Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WordPress保安検査ガイド〜運用可能なセキュリティを始めるために〜 / wpcamp_haneda_security

WordPress保安検査ガイド〜運用可能なセキュリティを始めるために〜 / wpcamp_haneda_security

yoshinori matsumoto

April 20, 2019
Tweet

More Decks by yoshinori matsumoto

Other Decks in Technology

Transcript

  1. View Slide

  2. et r
    pc B C A
    mo d
    K ilk y O h

    , 0 P W c
    aS sn

    , 5 6 2
    1 06 , 0

    View Slide

  3. Wcd h h
    S Wcd p I n J
    i ov d rP
    t SI A
    A +
    5 I 6 os
    h u
    b ae h u

    View Slide

  4. ) (
    ۭߓͰ͜Μͳ͜ͱ͋Γ·ͤΜ͔ʁ

    View Slide

  5. ৬৔Ͱ͜Μͳ͜ͱ͋Γ·ͤΜ͔
    8PSE1SFTT
    ͳΜ͔
    ةͳ͘Ͷ

    View Slide

  6. ! M 5
    S
    W C P

    View Slide

  7. ) (
    %SVQBM͸ةͳ͍ͱ͍͏ߟ͑΋ /(
    Ͳͷ$.4Ͱ΋੬ऑੑ͕͋Δ
    ੬ऑੑͷରԠ͸ඞཁ
    ָͨͩ͠ʹ͢Δ͜ͱ͸Մೳʁ

    Drupal

    https://www.itmedia.co.jp/enterprise/articles/1902/28/news077.html

    View Slide

  8. mi / A p
    . 1274 / A g tc j s
    7 A- 8 4381 2 4 4 8A4 1 82 4A 4 A ( 7
    e hfn dfkl
    7 A- 2 6 6 2 4 A 35 ) 06 0 608 :18 8 35
    r S a_
    r uo
    ͳΔ΂͘ૣ͘ରԠ
    ʢͰ͖ͨΒࣗಈԽ͍ͨ͠ʣ

    View Slide

  9. • 8PSE1SFTTͷϩάΠϯΛकΔ
    • ੬ऑੑ৘ใΛ֬ೝ͢Δ
    • ϓϥάΠϯͱςʔϚΛબͿ
    • 8PSE1SFTTͷؔ਺Λ࢖͏

    ؅ཧऀ
    ։ൃऀ޲͚
    ؅ཧऀ ฤूऀ ౤ߘऀ دߘऀ ߪಡऀ
    8PSE1SFTTΛ҆શʹ࢖͏ํ๏ʂ Ͱ͖Ε͹ָͳ΍ͭ
    શϢʔβ
    ʴЋ ࣄނ͕͓ͬͨ͜Β

    View Slide




  10. View Slide

  11. XML RPC
    wp-login.php


    ͜͜ͷϩάΠϯػೳ͕ૂΘΕ΍͍͢

    View Slide

  12. ΨνΨν
    σϑΥϧτ
    XQMPHJOQIQ౳ͷΞΫηε੍ݶʢ9.-31$΋ʣ
    ཁૉೝূɺΞΧ΢ϯτϩοΫ
    ύεϫʔυϙϦγʔͷ֬ೝ
    Ϣʔβ͸Ͳ͏࢖͏͔Λߟ͑ͳ͕Βઃఆ͢Δ
    *1ΞυϨε͕ݻఆՄೳ͔ʁ
    ηΩϡϦςΟ΁ͷzෛՙzʢ໘౗ࣄʣΛ͓ئ͍Ͱ͖Δ͔ʁ
    ӡӦऀ΁ͷෛ୲͸ͲΕ͘Β͍ڐ༰Ͱ͖Δ͔ʁ


    View Slide




  13. ΞΧ΢ϯτ໊΋ਪଌ͞Ε͍ͯΔ
    BVUIPSͰΞΧ΢ϯτ͕ਪଌ
    ˠ͜͜Λมߋ͢Δͷ͸໘౗͍͘͞
    ୠ͠ύεϫʔυ໊ʹΞΧ΢ϯτΛೖΕͳ͍͜ͱ΋ॏཁ

