Upgrade to Pro — share decks privately, control downloads, hide ads and more …

私の大好きなFormat String Attack

Yuki Saito
April 29, 2018
Programming
2
820

私の大好きなFormat String Attack

すみだセキュリティ 2018/04/30

Yuki Saito

April 29, 2018
Tweet

More Decks by Yuki Saito

See All by Yuki Saito
Black Hatで話題になったGyoiThonを使ってみた!
saiyuki1919
1
1.2k
Spectreについて
saiyuki1919
2
1.7k

Other Decks in Programming

See All in Programming
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
250
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
300
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
1.1k
Javaエンジニアのための Nodejs/Nuxt3入門
hidekatsu_izuno
0
280
スクラムチームと認知負荷 - ニフティのスクラムトーク Vol2. / NIFTY Tech Talk #18
niftycorp
PRO
1
120
App Router への移行は「改善」となり得るのか?/ Can migration to App Router be an improvement
takefumiyoshii
8
2.1k
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
25
7.8k
Folding Cheat Sheet #3
philipschwarz
PRO
0
110
What We Can Learn From OSS
inouehi
0
400
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
190
今の SmartHR にエンジニアで入社するとどうなるの?
daisukeshinoku
5
4.6k
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
39
18k

Featured

See All Featured
Into the Great Unknown - MozCon
thekraken
10
980
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
243
20k
Teambox: Starting and Learning
jrom
128
8.4k
Statistics for Hackers
jakevdp
789
220k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
356
22k
StorybookのUI Testing Handbookを読んだ
zakiyama
11
4.6k
Become a Pro
speakerdeck
PRO
10
4.5k
Scaling GitHub
holman
457
140k
The Power of CSS Pseudo Elements
geoffreycrofte
59
5k
Designing the Hi-DPI Web
ddemaree
276
33k
Side Projects
sachag
451
41k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k

Transcript

  1. ࢲͷେ޷͖ͳ
 'PSNBU4USJOH"UUBDL 2018/04/30 ͢ΈͩηΩϡϦςΟษڧձ @saiyuki1919 (ᴡ౻ ༔ر)

  2. * 'PSNBU4USJOH"UUBDLͷ࢓૊Έ ** 'PSNBU4USJOH"UUBDLͰ&YQMPJU࡞੒ *** 'PSNBU4USJOH"UUBDLͰ&YQMPJUͷԠ༻

  3. *'PSNBU4USJOH"UUBDLͷ࢓૊Έ

  4. 'PSNBU4USJOH"UUBDLͱ͸ Format String Attack(จࣈྻॻࣜܕ߈ܸ)͸ɺprintf() ΍ syslog() ౳ͷ ॻࣜࢦఆͷͰ͖Δؔ਺Λѱ༻͠ɺ %s ΍

    %x ͱ͍ͬͨॻࣜτʔΫϯΛ ࢖͍ɺελοΫ΍ͦͷଞͷϝϞϦҐஔͷ಺༰Λσʔλͱͯ͠ग़ྗ͞ ͤͨΓɺ%n τʔΫϯΛ࢖ͬͯ೚ҙͷΞυϨεҐஔʹ೚ҙͷσʔλΛ ॻ͖ࠐ·ͤΔ͜ͱ͕Ͱ͖Δɻ ߈ܸ͕੒ޭ͢Ε͹࠷ѱͷ৔߹ɺίϯϐϡʔλͷ੍ޚΛୣΘΕΔɻ
 ͦ͏Ͱͳͯ͘΋ϓϩηε͕ҟৗऴྃ͢Δ౳ͷো֐͕ى͜ΓಘΔɻ

  5. ੬ऑੑͷ͋ΔϓϩάϥϜ JODMVEFTUEJPI JODMVEFTUSJOHI JOUNBJO JOUBSHD DIBS BSHW<>  \ DIBSCVG<>

    QSJOUG < >CVGQaO CVG  TUSODQZ CVG BSHW<>   QSJOUG CVG  QVUDIBS aO  SFUVSO ^ ࢀরɿ
 ΋΋͍ΖςΫϊϩδʔ
 GPSNBUTUSJOHBUUBDLʹΑΔ(05PWFSXSJUFΛ΍ͬͯΈΔ QSJOUG T CVG 

