Upgrade to Pro — share decks privately, control downloads, hide ads and more …

私の大好きなFormat String Attack

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Yuki Saito Yuki Saito
April 29, 2018
Programming
1k
2

私の大好きなFormat String Attack

すみだセキュリティ 2018/04/30

Avatar for Yuki Saito

Yuki Saito

April 29, 2018

More Decks by Yuki Saito

See All by Yuki Saito
Black Hatで話題になったGyoiThonを使ってみた!
Avatar for Yuki Saito saiyuki1919
1
1.5k
Spectreについて
Avatar for Yuki Saito saiyuki1919
2
1.9k

Other Decks in Programming

See All in Programming
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
Avatar for ギークプラス ソフトウェア事業部 geekplus_tech
0
310
The NotImplementedError Problem in Ruby
Avatar for Koichi ITO koic
1
610
Composerを使ったサプライチェーン攻撃の様子を眺めてみる #phpstudy
Avatar for hideki kinjyo o0h
PRO
2
220
Language Server 使ってる? 〜VSCode と Zed の場合〜 / Are you using a Language Server? ~For VS Code and Zed~
Avatar for NAGATA Hiroaki handlename
0
760
tsserverとは何だったのか、これからどうなるのか
Avatar for Ryota Nakamura nowaki28
1
450
AutonomyとControlのあいだ:Graflowで記述するAIエージェント協調
Avatar for Makoto Yui myui
0
110
Stage 3 Decorators でできること / できないこと / TSKaigi 2026
Avatar for Susisu susisu
1
1.6k
New "Type" system on PicoRuby
Avatar for pocke pocke
1
480
柔軟なPDFレイアウトエディタを支える型システム設計 — Discriminated UnionとConditional Typeの実践
Avatar for minako-ph minako__ph
4
1.4k
ふつうのFeature Flag実践入門
Avatar for irof irof
7
3.6k
Signal Forms: Beyond the Basics @ngBaguette 2026 in Paris
Avatar for Manfred Steyer manfredsteyer
PRO
0
230
プロパティの順序で型推論が壊れる!? TypeScript6.0の修正からContext-Sensitivityの仕組みを追う
Avatar for おおいし bicstone
2
1.3k

Featured

See All Featured
Tell your own story through comics
Avatar for letsgokoyo letsgokoyo
1
950
[SF Ruby Conf 2025] Rails X
Avatar for Vladimir Dementyev palkan
2
1.1k
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
300
Believing is Seeing
Avatar for Spiro Bolos oripsolob
1
140
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.9k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
Avatar for AKADEMIYA2063 akademiya2063
PRO
1
130
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
270
14k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
304
22k
Leadership Guide Workshop - DevTernity 2021
Avatar for David Neal reverentgeek
1
300
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
52k

Transcript

  1. ࢲͷେ޷͖ͳ
 'PSNBU4USJOH"UUBDL 2018/04/30 ͢ΈͩηΩϡϦςΟษڧձ @saiyuki1919 (ᴡ౻ ༔ر)

  2. * 'PSNBU4USJOH"UUBDLͷ࢓૊Έ ** 'PSNBU4USJOH"UUBDLͰ&YQMPJU࡞੒ *** 'PSNBU4USJOH"UUBDLͰ&YQMPJUͷԠ༻

  3. *'PSNBU4USJOH"UUBDLͷ࢓૊Έ

  4. 'PSNBU4USJOH"UUBDLͱ͸ Format String Attack(จࣈྻॻࣜܕ߈ܸ)͸ɺprintf() ΍ syslog() ౳ͷ ॻࣜࢦఆͷͰ͖Δؔ਺Λѱ༻͠ɺ %s ΍

    %x ͱ͍ͬͨॻࣜτʔΫϯΛ ࢖͍ɺελοΫ΍ͦͷଞͷϝϞϦҐஔͷ಺༰Λσʔλͱͯ͠ग़ྗ͞ ͤͨΓɺ%n τʔΫϯΛ࢖ͬͯ೚ҙͷΞυϨεҐஔʹ೚ҙͷσʔλΛ ॻ͖ࠐ·ͤΔ͜ͱ͕Ͱ͖Δɻ ߈ܸ͕੒ޭ͢Ε͹࠷ѱͷ৔߹ɺίϯϐϡʔλͷ੍ޚΛୣΘΕΔɻ
 ͦ͏Ͱͳͯ͘΋ϓϩηε͕ҟৗऴྃ͢Δ౳ͷো֐͕ى͜ΓಘΔɻ

