The "Oscars" of the Security World Announced: Microsoft System Vulnerability Named "Most Epic Fail"

On the afternoon of 4 August 2021 (US Eastern time), the Pwnie Awards were announced.

On the afternoon of 4 August 2021, US Eastern time, the Black Hat USA annual Pwnie Awards ceremony (2020 edition; https://pwnies.com/nominations/active/) was held at Mandalay Bay. Ten awards, including "Lamest Vendor Response", "Epic Achievement" and "Best Privilege Escalation Bug", were presented to companies and individuals, drawing coverage from technology media around the world.

From "Best Bug" to "Most Epic Fail": winners from all walks of life

Of the ten Pwnie awards, nine are vulnerability awards and one, "Best Song", is a ceremony award related to vulnerabilities. The winners range from brilliant researchers such as Enes Goktas, Kaveh Razavi and Georgios Portokalidis to well-known government agencies and companies including Microsoft and the NSA (US National Security Agency); the awards cover a wide range of topics and the winners come from diverse backgrounds.

InfoQ has selected five representative Pwnie awards to describe. The award names, winners and reasons for the award are as follows:

- Best Bug: heap-based buffer overflow in Sudo. The award went to Qualys for identifying CVE-2021-3156 in the Sudo utility, a vulnerability that allows an attacker to gain root privileges. Notably, the bug had been in the code for roughly ten years: it could not be found by fuzzing, and discovering it required understanding how the system interacts with sudo, which makes it a very clever find.

- Best Server-Side Bug: Microsoft Exchange Server. The award went to DevCore principal security researcher Orange Tsai for detecting a new attack vector against Microsoft Exchange. The research found seven vulnerabilities in total; details of CVE-2021-26855 (ProxyLogon) and CVE-2021-27065 have been published. The former allows an attacker to extract arbitrary users' data without authentication; the latter allows an attacker to execute code on the server with administrator privileges.

- Best Cryptographic Attack: Windows clients and servers. The vulnerability was discovered and disclosed by the NSA (US National Security Agency; https://www.nsa.gov). Because of a flaw in Microsoft's elliptic-curve digital signature implementation (CVE-2020-0601), an attacker can derive a private key from a public key, and can therefore create forged TLS certificates for HTTPS and forged digital signatures that Windows validates as trusted, breaking the certificate chain of trust.

- Most Innovative Research: Blind ROP (BROP). The award went to VUSec team members Enes Goktas, Kaveh Razavi, Georgios Portokalidis, Herbert Bos and Cristiano Giuffrida, who presented a blind-side method for bypassing address space layout randomization (ASLR) while exploiting speculative execution of processor instructions to cause side-channel leakage.

- Most Epic Fail: the printer-system nightmare. The award went to Microsoft for the repeatedly re-released printer code-execution vulnerability PrintNightmare (CVE-2021-34527). In the Windows print system an attacker could execute code freely. Microsoft initially classified the issue as local, but it was later found that an attacker could also execute code remotely. Microsoft released an update for it, and across as many as four updates each one closed only a single special case (there were four in total), so researchers found a new attack path after every update and Microsoft had to issue the next one.

The awards listed above represent part of the awarding focus and the current state of the vulnerability industry. It is not hard to see that Microsoft systems are the hardest-hit area, and Linux has related vulnerabilities too. On one hand this highlights how broad Microsoft's user base is; on the other, it keeps sounding the alarm for the companies and communities involved: defending against vulnerability exploitation is not the work of a single day. Wherever networked systems exist there are network and system security risks, and as practitioners in the computing industry we should pay close attention and do our part for vulnerability security.

A hacker award where the "Oscars" and the "Razzies" coexist

The Black Hat USA annual Pwnie Awards recognize security researchers, vendors and others (including media organizations) who have had some kind of impact on the cybersecurity industry over the past 12 months. Nominations come from the whole security community and are reviewed by a panel of respected security researchers.

A Pwnie represents the esteem of community members. The Pwnies have always been an industry-level award that the community gives to practitioners whose work matters, but they are also used to call out people or companies whose security failures had the opposite effect, such as the Most Epic Fail award described above. That is why the Pwnie Awards are called the cybersecurity world's "Oscars" and "Razzies".

In 2021 the Pwnies called on more security-related technical organizations and researchers to address security problems, bringing their vulnerability exploitation successes and missteps over the year into the news, while motivating them to bring new insight to vulnerability research and attack techniques in their work. The award keeps its eye on new discoveries in the security field and may, for the second year running, honor research that has not received the attention it deserves.

Reference links:

https://pwnies.com/winners
https://www.altusintel.com/public-yy425x
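As an added illustration of the CVE-2020-0601 item above (example code written for this edit, not from the article and not Microsoft's implementation), the following Python shows the validation step that a certificate parser accepting explicit elliptic-curve parameters must perform: every supplied parameter, the generator included, has to equal the named curve's standard constants. A check that only confirms the public key is consistent with the supplied generator is not enough, because a parameter set whose generator differs from the standard one can still satisfy it. The P-256 constants are the public NIST values; the private scalar and the mismatched parameter set are constructed for the demo.

```python
"""Explicit EC parameter validation versus a naive key-consistency check.

Added example. The naive check (public key == private scalar * supplied
generator) accepts any parameter set that is internally consistent; the
hardened check compares the supplied parameters with the named curve.
"""

# NIST P-256 (secp256r1) domain parameters: prime, coefficients, generator, order.
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "g": (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5),
    "n": 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
}
NAMED_CURVES = {"P-256": P256}
INF = None  # point at infinity


def on_curve(pt, c=P256):
    """True if pt satisfies y^2 = x^3 + a*x + b (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + c["a"] * x + c["b"])) % c["p"] == 0


def add(p1, p2, c=P256):
    """Affine point addition (handles doubling and the inverse case)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    p = c["p"]
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + c["a"]) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, pt, c=P256):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt, c)
        pt = add(pt, pt, c)
        k >>= 1
    return acc


def curve_self_check(c=P256):
    """Sanity check of the constants: G is on the curve and n*G is infinity."""
    return on_curve(c["g"], c) and mul(c["n"], c["g"], c) is INF


def naive_key_matches(explicit, priv, pub):
    """The insufficient check: only confirms pub == priv * explicit['g']."""
    return mul(priv, explicit["g"], explicit) == pub


def validate_explicit_params(curve_name, explicit):
    """Hardened check: each explicit parameter must equal the named curve's.

    Returns the list of mismatched field names; an empty list means accepted.
    """
    ref = NAMED_CURVES[curve_name]
    return [k for k in ("p", "a", "b", "g", "n") if explicit.get(k) != ref[k]]


def demo():
    # Constructed genuine key pair: a demo private scalar and its public point.
    d = 0x123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    q = mul(d, P256["g"])
    genuine = dict(P256)            # explicit parameters identical to P-256
    mismatched = dict(P256, g=q)    # constructed: generator is not P-256's G
    return {
        "genuine_naive": naive_key_matches(genuine, d, q),
        "genuine_hardened": validate_explicit_params("P-256", genuine),
        # With generator q, the scalar 1 makes the naive check pass for q.
        "mismatch_naive": naive_key_matches(mismatched, 1, q),
        "mismatch_hardened": validate_explicit_params("P-256", mismatched),
    }


if __name__ == "__main__":
    print("constants ok:", curve_self_check())
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows the genuine parameter set passing both checks, while the mismatched set passes the naive consistency check and is rejected by the hardened check with `['g']` as the offending field. In practice the safest policy is to reject explicit curve parameters altogether and accept only named curves, which removes the comparison entirely.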