  6. ίϯύΠϧ࣌ͷ஫ҙ w 441 4UBDL4NBTI1SPUFDUJPO ༗ޮ
 ؔ਺ͷݺͼग़࣌͠ʹελοΫʹDBOBSZ ΧφϦΞ ͱݺ͹ΕΔ஋ ͕ஔ͔Εɺ͜Ε͕ॻ͖׵͑ΒΕͨͱ͖ڧ੍ऴྃ͢ΔΑ͏ʹͳΔɻ w

    "4-3 "EESFTT4QBDF-BZPVU3BOEPNJ[BUJPO ແޮ
 ॏཁͳσʔλྖҬͷҐஔʢ௨ৗɺϓϩηεͷΞυϨεۭؒʹ͓͚Δ࣮ߦϑΝ ΠϧͷجఈͱϥΠϒϥϦɺώʔϓɺ͓ΑͼελοΫͷҐஔؚ͕·ΕΔʣΛແ࡞ ҝʹ഑ஔ͢ΔίϯϐϡʔληΩϡϦςΟͷٕज़ w %&1 %BUB&YFDVUJPO1SFWFOUJPO ແޮ
 %&1Λ༗ޮʹ͢Δͱ࣮ߦෆՄೳͳϝϞϦྖҬ͔ΒίʔυΛ࣮ߦ͢Δ͜ͱͷ๷ ࢭ͞ΕΔɻ

  7. ॻࣜࢦఆ w ൪໨ͷελοΫͷ಺༰Λ֬ೝ͍ͨ͠৔߹͸YͰ֬ೝͰ͖Δɻ Φϑηοτ  BPVU""""YYYYYYYYYYY < >CVGYC⒎GF⒎
 """"C⒎⒎FEGC⒎C⒎⒎FDC⒎⒎C⒎⒎FC⒎⒎ 


    
 w OΛࢦఆ͢Δ͜ͱͰݱ࣌఺·ͰʹετϦʔϜ·ͨ͸όοϑΝʔʹਖ਼ৗʹॻ͖ࠐ·Εͨจ ࣈ਺ΛϝϞϦόΠτͷΞυϨεʹॻ͖׵͑Δ͜ͱ͕Ͱ͖Δɻ w DͰࢦఆͨ͠਺͕ग़ྗ͞ΕΔɻ YBBCCDDEE͔ΒͷόΠτͷΞυϨεΛ  ʹॻ͖׵͑Δ    BPVUbaYEEaYDDaYCCaYBBDO` """"Y

  8. ೚ҙͷΞυϨεΛॻ͖׵͑Δ YBBCCDDEEΛ̍όΠτͣͭYʹॻ͖׵͑Δ Φϑηοτ͕ͷ৔߹  laYEEaYDDaYCCaYBB aYEFaYDDaYCCaYBB aYEGaYDDaYCCaYBB aYFaYDDaYCCaYBBa YBBCCDDEEY Y

     IIO
 YBBCCDDEFYY Y  Y&'  IIO
 YBBCCDDEGYY Y  Y&'  IIO
 YBBCCDDFYY Y  Y&'  IIO
 ˞όΠτͣͭॻ͖׵͑Δ৔߹͸IOɺόΠτͣͭॻ͖׵͍͑ͨ৔߹͸IIO

  9. (MPCBM0⒎TFU5BCMF ίϯύΠϧ࣌ʹڞ༗ϥΠϒϥϦΛμΠφϛοΫϦϯΫͨ͠৔߹ɺڞ༗ϥΠϒϥϦͷؔ਺͸(05 (MPCBM 0⒎TFU5BCMF ͱݺ͹ΕΔδϟϯϓςʔϒϧΛհͯ͠ݺͼग़͞ΕΔɻ YG  QVTIYF YGF 

