
What I did to look for vulnerabilities in OSS

Slides from the 19th Security Sakura meetup (first half only).

Teppei Fukuda

December 02, 2017

Transcript

  1. What I did to look for vulnerabilities in OSS
    19th Security Sakura
    Teppei Fukuda

  2. What this talk covers
    • What I did to look for vulnerabilities in OSS
    • The story of a holiday night when I suddenly wanted to find a DoS vulnerability and kept searching until morning
    • Aimed at people who want to try this themselves

  3. About me
    • Teppei Fukuda (@knqyf263)
    • Things I like
      • Networking
      • Security
      • Manga
    • Magazines I subscribe to
      • Weekly Shonen Jump
      • Weekly Shonen Magazine
      • Weekly Shonen Sunday
      • Weekly Young Jump
      • Jump SQ
      • Bessatsu Shonen Magazine
      • Plus many tankobon volumes

  4. I tried looking for vulnerabilities in OSS

  5. At a security engineers' drinking party
    What's your favorite vulnerability?
    What's your favorite protocol?
    What's your favorite layer?

    Which Ramen Jiro branch is your favorite?

  6. What's your favorite vulnerability?

  7. Think about your favorite vulnerability
    • Keep up with vulnerability information all the time
      • IPA, JPCERT/CC, JVN, NVD
      • RSS (news sites and blogs)
      • Twitter, Facebook, etc.

  8. There are too many vulnerabilities
    Narrow down the direction

  9. Layers of vulnerabilities
    • Web applications
      • CGI, PHP, Java, etc.
    • Middleware
      • OpenSSH
      • Postfix, etc.
    • OS (Windows, Linux, etc.)
      • Linux kernel

  10. Kinds of vulnerabilities
    • Web applications
      • XSS, SQLi, CSRF, etc.
    • Middleware
      • Arbitrary code execution, authentication bypass, etc.
    • OS (Windows, Linux, etc.)
      • Privilege escalation, DoS, etc.

  11. Interested in CSRF!
    • Look into CSRF techniques
    • Follow the daily vulnerability feeds
    → Didn't get excited about it
    • Sometimes a topic turns out to be underwhelming once you dig into it
    • Look into a different vulnerability

  12. Interested in RCE!
    • Look into RCE techniques
    • Follow the daily vulnerability feeds
    → I like this!
    • Think about which software's RCE you like

  13. Think about your favorite software
    • Start from what you use every day
      • Web application frameworks
      • Command-line tools
      • Office, Adobe, etc.
    • Try out many things
      • Tools that showed up on GitHub Trending, etc.

  14. Think about your favorite protocol or standard
    • HTTP
      • Headers
      • Authentication (Basic auth, Digest auth)
    • SSL/TLS
    • DNS
    • WEP/WPA2
    • Bluetooth, etc.

  15. Think about what you like from many angles
    • Think about your favorite vulnerability
    • Think about your favorite software
    • Think about your favorite protocol
    Staying motivated is what matters most!!
    There are many possible axes
    (if you like money, the size of the bug bounty, for example)

  16. In my case
    • Favorite protocol
      • DNS
    • Favorite software
      • BIND
    • Favorite vulnerability
      • DoS
    DoS in BIND: I like how a simple DoS can be so devastating

  17. First, learn from past vulnerabilities

  18. Verify existing vulnerabilities
    • Try published PoCs
      • KRACK (the WPA2 vulnerability)
      • https://github.com/vanhoefm/krackattacks-scripts
    • Read the commit to understand the root cause of the vulnerability
      • https://w1.fi/cgit/hostap/commit/?id=a00e946c1c9a1f9cc65c72900d2a444ceb1f872e
    • Write your own PoC

  19. DoS vulnerabilities
    • In which situations does a DoS occur?
      • CWE-129 Improper Validation of Array Index
      • CWE-131 Incorrect Calculation of Buffer Size
      • Many others

  20. Choose a target

  21. Start searching from what you like
    • Favorite protocol
      • SSL/TLS
    • Favorite software
      • OpenSSL
    • Favorite vulnerability
      • Arbitrary code execution (RCE)
    → Is there anything that resembles a past vulnerability?

  22. Start searching from what you like
    • Favorite protocol
      • SSL/TLS
    • Favorite software
      • OpenSSL
    • Favorite vulnerability
      • Look for other kinds of vulnerability too
      • DoS and flawed cryptographic implementations have been found there in the past

  23. Start searching from what you like
    • Favorite protocol
      • SSL/TLS
    • Favorite software
      • Try searching BoringSSL/LibreSSL instead
    • Favorite vulnerability
      • Arbitrary code execution
    → Similar software

  24. In my case
    • Favorite protocol
      • DNS
    • Favorite software
      • Look at DNS-related software
      • https://github.com/miekg/dns
      • https://github.com/kenshinx/godns
    • Favorite vulnerability
      • DoS
    I write a lot of Go these days, so I start from software written in Go

  25. In my case
    • Favorite protocol
      • DNS
    • Favorite software
      • I also like network monitoring tools
    • Favorite vulnerability
      • DoS

  26. Network / golang / DoS

  27. Packetbeat
    • OSS written in golang
    • Analyzes the traffic on a network in real time
    • A lightweight network packet analyzer that sends its data to Logstash or Elasticsearch
    • Supported protocols
      • HTTP
      • DNS
      • MySQL
      • PostgreSQL

  28. A general summary before starting the search

  29. Vulnerability assessment
    • Black-box
      • Mount simulated intrusions and attacks against the running target system
    • White-box
      • Assess the system based on detailed information such as its structure and source code

  30. With OSS
    • Black-box
      • Easy, because how to run it is (usually) documented carefully
    • White-box
      • The source code is public
    You can even modify the source code and run it!!

  31. Workflow
    1. Read the documentation to understand the spec
    2. Actually run it to understand its behavior
    3. Use past vulnerabilities etc. to form a hypothesis about where to look
    4. Skim the source code
    5. Feed it malformed input from the outside, and so on
    6. Modify the code and run it, use a debugger, and so on

  32. Read the documentation
    • Parses packets and stores the data for you
    • Sends it to Logstash or Elasticsearch
    • Parses out things like HTTP status codes and SQL queries for you
    [Diagram: Internet → port mirroring → Packetbeat → Elasticsearch]

  33. Actually run it
    $ ./packetbeat -N -e
    2017/12/01 04:03:08.679303 metrics.go:23: INFO Metrics logging every 30s
    2017/12/01 04:03:08.679117 beat.go:297: INFO Home path: [/root/packetbeat-5.6.3-linux-x86_64] Config path: [/root/packetbeat-5.6.3-linux-x86_64] Data path: [/root/packetbeat-5.6.3-linux-x86_64/data] Logs path: [/root/packetbeat-5.6.3-linux-x86_64/logs]
    2017/12/01 04:03:08.680873 beat.go:192: INFO Setup Beat: packetbeat; Version: 5.6.3
    2017/12/01 04:03:08.680879 publish.go:217: INFO Dry run mode. All output types except the file based one are disabled.
    ... (omitted) ...
    2017/12/01 04:03:08.681143 protos.go:89: INFO registered protocol plugin: mysql
    2017/12/01 04:03:08.681145 protos.go:89: INFO registered protocol plugin: nfs
    2017/12/01 04:03:08.681148 protos.go:89: INFO registered protocol plugin: pgsql
    2017/12/01 04:03:08.681165 protos.go:89: INFO registered protocol plugin: redis
    2017/12/01 04:03:08.707989 beat.go:233: INFO packetbeat start running.

  34. Use past vulnerabilities to form a hypothesis
    • https://www.elastic.co/jp/community/security
    Packetbeat had zero past vulnerabilities

  35. Use past vulnerabilities to form a hypothesis
    In similar OSS, DoS tends to occur in the packet-parsing code
    → Read the parser source code

  36. Use past vulnerabilities to form a hypothesis
    Looks suspicious

  37. Reading through the source code

  38. Parsing the PostgreSQL protocol
    func pgsqlFieldsParser(s *pgsqlStream, buf []byte) error {
        ... (omitted) ...
        // read Type OID (int32)
        off += 4
        // read column length (int16)
        off += 2
        // read type modifier (int32)
        off += 4
        // read format (int16)
        format := common.BytesNtohs(buf[off : off+2])
        off += 2
        fieldsFormat = append(fieldsFormat, byte(format))
    }
    The way the slice is indexed is concerning
    What goes into buf?

  39. Follow the flow of the source code
    Call chain: parseCommand → parseRowDescription → pgsqlFieldsParser
    func (pgsql *pgsqlPlugin) parseCommand(s *pgsqlStream) (bool, bool) {
        // read type
        typ := byte(s.data[s.parseOffset])
        ...
        switch typ {
        case 'Q':
            return pgsql.parseSimpleQuery(s, length)
        case 'T':
            return pgsql.parseRowDescription(s, length)
        ...
        }
    The branch taken when the first byte of the message is 'T'

  40. testdb=# SELECT * FROM test;
     id | body
    ----+------
      1 | test
    (1 row)
    RowDescription
    • parseRowDescription
    • What is a RowDescription in the first place?

  41. RowDescription
    • Byte1('T')
      • Identifies the message as a row description.
    • Int32
      • Length of message contents in bytes, including self.
    • Int16
      • Specifies the number of fields in a row (can be zero).
    • Then, for each field, there is the following:
    • String
      • The field name.
    • Int32
      • If the field can be identified as a column of a specific table, the object ID of the table; otherwise zero.
    • Int16
      • If the field can be identified as a column of a specific table, the attribute number of the column; otherwise zero.
    • Int32
      • The object ID of the field's data type.
    • Int16
      • The data type size (see pg_type.typlen). Note that negative values denote variable-width types.
    • Int32
      • The type modifier (see pg_attribute.atttypmod). The meaning of the modifier is type-specific.
    • Int16
      • The format code being used for the field. Currently will be zero (text) or one (binary).
    https://www.postgresql.jp/document/9.6/html/protocol-message-formats.htm

  42. testdb=# SELECT * FROM test;
     id | body
    ----+------
      1 | test
    ---
    54 00 00 00 32 00 02 69 64 00 00 00 45 0e 00 01 00 00 00 17 00 04 ff ff ff ff 00 00
    00 00 62 6f 64 79 00 00 00 45 0e 00 02 00 00 00 19 ff ff ff ff ff ff 00 00
    ---
    54 → 'T', so this is a RowDescription
    00 00 00 32 → length = 50
    00 02 → number of fields = 2
    69 64 00 → "id"
    00 00 45 0e → object ID of the table (17678)
    00 01 → attribute number of the column
    ...
    00 00 → format code used for the field (0 for text)
    RowDescription: the per-field part is what buf holds, and this is where it is processed!

  43. Search techniques unique to OSS
    • Use a debugger
    • printf debugging
    • Use the test code
    The test code is recommended because it lets you feed abnormal input values with little effort

  44. // Test parsing a response with data attached
    func TestPgsqlParser_dataResponse(t *testing.T) {
        if testing.Verbose() {
            logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"pgsql", "pgsqldetailed"})
        }
        pgsql := pgsqlModForTests()
        data := []byte(
            "5400000033000269640000008fc40001000000170004ffffffff0000" +
                "76616c75650000008fc4000200000019ffffffffffff0000" +
                "44000000130002000000013100000004746f746f" +
                "440000001500020000000133000000066d617274696e" +
                "440000001300020000000134000000046a65616e" +
                "430000000b53454c45435400" +
                "5a0000000549")
        message, err := hex.DecodeString(string(data))
        if err != nil {
            t.Error("Failed to decode hex string")
        }
        stream := &pgsqlStream{data: message, message: new(pgsqlMessage)}
        ok, complete := pgsql.pgsqlMessageParser(stream)
    Test code
    Let's tamper with this part

  45. // Test parsing a response with data attached
    func TestPgsqlParser_dataResponse(t *testing.T) {
        if testing.Verbose() {
            logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"pgsql", "pgsqldetailed"})
        }
        pgsql := pgsqlModForTests()
        data := []byte(
            "540000001b00016964000000450e0001000000170004ffffffff0000")
        message, err := hex.DecodeString(string(data))
        if err != nil {
            t.Error("Failed to decode hex string")
        }
        stream := &pgsqlStream{data: message, message: new(pgsqlMessage)}
        ok, complete := pgsql.pgsqlMessageParser(stream)
    Test code
    Try a valid value first

  46. // Test parsing a response with data attached
    func TestPgsqlParser_dataResponse(t *testing.T) {
        if testing.Verbose() {
            logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"pgsql", "pgsqldetailed"})
        }
        pgsql := pgsqlModForTests()
        data := []byte(
            "540000001b00016964000000450e0001000000170004ffffffff0000")
        message, err := hex.DecodeString(string(data))
        if err != nil {
            t.Error("Failed to decode hex string")
        }
        stream := &pgsqlStream{data: message, message: new(pgsqlMessage)}
        ok, complete := pgsql.pgsqlMessageParser(stream)
    Change it to an invalid input value
    buf is assumed to be a fixed number of bytes long, so trimming it should make it crash

  47. $ cd ~/go/src/github.com/elastic/beats/packetbeat/protos/pgsql
    $ go test -run TestPgsqlParser_dataResponse
    PASS
    ok github.com/elastic/beats/packetbeat/protos/pgsql 0.085s
    Run the test code
    It didn't crash

  48. This spot was never reached
    Try printf debugging
    func (pgsql *pgsqlPlugin) parseCommand(s *pgsqlStream) (bool, bool) {
        // read type
        typ := byte(s.data[s.parseOffset])
        ...
        case 'T':
    +       fmt.Printf("%d\n", length)
            return pgsql.parseRowDescription(s, length)
        ...
    }
    The input is being rejected by error handling somewhere else

  49. The length comparison
    if len(s.data[s.parseOffset:]) <= length {
        detailedf("Wait for more data")
        return true, false
    }
    Actual length of the data: the trimmed message, in bytes
    Length written in the packet: 54 00 00 00 1b ... (0x1b = 27 bytes, unchanged by the trimming)
    • The input was being rejected by the check above, because the data is now shorter than the length the packet declares

  50. // Test parsing a response with data attached
    func TestPgsqlParser_dataResponse(t *testing.T) {
        if testing.Verbose() {
            logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"pgsql", "pgsqldetailed"})
        }
        pgsql := pgsqlModForTests()
        data := []byte(
            "540000001b00016964000000450e0001000000170004ffffffff0000")
        message, err := hex.DecodeString(string(data))
        if err != nil {
            t.Error("Failed to decode hex string")
        }
        stream := &pgsqlStream{data: message, message: new(pgsqlMessage)}
        ok, complete := pgsql.pgsqlMessageParser(stream)
    Make the lengths match: trim the data, and reduce the length field by the same number of bytes

  51. $ go test -run TestPgsqlParser_dataResponse
    panic: runtime error: slice bounds out of range [recovered]
    panic: runtime error: slice bounds out of range
    goroutine 20 [running]:
    testing.tRunner.func1(0xc420068820)
    /usr/lib/go-1.8/src/testing/testing.go:622 +0x29d
    panic(0x9bc500, 0xe46af0)
    /usr/lib/go-1.8/src/runtime/panic.go:489 +0x2cf
    github.com/elastic/beats/packetbeat/protos/pgsql.pgsqlFieldsParser(0xc420035f60, 0xc421164f05, 0x16, 0x16, 0x0, 0x0)
    /root/go/src/github.com/elastic/beats/packetbeat/protos/pgsql/parse.go:384 +0x6c6
    ... (omitted) ...
    created by testing.(*T).Run
    /usr/lib/go-1.8/src/testing/testing.go:697 +0x2ca
    exit status 2
    FAIL github.com/elastic/beats/packetbeat/protos/pgsql 0.084s
    It crashed!!
    Run the test code

  52. Doing the same to slip past a few more error checks...

  53. $ echo -e "T\x00\x00\x00\x1a(self-censored)\xff\xff\xff\xff\x00" | nc 127.0.0.1 5432
    Easy
    Sending a single packet is enough to crash it
    # ./packetbeat -N -e
    ...
    2017/12/04 04:45:22.465965 log.go:145: ERR Stacktrace: goroutine 13 [running]:
    runtime/debug.Stack(0xbd68c4, 0x2b, 0xc421249560)
    /usr/local/go/src/runtime/debug/stack.go:24 +0x79
    github.com/elastic/beats/libbeat/logp.Recover(0xbc366f, 0x14)
    /go/src/github.com/elastic/beats/libbeat/logp/log.go:145 +0x138
    panic(0xada5c0, 0xc4200100f0)
    /usr/local/go/src/runtime/panic.go:458 +0x243
    github.com/elastic/beats/packetbeat/protos/pgsql.pgsqlFieldsParser(0xc4211e8b00, 0xc421210749, 0x2f, 0x36, 0xbba4b1, 0xd)
    /go/src/github.com/elastic/beats/packetbeat/protos/pgsql/parse.go:382 +0x53c
    ...

  54. The fix
    It just checks the length
    https://github.com/elastic/beats/pull/5457
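The pieces from slides 38 to 54 put together as one runnable Go program: the RowDescription layout from slides 41 and 42, the unchecked offset arithmetic from slide 38, the framing check from slide 49, the trim-and-shorten trick from slide 50, and the length-checking fix this slide describes. This is an added example written for this page; it is neither Packetbeat's code nor the code from the pull request, and every name in it (Field, fieldsChecked, parseRowDescription, truncationSweep, errTruncated, errPanic) is the example's own. The input is a constructed 51-byte RowDescription that matches the slide-42 packet (its length field, 0x32 = 50, implies exactly 51 bytes including the 'T'). The unchecked path reproduces the crashing pattern: bump off past each field's fixed-size part and slice buf[off:off+2] without ever comparing off to len(buf).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Field is one column entry of a RowDescription ('T') message, in slide-41 order.
type Field struct {
	Name     string
	TableOID uint32
	AttrNum  uint16
	TypeOID  uint32
	TypeLen  int16 // negative means variable width
	TypeMod  int32
	Format   uint16 // 0 = text, 1 = binary
}

// Constructed sample: the 51-byte RowDescription for `SELECT * FROM test` on slide 42
// (length 0x32 = 50; "id" is int4, type OID 23, and "body" is text, type OID 25).
var sampleRowDescription, _ = hex.DecodeString("54000000320002696400" +
	"0000450e0001000000170004ffffffff0000626f6479000000450e000200000019ffffffffffff0000")

var errTruncated = errors.New("pgsql: RowDescription shorter than its field list")
var errPanic = errors.New("pgsql: parser panicked")

// fieldsChecked is the hardened form: a length check precedes every read, so a short
// message becomes an error. It illustrates the "just check the length" fix of slide 54
// and is not the code from the pull request.
func fieldsChecked(buf []byte, nfields int) ([]Field, error) {
	fields := make([]Field, 0, nfields)
	off := 0
	for i := 0; i < nfields; i++ {
		n := bytes.IndexByte(buf[off:], 0)
		if n < 0 || len(buf)-off-n-1 < 18 { // no NUL, or fewer than 4+2+4+2+4+2 bytes after it
			return nil, errTruncated
		}
		f := Field{Name: string(buf[off : off+n])}
		off += n + 1
		f.TableOID = binary.BigEndian.Uint32(buf[off:])
		f.AttrNum = binary.BigEndian.Uint16(buf[off+4:])
		f.TypeOID = binary.BigEndian.Uint32(buf[off+6:])
		f.TypeLen = int16(binary.BigEndian.Uint16(buf[off+10:]))
		f.TypeMod = int32(binary.BigEndian.Uint32(buf[off+12:]))
		f.Format = binary.BigEndian.Uint16(buf[off+16:])
		off += 18
		fields = append(fields, f)
	}
	return fields, nil
}

// parseRowDescription applies the slide-49 framing check (the type byte plus `length`
// bytes must be present, else Packetbeat waits for more data) and decodes the fields.
// With checked == false it follows the slide-38 pattern, so when nfields promises more
// bytes than exist, buf[off:off+2] panics; that panic is returned here as errPanic.
func parseRowDescription(msg []byte, checked bool) (fields []Field, err error) {
	if len(msg) < 7 || msg[0] != 'T' {
		return nil, errTruncated
	}
	length := int(binary.BigEndian.Uint32(msg[1:5])) // counts itself, not the 'T'
	if length < 6 || len(msg) < 1+length {
		return nil, errTruncated
	}
	buf, nfields := msg[7:1+length], int(binary.BigEndian.Uint16(msg[5:7]))
	if checked {
		return fieldsChecked(buf, nfields)
	}
	defer func() {
		if r := recover(); r != nil {
			fields, err = nil, fmt.Errorf("%w: %v", errPanic, r)
		}
	}()
	buf = buf[:len(buf):len(buf)] // cap == len, as for a freshly decoded message
	for off, i := 0, 0; i < nfields; i++ {
		off += bytes.IndexByte(buf[off:], 0) + 1 // skip the name and its NUL
		off += 4 + 2 + 4 + 2 + 4                 // table OID .. type modifier
		fields = append(fields, Field{Format: binary.BigEndian.Uint16(buf[off : off+2])})
		off += 2
	}
	return fields, nil
}

// truncationSweep repeats the slide-50 trick for every possible cut: drop the last k
// bytes and lower the length field by k so the framing check still passes.
func truncationSweep(msg []byte) (panics, rejected int) {
	for k := 1; k <= len(msg)-7; k++ {
		cut := append([]byte(nil), msg[:len(msg)-k]...)
		binary.BigEndian.PutUint32(cut[1:5], uint32(len(cut)-1))
		if _, err := parseRowDescription(cut, false); errors.Is(err, errPanic) {
			panics++
		}
		if _, err := parseRowDescription(cut, true); errors.Is(err, errTruncated) {
			rejected++
		}
	}
	return panics, rejected
}
```

truncationSweep generalizes the single cut on slide 50: for the two-field sample, every one of the 44 possible cuts crashes the unchecked parser, while the checked parser returns errTruncated each time. The framing check alone only catches cuts that leave the length field untouched, which is why the slide-46 attempt never reached the crash and the slide-50 one did.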


  55. Caution
    • Even if you find a vulnerability, don't open a Pull Request right away
      • Everyone else can see it too, so it turns into a zero-day attack
    • Report it through an appropriate channel
      • E-mail (for example, coordinate by e-mail first and then submit the PR)
      • Go through an organization (IPA, JPCERT/CC, etc.)

  56. Security update
    https://discuss.elastic.co/t/beats-5-6-4-security-update/106739

  57. Summary
    What I did when looking for vulnerabilities in OSS
    • Think hard about what you like
      • Vulnerabilities, software, protocols, money, etc.
    • Start searching around the software and vulnerabilities related to what you like
    • Learn from past vulnerabilities (similar ones are easy to find)
    • Use the methods unique to OSS
      • Test code and debuggers
    • This talk covered a DoS, but I reported several others found with the same method