{"id":17770,"date":"2022-04-28T00:36:05","date_gmt":"2022-04-27T21:36:05","guid":{"rendered":"https:\/\/kutaybilen.com.tr\/?p=17770"},"modified":"2022-04-28T00:36:05","modified_gmt":"2022-04-27T21:36:05","slug":"tesla-sunucularindaki-bir-yanilgiyi-bulana-10-000-dolar-verdi","status":"publish","type":"post","link":"https:\/\/kutaybilen.com.tr\/?p=17770","title":{"rendered":"Tesla Paid 10,000 Dollars to the Person Who Found a Bug on Its Servers"},"content":{"rendered":"<p>US electric car maker <strong>Tesla<\/strong> recently paid out what can be considered a fairly small sum for a company of its size over a security vulnerability it encountered in <strong>Microsoft SQL Server Reporting Services<\/strong> (SSRS). The payment went to the person who discovered the vulnerability.<\/p>\n<p>SSRS had received an update just five days before the vulnerability we are discussing came to light. The vulnerability allowed <strong>remote code execution<\/strong> as a result of a bug on the server. The flaw, discovered by German bug hunter \u201c<strong>parzel<\/strong>\u201d, showed up on the server Tesla runs for its partners.<\/p>\n<p><b>The vulnerability in SSRS had previously been disclosed by someone else:<\/b><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.webtekno.com\/images\/editor\/default\/0002\/46\/7c4513de76e7d8a6ebc361cbf15690a35b19adaa.jpeg\"\/><\/p>\n<p>The vulnerability, designated <strong>CVE-2020-0618<\/strong>, had received an update on 14 February. The German hunter parzel reported the vulnerability, which he discovered four days after that update, through the security platform <strong>Bugcrowd<\/strong>. parzel found the vulnerability while going through Tesla's domains.<\/p>\n<p>After discovering the vulnerability, the bug hunter extracted from the source code some strings that could serve as a fingerprint. He then checked whether these strings matched Tesla's domains. Tesla responded to parzel's report by acknowledging the vulnerability and <strong>rewarding him with 10,000 dollars<\/strong>. Once the vulnerability came to light, Tesla took the flawed SQL service offline.<\/p>\n<p>MDSec researcher Soroush Dalili had earlier reported the vulnerability, <strong>CVE-2020-0618<\/strong>, to Microsoft. On 11 February, that is, three days after Microsoft's update, Dalili shared some technical details about the vulnerability and also described how it could be exploited.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.webtekno.com\/images\/editor\/default\/0002\/46\/560ffb4599729d64f84e4f46e800a3f1f1dec651.jpeg\"\/><\/p>\n<p>The reports published by the MDSec researcher proved very useful to parzel and <strong>helped<\/strong> him find this vulnerability on Tesla's server. In fact, in a post on Twitter he also thanked Dalili for the report Dalili had shared.<\/p>\n<p>Now that Tesla is rid of the vulnerability, we could say that, given the company's size, it actually gave parzel a somewhat low reward. But considering the difficulty of finding this vulnerability and the fact that the details had already been shared earlier, we can say that the size of the reward was sufficient.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>US electric car maker Tesla recently paid out what can be considered a fairly small sum for a company of its size over a security vulnerability it encountered in Microsoft SQL Server Reporting Services (SSRS) &#8230;<\/p>\n","protected":false},"author":1,"featured_media":17771,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[854],"tags":[1251,1533,1950],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts\/17770"}],"collection":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17770"}],"version-history":[{"count":1,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts\/17770\/revisions"}],"predecessor-version":[{"id":17772,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts\/17770\/revisions\/17772"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/media\/17771"}],"wp:attachment":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}