    DBMMYQSJOUG!QMU Y  BEEFTQ Y Y  NPWFBY %803%153<FCQYD> Y  BEEFBY Y YD  NPWFBY %803%153<FBY> YF  TVCFTQ Y Y  QVTIY Y  QVTIFBY Y  MFBFBY <FCQY> Y  QVTIFBY Y  DBMMYCTUSODQZ!QMU YE  BEEFTQ Y Y  TVCFTQ YD Y  MFBFBY <FCQY> Y  QVTIFBY Y  DBMMYQSJOUG!QMU YD  BEEFTQ Y YG  TVCFTQ YD Y QVTIYB Y DBMMYBQVUDIBS!QMU Y BEEFTQ Y EJTBTY %VNQPGBTTFNCMFSDPEFGPSGVODUJPOQSJOUG!QMU Y KNQ%803%153ETYBD Y QVTIY YC KNQY &OEPGBTTFNCMFSEVNQ SFBEFMG4BPVU
 4FDUJPO)FBEFST
 </S>/BNF5ZQF"EES0⒎4J[F&4'MH
 <>HPUQMU130(#*54B8"
 
 ,FZUP'MBHT
 8 XSJUF " BMMPD 9 FYFDVUF . NFSHF 4 TUSJOHT 
 * JOGP - MJOLPSEFS ( HSPVQ 5 5-4 & FYDMVEF Y VOLOPXO 
 0 FYUSB04QSPDFTTJOHSFRVJSFE P 04TQFDJpD Q QSPDFTTPS TQFDJpD

  10. ** 'PSNBU4USJOH"UUBDLͰ&YQMPJU࡞੒

  11. JNQPSUʜ
 BEES@HPUJOU TZTBSHW<>   BEES@CVGJOU TZTBSHW<>   JOEFYJOU

    TZTBSHW<>  CVǦ
 CJOTIͰγΣϧىಈ͢Δ TIFMMDPEFaYaYEaYaYaYGaYGaYaYaYaYG
 aYaYaYFaYaYFaYaYaYaYFaYEaYaYCaYDEaY GPSJJOSBOHF    CVG TUSVDUQBDL * BEES@HPU J  CVG TIFMMDPEF BNBQ PSE TUSVDUQBDL * BEES@CVG   B<> B<>B<> Y  B<> B<>B<> Y  B<> B<>B<> Y  B<> B<>MFO CVG Y  GPSJJOSBOHF    CVG EDEIIO B<J> JOEFY J  Q1PQFO <BPVU CVG>  QXBJU ೚ҙͷΞυϨεʹॻ͖׵͑Δ (05ͷΞυϨε CVGͷΞυϨε ࢀরɿ
 ΋΋͍ΖςΫϊϩδʔ
 GPSNBUTUSJOHBUUBDLʹΑΔ(05PWFSXSJUFΛ΍ͬͯΈΔ

  12. ΤΫεϓϩΠτͷશମͷྲྀΕ  ॻ͖׵͍͑ͨ(05ͷΞυϨεΛܾΊΔ  (05ͷ஋ΛTIFMMDPEF͕֨ೲ͞Ε͍ͯΔΞυϨεʹॻ͖׵͑Δ  (05ͷΞυϨε͕ݺ͹ΕΔͱTIFMMDPEFͷॻ͔Ε͍ͯΔΞυϨεʹ ඈ͹͞ΕͯɺTIFMMDPEF͕࣮ߦ͢Δ

  13. ࣮ࢪ QVUDIBSؔ਺͕ݺ͹Εͨ࣌ʹTIFMMDPEFΛ࣮ߦ͍ͨ͠ͱࢥ͍·͢ɻ BPVU""""YYYYYYYYYYY < >CVGYC⒎GF⒎ """"C⒎⒎FEGC⒎C⒎⒎FDC⒎⒎C⒎⒎FC⒎⒎ PCKEVNQEKQMUBPVU %JTBTTFNCMZPGTFDUJPOQMU BQVUDIBS!QMU B

    ⒎B KNQ YB B  QVTIY BC FC⒎⒎⒎ KNQ@JOJU YD γΣϧ͕ىಈ͢Δ (05ΞυϨε CVGΞυϨε JOEFY 
 QZUIPOFYQQZYB9C⒎GFGC
 < >CVGYC⒎GFGC
 

  14. ࣍ͷεςοϓ w %&1Λ༗ޮʹͨ͠৔߹Ͳ͏͢Δʁ
 ෮श %&1Λ༗ޮʹ͢Δͱ࣮ߦෆՄೳͳϝϞϦྖҬ͔ΒίʔυΛ࣮ߦ͢Δ ͜ͱͷ๷ࢭ͞Ε·͢ɻ
 ͱ͍͏͜ͱ͸ʂγΣϧίʔυ͕࣮ߦͰ͖ͳ͍ɻ w 3FUVSOUPMJCD
 ϓϩηε͕࣮ߦ͞ΕΔͱڞ༗ϥΠϒϥϦ͕ΞυϨεʹϩʔυ͞ΕΔɻ