    View Slide

  14. αΠτͷอޢ ϗϫΠτϦετ
    8PSE1SFTTDPNͷ 440Λར༻


    View Slide



  15. ސ٬޲͚ͷΞΧ΢ϯτ؅ཧ͸8PSE1SFTTͷ
    ʮ$VTUPNFSʯݖݶʢ8$ಠࣗʣͱͯ͠࡞੒͞ΕΔ
    XQMPHJOQIQܦ༝Ͱ΋ϩάΠϯͰ͖Δ͕
    ؅ཧը໘ XQBENJOҎԼ
    ʹ͸ΞΫηεͰ͖ͳ͍
    • 8PSE1SFTTͷϩάΠϯϑΥʔϜͱಉ͡ڧ౓
    • ௨ৗϩάΠϯͱҧ͍ʮOPODFʯ͸͍͍ͭͯΔ͕ɺϫϯλΠϜͰ͸
    ͳ͍ͷͰϒϧʔτϑΥʔεରࡦʹ͸ඍົ
    • ϩάΠϯอޢܥͷϓϥάΠϯ͸ͦͷ··࢖͑Δ
    ʢ-PHJO-PDL%PXO $SB[ZCPOF ͳͲͰ͸ݕ஌Ͱ͖ͨʣ

    View Slide




  16. Ϩϯλϧαʔόͷ৔߹
    ଞαΠτ ଞαΠτ
    .Z
    8PSE1SFTT
    ͋ͳͨ
    '51αʔό
    ڞ༻αʔό
    '51ΞΧ΢ϯτ
    81ΞΧ΢ϯτ
    ίϯύω
    ΞΧ΢ϯτ
    αʔό
    ܖ໿৘ใ
    ϗεςΟϯάձࣾͷೋཁૉೝূΛ༗ޮʹ͢Δ
    ͦΕͧΕύεϫʔυΛ࢖͍·Θ͞ͳ͍
    '51ΫϥΠΞϯτ͸࠷৽൛Λ࢖͏
    ͳΔ΂͘'51͸࢖Θͳ͍
    ίϯύω

    View Slide




  17. 714Ϋϥ΢υαʔϏεͷ৔߹
    ͋ͳͨ
    714
    81ΞΧ΢ϯτ
    ίϯύω
    ΞΧ΢ϯτ
    αʔό
    ܖ໿৘ใ
    ϗεςΟϯάձࣾͷೋཁૉೝূΛ༗ޮʹ͢Δ
    αʔόͷ44)ϩάΠϯ͸ެ։伴ೝূ
    ʢύεϫʔυແޮʣʹ͢Δ
    ηΩϡϦςΟάϧʔϓͳͲ΋ઃఆ
    ίϯύω .Z
    8PSE1SFTT
    44)%
    αʔόΞΧ΢ϯτ

    View Slide




  18. 2աڈʹ XQMPHJOQIQ ʹΞΫηε͕͋ͬͨ*1ΞυϨεΛ
    ϒϩοΫ͍ͯ͠Δ͕ޮՌ͸͋Δͷ͔ʁ
    ΞΫηεϩά
    Attack IP
    .htaccess
    ϩάΠϯը໘ʹ޿͘ΞΫηε͍ͯ͠Δ*1͸ͦͷ౎౓มߋ͞ΕΔͨΊɺ
    *1ΞυϨεͷϒϥοΫϦετΛ؅ཧ͢Δͷ͸೉͍͠ɻ
    ·ͨɺݱঢ়ւ֎ͷ*1ΞυϨεଳҬʹଟ͍܏޲͸͋Δ͕ɺ
    ࠓޙࠃ಺*1ΞυϨεͰͷεΩϟϯ΋ߟ͑ΒΕΔͨΊɺ
    ࠃ͝ͱͷΞΫηε੍ݶΛա৴͠ͳ͍Α͏ʹ஫ҙ͕ඞཁɻ

