Pwn2Own 2020 was held online because of Covid-19, with hacks demonstrated against Ubuntu, VirtualBox and more

Pwn2Own is a hacking contest held every year at the CanSecWest security conference, starting in 2007. Participants take on the challenge of exploiting widely used software and mobile devices using previously unknown vulnerabilities.

Contest winners receive the device they exploited, a cash prize, and a "Masters" jacket celebrating the year of their win. The name "Pwn2Own" comes from the fact that participants must "pwn", or hack, the device in order to "own" it, that is, to win it.

The Pwn2Own contest serves to demonstrate the vulnerability of widely used devices and software, and also provides a checkpoint on the progress made in security since the previous year.

About Pwn2Own 2020

In this year's edition, Pwn2Own 2020 was held virtually and the attacks were demonstrated online because of the problems caused by the spread of the coronavirus (Covid-19). This is the first time the organizer, the Zero Day Initiative (ZDI), decided to run the event in a way that let participants demonstrate their exploits remotely.

During the contest, various working techniques were presented for exploiting previously unknown vulnerabilities in Ubuntu Desktop (Linux kernel), Windows, macOS, Safari, VirtualBox and Adobe Reader.

The total payout came to $270 thousand (the total prize pool exceeded US$4 million).

In summary, the results of the two days of the Pwn2Own 2020 contest, held every year at the CanSecWest conference, are as follows:

  • On the first day of Pwn2Own 2020, a team from the Georgia Tech Systems Software and Security Lab (@SSLab_Gatech) hacked Safari with escalation to kernel-level privileges and launched the calculator with root privileges. The attack chain involved six vulnerabilities and earned the team $70,000.
  • Also during the event, Manfred Paul from "RedRocket" demonstrated a local privilege escalation in Ubuntu Desktop by exploiting a vulnerability in the Linux kernel related to improper validation of input values. This won him a $30,000 prize.
  • There was also a demonstration of escaping the guest environment in VirtualBox and executing code with hypervisor administrator rights, by exploiting two vulnerabilities: the ability to read data from a region outside the allocated buffer, and an error when working with uninitialized variables. The prize for proving this flaw was $40,000. Outside the contest, representatives of the Zero Day Initiative also demonstrated another VirtualBox technique that allows access to the host system through manipulation from within the guest environment.
  • Two demonstrations of local privilege escalation in Windows by exploiting vulnerabilities that lead to access to an already-freed memory region; two prizes of $40 thousand each were awarded for these.
  • Gaining administrator access in Windows when opening a specially crafted PDF document in Adobe Reader. The attack involved flaws in Acrobat and in the Windows kernel related to accessing already-freed memory regions (prize $50,000).

The remaining nominations, which went unclaimed, were for hacking Chrome, Firefox, Edge, Microsoft Hyper-V Client, Microsoft Office and Microsoft Windows RDP.

There was also an attempt to hack VMware Workstation, but it was unsuccessful. As in the previous year, hacking of most open source projects (nginx, OpenSSL, Apache httpd) was not included in the prize categories.

Separately, we can look at the matter of hacking the information system of a Tesla car.

There were no attempts to hack a Tesla in the contest, despite the maximum prize of $700 thousand, but separate information was published about the discovery of a DoS vulnerability (CVE-2020-10558) in the Tesla Model 3, which allows a specially crafted page to disable the autopilot's notifications and interrupt the operation of components such as the speedometer, cruise control, air conditioning, navigation and others.

Source: https://www.thezdi.com/

