Upgrade to Pro — share decks privately, control downloads, hide ads and more …

私の大好きなFormat String Attack

Yuki Saito
April 29, 2018
Programming
2
730

私の大好きなFormat String Attack

すみだセキュリティ 2018/04/30

Yuki Saito

April 29, 2018
Tweet

More Decks by Yuki Saito

See All by Yuki Saito
Black Hatで話題になったGyoiThonを使ってみた!
saiyuki1919
1
1k
Spectreについて
saiyuki1919
2
1.6k

Other Decks in Programming

See All in Programming
Kotlin Multiplatform Library 배포하기
fornewid
0
200
Parsing RBS
soutaro
0
510
Load gem from browser
ledsun
2
530
サイト信頼性を高める前に開発チームからの信頼性を高めよう
syossan27
9
2.2k
The Resurrection of 
the Fast Parallel Test Runner
koic
1
3.5k
Multiverse Ruby
shioyama
2
2.5k
SpringIO_19-05-2023.pdf
ancaghenade
0
120
次なるルーターパッケージ選定のしざまと決め手について
yuzuy
2
270
LLMによるプロット生成の試み(スターウォーズ)
hitokun
0
1.2k
Webエンジニアに転生したらCSS魔導士になった件
satoshi7190
2
2.3k
サーバーレスJavaの今 ~SnapStartとWeb Adapterを寄せて~
xblood
3
690
新人PHPer向け 圧倒的に差をつける仕事の進め方 #phpstudy
77web
2
560

Featured

See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
19k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Into the Great Unknown - MozCon
thekraken
6
480
Documentation Writing (for coders)
carmenintech
53
3.1k
Product Roadmaps are Hard
iamctodd
39
8.2k
Thoughts on Productivity
jonyablonski
52
2.9k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
214
12k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
9
780
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.3k
Gamification - CAS2011
davidbonilla
75
4.2k
Fantastic passwords and where to find them - at NoRuKo
philnash
33
2k

Transcript

  1. ࢲͷେ޷͖ͳ

    'PSNBU4USJOH"UUBDL
    2018/04/30
    ͢ΈͩηΩϡϦςΟษڧձ
    @saiyuki1919 (ᴡ౻ ༔ر)

    View Slide

  2. * 'PSNBU4USJOH"UUBDLͷ࢓૊Έ
    ** 'PSNBU4USJOH"UUBDLͰ&YQMPJU࡞੒
    *** 'PSNBU4USJOH"UUBDLͰ&YQMPJUͷԠ༻

    View Slide

  3. *'PSNBU4USJOH"UUBDLͷ࢓૊Έ

    View Slide

  4. 'PSNBU4USJOH"UUBDLͱ͸
    Format String Attack(จࣈྻॻࣜܕ߈ܸ)͸ɺprintf() ΍ syslog() ౳ͷ
    ॻࣜࢦఆͷͰ͖Δؔ਺Λѱ༻͠ɺ %s ΍ %x ͱ͍ͬͨॻࣜτʔΫϯΛ
    ࢖͍ɺελοΫ΍ͦͷଞͷϝϞϦҐஔͷ಺༰Λσʔλͱͯ͠ग़ྗ͞
    ͤͨΓɺ%n τʔΫϯΛ࢖ͬͯ೚ҙͷΞυϨεҐஔʹ೚ҙͷσʔλΛ
    ॻ͖ࠐ·ͤΔ͜ͱ͕Ͱ͖Δɻ
    ߈ܸ͕੒ޭ͢Ε͹࠷ѱͷ৔߹ɺίϯϐϡʔλͷ੍ޚΛୣΘΕΔɻ

    ͦ͏Ͱͳͯ͘΋ϓϩηε͕ҟৗऴྃ͢Δ౳ͷো֐͕ى͜ΓಘΔɻ

    View Slide

  5. ੬ऑੑͷ͋ΔϓϩάϥϜ
    JODMVEFTUEJPI
    JODMVEFTUSJOHI
    JOUNBJO JOUBSHD DIBSBSHW<>

    \
    DIBSCVG<>
    QSJOUG <>CVGQaO CVG

    TUSODQZ CVG BSHW<>

    QSJOUG CVG

    QVUDIBS aO

    SFUVSO
    ^
    ࢀরɿ

    ΋΋͍ΖςΫϊϩδʔ

    GPSNBUTUSJOHBUUBDLʹΑΔ(05PWFSXSJUFΛ΍ͬͯΈΔ

    QSJOUG T CVG

    View Slide

  6. ίϯύΠϧ࣌ͷ஫ҙ
    w 441 4UBDL4NBTI1SPUFDUJPO
    ༗ޮ

    ؔ਺ͷݺͼग़࣌͠ʹελοΫʹDBOBSZ ΧφϦΞ
    ͱݺ͹ΕΔ஋
    ͕ஔ͔Εɺ͜Ε͕ॻ͖׵͑ΒΕͨͱ͖ڧ੍ऴྃ͢ΔΑ͏ʹͳΔɻ
    w "4-3 "EESFTT4QBDF-BZPVU3BOEPNJ[BUJPO
    ແޮ