    View Slide




  19. 2ϩάΠϯը໘ʹ#BTJDೝূ͍ΕΔ΂͖ʁ
    ೖΕͯ΋͍͍͚Ͳɺ໘౗ʹͯ͠·ͰͷϝϦοτ͸ͳ͍͔΋
    ʢಛʹฏจ௨৴Λߦ͍ͬͯΔαΠτ͸ةݥʣ
    81ͷػೳͰΧόʔͰ͖ΔͷͰϝϦοτΛڗडͰ͖ͳ͍
    σϝϦοτ͸ղܾ͍ͯ͠ͳ͍
    https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/003.html

    View Slide




  20. View Slide


  21. μογϡϘʔυʹ͋Δߋ৽৘ใ͸ཁ֬ೝ
    • ຊମ
    • ςʔϚ
    • ϓϥάΠϯ

    View Slide



  22. ຊମ
    ςʔϚ
    ϓϥάΠϯ
    ΦʔτΞοϓσʔτͷର৅
    ϝδϟʔΞοϓσʔτ͸؅ཧը໘͔Β
    ΦʔτΞοϓσʔτͷର৅֎
    ؅ཧը໘͔Β
    ΦʔτΞοϓσʔτͷର৅֎
    ؅ཧը໘͔Β

    View Slide




  23. 8PSE1SFTT͔Βಋೖ
    σϑΥϧτͰ༗ޮ
    ϚΠφʔΞοϓσʔτʢηΩϡϦςΟΞοϓσʔτʣͷΈର৅
    ແޮʹ͢Δ͜ͱ΋Մೳ
    ˠΑͬΆͲͷཧ༝͕ͳ͍ݶΓແޮʹ͠ͳ͍


    2018/12 2019/3
    2019/2 2019/3
    ΦʔτΞοϓσʔτ
    खಈ
    Ξοϓσʔτ
    ΦʔτΞοϓσʔτ
    ݪଇతʹαϙʔτ͸࠷৽൛Ͱ͋Δ͕ɺ
    ηΩϡϦςΟύον͕ग़Δ͜ͱ΋͋Δ

    View Slide

  24. IUUQTXXXBTBIJDPNBSUJDMFT"4,#)4,#6-0#IUNM
    8PSE1SFTTͷ੬ऑੑରࡦʹ͍ͭͯ
    IUUQTXXXJQBHPKQTFDVSJUZDJBESWVMXPSEQSFTTIUNM
    ຊମ
    Өڹड͚Δόʔδϣϯ

    ܥ΋͘͠͸ͦΕҎԼ͸
    ର৅֎

    मਖ਼ࡁΈͷόʔδϣϯ

    ΦʔτΞοϓσʔτର৅

    View Slide



  25. ެతػؔ
    +1$&35$$஫ҙשى
    IUUQXXXKQDFSUPSKQBU
    +7/
    IUUQTKWOKQ
    ϗεςΟϯάձࣾ
    ஫ҙשى΍ϝʔϧ
    ͜ͷ͋ͨΓʹग़ݱ͢Δ
    ৘ใʹ͸ཁ஫ҙʂ

    View Slide



  26. Ή͔͍ͣ͠࿩ΑʔΘ͔ΒΜͱ͍͏ํͷͨΊʹ
    • ೝূͳ͠ʢԕִͷɺୈࡾऀʹΑΔʙʣ
    • ֎෦͔ΒʢϦϞʔτ͔Βʣ
    • ίʔυ࣮ߦʢ3$&3FNPUF$PEF&YFDVUJPOʣ
    ͳͲ͕ଗ͏ͱཁ஫ҙ
    ͪ͜Βͷ߲໨Ͱ߈ܸ͕؆୯͔Ͳ͏͔ͳͲΛ֬ೝ͢Δ
    ·ͨΦʔτΞοϓσʔτͰରԠͰ͖͍ͯΔ͔Ͳ͏͔

