Pwn2Own 2022: 5 vulnerabilities demonstrated in Ubuntu

The results of the three days of the Pwn2Own 2022 competition, held every year as part of the CanSecWest conference, were recently published in a blog post.

In this year's edition, working exploits for previously unknown vulnerabilities were demonstrated in Ubuntu Desktop, VirtualBox, Safari, Windows 11, Microsoft Teams and Firefox. In total, 25 successful attacks were demonstrated and three attempts ended in failure. The attacks targeted the latest stable versions of the applications, browsers and operating systems, with all available updates installed and default configurations. The total amount paid out was US$1,155,000.

Pwn2Own Vancouver for 2022 is underway, and the 15th anniversary of the contest has already seen some amazing research demonstrated. Stay tuned to this blog for updated results, pictures, and videos from the event. We'll be posting it all here, including the latest Master of Pwn leaderboard.

The competition saw five successful attempts to exploit previously unknown vulnerabilities in Ubuntu Desktop, carried out by different participating teams.

A $40,000 prize was awarded for demonstrating local privilege escalation in Ubuntu Desktop through a buffer overflow and double-free problems. Four further bonuses, worth $40,000 each, were paid for demonstrating privilege escalation through vulnerabilities involving access to memory after it has been freed (Use-After-Free).

SUCCESS - Keith Yeo (@kyeojy) won $40K and 4 Master of Pwn points with a Use-After-Free exploit on Ubuntu Desktop.

Which components contained the problems has not yet been reported; under the terms of the competition, detailed information on all demonstrated 0-day vulnerabilities is published only after 90 days, the time given to vendors to prepare updates that fix the vulnerabilities.

SUCCESS - In the final attempt of Day 2, Zhenpeng Lin (@Markak_), Yueqi Chen (@Lewis_Chen_), and Xinyu Xing (@xingxinyu) from Northwestern University's TUTELARY team successfully demonstrated a Use After Free bug leading to privilege escalation on Ubuntu Desktop. This earns them $40,000 and 4 Master of Pwn points.

SUCCESS: Team Orca of Sea Security (security.sea.com) was able to exploit 2 bugs on Ubuntu Desktop: an Out-of-Bounds Write (OOBW) and a Use-After-Free (UAF), winning $40,000 and 4 Master of Pwn Points.

Among the other attacks carried out successfully, the following can be listed:

  • $100,000 for developing an exploit for Firefox that, by opening a specially crafted page, bypassed sandbox isolation and executed code on the system.
  • $40,000 for demonstrating an exploit leveraging a buffer overflow in Oracle VirtualBox to escape the guest.
  • $50,000 for exploiting Apple Safari (buffer overflow).
  • $450,000 for hacks of Microsoft Teams (different teams demonstrated three hacks, with a prize of $150,000 each).
  • $80,000 (two $40,000 bonuses) for exploiting buffer overflows to escalate privileges in Microsoft Windows 11.
  • $80,000 (two $40,000 bonuses) for exploiting a bug in access-verification code to escalate privileges in Microsoft Windows 11.
  • $40,000 for exploiting an integer overflow to escalate privileges in Microsoft Windows 11.
  • $40,000 for exploiting a use-after-free vulnerability in Microsoft Windows 11.
  • $75,000 for demonstrating an attack on the infotainment system of a Tesla Model 3 car. The exploit used buffer overflow and double-free bugs, together with a previously known sandbox bypass method.

Finally, it is noted that over the two days of competition the failures that occurred, despite the three hacking attempts allowed, were the following: Microsoft Windows 11 (6 successful hacks and 1 failed), Tesla (1 successful hack and 1 failed) and Microsoft Teams (3 successful hacks and 1 failed). There were no entries to demonstrate exploits against Google Chrome this year.

Finally, if you are interested in learning more about it, you can check the details in the original post at the following link.