    ॏཁͳσʔλྖҬͷҐஔʢ௨ৗɺϓϩηεͷΞυϨεۭؒʹ͓͚Δ࣮ߦϑΝ
    ΠϧͷجఈͱϥΠϒϥϦɺώʔϓɺ͓ΑͼελοΫͷҐஔؚ͕·ΕΔʣΛແ࡞
    ҝʹ഑ஔ͢ΔίϯϐϡʔληΩϡϦςΟͷٕज़
    w %&1 %BUB&YFDVUJPO1SFWFOUJPO
    ແޮ

    %&1Λ༗ޮʹ͢Δͱ࣮ߦෆՄೳͳϝϞϦྖҬ͔ΒίʔυΛ࣮ߦ͢Δ͜ͱͷ๷
    ࢭ͞ΕΔɻ

    View Slide

  7. ॻࣜࢦఆ
    w ൪໨ͷελοΫͷ಺༰Λ֬ೝ͍ͨ͠৔߹͸YͰ֬ೝͰ͖Δɻ Φϑηοτ

    BPVU""""YYYYYYYYYYY
    <>CVGYC⒎GF⒎

    """"C⒎⒎FEGC⒎C⒎⒎FDC⒎⒎C⒎⒎FC⒎⒎


    w OΛࢦఆ͢Δ͜ͱͰݱ࣌఺·ͰʹετϦʔϜ·ͨ͸όοϑΝʔʹਖ਼ৗʹॻ͖ࠐ·Εͨจ
    ࣈ਺ΛϝϞϦόΠτͷΞυϨεʹॻ͖׵͑Δ͜ͱ͕Ͱ͖Δɻ
    w DͰࢦఆͨ͠਺͕ग़ྗ͞ΕΔɻ
    YBBCCDDEE͔ΒͷόΠτͷΞυϨεΛ
    ʹॻ͖׵͑Δ

    BPVUbaYEEaYDDaYCCaYBBDO`
    """"Y

    View Slide

  8. ೚ҙͷΞυϨεΛॻ͖׵͑Δ
    YBBCCDDEEΛ̍όΠτͣͭYʹॻ͖׵͑Δ Φϑηοτ͕ͷ৔߹

    laYEEaYDDaYCCaYBBaYEFaYDDaYCCaYBBaYEGaYDDaYCCaYBBaYFaYDDaYCCaYBBa
    YBBCCDDEEY Y
    IIO

    YBBCCDDEFYYY Y&'
    IIO

    YBBCCDDEGYYY Y&'
    IIO

    YBBCCDDFYYY Y&'
    IIO

    ˞όΠτͣͭॻ͖׵͑Δ৔߹͸IOɺόΠτͣͭॻ͖׵͍͑ͨ৔߹͸IIO

    View Slide

  9. (MPCBM0⒎TFU5BCMF
    ίϯύΠϧ࣌ʹڞ༗ϥΠϒϥϦΛμΠφϛοΫϦϯΫͨ͠৔߹ɺڞ༗ϥΠϒϥϦͷؔ਺͸(05 (MPCBM
    0⒎TFU5BCMF
    ͱݺ͹ΕΔδϟϯϓςʔϒϧΛհͯ͠ݺͼग़͞ΕΔɻ
    YG QVTIYF
    YGF DBMMYQSJOUG!QMU
    Y BEEFTQ Y
    Y NPWFBY %803%153
    Y BEEFBY Y
    YD NPWFBY %803%153
    YF TVCFTQ Y
    Y QVTIY
    Y QVTIFBY
    Y MFBFBY
    Y QVTIFBY
    Y DBMMYCTUSODQZ!QMU
    YE BEEFTQ Y
    Y TVCFTQ YD
    Y MFBFBY
    Y QVTIFBY
    Y DBMMYQSJOUG!QMU
    YD BEEFTQ Y
    YG TVCFTQ YD
    YQVTIYB
    YDBMMYBQVUDIBS!QMU
    YBEEFTQ Y
    EJTBTY
    %VNQPGBTTFNCMFSDPEFGPSGVODUJPOQSJOUG!QMU
    YKNQ%803%153ETYBD
    YQVTIY
    YCKNQY
    &OEPGBTTFNCMFSEVNQ
    SFBEFMG4BPVU

