Kwanan nan sun bayyana kansu ta hanyar blog post sakamakon kwanaki uku na gasar Pwn2Own 2022, wanda aka gudanar kowace shekara a matsayin wani ɓangare na taron CanSecWest.
A cikin bugu na wannan shekara an nuna fasahohin don yin aiki don amfani da raunin rauni ba a sani ba a baya don Desktop Ubuntu, Virtualbox, Safari, Windows 11, Microsoft Teams da Firefox. Gabaɗaya, an sami nasarar kai hare-hare guda 25 kuma yunƙurin uku ya ƙare ba a yi nasara ba. Hare-haren sun yi amfani da sabbin juzu'an aikace-aikace, masu bincike da tsarin aiki tare da duk sabbin abubuwan da aka samu kuma a cikin saitunan tsoho. Jimlar kuɗin da aka biya shine dalar Amurka 1.155.000.
Pwn2Own Vancouver ta 2022 yana gudana, kuma an riga an ga bikin cika shekaru 15 na gasar an ga wasu bincike mai ban mamaki akan nuni. Kasance da wannan shafin don samun sabbin sakamako, hotuna, da bidiyoyi daga taron. Za mu buga shi duka anan, gami da sabon jagorar Jagora na Pwn.
Wasan ya nuna yunƙuri biyar na nasara na cin gajiyar raunin da ba a san su ba a cikin Ubuntu Desktop, wanda ƙungiyoyin mahalarta daban-daban suka yi.
aka bayar a Kyautar $ 40,000 don nuna haɓaka gata na gida a cikin Desktop Ubuntu ta hanyar yin amfani da ɓoyayyen buffer biyu da al'amurran sakin biyu. An biya kari huɗu, darajar $40,000 kowanne, don nuna haɓaka gata ta hanyar amfani da raunin da ya shafi damar ƙwaƙwalwar ajiya bayan an sake shi (Amfani-Bayan-Free).
Nasara - Keith Yeo (@kyeojy) ya lashe $ 40K da 4 Master na Pwn maki don Amfani-Bayan-Free amfani akan Desktop Ubuntu.
Waɗanne ɓangarori na matsalar ba a ba da rahoton ba tukuna, bisa ga sharuɗɗan gasar, cikakken bayani game da duk abubuwan da aka nuna na rashin lahani na kwanaki 0 za a buga su ne kawai bayan kwanaki 90, waɗanda aka bayar don shirye-shiryen sabuntawa ta masana'antun don cire lahani.
NASARA - A cikin ƙoƙari na ƙarshe a ranar 2, Zhenpeng Lin (@Markak_), Yueqi Chen (@Lewis_Chen_), da Xinyu Xing (@xingxinyu) daga ƙungiyar TUTELARY ta Jami'ar Arewa maso yamma sun sami nasarar nuna Amfani Bayan Kwaro Kyauta wanda ya haifar da haɓaka gata a Ubuntu Desktop. Wannan yana ba ku $40,000 da 4 Master na maki Pwn.
Kungiyar Orca na Tsaron Teku (security.sea.com) ya sami damar gudanar da bugu 2 akan Desktop Ubuntu: Rubutun Ƙa'ida (OOBW) da Amfani-Bayan-Free (UAF), yana samun $40,000 da 4 Master of Pwn Points .
Nasara: Team Orca na Tsaron Teku (security.sea.com) ya sami damar gudanar da buguwa guda 2 akan Desktop Ubuntu: Rubutun Ƙirar-Ƙananan Ƙira (OOBW) da Amfani-Bayan-Free (UAF), wanda ya ci $40,000 da 4 Master of Pwn maki.
Daga cikin sauran hare-haren da za a iya kai su cikin nasara, muna iya ambata kamar haka:
- Dala dubu 100 don haɓaka amfani da Firefox, wanda ya ba da izini, ta hanyar buɗe wani shafi na musamman, don ƙetare keɓantawar akwatin sandbox da aiwatar da lamba a cikin tsarin.
- $40,000 don nuna cin zarafi wanda ke amfani da fa'idar buffer ambaliya a cikin Oracle Virtualbox don fita baƙo.
- $50,000 don gudanar da Apple Safari (buffer overflow).
- $450,000 na Microsoft Teams hacks (kungiyoyi daban-daban sun nuna hacks uku tare da lada
- $150,000 kowanne).
- $80,000 (kyakkyawan $40,000 guda biyu) don cin gajiyar cin gajiyar buffer ambaliya da haɓaka gata a cikin Microsoft Windows 11.
- $80,000 (kyauta $40,000 biyu) don amfani da kwaro a cikin lambar tabbatarwa don haɓaka gata a cikin Microsoft Windows 11.
- $40k don yin amfani da yawan adadin lamba don haɓaka gata a cikin Microsoft Windows 11.
- $40,000 don cin gajiyar rashin amfani-Bayan-Free a cikin Microsoft Windows 11.
- $75,000 don nuna hari akan tsarin bayanan bayanai na motar Tesla Model 3. Amfanin da aka yi amfani da shi ya cika buffer da buffer sau biyu kyauta, tare da fasahar kewayawa ta akwatin sandbox a baya.
A ƙarshe amma ba kalla ba, an ambaci cewa a cikin kwanaki biyu na gasar cin nasarar da aka samu duk da ƙoƙarin hacking uku da aka yarda, sune kamar haka: Microsoft Windows 11 (6 nasara hacks da 1 ya kasa), Tesla (1 hack nasara da 1 ya kasa). ) da Ƙungiyoyin Microsoft (Hacks masu nasara 3 da 1 sun kasa). Babu buƙatun nuna fa'idodi a cikin Google Chrome a wannan shekara.
Finalmente idan kuna sha'awar ƙarin sani game da shi, Kuna iya duba cikakkun bayanai a cikin ainihin sakon a mahada mai zuwa.