  5. ੬ऑੑͷ͋ΔϓϩάϥϜ JODMVEFTUEJPI JODMVEFTUSJOHI JOUNBJO JOUBSHD DIBS BSHW<>  \ DIBSCVG<>

    QSJOUG < >CVGQaO CVG  TUSODQZ CVG BSHW<>   QSJOUG CVG  QVUDIBS aO  SFUVSO ^ ࢀরɿ
 ΋΋͍ΖςΫϊϩδʔ
 GPSNBUTUSJOHBUUBDLʹΑΔ(05PWFSXSJUFΛ΍ͬͯΈΔ QSJOUG T CVG 

  6. ίϯύΠϧ࣌ͷ஫ҙ w 441 4UBDL4NBTI1SPUFDUJPO ༗ޮ
 ؔ਺ͷݺͼग़࣌͠ʹελοΫʹDBOBSZ ΧφϦΞ ͱݺ͹ΕΔ஋ ͕ஔ͔Εɺ͜Ε͕ॻ͖׵͑ΒΕͨͱ͖ڧ੍ऴྃ͢ΔΑ͏ʹͳΔɻ w

    "4-3 "EESFTT4QBDF-BZPVU3BOEPNJ[BUJPO ແޮ
 ॏཁͳσʔλྖҬͷҐஔʢ௨ৗɺϓϩηεͷΞυϨεۭؒʹ͓͚Δ࣮ߦϑΝ ΠϧͷجఈͱϥΠϒϥϦɺώʔϓɺ͓ΑͼελοΫͷҐஔؚ͕·ΕΔʣΛແ࡞ ҝʹ഑ஔ͢ΔίϯϐϡʔληΩϡϦςΟͷٕज़ w %&1 %BUB&YFDVUJPO1SFWFOUJPO ແޮ
 %&1Λ༗ޮʹ͢Δͱ࣮ߦෆՄೳͳϝϞϦྖҬ͔ΒίʔυΛ࣮ߦ͢Δ͜ͱͷ๷ ࢭ͞ΕΔɻ

  7. ॻࣜࢦఆ w ൪໨ͷελοΫͷ಺༰Λ֬ೝ͍ͨ͠৔߹͸YͰ֬ೝͰ͖Δɻ Φϑηοτ  BPVU""""YYYYYYYYYYY < >CVGYC⒎GF⒎
 """"C⒎⒎FEGC⒎C⒎⒎FDC⒎⒎C⒎⒎FC⒎⒎ 


    
 w OΛࢦఆ͢Δ͜ͱͰݱ࣌఺·ͰʹετϦʔϜ·ͨ͸όοϑΝʔʹਖ਼ৗʹॻ͖ࠐ·Εͨจ ࣈ਺ΛϝϞϦόΠτͷΞυϨεʹॻ͖׵͑Δ͜ͱ͕Ͱ͖Δɻ w DͰࢦఆͨ͠਺͕ग़ྗ͞ΕΔɻ YBBCCDDEE͔ΒͷόΠτͷΞυϨεΛ  ʹॻ͖׵͑Δ    BPVUbaYEEaYDDaYCCaYBBDO` """"Y

  8. ೚ҙͷΞυϨεΛॻ͖׵͑Δ YBBCCDDEEΛ̍όΠτͣͭYʹॻ͖׵͑Δ Φϑηοτ͕ͷ৔߹  laYEEaYDDaYCCaYBB aYEFaYDDaYCCaYBB aYEGaYDDaYCCaYBB aYFaYDDaYCCaYBBa YBBCCDDEEY Y

     IIO
 YBBCCDDEFYY Y  Y&'  IIO
 YBBCCDDEGYY Y  Y&'  IIO
 YBBCCDDFYY Y  Y&'  IIO
 ˞όΠτͣͭॻ͖׵͑Δ৔߹͸IOɺόΠτͣͭॻ͖׵͍͑ͨ৔߹͸IIO

  9. (MPCBM0⒎TFU5BCMF ίϯύΠϧ࣌ʹڞ༗ϥΠϒϥϦΛμΠφϛοΫϦϯΫͨ͠৔߹ɺڞ༗ϥΠϒϥϦͷؔ਺͸(05 (MPCBM 0⒎TFU5BCMF ͱݺ͹ΕΔδϟϯϓςʔϒϧΛհͯ͠ݺͼग़͞ΕΔɻ YG  QVTIYF YGF 