    4FDUJPO)FBEFST

    /BNF5ZQF"EES0⒎4J[F&4'MH

    <>HPUQMU130(#*54B8"


    ,FZUP'MBHT

    8 XSJUF
    " BMMPD
    9 FYFDVUF
    . NFSHF
    4 TUSJOHT

    * JOGP
    - MJOLPSEFS
    ( HSPVQ
    5 5-4
    & FYDMVEF
    Y
    VOLOPXO

    0 FYUSB04QSPDFTTJOHSFRVJSFE
    P 04TQFDJpD
    Q QSPDFTTPS
    TQFDJpD

    View Slide

  10. ** 'PSNBU4USJOH"UUBDLͰ&YQMPJU࡞੒

    View Slide

  11. JNQPSUʜ

    [email protected] TZTBSHW<>

    [email protected] TZTBSHW<>

    JOEFYJOU TZTBSHW<>

    CVǦ

    CJOTIͰγΣϧىಈ͢Δ
    TIFMMDPEFaYaYEaYaYaYGaYGaYaYaYaYG

    aYaYaYFaYaYFaYaYaYaYFaYEaYaYCaYDEaY
    GPSJJOSBOHF

    CVGTUSVDUQBDL * [email protected]

    CVGTIFMMDPEF
    BNBQ PSE TUSVDUQBDL * [email protected]


    B<> B<>B<>
    Y

    B<> B<>B<>
    Y

    B<> B<>B<>
    Y

    B<> B<>MFO CVG

    Y

    GPSJJOSBOHF

    CVGEDEIIO B JOEFYJ

    Q1PQFO <BPVU CVG>

    QXBJU

    ೚ҙͷΞυϨεʹॻ͖׵͑Δ
    (05ͷΞυϨε
    CVGͷΞυϨε
    ࢀরɿ

    ΋΋͍ΖςΫϊϩδʔ

    GPSNBUTUSJOHBUUBDLʹΑΔ(05PWFSXSJUFΛ΍ͬͯΈΔ

    View Slide

  12. ΤΫεϓϩΠτͷશମͷྲྀΕ
    ॻ͖׵͍͑ͨ(05ͷΞυϨεΛܾΊΔ
    (05ͷ஋ΛTIFMMDPEF͕֨ೲ͞Ε͍ͯΔΞυϨεʹॻ͖׵͑Δ
    (05ͷΞυϨε͕ݺ͹ΕΔͱTIFMMDPEFͷॻ͔Ε͍ͯΔΞυϨεʹ
    ඈ͹͞ΕͯɺTIFMMDPEF͕࣮ߦ͢Δ

    View Slide

  13. ࣮ࢪ
    QVUDIBSؔ਺͕ݺ͹Εͨ࣌ʹTIFMMDPEFΛ࣮ߦ͍ͨ͠ͱࢥ͍·͢ɻ
    BPVU""""YYYYYYYYYYY
    <>CVGYC⒎GF⒎
    """"C⒎⒎FEGC⒎C⒎⒎FDC⒎⒎C⒎⒎FC⒎⒎
    PCKEVNQEKQMUBPVU
    %JTBTTFNCMZPGTFDUJPOQMU
    BQVUDIBS!QMU
    B ⒎B KNQYB
    B QVTIY
    BC FC⒎⒎⒎ [email protected]
    γΣϧ͕ىಈ͢Δ (05ΞυϨε CVGΞυϨε JOEFY

    QZUIPOFYQQZYB9C⒎GFGC

    <>CVGYC⒎GFGC


    View Slide

  14. ࣍ͷεςοϓ
    w %&1Λ༗ޮʹͨ͠৔߹Ͳ͏͢Δʁ

    ෮श
    %&1Λ༗ޮʹ͢Δͱ࣮ߦෆՄೳͳϝϞϦྖҬ͔ΒίʔυΛ࣮ߦ͢Δ
    ͜ͱͷ๷ࢭ͞Ε·͢ɻ

    ͱ͍͏͜ͱ͸ʂγΣϧίʔυ͕࣮ߦͰ͖ͳ͍ɻ
    w 3FUVSOUPMJCD

    ϓϩηε͕࣮ߦ͞ΕΔͱڞ༗ϥΠϒϥϦ͕ΞυϨεʹϩʔυ͞ΕΔɻ
    ͦͷϩʔυ͞ΕͨΞυϨεͷϕʔεΞυϨε͔ΒΦϑηοτΛݩʹؔ਺
    Λݺͼग़ͤ·͢ɻ จࣈྻͳͲ΋Մೳ

