirwa Signal mameseji, ayo akazove ekunyepa, nekuda kwekusanzwisiswa kwemashoko ari muchinyorwa chewebsite yeCellebrite., Iyo yakazobviswa (iyo "kurwisa" kwaida kupinda chaiko parunhare uye kugona kuvhura iyo skrini, ndiko kuti, yakaderedzwa pakuona mameseji mumutumwa, asi kwete nemaoko, asi uchishandisa yakakosha application inofanidza zviito zvevashandisi).
Moxie akaongorora manyorerwo eCellebrite uye akawana kusagadzikana kwakanyanya kwakabvumidza kodhi yekumanikidza kuitiswa paiyedza kuongorora data rakanyatsogadzirwa. Iyo Cellebrite app yakaratidzawo ichishandisa yechinyakare ffmpeg raibhurari iyo isina kuvandudzwa kwemakore mapfumbamwe uye iine huwandu hukuru hwekusatakurwa kunetseka. Panzvimbo pekubvuma nyaya nekudzigadzirisa, Cellebrite akaburitsa chirevo chekuti ine hanya nekuvimbika kwedata revashandisi, inochengetedza chengetedzo yezvigadzirwa zvayo padanho rakakodzera.
Finalmente Kubudirira Kubudirira - Akapihwa Ilfak Gilfanov, munyori weIDA disassembler uye Hex-Rays decompiler, nekuda kwekupa kwake mukugadzira maturusi evanotsvaga kuchengetedzeka uye kugona kwake kuchengetedza chigadzirwa chiripo-kusvika-makore makumi matatu.
mabviro: https://pwnies.com