Abaphumeleleyo bamabhaso ePwnie Awards 2021 sele bebhengeziwe

Darkcrizt

Imizuzu ye4

Abaphumeleleyo kumabhaso ePwnie Awards 2021 babhengeziwe, Ngumnyhadala obalaseleyo, apho abathathi-nxaxheba batyhila ezona ntsilelo zibalulekileyo kunye neziphene ezingenangqondo kwicandelo lokhuseleko lwekhompyuter.

Amabhaso kaPwnie bayakuqonda ukubalasela nokungangxami kwicandelo lokhuseleko lolwazi. Abaphumeleleyo bakhethwa yikomiti yecandelo lezokhuseleko kwezomsebenzi ezivela kubatyunjwa abaqokelelwe kuluntu lwezokhuseleko.

Uluhlu lwabaphumeleleyo

Ilungelo elingcono lokunyuka komngcipheko: Eli bhaso Iwongwe kwinkampani iQualys yokuchonga ukuba semngciphekweni kweCVE-2021-3156 kwi-utility utility, ekuvumela ukuba ufumane amalungelo engcambu. Ukuba sesichengeni kuye kwakho ikhowudi malunga neminyaka eli-10 kwaye kuyaphawuleka kwinto yokuba ukubonwa kwayo kufuna uhlalutyo olucokisekileyo lwengqondo yesixhobo.

Eyona mpazamo yeseva: enye Inikezelwe ngokuchonga kunye nokuxhaphaza eyona bug inzima kakhulu kwaye inomdla kwinkonzo yenethiwekhi. Uloyiso lanikezelwa ngokuchonga vector entsha yokuhlaselwa kweMicrosoft Exchange. Ulwazi malunga nabo bonke ubungozi kule klasi alukakhululwa, kodwa ulwazi sele lukhutshiwe malunga nokuba semngciphekweni kwe-CVE-2021-26855 (ProxyLogon), ekuvumela ukuba ufumane idatha kumsebenzisi ongenamthetho ngaphandle kokungqinisisa, kunye neCVE-2021-27065, ekuvumela ukuba usebenze ikhowudi yakho kwiserver enamalungelo olawulo.

Olona hlaselo luhle lwe-crypto: yanikwa Ukuchonga ezona ntsilelo ziphambili kwiinkqubo, iiprotocol kunye ne-encryption algorithms yokwenyani. Ibhaso fIkhutshwe kwiMicrosoft ngobungozi (CVE-2020-0601) ekuphunyezweni kwesiginesha ye-elliptic curve esayiniweyo evumela ukwenziwa kwezitshixo zabucala ngokusekwe kumaqhosha oluntu. Umcimbi wavumela ukwenziwa kwezatifikethi zomgunyathi ze-TLS ze-HTTPS kunye nokutyikitywa kobuxoki kwidijithali, eqinisekiswe yiWindows njengokuthenjwa.

Uninzi lophando olutsha: Ibhaso inikwe abaphandi abacebise indlela ye-BlindSide ukuthintela ukhuseleko lwedilesi ye-randomisation (ASLR) usebenzisa ukuvuza kwamacandelo asecaleni okubangelwa kukuphunyezwa kwemiyalelo yenkqubo.

Uninzi lweempazamo ze-Epic FAIL: unikwe iMicrosoft ngokukhutshwa okuninzi kwesiqwengana esingasebenziyo Ubungozi bePrintNightmare (CVE-2021-34527) kwinkqubo yokuprinta yeWindows evumela ukuba ikhowudi yakho iqhubeke. IMicrosoft Ekuqaleni ikhuphe umba njengowasekhaya, kodwa kamva kwavela ukuba uhlaselo lunokwenziwa kude. UMicrosoft emva koko ukhuphe uhlaziyo amatyeli amane, kodwa sihlandlo ngasinye isisombululo sigubungela ityala elinye, kwaye abaphandi bafumana indlela entsha yokwenza uhlaselo.

Eyona bug kwi-software yomthengi: loo mbasa yayi inikwe umphandi ofumanise ukuba semngciphekweni kwe-CVE-2020-28341 kwi-cryptography ekhuselekileyo ye-Samsung, Ndifumene isiqinisekiso sokhuseleko seCC EAL 5+. Ukuba semngciphekweni kuye kwenza ukuba kugqitywe ngokupheleleyo kukhuseleko kwaye kufumaneke ikhowudi eqhuba kwi-chip kunye nedatha egcinwe kwi-enclave, ngokudlula kwiscreen sokugcina isikrini, kunye nokwenza utshintsho kwi-firmware ukwenza ucango olufihliweyo.

Owona mngcipheko uphantsi: ibhaso yayingu unikwe iiQualys zokuchongwa kwenani lama-21Nails okuba semngciphekweni kwiseva yeposi ye-Exim, I-10 yazo inokuxhaphazwa ukude. Abaphuhlisi be-Exim babenamathandabuzo malunga nokuxhaphaza imiba kwaye bachitha ngaphezulu kweenyanga ezi-6 befumana isisombululo.

Eyona mpendulo ibuthathaka evela kumenzi: Olu lonyulo ngeyona mpendulo ingalunganga kwingxelo yokuba sesichengeni kwimveliso yakho. Ophumeleleyo ibinguCellebrite, isicelo sobuchwephesha kwezomthetho kunye nedatha yokunyanzeliswa komthetho. UCellebrite akazange aphendule ngokwaneleyo kwingxelo yokuba sesichengeni epapashwe nguMoxie Marlinspike, umbhali we-Signal protocol. UMoxie waba nomdla kuCellebrite emva kokuthumela ibali leendaba malunga nokwenza itekhnoloji yokuqhekeza imiyalezo efihliweyo yeSignal, eyathi kamva yajika yangamanga, ngenxa yokuchazwa gwenxa kolwazi kwinqaku kwiwebhusayithi yeCellebrite., Eyathi kamva yasuswa (the "ukuhlaselwa" kufuna ukufikelela komzimba kwifowuni kunye nokukwazi ukuvula isikrini, oko kukuthi, kuncitshiswe ukujonga imiyalezo kwisithunywa, kodwa kungekhona ngesandla, kodwa usebenzisa isicelo esikhethekileyo esilinganisa izenzo zomsebenzisi).

U-Moxie wavavanya izicelo ze-Cellebrite kwaye wafumanisa ukuba sesichengeni kakhulu okuvumela ukuba kwenziwe ikhowudi xa kuzanywa ukuskena idatha eyilwe ngokukodwa. Inkqubo yeCellebrite ikwabonakalise inyani yokuba isebenzisa ilayibrari ye-ffmpeg ephelelwe lixesha engakhange ihlaziywe iminyaka eli-9 kwaye inenani elikhulu lobuthathaka obungafakwanga. Endaweni yokuvuma imicimbi kwaye uyilungise, uCellebrite wakhupha ingxelo yokuba iyakhathala malunga nokunyaniseka kwedatha yomsebenzisi, igcina ukhuseleko lweemveliso zayo kwinqanaba elifanelekileyo.

Gqibela Eyona mpumelelo iphezulu-Inikwe u-Ilfak Gilfanov, umbhali we-IDA disassembler kunye ne-Hex-Rays decompiler, ngegalelo lakhe kuphuhliso lwezixhobo zabaphandi bezokhuseleko kunye nokukwazi kwakhe ukugcina imveliso ikwiminyaka engama-30.

Umthombo: https://pwnies.com


Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Uxanduva lwedatha: UMiguel Ángel Gatón
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.