    View Slide

  15. ࣍ͷεςοϓ
    w "4-3Λ༗ޮʹͨ͠৔߹Ͳ͏͢Δʁ

    ෮श
    ॏཁͳσʔλྖҬͷҐஔʢ௨ৗɺϓϩηεͷΞυϨεۭؒʹ͓͚Δ
    ࣮ߦϑΝΠϧͷجఈͱϥΠϒϥϦɺώʔϓɺ͓ΑͼελοΫͷҐஔؚ͕·
    ΕΔʣΛແ࡞ҝʹ഑ஔ͢ΔίϯϐϡʔληΩϡϦςΟͷٕज़ XJLJ͔Β

    w ϒϧʔτϑΥʔε

    ໨తͷΞυϨεʹͳΔ·ͰϒϧʔϑΥʔε͢Δ
    w /PQTMFE

    "4-3ͷϥϯμϜ഑ஔʹ͸͋Δఔ౓ൣғ͕ܾ·͍ͬͯΔͷͰɺγΣϧ
    ίʔυલʹ/01Λͨ͘͞ΜڬΉ͜ͱͰϒϧʔτϑΥʔεΛ੒ޭͤ͞Δ

    View Slide

  16. *** 'PSNBU4USJOH"UUBDLͰ&YQMPJUͷԠ༻

    View Slide

  17. 3FUVSOUPMJCD
    [email protected]@CVGP⒎[email protected]
    CVGTUSVDUQBDL * [email protected]

    CVGTUSVDUQBDL * [email protected]

    CVGTUSVDUQBDL * [email protected]

    CVGTUSVDUQBDL * [email protected]

    CVGTUSVDUQBDL * [email protected]

    CVGTUSVDUQBDL * [email protected]

    CVGTUSVDUQBDL * [email protected]

    CVGTUSVDUQBDL * [email protected]

    CNBQ PSE TUSVDUQBDL * [email protected][email protected]


    BNBQ PSE TUSVDUQBDL * [email protected][email protected]


    C<> C<>C<>
    Y

    C<> C<>C<>
    Y

    C<> C<>C<>
    Y

    C<> C<>B<>
    Y

    B<> B<>B<>
    Y

    B<> B<>B<>
    Y

    B<> B<>B<>
    Y

    B<> B<>MFO CVG

    Y
    ࢀরɿ

    ΋΋͍ΖςΫϊϩδʔ

    3&-30ͱGPSNBUTUSJOHBUUBDLʹΑΔϦλʔϯΞυϨεॻ͖׵͑

    YC⒎⒎
    Y TBWFEFCQ
    FCQ
    ɹYCFE NBJO͔ΒͷϦλʔϯΞυϨε

    Y BSHD

    YC⒎⒎G BSHW<>

    YC⒎⒎
    Y TBWFEFCQ
    FCQ
    ɹYCFC 4ZTUFNؔ਺

    Y SFUVSOΞυϨε

    YC⒎⒎G ୈҰҾ਺

    View Slide

  18. ·ͱΊ
    * 'PSNBU4USJOH"UUBDLͷ࢓૊Έ

    ɾQSJOUG TZTMPHͳͲͷؔ਺ͷॻࣜτʔΫϯΛ࢖ͬͯ೚ҙͷΞυϨεҐஔ
    ʹ೚ҙͷσʔλΛॻ͖ࠐ·ͤΔ͜ͱ͕Ͱ͖Δɻ


    ** 'PSNBU4USJOH"UUBDLͰ&YQMPJU࡞੒

    ɾCVGʹTIFMMDPEFΛૠೖ͢Δ

    ɾ(05ʹ͋Δؔ਺ͷΞυϨεΛݺͼग़͍ͨ͠ઌͷCVGͷΞυϨεʹ
    'PSNBU4USJOH"UUBDLͷ੬ऑੑΛ࢖ͬͯॻ͖׵͑Δɻ

    *** 'PSNBU4USJOH"UUBDLͰ&YQMPJUͷԠ༻

    ɾ3FUVSOUPMJCDΛ࢖ͬͨ&YQMPJUͷઆ໌

    View Slide