Pwn2Own 2023 successfully demonstrates 5 Ubuntu hacks

Pwn2Own 2023

Pwn2Own 2023 was held in Vancouver

The results of the three days of the Pwn2Own 2023 competition, held annually as part of the CanSecWest conference in Vancouver, were recently published.

In this new edition, techniques were demonstrated for exploiting previously unknown vulnerabilities in Ubuntu, Apple macOS, Oracle VirtualBox, VMware Workstation, Microsoft Windows 11, Microsoft Teams, Microsoft SharePoint and Tesla vehicles.

A total of 27 successful attacks were demonstrated, each exploiting previously unknown vulnerabilities.

For those unfamiliar with Pwn2Own, it is a worldwide hacking contest organized by Trend Micro's Zero-Day Initiative (ZDI) and held since 2007. In it, some of the best hacking teams compete against predefined technical targets, and others, using zero-day exploits.

These elite bug-bounty hunters and security researchers have a strict time limit in which to successfully "pwn" the target in question. Success is rewarded both with points added to the Master of Pwn leaderboard and with prestige, which at Pwn2Own should not be underestimated given the strongly competitive atmosphere, as well as with attractive payouts. In total, Pwn2Own Vancouver 2023 had a prize pool of more than one million dollars.

The first to fall was Adobe Reader in the enterprise applications category, after Abdul Aziz Hariri (@abdhariri) of Haboob SA used an exploit chain targeting a 6-bug logic chain that abused multiple failed patches, escaped the sandbox and bypassed a list of banned APIs on macOS, winning $50,000.

The competition saw five successful attempts to exploit previously unknown vulnerabilities in Ubuntu Desktop, carried out by different participating teams.

The problems were caused by a double free ($30k bonus), a use-after-free memory access ($30k bonus) and incorrect pointer handling ($30k bonus). In two demos, already known but still unpatched vulnerabilities were used (two bonuses of $15,000 each). In addition, a sixth attempt to attack Ubuntu was made, but the exploit did not work.

The affected components have not yet been disclosed: under the rules of the competition, detailed information about all demonstrated zero-day vulnerabilities is published only after 90 days, a period given to the vendors to prepare updates that eliminate the vulnerabilities.

Among the other demos of successful attacks, the following are mentioned:

  • Three hacks of Oracle VirtualBox exploiting vulnerabilities caused by a use-after-free memory access, a buffer overflow and an out-of-bounds buffer read (two $40k bonuses and an $80k bonus for the exploitation of 3 vulnerabilities that allowed code execution on the host side).
  • Privilege escalation on Apple's macOS ($40K bonus).
  • Two attacks on Microsoft Windows 11 that allowed the attackers to escalate their privileges ($30,000 bonuses); the vulnerabilities were caused by a use-after-free memory access and incorrect input validation.
  • An attack on Microsoft Teams using a chain of two bugs in the exploit ($75,000 bonus).
  • An attack on Microsoft SharePoint ($100,000 bonus).
  • An attack on VMware Workstation through a use-after-free memory access and an uninitialized variable ($80,000).
  • Code execution while rendering content in Adobe Reader. A complex chain of 6 bugs was used for the attack, to bypass the sandbox and to reach a restricted API ($50,000 prize).
  • Two attacks on the Tesla car infotainment system and the Tesla Gateway, allowing root access to be obtained. The first prize was $100,000 plus a Tesla Model 3, and the second prize was $250,000.

The attacks used the latest stable versions of the applications, browsers and operating systems, with all available updates and default settings. The total amount of rewards paid out was $1,035,000 plus a car. The team with the most points received $530,000 and a Tesla Model 3.

Finally, if you are interested in learning more about it, you can check the details at the following link.


Data controller: Miguel Ángel Gatón