    DBMMYQSJOUG!QMU Y  BEEFTQ Y Y  NPWFBY %803%153<FCQYD> Y  BEEFBY Y YD  NPWFBY %803%153<FBY> YF  TVCFTQ Y Y  QVTIY Y  QVTIFBY Y  MFBFBY <FCQY> Y  QVTIFBY Y  DBMMYCTUSODQZ!QMU YE  BEEFTQ Y Y  TVCFTQ YD Y  MFBFBY <FCQY> Y  QVTIFBY Y  DBMMYQSJOUG!QMU YD  BEEFTQ Y YG  TVCFTQ YD Y QVTIYB Y DBMMYBQVUDIBS!QMU Y BEEFTQ Y EJTBTY %VNQPGBTTFNCMFSDPEFGPSGVODUJPOQSJOUG!QMU Y KNQ%803%153ETYBD Y QVTIY YC KNQY &OEPGBTTFNCMFSEVNQ SFBEFMG4BPVU
 4FDUJPO)FBEFST
 </S>/BNF5ZQF"EES0⒎4J[F&4'MH
 <>HPUQMU130(#*54B8"
 
 ,FZUP'MBHT
 8 XSJUF " BMMPD 9 FYFDVUF . NFSHF 4 TUSJOHT 
 * JOGP - MJOLPSEFS ( HSPVQ 5 5-4 & FYDMVEF Y VOLOPXO 
 0 FYUSB04QSPDFTTJOHSFRVJSFE P 04TQFDJpD Q QSPDFTTPS TQFDJpD

  10. ** 'PSNBU4USJOH"UUBDLͰ&YQMPJU࡞੒

  11. JNQPSUʜ
 BEES@HPUJOU TZTBSHW<>   BEES@CVGJOU TZTBSHW<>   JOEFYJOU

    TZTBSHW<>  CVǦ
 CJOTIͰγΣϧىಈ͢Δ TIFMMDPEFaYaYEaYaYaYGaYGaYaYaYaYG
 aYaYaYFaYaYFaYaYaYaYFaYEaYaYCaYDEaY GPSJJOSBOHF    CVG TUSVDUQBDL * BEES@HPU J  CVG TIFMMDPEF BNBQ PSE TUSVDUQBDL * BEES@CVG   B<> B<>B<> Y  B<> B<>B<> Y  B<> B<>B<> Y  B<> B<>MFO CVG Y  GPSJJOSBOHF    CVG EDEIIO B<J> JOEFY J  Q1PQFO <BPVU CVG>  QXBJU ೚ҙͷΞυϨεʹॻ͖׵͑Δ (05ͷΞυϨε CVGͷΞυϨε ࢀরɿ
 ΋΋͍ΖςΫϊϩδʔ
 GPSNBUTUSJOHBUUBDLʹΑΔ(05PWFSXSJUFΛ΍ͬͯΈΔ

  12. ΤΫεϓϩΠτͷશମͷྲྀΕ  ॻ͖׵͍͑ͨ(05ͷΞυϨεΛܾΊΔ  (05ͷ஋ΛTIFMMDPEF͕֨ೲ͞Ε͍ͯΔΞυϨεʹॻ͖׵͑Δ  (05ͷΞυϨε͕ݺ͹ΕΔͱTIFMMDPEFͷॻ͔Ε͍ͯΔΞυϨεʹ ඈ͹͞ΕͯɺTIFMMDPEF͕࣮ߦ͢Δ

  13. ࣮ࢪ QVUDIBSؔ਺͕ݺ͹Εͨ࣌ʹTIFMMDPEFΛ࣮ߦ͍ͨ͠ͱࢥ͍·͢ɻ BPVU""""YYYYYYYYYYY < >CVGYC⒎GF⒎ """"C⒎⒎FEGC⒎C⒎⒎FDC⒎⒎C⒎⒎FC⒎⒎ PCKEVNQEKQMUBPVU %JTBTTFNCMZPGTFDUJPOQMU BQVUDIBS!QMU B

