11 malicious packages found on PyPI

A few days ago, news broke that 11 packages containing malicious code had been identified in the PyPI (Python Package Index) repository.

Before the problems were identified, the packages had been downloaded about 38 thousand times in total. It should be noted that the malicious packages found stand out for using sophisticated methods to hide their communication channels with the attackers.

The packages that were found are the following:

  • important-package (6305 downloads) and importantpackage (12897): these packages establish a connection to an external server under the guise of connecting to pypi.python.org, in order to give shell access to the system (reverse shell), and use the trevorc2 program to hide the communication channel.
  • pptest (10001) and ipboards (946): used DNS as a communication channel to transmit information about the system (in the first package: hostname, working directory, internal and external IP; in the second: username and hostname).
  • owlmoon (3285), DiscordSafety (557) and yiffparty (1859): locate the Discord service token on the system and send it to an external host.
  • trrfab (287): sends the id, the hostname and the contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10cent10 (490): establishes a reverse shell connection to an external host.
  • yandex-yt (4183): displays a message that the system has been compromised and redirects to a page with additional information about further actions, issued via nda.ya.ru (api.ya.cc).

Given this, it is noted that special attention should be paid to the method of reaching external hosts used in the important-package and importantpackage packages, which abuse the Fastly content delivery network that serves the PyPI catalog in order to hide their activity.

In fact, the requests are sent to the pypi.python.org server (including the python.org name in the SNI field of the HTTPS request), but the name of the attacker-controlled server is placed in the HTTP "Host" header. The content delivery network then forwards an equivalent request to the attacker's server, using the TLS connection parameters of pypi.python.org when transmitting the data.

The PyPI infrastructure is served by the Fastly content delivery network, which uses a transparent Varnish proxy to cache typical requests and terminates TLS certificates at the CDN level rather than on the end servers, forwarding HTTPS requests through the proxy. Whatever the destination host, requests arrive at the proxy, which identifies the requested host from the HTTP "Host" header, since the domain names resolve to CDN load balancer IP addresses that are shared by all Fastly customers.

The attackers' server is also registered with the Fastly CDN, which offers everyone a free pricing plan and even allows anonymous registration. Notably, the same scheme is also used to send requests to the victim when operating the "reverse shell", but in that case the exchange is initiated by the attacker's host. From the outside, the interaction with the attacker's server looks like a legitimate session with the PyPI directory, encrypted with the PyPI TLS certificate. A similar technique, known as "domain fronting", was previously used actively to hide the host name when bypassing blocking: using the HTTPS option offered by some CDNs, a dummy host is specified in the SNI and the actually requested host name is passed in the HTTP Host header inside the TLS session.
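As an added example (not code from the article or from the packages it describes), the following Python check flags the SNI-versus-Host mismatch that this fronting relies on, run over constructed proxy log records; the JSON field names, the allow-list and the placeholder attacker name are assumptions.

```python
"""Flag TLS-inspecting proxy records where SNI and the HTTP Host header disagree.

Added example, not code from the article or from the packages it describes.
Assumptions: the proxy exports JSON lines with "sni", "host" and "dst_ip"
fields, and PYPI_HOSTS lists the only names a client should reach via PyPI's CDN.
"""
import json

# Hosts a client legitimately reaches through the PyPI CDN (assumed allow-list).
PYPI_HOSTS = {"pypi.python.org", "pypi.org", "files.pythonhosted.org"}

def normalize(name: str) -> str:
    """Lower-case a host name and drop a trailing dot and any :port suffix."""
    return name.lower().rstrip(".").split(":")[0]

def is_fronted(record: dict) -> bool:
    """True when SNI names a trusted PyPI host but the Host header names something else.

    This is the shape the article describes: the TLS layer says pypi.python.org
    while the HTTP layer asks the CDN for an attacker-registered name.
    """
    sni = normalize(record.get("sni", ""))
    host = normalize(record.get("host", ""))
    if not sni or not host or sni not in PYPI_HOSTS:
        return False
    return host != sni and host not in PYPI_HOSTS

def scan(lines):
    """Return (sni, host) for every record that looks like domain fronting."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if is_fronted(rec):
            hits.append((rec["sni"], rec["host"]))
    return hits

# Constructed sample: two normal PyPI sessions and one request whose Host header
# points at a placeholder attacker name; the IP is a documentation-range placeholder.
SAMPLE_LOG = """
{"sni": "pypi.python.org", "host": "pypi.python.org", "dst_ip": "198.51.100.10"}
{"sni": "files.pythonhosted.org", "host": "files.pythonhosted.org:443", "dst_ip": "198.51.100.10"}
{"sni": "pypi.python.org", "host": "attacker-fronting.example", "dst_ip": "198.51.100.10"}
"""

if __name__ == "__main__":
    for sni, host in scan(SAMPLE_LOG.splitlines()):
        print(f"possible domain fronting: SNI={sni} Host={host}")
```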

To further hide the malicious activity, the TrevorC2 package was used as well, which makes the interaction with the server resemble ordinary web browsing.

The pptest and ipboards packages use a different approach to hiding their network activity, based on encoding the useful information into requests to the DNS server. The malware transmits information by issuing DNS queries in which the data sent to the command and control server is base64-encoded inside the domain name. The attacker receives these messages by controlling the DNS server for the domain.
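As an added example (not code from the article or from the packages it describes), this Python detector scans constructed DNS query log lines for labels that decode as base64 data, the channel described above; the log format, the base64 variant and the placeholder zone name are assumptions.

```python
"""Flag DNS queries whose labels look like base64-encoded exfiltration data.

Added example, not code from the article or the packages it describes. Assumed:
"TIME query: NAME TYPE" log lines, unpadded base64url payload labels, and the
placeholder zone "c2-zone.example" for the attacker-controlled DNS domain.
"""
import base64
import binascii
import math
import re

B64_LABEL = re.compile(r"^[A-Za-z0-9_-]{16,63}$")  # long label, base64url alphabet only

def entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded data scores far above words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def decode_label(label: str):
    """Decode an unpadded base64url label, or return None if it is not valid base64."""
    try:
        return base64.urlsafe_b64decode(label + "=" * (-len(label) % 4))
    except (binascii.Error, ValueError):
        return None

def suspicious_labels(qname: str) -> list:
    """Return the decoded bytes of every label in qname that looks like encoded data."""
    out = []
    for label in qname.rstrip(".").split("."):
        data = decode_label(label) if B64_LABEL.match(label) and entropy(label) > 3.5 else None
        if data is not None:
            out.append(data)
    return out

def scan(log_lines) -> list:
    """Return (qname, payload) for each logged query carrying encoded labels."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "query:":
            payload = b"".join(suspicious_labels(parts[2]))
            if payload:
                hits.append((parts[2], payload))
    return hits

# Constructed sample log: two ordinary lookups and one query whose first label
# carries system details the way the article says pptest and ipboards do.
ENCODED_LABEL = base64.urlsafe_b64encode(b"host=build01;cwd=/home/ci").decode().rstrip("=")
SAMPLE_LOG = [
    "12:00:01 query: pypi.org A",
    "12:00:02 query: files.pythonhosted.org A",
    f"12:00:03 query: {ENCODED_LABEL}.c2-zone.example A",
]
```

Running `scan(SAMPLE_LOG)` returns only the third query, together with the decoded `host=build01;cwd=/home/ci` payload.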

Finally, if you want to know more about it, you can check the details at the following link.