    ͦͷϩʔυ͞ΕͨΞυϨεͷϕʔεΞυϨε͔ΒΦϑηοτΛݩʹؔ਺ Λݺͼग़ͤ·͢ɻ จࣈྻͳͲ΋Մೳ

  15. ࣍ͷεςοϓ w "4-3Λ༗ޮʹͨ͠৔߹Ͳ͏͢Δʁ
 ෮श ॏཁͳσʔλྖҬͷҐஔʢ௨ৗɺϓϩηεͷΞυϨεۭؒʹ͓͚Δ ࣮ߦϑΝΠϧͷجఈͱϥΠϒϥϦɺώʔϓɺ͓ΑͼελοΫͷҐஔؚ͕· ΕΔʣΛແ࡞ҝʹ഑ஔ͢ΔίϯϐϡʔληΩϡϦςΟͷٕज़ XJLJ͔Β  w

    ϒϧʔτϑΥʔε
 ໨తͷΞυϨεʹͳΔ·ͰϒϧʔϑΥʔε͢Δ w /PQTMFE
 "4-3ͷϥϯμϜ഑ஔʹ͸͋Δఔ౓ൣғ͕ܾ·͍ͬͯΔͷͰɺγΣϧ ίʔυલʹ/01Λͨ͘͞ΜڬΉ͜ͱͰϒϧʔτϑΥʔεΛ੒ޭͤ͞Δ

  16. *** 'PSNBU4USJOH"UUBDLͰ&YQMPJUͷԠ༻

  17. 3FUVSOUPMJCD BEES@SFUBEESBEES@CVG P⒎TFU@SFUBEES CVGTUSVDUQBDL * BEES@SFUBEES  CVG TUSVDUQBDL *

    BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CVG TUSVDUQBDL * BEES@SFUBEES   CNBQ PSE TUSVDUQBDL * MJCD@CBTF P⒎TFU@CJOTI  BNBQ PSE TUSVDUQBDL * MJCD@CBTF P⒎TFU@TZTUFN  C<> C<>C<> Y  C<> C<>C<> Y  C<> C<>C<> Y  C<> C<>B<> Y  B<> B<>B<> Y  B<> B<>B<> Y  B<> B<>B<> Y  B<> B<>MFO CVG  Y ࢀরɿ
 ΋΋͍ΖςΫϊϩδʔ
 3&-30ͱGPSNBUTUSJOHBUUBDLʹΑΔϦλʔϯΞυϨεॻ͖׵͑ YC⒎⒎ Y TBWFEFCQ FCQ ɹYCFE NBJO͔ΒͷϦλʔϯΞυϨε  Y BSHD  YC⒎⒎G BSHW<> YC⒎⒎ Y TBWFEFCQ FCQ ɹYCFC 4ZTUFNؔ਺  Y SFUVSOΞυϨε  YC⒎⒎G ୈҰҾ਺

  18. ·ͱΊ * 'PSNBU4USJOH"UUBDLͷ࢓૊Έ
 ɾQSJOUG TZTMPHͳͲͷؔ਺ͷॻࣜτʔΫϯΛ࢖ͬͯ೚ҙͷΞυϨεҐஔ ʹ೚ҙͷσʔλΛॻ͖ࠐ·ͤΔ͜ͱ͕Ͱ͖Δɻ
 
 ** 'PSNBU4USJOH"UUBDLͰ&YQMPJU࡞੒
 ɾCVGʹTIFMMDPEFΛૠೖ͢Δ


    ɾ(05ʹ͋Δؔ਺ͷΞυϨεΛݺͼग़͍ͨ͠ઌͷCVGͷΞυϨεʹ 'PSNBU4USJOH"UUBDLͷ੬ऑੑΛ࢖ͬͯॻ͖׵͑Δɻ
 *** 'PSNBU4USJOH"UUBDLͰ&YQMPJUͷԠ༻
 ɾ3FUVSOUPMJCDΛ࢖ͬͨ&YQMPJUͷઆ໌