    View Slide



  27. • 1)1ͷόʔδϣϯ͕ݹ͗͢ͳ͍͔
    ˠ ͦ΋ͦ΋8PSE1SFTT΋ಈ͔ͳ͘ͳΔ
    • 8FCαʔόʢ"QBDIF/HJOYʣͷόʔδϣϯ͕ݹ͗͢ͳ͍͔
    ˠ ZVNVQEBUF
    • ϑΝΠΞ΢Υʔϧ JQUBCMFTηΩϡϦςΟάϧʔϓ
    ˠ ࢖༻͍ͯ͠ͳ͍αʔϏε͕ىಈͨ͠··ʹͳ͍ͬͯͳ͍͔
    • ϩάϩʔςʔγϣϯ
    • 44-Խ
    ˠ ύεϫʔυɾݸਓ৘ใΛѻ͏৔໘͸͋ͬͨ΄͏͕͍͍ɻ4&0తʹ΋ɻ
    Α͘Θ͔Βͳ͍ɺ໘౗͍͘͞ͱ͍͏ਓ͸
    Ϩϯλϧαʔό΋͘͠͸8PSE1SFTTDPNΛར༻͠·͠ΐ͏

    View Slide




  28. View Slide



  29. Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild
    https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/
    ੬ऑੑΛѱ༻͞Ε
    εΫϦϓτΛຒΊࠐ·ΕΔ
    Ӿཡऀ͕࣮ߦ͢Δͱ
    ࠮ٗαΠτʹ༠ಋ͞ΕΔ
    ͦͷޙϓϥάΠϯ͸࡟আ͞ΕΔ
    ։ൃऀʹ௨஌͸͍͔ͳ͍ʂʁ

    View Slide



  30. ͲͪΒ΋࠮ٗαΠτʹ
    ༠ಋ͞ΕΔ
    8PSE1SFTTϓϥάΠϯΛૂ͏߈ܸ͕׆ൃԽ͍ͯ͠Δ݅Λ·ͱΊͯΈͨ
    IUUQTQJZPMPHIBUFOBEJBSZKQFOUSZ

    View Slide




  31. ੬ऑੑΛѱ༻͞Ε
    ೚ҙίʔυ͕࣮ߦ͞ΕΔ
    Ξοϓσʔτʹͯ
    ੬ऑੑରԠՄೳ
    • αΠτվ͟Μ
    • όοΫυΞຒΊࠐΈ
    • ϑΝΠϧ࡟আͳͲ
    • ϑΟογϯάαΠτԽ
    • ِαΠτ΁ͷ༠ಋ
    ͳΜͰ΋Ͱ͖Δ
    Duplicator Update Patches Remote Code Execution Flaw
    https://www.wordfence.com/blog/2018/09/duplicator-update-patches-remote-code-execution-flaw/

    View Slide



  32. 8PSE1SFTTͷࣄނରԠͰΑ͘ݟΔࣄྫ
    8FC4IFMMͱ͍͏πʔϧΛαʔό಺ʹஔ͔ΕΔ
    ͜ΕΛΩοΧέʹαʔόͰͷૢ࡞ΛߦΘΕΔ

    View Slide




  33. मਖ਼΍ϝϯςφϯε͕Α͘ߦΘΕ͍ͯΔ΋ͷΛબͿ
    ௕ظؒ์ஔ͞Ε͍ͯΔ΋ͷ͸ཁ஫ҙ
    ੬ऑੑͷ߈ܸํ๏͕޿·͍ͬͯΔՄೳੑ΋͋Γ
    ϓϥάΠϯ΍ςʔϚͷϖʔδͰ
    ͜ͷΑ͏ͳදه͕ग़Δͱཁ஫ҙ

