At Pwn2Own 2023, five Ubuntu hacks were successfully demonstrated

Pwn2Own 2023

Pwn2Own 2023 was held in Vancouver

The results of the three days of the Pwn2Own 2023 competition, held every year as part of the CanSecWest conference in Vancouver, were recently published.

In this new edition, techniques were demonstrated for exploiting previously unknown vulnerabilities in Ubuntu, Apple macOS, Oracle VirtualBox, VMware Workstation, Microsoft Windows 11, Microsoft Teams, Microsoft SharePoint and Tesla vehicles.

A total of 27 successful attacks exploiting previously unknown vulnerabilities were demonstrated.

For those unfamiliar with Pwn2Own, it is a global hacking event organized by Trend Micro's Zero-Day Initiative (ZDI) that has been held since 2005. In it, some of the best hacking teams compete against technology targets and against each other, using 'zero-day' exploits.

These elite hackers and security researchers have a strict time limit to successfully 'pwn' the targets in question. Success is rewarded both with points added to the Master of Pwn leaderboard and with recognition that should not be underestimated, since the competition is intense and the payouts are attractive. In total, Pwn2Own Vancouver 2023 had a prize pool of more than $1 million.

The first target to fall was Adobe Reader in the enterprise applications category, after Abdul Aziz Hariri (@abdhariri) of Haboob SA used an exploit chain targeting a 6-bug logic chain that abused multiple failed patches, escaped the sandbox and bypassed a list of banned APIs in macOS to win $50,000.

At the competition, successful exploitation of five previously unknown vulnerabilities in Ubuntu Desktop was demonstrated, carried out by different teams of participants.

The problems were caused by a double free of memory ($30k prize), a use-after-free memory access ($30k prize) and incorrect pointer handling ($30k prize). In two demos, already known but still unpatched vulnerabilities were used (two prizes of 15 thousand dollars each). In addition, a sixth attack attempt was made on Ubuntu, but the exploit did not work.

The affected components have not yet been reported; under the terms of the competition, detailed information about all the zero-day vulnerabilities will be published only after 90 days, a period given to the manufacturers to prepare updates that eliminate the vulnerabilities.

As for the rest of the demos, the successful attacks mentioned are the following:

  • Three Oracle VirtualBox hacks exploiting vulnerabilities caused by use-after-free memory access, a buffer overflow and an out-of-bounds buffer read (two $40k prizes and an $80k bonus for exploiting 3 vulnerabilities that allow code execution on the host side).
  • Privilege elevation in Apple macOS ($40K prize).
  • Two attacks on Microsoft Windows 11 that allowed privilege escalation ($30,000 prizes). The vulnerabilities were caused by use-after-free memory access and incorrect input validation.
  • An attack on Microsoft Teams using a two-bug chain in the exploit ($75,000).
  • An attack on Microsoft SharePoint ($100,000 bonus).
  • An attack on VMware Workstation via use-after-free memory access and an uninitialized variable ($80).
  • Code execution when rendering content in Adobe Reader. A complex chain of 6 bugs was used to carry out the attack, bypass the sandbox and gain access to forbidden APIs ($50,000).

Two attacks on the Tesla vehicle infotainment system and the Tesla Gateway allowed root access to be obtained. The first prize was $100,000 and a Tesla Model 3; the second prize was $250,000.

The attacks used the latest versions of the applications, browsers and operating systems, with all updates installed and default settings. The total compensation paid out was $1,035,000 and a car. The team with the most points received $530,000 and a Tesla Model 3.

Finally, if you are interested in learning more about it, you can consult the details at the following link.

