Hacker "Brother Yuan": seeking the original drive and holding the sword of justice

Posted by verstraete at 2020-04-05

Yuan Renguang, known as Brother Yuan, has been engaged in vulnerability research and vulnerability attack and defense for nearly 20 years and is recognized as one of China's top white hat hackers. He has loved mathematics since childhood and graduated from Shandong University in 1997. In 1998 he found the Win9x shared-password verification vulnerability, which made him famous, and he was also the first to find the well-known IIS Unicode vulnerability. He was one of the founders of Lvmeng Technology, a well-known Chinese network security company. In 2008 he was invited to serve as an information security expert for the Beijing Olympic Games. He joined Tencent in March 2016 and is now head of Tencent Security's Zhanlu Laboratory.

Three years ago, Microsoft announced a list of the 100 people worldwide who had contributed most to Microsoft's security. Yuan Renguang was on the list, and more people came to call him "Brother Yuan". Although Yuan Renguang is not near the top of the list by number of vulnerabilities found, the vulnerabilities he discovered in Microsoft's Windows file sharing and IIS have been described as "technical discoveries that surprised and embarrassed Microsoft, the world's software giant, and then helped countless enterprises and individual users avoid major network security risks". For this reason Brother Yuan is also known as "the first person in Microsoft operating system security".

Yet Yuan Renguang, known online as "Big Rabbit", was described by reporters as "kind and reticent". His colleagues often worry that they cannot fully understand his Mandarin with its hometown accent.

In Yuan Renguang's eyes, computer security divides into three eras: the virus era before 2000, the vulnerability era between 2000 and 2010, and the confrontation era after 2010.

His story starts in the earliest of these, the virus era.

Cracking viruses with hand-copied code

Yuan Renguang once summarized himself on Weibo: "I grew up loving mathematics and dreamed of becoming a mathematician. I also liked computers and dreamed of becoming a security expert. In the end, I chose network security."

In 1993, Yuan Renguang, a native of Chongqing, was admitted to the Department of Mathematics at Shandong University. He had been a math enthusiast long before university: while still in high school he taught himself university-level mathematics and even studied some graduate courses. At one time he expected to become a mathematician. Later he found a new hobby: understanding computer viruses thoroughly.

When Yuan Renguang was a student, the Internet had not yet become widespread; China was not fully connected to the Internet until 1994. At that time computer viruses usually spread from one computer to another via floppy disks, and they involved the most advanced concepts and techniques of the day.

That viruses could spread between computers struck Yuan Renguang as amazing. From his freshman year he taught himself computer architecture, assembly language, operating systems and other courses. He often obtained the viruses circulating at the time and analyzed their disassembled code line by line.

According to Yuan Renguang, the famous viruses of that era included the Ghost virus, which defeated detection by virus signature, and the DIR virus, which not only bypassed the anti-virus card mechanism but also introduced a new mode of infection. The most popular anti-virus software then was KV300, and repeatedly cracking it was a great pleasure for Yuan Renguang. Interestingly, other people's cracked disks would be blocked by the vendor after a while, but his could be used normally all along.

During his four years at university, Yuan Renguang was more like a computer science student. He often copied assembly code by hand in the computer room, mastering many techniques of virus detection and attack, encryption and decryption, and becoming especially skilled at tracing and debugging programs. To many people the move from math enthusiast to computers seems a large leap, but to Yuan Renguang it was natural, "because it was all driven by interest."

Thanks to the rigorous logical thinking formed by studying mathematics, Yuan Renguang's research into how viruses spread through the underlying logic of the computer went deeper than most. The computing field has an abstract concept, cyberspace, referring to the virtual world inside computers and networks. In an era when the Internet was not yet widespread, the basic knowledge and skills he mastered at university laid a solid foundation for Yuan Renguang to roam cyberspace.

After graduating, Yuan Renguang joined Hisense Group, developing single-chip microcontroller software for televisions in its technology center. It was there that he first came into contact with the Internet. After work he began teaching himself Internet protocols, and the deeper he went, the more he enjoyed security and the more he wanted to become a security expert.

In 2000, Green Alliance Technology, known as "the Whampoa Military Academy of Chinese hackers", was founded. Yuan Renguang joined as a founder and truly set out on the path of professional vulnerability discovery and research into vulnerability attack and defense. He has stayed on that path for nearly 20 years.

"Every vulnerability has a story, and it can't be told in a few days"

Yuan Renguang was very excited when he found his first vulnerability. It was at the end of 1998 that he discovered the Win9x shared-password verification vulnerability that made him famous.

At that time, in Network Neighborhood on Win95, Win98 and the later WinMe, a password could be set on a shared folder, but the server verified only as many bytes of the password as the client said it was sending. If the server was told to verify only one byte, it did exactly that. A single byte has only 256 possible values, so the password could be brute-forced very quickly.

Sensing that something was wrong, Yuan Renguang immediately wrote code to test it. He modified part of his Win9x client code and, as expected, confirmed his conjecture: even if a Win9x shared directory had a password, holding down the Enter key was enough to crack it in a few seconds.
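The flaw described above, reduced to its core, is a server that lets the client choose how many password bytes get compared. The following is an added illustration, not Win9x code or anything from the article: a constructed model of the vulnerable check beside a hardened one in which the server owns the length, plus a probe that measures how much each check leaks. The password and function names are invented for the example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PW 16   /* constructed limit for the example */

/* Vulnerable check: the server trusts the client-supplied length and
 * compares only that many bytes, so a one-byte guess is a valid request. */
int check_vulnerable(const char *stored, const unsigned char *guess, size_t guess_len)
{
    return guess_len <= strlen(stored) && memcmp(stored, guess, guess_len) == 0;
}

/* Hardened check: the server takes the length from its own record and
 * compares every byte without early exit, so a wrong length or a merely
 * correct prefix is neither accepted nor distinguishable. */
int check_hardened(const char *stored, const unsigned char *guess, size_t guess_len)
{
    size_t stored_len = strlen(stored);
    unsigned char diff = (unsigned char)(stored_len != guess_len);
    for (size_t i = 0; i < stored_len; i++) {
        unsigned char g = (i < guess_len) ? guess[i] : 0;
        diff |= (unsigned char)stored[i] ^ g;
    }
    return diff == 0;
}

typedef int (*check_fn)(const char *, const unsigned char *, size_t);

/* Leak probe: extends a guess one byte at a time and keeps a byte as soon
 * as the check accepts the prefix. Returns the number of check calls used
 * (at most 255 per byte against a leaky check), or -1 when the check gives
 * nothing away and the password cannot be recovered this way. */
long probe_byte_at_a_time(check_fn check, const char *stored, char *out, size_t out_size)
{
    unsigned char guess[MAX_PW] = {0};
    size_t len = strlen(stored);
    long calls = 0;
    if (len >= out_size || len > MAX_PW) return -1;
    for (size_t i = 0; i < len; i++) {
        int found = 0;
        for (int b = 1; b < 256 && !found; b++) {
            guess[i] = (unsigned char)b;
            calls++;
            if (check(stored, guess, i + 1)) found = 1;
        }
        if (!found) return -1;   /* no prefix accepted: nothing leaked */
    }
    memcpy(out, guess, len);
    out[len] = '\0';
    return calls;
}
```

Against the vulnerable check the probe recovers a 7-byte password in a few hundred calls; against the hardened check it never gets past the first byte.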

Yuan Renguang later emailed Microsoft several times to report the vulnerability but received no reply. The bug was not patched until he reported it to Microsoft again about two years later, after joining Green Alliance Technology.

At the end of 1999, Yuan Renguang found another vulnerability, the one later patched as MS08-068. When a Windows system accesses a shared file, it automatically authenticates with the current user's name and password, so the user's credentials can be compromised without any confirmation from the user.

Using this vulnerability, a man-in-the-middle can mount a direct attack and remotely control the user's computer without cracking the password. Yuan Renguang wrote a tool and sent an email to a test user: as soon as the tester previewed the email or visited the phishing website set up by the attacker, a Trojan was installed on the tester's computer automatically.

When he reported the vulnerability to Microsoft, Yuan Renguang said, Microsoft did not acknowledge it, calling it a feature they had designed. Only in 2008, when someone abroad wrote up the same way of exploiting it, did Microsoft recognize the harm and release the MS08-068 patch.

Microsoft's Windows covers the vast majority of PCs, which makes it the target of cybercriminals. Some insiders told Nandu that hackers of that era liked to dig for Microsoft vulnerabilities not to cause damage but simply to prove themselves, and that top hackers like Yuan Renguang were all serious about it.

At first, many companies, Microsoft included, were relatively indifferent to the hackers who disclosed vulnerabilities, which dampened many hackers' enthusiasm for submitting them.

Around 2008, Microsoft began gradually introducing vulnerability mitigation measures. At the time, exploiting buffer overflow vulnerabilities was the mainstream means of attack, and these measures acted like a wall separating vulnerabilities from hackers.

As it turned out, the wall did not seem to stop Yuan Renguang. In 2009 he devised DVE (Data Virtual Execution), an anti-mitigation exploitation technique that he called the "hand of God" and that could break any system.

A year later, Microsoft offered to buy the technology for 350,000 US dollars, but Yuan Renguang felt Microsoft had not fully grasped the value of DVE. It was not until 2013 that a set of countermeasures submitted by his friend tombkeeper, a top hacker known as TK (whose real name is given as Min), which addressed DVE, blocked the "hand of God" to some extent.

As security has drawn more and more attention, Microsoft and other companies have become friendly toward white hat hackers, not only thanking vulnerability submitters from around the world but also paying substantial bug bounties.

In 2015, at the Black Hat conference in the United States, Microsoft displayed on the backdrop of its exhibition stand the 100 people and groups worldwide who had contributed most to Microsoft's security. Yuan Renguang, who had reported 5 Microsoft vulnerabilities, was among them.

TK, who also appeared on the list, said: "Over the past decade Microsoft has been representative of the whole industry's change in attitude toward security researchers, from hostile confrontation to cooperation and respect." Notably, many names on the security acknowledgement lists published each year by large companies such as Microsoft, Google and Apple are Chinese white hat hackers. China's cyber security talent cannot be underestimated anywhere in the world.

In his 20 years of vulnerability research, Yuan Renguang also found the famous IIS Unicode vulnerability. To ordinary people these may just be serious vulnerabilities whose names they do not know, but for Yuan Renguang, "every vulnerability has its story, which could be told for days."

Flatly refusing the lure of the black industry

Because he studied vulnerabilities early and reported and helped fix many serious ones, Yuan Renguang became well known in the security community, which in turn drew many people into vulnerability research.

When Brother Yuan came up, an information security worker with seven years of experience exclaimed: "A god-level person!" "I've been studying hard for ten years, but I can't reach his level." He told Nandu that, barring some technological shift, few people could surpass Brother Yuan's ability in vulnerability research in the short term.

In Yuan Renguang's view, vulnerability attack and defense technology, once developed to a certain level, is a double-edged sword: it can be used to protect network security, and it can also be used to do harm in the black industry. In recent years the Internet's black and grey industry chain, including personal data trading and telecom fraud, has grown. According to the data, the scale of the black industry in 2015 was estimated at over 100 billion yuan, with 400,000 people working in it, including many hackers who trade data for sports cars.

Some domestic black-industry groups and even foreign APT (advanced persistent threat) organizations have offered him huge sums in exchange for his techniques, but he has refused. Fighting the black industry is now one of his daily tasks.

In March 2016, Yuan Renguang joined Tencent as head of Tencent Security's Zhanlu Laboratory. He named the laboratory "Zhanlu" after a famous sword forged by Ou Yezi, a master craftsman of the Spring and Autumn period, which is known as "the sword of benevolence and righteousness". He hopes the laboratory's research will be like the Zhanlu sword and protect the security of network infrastructure.

Tencent's "Brain-Burning 24 Hours: A Battlefield Without Gunsmoke" records part of Yuan's daily work. In the film, two hackers are breaking into the systems of a software vendor that has neglected vulnerability protection. Yuan Renguang and his team not only fixed the vulnerability before the black-industry attackers obtained the vendor's data, but also traced the attackers' IP address and informed the police.

In Yuan Renguang's view, hackers are people who love computers and try to break through the limits of computers and networks. What defines them is research into and discovery of attack techniques, not using those techniques to carry out attacks or to work in the black industry; those who do are mostly just basic tool users, not real hackers.

Drawing on his long involvement in computer security, Yuan Renguang divides it into three eras: the virus era before 2000, the vulnerability era from 2000 to 2010, and the confrontation era since 2010.

"This security confrontation has two aspects: confrontation between organizations in different regions, and attack-and-defense confrontation in pure security technology, and in the end both come down to a confrontation of talent." Yuan Renguang explained that major software and chip vendors now spend heavily to hire high-level hackers to build security protections and exploit mitigation technologies, and exploiting vulnerabilities is becoming harder and harder. Exploitation has entered a new era of confrontation: no longer the traditional contest between people and computers, but a contest between people. Moreover, the development of any advanced confrontation technology will ultimately be inseparable from confrontation at the level of national and regional organizations.

As one of China's first benchmark hackers, Yuan Renguang has been engaged in network security research for nearly 20 years, and his growth reflects the changes of the whole Internet era. Today, with the development of computer and network technology, the security field has grown ever broader, taking in the Internet of Things, industrial control networks and more. Every industry now needs a stable security force.

In an exclusive interview with a Nandu reporter, he called on the state to take network security talent seriously and solve practical problems these people face, such as household registration and their children's school enrollment, so that they can truly concentrate on network security research.

However the times change, Yuan Renguang believes his original intention remains the same. He admires the most capable and genuine hackers, and he moves freely through cyberspace in search of the original drive and interest behind hacker research. "I hope every security builder carries a sword of justice in his heart."

Reported by: Li Ling, Nandu reporter

Editor: Jiang Lin