    View Slide




  34. όοΫΞοϓ͸େࣄ
    8PSE1SFTTͷඪ४తͳϩά؀ڥ͚ͩͰ͸ɺ
    ༗ࣄͷͱ͖ʹඃ֐ঢ়گΛ೺Ѳ͢Δ͜ͱ͕೉͍͠
    ʢݪҼΛಛఆͨ͠͏͑Ͱʣ
    ฏৗ࣌ʹ໭ͯ͠͠·͏ํ͕ૣ͍͜ͱ΋͋Δ
    ɾιʔεϑΝΠϧ
    ɾ%# %VNQϑΝΠϧ

    ͷόοΫΞοϓ͕͋Ε͹
    ͳΜͱ͔ͳΔ
    ϓϥάΠϯΛ׆༻͢Δͷ΋0,
    ੬ऑੑͱϥΠηϯεʹ͸ؾΛ͚ͭͯ

    View Slide




  35. View Slide

  36. 42-ΠϯδΣΫγϣϯ
    944ʢΫϩεɾαΠτɾεΫϦϓςΟϯάʣ
    σʔλϕʔε΁ͷ߈ܸ
    σʔλϕʔε΁ͷ࿙͍͑΍ॻ͖׵͑ͳͲ
    ୈࡾऀʹΑΔ +BWB4DSJQUͷ࣮ߦ
    αΠτ๚໰ऀ΁ͷෆਖ਼αΠτ΁ͷ༠ಋ΍ɺ
    Ϛϧ΢ΣΞμ΢ϯϩʔυͳͲ


    View Slide

  37. 8PSE1SFTT͕ఏڙ͢Δؔ਺Λ༻͍Δ
    The WordPress Codex Is Your Friend…
    $wpdb->prepare ϓϨʔεϗϧμʔΛ࢖ͬͨΫΤϦͷอޢ
    wp_kses
    esc_html / esc_attr
    ୈࡾऀʹΑΔ+BWB4DSJQUͷ࣮ߦ๷ࢭ
    How to Prevent File Upload Vulnerabilities
    https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
    current_user_can('upload_files')
    ݱࡏͷϢʔβ͕ݖݶΛ΋͔ͭɻ
    ྫͰ͸ΞοϓϩʔυݖݶΛ΋͔ͭͲ͏͔
    wp_check_filetype
    ϑΝΠϧλΠϓΛνΣοΫ͢Δ
    .*/&λΠϓΛؚΊͯνΣοΫ͢Δඞཁ͕͋Δ

    View Slide

  38. Q E
    C S 3
    7 K
    d
    L E7 o
    i

    View Slide



  39. View Slide




  40. View Slide



  41. 8PSE1SFTTαΠτΛߏங͢Δͱ͍͘Β͔͔Δʁ ݟੵΓษڧձͰՁ֨Λग़ͯ͠Έͨ
    IUUQTUPZBPOFUXQXPSECFODI

    View Slide


  42. 8PSE1SFTTαΠτΛߏங͢Δͱ͍͘Β͔͔Δʁ ݟੵΓษڧձͰՁ֨Λग़ͯ͠Έͨ
    IUUQTUPZBPOFUXQXPSECFODI

    View Slide



  43. 8PSE1SFTTαΠτΛߏங͢Δͱ͍͘Β͔͔Δʁ ݟੵΓษڧձͰՁ֨Λग़ͯ͠Έͨ
    IUUQTUPZBPOFUXQXPSECFODI
    ¥488,355

    View Slide




  44. ͱϗεςΟϯάձ͔ࣾΒ࿈བྷΛड͚ͨ
    ͦͷͨΊαΠτ͸ఀࢭத
    αΠτࣗ਎ͷϏδωεΠϯύΫτ͸௿͍ͨΊ
    ఀࢭࣗମʹେ͖ͳӨڹ͸ͳ͍͕ɺݪҼ΍ඃ֐ঢ়گΛ֬ೝޙɺ
    ҆શΛ֬ೝͨ͠͏͑ͰɺͳΔ΂͘ૣΊʹ࠶։͍ͤͨ͞
    2ηΩϡϦςΟϕϯμͷௐࠪඅ༻͸͍͘Β͍Ͱ͠ΐ͏
    ʮਆށΈͳͱࣃՊʯͷαΠτʹΞΫηε͢Δͱ
    ෆਖ਼ͳαΠτʹϦμΠϨΫτ͞ΕΔ
    ૝ఆࣄҊ

