
あの脆弱性は今 ~ハニーポットで追ってみた~ (Those vulnerabilities today: tracking them with a honeypot)

November 10, 2018: Sumida Security Study Group 2018, Part 3
@morihi_soc #sumida_sec
https://sumidasec.connpass.com/event/104182/

Kazuaki Morihisa

November 10, 2018


Transcript

  1. あの脆弱性は今 ~ハニーポットで追ってみた~ (Those vulnerabilities today: tracking them with a honeypot)
     whoami
     - Kazuaki Morihisa (@morihi_soc)
     - Day job: network security engineer / analyst
     - Runs honeypots as a hobby, i.e. a "honeypotter"
     - Blog: https://www.morihi-soc.net
     - Organizer of the Honeypotter Technical Exchange meetup: https://hanipotech.connpass.com
     Events I have been involved with (partial list): IT Keys (now SecCap), Network Packet Reading Group (tentative name), NISC Cyber Halloween, Internet Week, Hardening, ssmjp, AISec, StudyCode, tktk Security Study Group, All-Kansai Cyber Security LT Contest, OWASP Nagoya, IoTSecJP
     Published books and technical doujinshi (NEW: October 2018)
  2. Honeypots
     - A honeypot is a system built on the premise that it will deliberately be attacked.
     - A person who operates honeypots → a "honeypotter".
     - A honeypot can collect many kinds of logs.
     - Precisely because a honeypot is operated over the long term, it lets you grasp attack trends.
     - This talk presents a case of using a honeypot as one of the sources of threat intelligence.
  3. Collecting security information
     - Not only security engineers: anyone working in IT is probably collecting security information of some kind.
     - IPA information security: https://www.ipa.go.jp/security/
     - JPCERT/CC: https://www.jpcert.or.jp/menu_receiveinformation.html
     - Interest should be especially high for the products you are involved with and the software and libraries you use.
     Checking whether you are affected is mandatory.
  4. When security information gets published
     - When a vulnerability is reported, discovered or fixed
     - When attack code (a PoC) is released
     - When an attack is detected
     - When there are signs of an outbreak
     - In periodic reports: monthly, quarterly, seasonal, annual and so on
     The wider the impact, the more likely the issue is to make (be picked up by) the news.
  5. "Uh-oh, uh-oh"
     - Vulnerability countermeasures matter. Applying patches and updates is necessary, right?
     - But there are also cases like these:
     - The service cannot be stopped for long, so a workaround is adopted until the root-cause fix is applied (e.g. fending off the Struts S2 vulnerabilities with a filter).
     - Until the wave of attacks dies down, access is restricted to lower the chance of being hit (e.g. for Cisco WebEx, allowing access only from the global IP addresses that need to connect).
  6. How to think about published security information
     - Assume that, as a rule, no "all clear" will ever be declared for an attack.
     - Once attack information is public, attacks can be carried out easily and at scale.
     - Cyberspace is full of copycats and script kiddies.
     - Because attack information is easy to obtain and attackers are numerous, an attack can recur or become popular again at any time. → No "all clear" can be declared.
     - What you can get, however, is a view of how trends change.
  7. Attack trends seen on the honeypot
     - A selection of vulnerabilities is presented: (1) the CGI PHP vulnerability (Apache Magica), (2) Bash (Shellshock), (3) WebLogic, (4) Drupal (Drupalgeddon2), (5) Docker, (6) jQuery
     - Survey period: from [year/month/day] to [month/day]
     - Scope: only the logs of the honeypot (WOWHoneypot) built and managed by morihi-soc
     WOWHoneypot: a web honeypot for beginners that "entertains" attackers: https://github.com/morihisa/WOWHoneypot
  8. Supplement: honeypot log management and investigation
     Several honeypots → logs aggregated via syslog → backed up locally → uploaded to Google Cloud Storage → inserted into Google BigQuery
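The slide above only shows the pipeline as boxes. The following added example (written for this page, not code from WOWHoneypot or the author's own tooling) shows the step between "aggregated via syslog" and "inserted into BigQuery": it parses classic RFC 3164 syslog lines as a collector writes them to disk and emits newline-delimited JSON that BigQuery can load. The sample lines, host names and program tag are constructed; the year has to be supplied because RFC 3164 timestamps do not carry one.

```python
import json
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Classic BSD-syslog (RFC 3164) line as a central collector writes it to a file:
#   "Nov 10 12:34:56 <host> <program>[<pid>]: <message>"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?:\s"
    r"(?P<msg>.*)$"
)

# Constructed sample lines (assumed format; not real honeypot output).
SAMPLE_LINES = [
    "Nov 10 12:34:56 hp01 wowhoneypot[1234]: 203.0.113.5 GET /index.php 200",
    "Nov 10 12:35:01 hp02 wowhoneypot[2345]: 198.51.100.7 POST /wp-login.php 200",
    "this line is not syslog at all",
]


def parse_syslog_line(line: str, year: int) -> Optional[Dict]:
    """Turn one syslog line into a flat record, or None if it does not parse.

    RFC 3164 timestamps have no year, so the caller supplies the year of the
    log file being processed.
    """
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = re.sub(r"\s+", " ", m.group("ts"))  # "Nov  3" -> "Nov 3"
    received = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return {
        "received_at": received.isoformat(),  # BigQuery DATETIME-compatible
        "sensor": m.group("host"),            # which honeypot forwarded the line
        "program": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),            # the honeypot's own log payload
    }


def records_from_lines(lines: List[str], year: int) -> Tuple[List[Dict], List[str]]:
    """Parse all lines; return (records, rejected_lines) so nothing is silently lost."""
    records, rejected = [], []
    for line in lines:
        rec = parse_syslog_line(line, year)
        (records if rec is not None else rejected).append(rec if rec is not None else line)
    return records, rejected


def to_ndjson(lines: List[str], year: int) -> Tuple[str, List[str]]:
    """Render records as newline-delimited JSON, one object per line."""
    records, rejected = records_from_lines(lines, year)
    text = "".join(json.dumps(r, ensure_ascii=False) + "\n" for r in records)
    return text, rejected


if __name__ == "__main__":
    ndjson, bad = to_ndjson(SAMPLE_LINES, 2018)
    print(ndjson, end="")
    print(f"rejected {len(bad)} line(s)")
```

The resulting file can be copied to a bucket with `gsutil cp` and loaded with `bq load --source_format=NEWLINE_DELIMITED_JSON`; keeping the rejected lines separately is what lets you notice when a honeypot changes its log format.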
  9. The CGI PHP vulnerability (Apache Magica)
     - An attack (RCE) against PHP running as CGI
     - CVE-[number]
     - A new attack technique was published and became widespread around [month/year]
     - Known as Apache Magica
     References:
     - Observed "Mahou Shoujo Apache Magica" attacks against CGI PHP: https://blog.tokumaru.org/2013/11/apache-magica-attack.html
     - Observations of Apache Magica attacks on CGI PHP: https://ozuma.hatenablog.jp/entry/20131103/1383413495
     - Honeypot observation log (12): https://www.morihi-soc.net/?p=114
     - Written in the comments of the PoC: https://www.exploit-db.com/exploits/29290/
  10. Bash (Shellshock)
     - A flaw in how Bash, one of the Linux shells, handles environment variables, allowing arbitrary code execution
     - Several CVEs, including CVE-2014-6271
     - Known as Shellshock
     References:
     - A collection of links related to the bash vulnerability (CVE-2014-6271) #ShellShock: http://d.hatena.ne.jp/Kango/20140925/1411612246
     - About the GNU bash vulnerability (the shellshock problem): http://www.nca.gr.jp/2014/shellshock/index.html
     - About the "Shellshock" vulnerability in bash: https://www.netagent.co.jp/study/blog/ganso/51996406.html
     ← It drew enough attention to be reported even on NHK news: "Browsing alone may infect you with a virus: serious flaw in '…'" http://www3.nhk.or.jp/news/html/20140927/k10014922101000.html (archived copy: https://megalodon.jp/2014-0927-2204-24/www3.nhk.or.jp/news/html/20140927/k10014922101000.html)
  11. Supplement: introducing WOWHoneypot, which "entertains" attackers
      Attacker ↔ WOWHoneypot, with every stage going to analysis:
      (1) Attacker: "Let's mess with this one." Sends a request whose HTTP header contains echo 2014 | md5sum.
      (2) WOWHoneypot: "Here is the result of your command, enjoy!" Returns "ad43fd99987a8f6a648abe05095bf52c" in the response. (Attacker: "Oh, command execution worked!")
      (3) Attacker: "Let's infect it with the bot." Downloads a file with wget and executes it. (Honeypot operator: "Looks like it is trying to run commands...")
      GitHub → https://github.com/morihisa/WOWHoneypot
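The exchange on this slide works because the bot checks command execution by comparing the response against what `echo 2014 | md5sum` would print, and the honeypot answers with exactly that. The following added example (written for this page; it is not WOWHoneypot's code and does not copy its logic) shows the honeypot side of that trick: it parses a raw HTTP request, flags the Shellshock function-definition marker for logging, extracts the `echo <value> | md5sum` probe, and builds a reply that mimics `md5sum` output. Rather than hard-coding the hash from the slide, it recomputes the digest, honouring the trailing newline that `echo` adds (and the `-n` flag that suppresses it). The sample request, host name and CGI path are constructed.

```python
import hashlib
import re
from typing import Dict, Optional, Tuple

# Shellshock (CVE-2014-6271 family) function-definition marker as it appears in
# HTTP headers. Used here purely as a detection signature for logging.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")

# The "echo <value> | md5sum" probe bots use to confirm that commands execute.
MD5_PROBE = re.compile(r"echo\s+(?P<flag>-n\s+)?(?P<value>[0-9A-Za-z]+)\s*\|\s*md5sum")

# Constructed sample request in the shape the slide describes (not a captured one).
SAMPLE_REQUEST = (
    "GET /cgi-bin/test.cgi HTTP/1.1\r\n"
    "Host: honeypot.example\r\n"
    'User-Agent: () { :; }; /bin/bash -c "echo 2014 | md5sum"\r\n'
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into (request line, {lower-case header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_shellshock(headers: Dict[str, str]) -> bool:
    """True if any header carries the Shellshock marker; worth tagging in the log."""
    return any(SHELLSHOCK_MARKER.search(v) for v in headers.values())


def find_md5_probe(headers: Dict[str, str]) -> Optional[Tuple[str, str, bool]]:
    """Return (header name, echoed value, newline suppressed) for the first probe found."""
    for name, value in headers.items():
        m = MD5_PROBE.search(value)
        if m:
            return name, m.group("value"), m.group("flag") is not None
    return None


def probe_digest(value: str, no_newline: bool = False) -> str:
    """Hex MD5 of what `echo <value>` feeds to md5sum: echo appends '\n' unless -n."""
    data = value.encode() if no_newline else (value + "\n").encode()
    return hashlib.md5(data).hexdigest()


def expected_md5sum_output(value: str, no_newline: bool = False) -> str:
    """Exactly what `echo <value> | md5sum` prints: '<hex>  -' plus a newline."""
    return probe_digest(value, no_newline) + "  -\n"


def build_response(raw_request: str) -> str:
    """Honeypot reply: echo the probe's expected output so the bot proceeds to its next stage."""
    _, headers = parse_request(raw_request)
    probe = find_md5_probe(headers)
    if probe is None:
        body, ctype = "<html><body>Welcome</body></html>\n", "text/html"
    else:
        _, value, no_newline = probe
        body, ctype = expected_md5sum_output(value, no_newline), "text/plain"
    return (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: {ctype}\r\n"
        f"Content-Length: {len(body.encode())}\r\n\r\n" + body
    )


if __name__ == "__main__":
    _, hdrs = parse_request(SAMPLE_REQUEST)
    print("shellshock marker:", is_shellshock(hdrs))
    print("probe:", find_md5_probe(hdrs))
    print(build_response(SAMPLE_REQUEST))
```

The reply is what makes stage (3) on the slide happen: the bot only fetches its payload after the digest matches, so a honeypot that answers correctly logs the download URL as well as the initial probe.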
  12. The WebLogic vulnerability
      - A flaw in the WLS Security handling of Oracle WebLogic Server (RCE)
      - CVE-2017-10271
      - The end of the year became quite an ordeal...
      References:
      - Alert regarding the Oracle WebLogic Server vulnerability (CVE-2017-10271): http://www.jpcert.or.jp/at/2018/at180004.html
      - Honeypot observation log (38): "Command execution attempts against WebLogic's WLS Security (CVE-2017-10271)": https://www.morihi-soc.net/?p=910
      - Techniques of the attackers targeting the WebLogic vulnerability (CVE-2017-10271): https://speakerdeck.com/morihi_soc/weblogic-falsecui-ruo-xing-cve-2017-10271-woju-ugong-ji-zhe-tatifalseshou-fa
      ← A tweet from December 24, 2017 sharing a not-at-all-welcome present from attackers: https://twitter.com/morihi_soc/status/945054924114599936
  13. Drupal (Drupalgeddon2)
      - A remotely exploitable code-execution vulnerability in Drupal, one of the CMSs
      - CVE-2018-7600, CVE-2018-7602
      - Called Drupalgeddon2 because its severity is high enough to recall the vulnerability from [year].
      References:
      - Verification report on Drupalgeddon2 (CVE-2018-7600): https://www.mbsd.jp/blog/20180420.html
      - Verification report on the Drupal vulnerability (CVE-2018-7602): https://www.mbsd.jp/blog/20180502.html
      - Observing Drupalgeddon2 with a honeypot: https://speakerdeck.com/morihi_soc/drupalgeddon2-wohanipotutodeguan-cha-sitemita
      Image source ↓ https://scanforsecurity.com/news/drupalgeddon-2-vulnerability-used-infect-servers-backdoors-coinminers.html
  14. Docker
      - When misconfigured, containers can be started remotely via the API (this is not a vulnerability)
      - Apparently this was one of the tricks planted in Hardening II Collective (held [year/month])
      - In [months] of [year] there were dozens of detections per day →
      References:
      - Attacks confirmed that abuse Docker container misconfiguration to spread cryptocurrency-mining malware: https://blog.trendmicro.co.jp/archives/19773
      - Well that Escalated Quickly! How Abusing Docker API Led to Remote Code Execution Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers: https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence.pdf
      - https://twitter.com/morihi_soc/status/1015530623279120384
  15. jQuery
      - A vulnerability that allows arbitrary file upload. It is also used in WordPress plugins and elsewhere, so the impact is wide.
      - CVE-[number]
      - Personally I had assumed for several years that this was already known to SOC analysts, WordPress administrators, web server administrators and honeypotters.
      In my own logs there are traces from [year/month/day].
      References:
      - Thousands of applications affected by a zero-day issue in jQuery File Upload plugin: https://securityaffairs.co/wordpress/77245/hacking/jquery-file-upload-plugin-0day.html
      - Having The Security Rug Pulled Out From Under You: https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html
  16. Summary
      - Collecting security information matters. For published attack information, though, it is better to assume that no "all clear" will ever be declared.
      - Operating a honeypot over the long term lets you grasp how attack trends change.
      - Both the vulnerabilities that made headlines and the ones that did not continue to be attacked.
      Old or new, keep collecting and using the vulnerability information that concerns you. And do consider a honeypot as one of your information-gathering options (said quietly).