※ This article was forwarded by layzer from ptt.cc. Updated: 2012-03-11 16:09:35
Board C_Chat
Author Pietro (☞金肅πετροσ)
Title [News] Pinkie Pie cracked Chrome's vulnerabilities
Time Sun Mar 11 01:11:27 2012


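Google previously held a contest inviting hackers of all kinds to crack its browser
http://www.ettoday.net/news/20120310/30726.htm
Google offers US$1 million bounty; Chrome finally cracked by hackers | ETtoday International News | ETtoday News Cloud
Google Chrome came through the hacking contest unscathed in each of the previous three years, which left Google brimming with confidence; at the end of February this year it even issued a bounty to the hacker community with total prize money of up to US$1 million, hoping someone would crack Chrome. With such a huge prize on offer, Chrome could not survive either: at the browser-cracking contest (Pwn2Own) held on the 8th in Vancouver, Canada, a team found a Chrome vulnerability on the very first day. ...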


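There was also a side episode to this contest
A hacker nicknamed Pinkie Pie cracked Chrome on his own by way of three vulnerabilities
But because he entered the contest without his employer's consent
his real name was not made public

But for a character who can break the fourth wall
breaking a browser sandbox is nothing strange
Right?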

http://www.zdnet.com/blog/security/te...ree-0day-vulnerabilities/10649
Teenager hacks Google Chrome with three 0day vulnerabilities | ZDNet
“Pinkie Pie,” who asked to remain anonymous because he had not been authorized by his employer to participate in the contest, said he chai ...
 
http://zd.net/wHT3eY

============================================================================
Please forgive the somewhat poor translation
Teenager hacks Google Chrome with three 0day vulnerabilities
Teenage hacker cracked three zero-day vulnerabilities in Google Chrome

A teenage hacker who goes by the “Pinkie Pie” handle has hacked into Google
Chrome using three distinct zero-day vulnerabilities to evade the browser’s
protective sandbox.

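A teenage hacker, PinkiePie, hacked into Google's browser Chrome, getting past the browser's
self-protection sandbox through three zero-day vulnerabilities.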

The exploit was used as part of Google’s Pwnium hacker contest and earned
the researcher the maximum $60,000 cash prize.

The intrusion program was used as part of Google's Pwnium contest, and the developer earned the top prize of 60000 dollars

A Google spokesman on site confirmed the winning exploit.

A Google spokesman publicly confirmed this feat

“We have a team standing by waiting for this. We have three different teams
working on putting together the fix, building a patch and releasing it for
our customers,” he said.

"We have a team standing by for this; we have three teams working together to produce the patch and provide it to our users," he said

While “Pinkie Pie” was previously unknown to onlookers here, Googlers
described him as a “known and respected security researcher.”

Although "Pinkie Pie" was unknown before this, Googlers described him as a "known and respected security researcher"

In an interview after successfully launching the drive-by download exploit,
Pinkie Pie said he worked for about one-and-a-half weeks to find the
vulnerabilities and write a reliable exploit.

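In an interview after successfully launching the exploit, PinkiePie said he spent a week and a half finding the vulnerabilities and writing
a working exploit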

The exploit worked on a fully patched Windows 7 machine (64-bit) and did not
require any user action beyond normal web browsing.

This program ran on a fully patched Windows 7, and did not go beyond any normal web browser operation


Pinkie Pie has never submitted a vulnerability report to Google and created
this multi-stage attack specially for the Pwnium contest.

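Pinkie Pie had never before submitted a vulnerability report to Google, nor designed this multi-stage attack procedure
in advance specifically to enter this contest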

He said he never considered selling the vulnerability to third-party brokers.
“I've never sold a vulnerability before.”

He said he never considered selling this vulnerability through a third party. "I have never sold a vulnerability"

Strangely, while sandbox escapes are rare, Pinkie Pie said the easiest part
of his attack was jumping out of the Chrome sandbox after the initial exploit.

Strangely, this is a very rare sandbox-escape action; Pinkie Pie said the easiest part was jumping past the sandbox after
the first attack

“I got lucky because I found a way [to jump out of the sandbox] very early.
I figured it out by looking at it carefully,” he added.

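"I was lucky, I found this method (meaning jumping past the sandbox) very early; I figured this part out and looked at it carefully," he added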

He declined to discuss specifics of the vulnerabilities or the exploit
techniques, deferring comments to Google representatives.

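He declined to discuss the details of the vulnerabilities and attack techniques, deferring until Google's representatives give their comments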



--
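※ Posting site: PTT (ptt.cc)
◆ From: 111.242.7.139
floyyed: Pinkie comes in three flavors: driving, bored, eating Pinkpie  1F 03/11 00:35
jackie60728: FlutterShy is the one true way  2F 03/11 00:37
fenir: Spotted the Let the Bullets Fly reference  3F 03/11 00:37
yyc1217: This is what hackers really do: spend a lot of time finding one vulnerability  4F 03/11 00:38
yyc1217: not type a lot at a computer and then suddenly hack into the system
startlequiet: 2F gets the reference XD......  6F 03/11 00:38
sese5566: "and earned the top prize of 60000 dollars (刀)"     says 丸把刀  7F 03/11 00:38
sese5566: What's the reference? Blindfolding the horse's eyes?
HDT: No way, Derpy is the one true way, one of the only two who can currently break the fourth wall  10F 03/11 00:46
Pietro: This post was translated with the help of the almighty Google  11F 03/11 00:46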

※ Posting site: PTT (ptt.cc)
※ Reposted by: Pietro (111.242.7.139), Time: 03/11/2012 01:11:27
evincebook: Huh?! What is this post?  1F 03/11 01:12
※ Edited: Pietro          From: 111.242.7.139        (03/11 01:14)
synparabola: \Applebloom/  2F 03/11 01:14
biglafu: ????  3F 03/11 01:15
evincebook: 囧 I don't quite get where the point is, could someone explain @@? Thanks  4F 03/11 01:15
willkill: MLP  5F 03/11 01:16
QBian: ╱人●ω●人╲:?  6F 03/11 01:16
no4: Li'l ponies (洨馬)  7F 03/11 01:16
hoyunxian: I also think this should go on the Browser board......  8F 03/11 01:16
Pietro: PinkiePie is a character from My Little Pony: Friendship Is Magic  9F 03/11 01:18
jeans1020: Rainbow ponies  10F 03/11 01:18
scvb: Far-fetched  11F 03/11 01:19
LADKUO56: The relevance is pretty weak  12F 03/11 01:19
biglafu: My Little Porny!?  13F 03/11 01:19
HDT: It's not far-fetched, that hacker's avatar really is pinkie pie  14F 03/11 01:19
kkessherry: PinkiePie, you win  15F 03/11 01:20
sixpoint: What the heck is My Little Porny.......  16F 03/11 01:24
kira925: As expected of biglafu  17F 03/11 01:25
Xavy: I think it's because there is so much appended text that the relevance looks weak by comparison XD  18F 03/11 01:25
Pietro: In (在) half an hour the live stream will start  19F 03/11 01:26
Pietro: 再 [correcting the typo 在 in the previous line]
xxx60709: MY little porny, what the hell wwwwwwwwwwwwwwwwww  21F 03/11 01:36
realion: PornyXDD  22F 03/11 01:42
xxx60709: Damn, typing in My little porny turns up weird stuff...  23F 03/11 01:43
ox12345xo: Ponies are awesome!!!!  Though I've only watched one episode~~  24F 03/11 02:00
biglafu: ox watches My Little Porny!?  25F 03/11 02:03
a150237: Ponies are awesome!!! I got hooked after watching four episodes ww  26F 03/11 02:07
biglafu: Little Pony-->綠豆碰 (mung bean pastry)  27F 03/11 02:10
synparabola: 綠豆椪wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww  28F 03/11 02:18
tsunamimk2: fluttershy is mine!  29F 03/11 02:18
HDT: The poster above can just take Futashy, Fluttershy is mine  30F 03/11 02:21
a150237: Then I'm taking Luna!  31F 03/11 02:31
angol1337: MLP ftw!  32F 03/11 03:05
※ Edited: Pietro          From: 111.242.0.186        (03/11 08:24)
undeathelf: MY little porny, damn XDDDDD  33F 03/11 09:53
jujustine83: Impressive  34F 03/11 10:24
ASDIGA: I laughed when I saw the reference  35F 03/11 13:03
