11 malicious packages found on PyPI

A few days ago the news broke that 11 packages containing malicious code had been identified in the PyPI (Python Package Index) repository.

Before the problems were detected, the packages had been downloaded about 38 thousand times in total. It should be noted that the malicious packages stood out for their use of sophisticated methods to hide the communication channels with the attackers' servers.

The packages found are the following:

  • importantpackage (6305 downloads) and important-package (12897): these packages established a connection to an external server under the guise of connecting to pypi.python.org in order to provide shell access to the system (reverse shell), and used the trevorc2 program to hide the communication channel.
  • pptest (10001) and ipboards (946): used DNS as a communication channel to transmit information about the system (in the first package: hostname, working directory, internal and external IP; in the second: username and hostname).
  • owlmoon (3285), DiscordSafety (557) and yiffparty (1859): locate the Discord service token on the system and send it to an external host.
  • trrfab (287): sends the identifier, hostname and the contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10cent10 (490): establishes a reverse shell connection to an external host.
  • yandex-yt (4183): displays a message that the system has been compromised and redirects to a page with additional information about further actions, served via nda.ya.ru (api.ya.cc).

Given this, special attention is said to be warranted for the method of reaching external hosts used by the importantpackage and important-package packages, which abuse the Fastly content delivery network that serves the PyPI catalog to hide their activity.

In fact, the requests were sent to the pypi.python.org server (including specifying the python.org name in the SNI of the HTTPS request), but the attacker-controlled server name was placed in the HTTP "Host" header. The content delivery network then forwarded that same request to the attacker's server, using the parameters of the TLS connection to pypi.python.org when sending the data.

The PyPI infrastructure is powered by the Fastly content delivery network, which uses a transparent Varnish proxy to cache typical requests and handles TLS certificates at the CDN level rather than on the endpoint servers, forwarding HTTPS requests through the proxy. Regardless of the target host, requests are sent to the proxy, which identifies the requested host from the HTTP "Host" header, and the hostnames of the domains resolve to CDN load-balancer IP addresses shared by all Fastly customers.

The attackers' server is also registered with the Fastly CDN, which offers everyone free-tier plans and even allows anonymous registration. Notably, the same scheme is also used to send requests to the victim when creating the "reverse shell", but initiated from the attacker's host. From the outside, interaction with the attacker's server looks like a legitimate session with the PyPI repository, encrypted with PyPI's TLS certificate. A similar technique, known as "domain fronting", has previously been used to hide the real hostname when bypassing blocking: using the HTTPS option offered by some CDN networks, a dummy host is specified in the SNI and the actually requested hostname is passed in the HTTP Host header inside the TLS session.
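Because the Host header travels inside the TLS session, only an endpoint that terminates TLS (the CDN itself, or an inspecting egress proxy) can see the SNI/Host disagreement described above. The following added detection example, not code from the report or from any of the packages, assumes such a proxy writes both values as key=value pairs; the log format, addresses and the attacker hostname are constructed.

```python
"""Flag proxy-log entries whose TLS SNI and HTTP Host header name different domains."""
from typing import Iterable, List, Tuple

def parse_kv_line(line: str) -> dict:
    """Turn 'src=10.0.0.5 sni=pypi.python.org host=pypi.python.org' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def base_domain(name: str) -> str:
    """Crude registrable-domain heuristic (last two labels). In production use a
    public-suffix list so that co.uk-style suffixes are handled correctly."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def fronting_candidates(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (src, sni, host) for sessions whose Host header leaves the SNI's domain.
    A mismatch inside one domain (SNI python.org, Host pypi.python.org) is normal
    behind a CDN; a different base domain is the domain-fronting signature."""
    hits = []
    for line in lines:
        rec = parse_kv_line(line)
        sni, host = rec.get("sni"), rec.get("host")
        if not sni or not host:
            continue                      # cannot judge without both values
        if base_domain(sni) != base_domain(host):
            hits.append((rec.get("src", "?"), sni, host))
    return hits

# Constructed sample lines (no real traffic). The third mimics the behaviour described
# in the text: SNI says PyPI, but the Host header names an attacker-registered CDN service.
SAMPLE_LOG = [
    "src=10.0.0.5 sni=pypi.python.org host=pypi.python.org",
    "src=10.0.0.5 sni=python.org host=pypi.python.org",
    "src=10.0.0.7 sni=pypi.python.org host=exfil-service.attacker.invalid",
    "src=10.0.0.9 sni=files.pythonhosted.org host=files.pythonhosted.org",
]

if __name__ == "__main__":
    for src, sni, host in fronting_candidates(SAMPLE_LOG):
        print(f"{src}: SNI={sni} but Host={host}")
```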

To hide the malicious activity, the TrevorC2 package was also used, which makes communication with the server resemble ordinary web browsing.

The pptest and ipboards packages used a different approach to hiding their network activity, based on encoding the harvested information in requests to the DNS server. The malware transmits the information by issuing DNS queries in which the data destined for the command and control server is base64-encoded into the subdomain name. The attacker receives these messages by controlling the authoritative DNS server for the domain.

Finally, if you are interested in learning more about this, you can consult the details at the following link.
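The DNS channel described for pptest and ipboards leaves a recognisable trace in resolver logs: long, high-entropy subdomain labels that decode to readable text. The following added detection example, written for this article and not taken from the packages or the report, scores query names that way; the log format, the client addresses and the attacker domain are constructed.

```python
import base64
import binascii
import math
import re

# base64url alphabet is hostname-safe; tunnelling tools usually drop the '=' padding
B64URL_LABEL = re.compile(r"^[A-Za-z0-9_-]{16,63}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores higher than ordinary host labels."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def decode_label(label: str):
    """Re-pad and base64url-decode one label; None if it cannot be valid base64."""
    if len(label) % 4 == 1:                 # no base64 text has length 1 mod 4
        return None
    try:
        return base64.urlsafe_b64decode(label + "=" * (-len(label) % 4))
    except (binascii.Error, ValueError):
        return None

def printable_ratio(data: bytes) -> float:
    """Share of printable ASCII bytes; exfiltrated system info is text, noise is not."""
    return sum(0x20 <= b < 0x7F for b in data) / max(len(data), 1)

def suspicious_queries(log_lines, min_entropy=3.5, min_printable=0.9):
    """Parse '<client> <qname>' lines; return (qname, payload) for tunnel-like names."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        qname = parts[1].rstrip(".")
        labels = qname.split(".")
        for lab in labels[:-2]:             # skip the registrable domain itself
            if not (B64URL_LABEL.match(lab) and shannon_entropy(lab) >= min_entropy):
                continue
            payload = decode_label(lab)
            if payload is not None and printable_ratio(payload) >= min_printable:
                hits.append((qname, payload))
                break
    return hits

# Constructed sample lines "<client> <qname>": the first carries base64url("hostname=build-01")
# in its subdomain; the last is long and high-entropy but decodes to non-text.
SAMPLE_LOG = [
    "10.0.0.5 aG9zdG5hbWU9YnVpbGQtMDE.c2.attacker.invalid.",
    "10.0.0.5 pypi.org.",
    "10.0.0.7 updates-2024-03-node17.example.org.",
]
```

The entropy threshold alone would also flag the ordinary-looking `updates-2024-03-node17` label, which is why the decoded bytes are checked for readability as a second stage.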