    View Slide




  45. ෼ྨ ಺༰ Ձ֨
    ॳظௐࠪ
    ɾΞΫηεαʔόϩάௐࠪ
    ɾϑΝΠϧεΩϟϯ
    ʢෆਖ਼ͳϑΝΠϧ͕ͳ͍͔ʣ
    ɾݸਓ৘ใ࿙ӮϦεΫ൑ఆ
    =
    ηΩϡϦςΟ਍அ
    ɾηΩϡϦςΟ਍அ
    ʢπʔϧ਍அɺຊ਍அ͓Αͼ࠶਍அʣ
    =
    Φϓγϣϯ ɾΦϯαΠτใࠂ =
    ظؒɿ̍िؒఔ౓ʢ਍அΛআ͘ʣ
    ೲ඼෺ɿௐࠪใࠂॻ
    ࡞Γ௚͢ͷͱ
    ͔ΘΒΜʼʻ

    View Slide




  46. υϝΠϯͱ͔ͱಉ͡Ͱ࠷ޙ·Ͱ؅ཧ͢Δ͜ͱΛ໨తͱ͢Δ
    ϦΞϧͳ࿩ͩͱ
    อकαʔϏεΛένΒͳ͍
    ؅ཧͰ͖͍ͯͳ͍΢ΣϒαΠτ͸ด࠯ͷݕ౼Λ
    IUUQTXXXJQBHPKQTFDVSJUZDJBESWVMPMEDNTIUNM
    • ͓٬༷ɺؔ࿈اۀɺ؂ಜ׭ி΁ͷઆ໌
    • 8"'ͳͲͷηΩϡϦςΟ੡඼ͱͷ৽نܖ໿
    • หޢ࢜අ༻
    • ࠶ߏஙඅ༻ɺۀऀ࠶બఆ
    ݕ౼߲໨
    ࣮ࢪ߲໨͕

    View Slide




  47. ͜ͷεϥΠυ͸ϑΟΫγϣϯͰ͢
    ఘΊͯ࡞Γ௚͢΄͏͕҆͘Ͷʁ
    ͓͔͚ۚͯௐࠪͯ͠΋݁ہݪҼ͕෼͔Βͳ͔ͬͨ
    ͏ͪͰى͜Δͱ͸ࢥΘͳ͔ͬͨɻ
    өըͷ࿩Έ͍ͨ
    ͦ͏ͳΜͰ͕͢ɺ্ʹઆ໌͢Δͱ͔ͳΜͱ͔Ͱൃ஫͞ΕΔํ΋
    8PSE1SFTTͷඪ४తͳϩάͩͱಛఆ͸೉͍͜͠ͱ΋͋Γ·͢
    ·͊͜ͷεϥΠυ͸ϑΟΫγϣϯͰ͔͢Β

    View Slide



  48. View Slide

  49. • 8PSE1SFTTͷϩάΠϯΛकΔ
    • ੬ऑੑ৘ใΛ֬ೝ͢Δ
    • ϓϥάΠϯͱςʔϚΛબͿ
    • 8PSE1SFTTͷؔ਺Λ࢖͏
    • ηΩϡϦςΟΘ΀ʔ΄͘͠ͳ͍ʁʢ୭͔ʂ
    8PSE1SFTTΛ҆શʹ࢖͏ํ๏ʂ Ͱ͖Ε͹ָͳ΍ͭ

    View Slide

  50. a r u t 9
    ? W a r
    9 9 9
    W s
    a r
    = P
    e r ? = 914 o
    h P 1
    d o
    h s= 9

    View Slide

  51. 45
    0 0
    0 .

    View Slide