    ⒎B KNQ YB B  QVTIY BC FC⒎⒎⒎ KNQ@JOJU YD γΣϧ͕ىಈ͢Δ (05ΞυϨε CVGΞυϨε JOEFY 
 QZUIPOFYQQZYB9C⒎GFGC
 < >CVGYC⒎GFGC
 

  14. ࣍ͷεςοϓ w %&1Λ༗ޮʹͨ͠৔߹Ͳ͏͢Δʁ
 ෮श %&1Λ༗ޮʹ͢Δͱ࣮ߦෆՄೳͳϝϞϦྖҬ͔ΒίʔυΛ࣮ߦ͢Δ ͜ͱͷ๷ࢭ͞Ε·͢ɻ
 ͱ͍͏͜ͱ͸ʂγΣϧίʔυ͕࣮ߦͰ͖ͳ͍ɻ w 3FUVSOUPMJCD
 ϓϩηε͕࣮ߦ͞ΕΔͱڞ༗ϥΠϒϥϦ͕ΞυϨεʹϩʔυ͞ΕΔɻ

    ͦͷϩʔυ͞ΕͨΞυϨεͷϕʔεΞυϨε͔ΒΦϑηοτΛݩʹؔ਺ Λݺͼग़ͤ·͢ɻ จࣈྻͳͲ΋Մೳ

  15. ࣍ͷεςοϓ w "4-3Λ༗ޮʹͨ͠৔߹Ͳ͏͢Δʁ
 ෮श ॏཁͳσʔλྖҬͷҐஔʢ௨ৗɺϓϩηεͷΞυϨεۭؒʹ͓͚Δ ࣮ߦϑΝΠϧͷجఈͱϥΠϒϥϦɺώʔϓɺ͓ΑͼελοΫͷҐஔؚ͕· ΕΔʣΛແ࡞ҝʹ഑ஔ͢ΔίϯϐϡʔληΩϡϦςΟͷٕज़ XJLJ͔Β  w

    ϒϧʔτϑΥʔε
 ໨తͷΞυϨεʹͳΔ·ͰϒϧʔϑΥʔε͢Δ w /PQTMFE
 "4-3ͷϥϯμϜ഑ஔʹ͸͋Δఔ౓ൣғ͕ܾ·͍ͬͯΔͷͰɺγΣϧ ίʔυલʹ/01Λͨ͘͞ΜڬΉ͜ͱͰϒϧʔτϑΥʔεΛ੒ޭͤ͞Δ

  16. *** 'PSNBU4USJOH"UUBDLͰ&YQMPJUͷԠ༻

  17. 3FUVSOUPMJCD BEES@SFUBEESBEES@CVG P⒎TFU@SFUBEES CVGTUSVDUQBDL * BEES@SFUBEES  CVG TUSVDUQBDL *

    BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CNBQ PSE TUSVDUQBDL * MJCD@CBTF P⒎TFU@CJOTI  BNBQ PSE TUSVDUQBDL * MJCD@CBTF P⒎TFU@TZTUFN  C<> C<>C<> Y  C<> C<>C<> Y  C<> C<>C<> Y  C<> C<>B<> Y  B<> B<>B<> Y  B<> B<>B<> Y  B<> B<>B<> Y  B<> B<>MFO CVG  Y ࢀরɿ
 ΋΋͍ΖςΫϊϩδʔ
 3&-30ͱGPSNBUTUSJOHBUUBDLʹΑΔϦλʔϯΞυϨεॻ͖׵͑ YC⒎⒎ Y TBWFEFCQ FCQ ɹYCFE NBJO͔ΒͷϦλʔϯΞυϨε  Y BSHD  YC⒎⒎G BSHW<> YC⒎⒎ Y TBWFEFCQ FCQ ɹYCFC 4ZTUFNؔ਺  Y SFUVSOΞυϨε  YC⒎⒎G ୈҰҾ਺

  18. ·ͱΊ * 'PSNBU4USJOH"UUBDLͷ࢓૊Έ
 ɾQSJOUG TZTMPHͳͲͷؔ਺ͷॻࣜτʔΫϯΛ࢖ͬͯ೚ҙͷΞυϨεҐஔ ʹ೚ҙͷσʔλΛॻ͖ࠐ·ͤΔ͜ͱ͕Ͱ͖Δɻ
 
 ** 'PSNBU4USJOH"UUBDLͰ&YQMPJU࡞੒
 ɾCVGʹTIFMMDPEFΛૠೖ͢Δ


    ɾ(05ʹ͋Δؔ਺ͷΞυϨεΛݺͼग़͍ͨ͠ઌͷCVGͷΞυϨεʹ 'PSNBU4USJOH"UUBDLͷ੬ऑੑΛ࢖ͬͯॻ͖׵͑Δɻ
 *** 'PSNBU4USJOH"UUBDLͰ&YQMPJUͷԠ༻
 ɾ3FUVSOUPMJCDΛ࢖ͬͨ&YQMPJUͷઆ໌