WebLogic の脆弱性(CVE-2017-10271)を狙う攻撃者たちの手法

2018೥2݄24೔ ୈ3ճϋχʔϙολʔٕज़ަྲྀձൃදࢿྉ WebLogic ͷ੬ऑੑ(CVE-2017-10271)Λ ૂ͏߈ܸऀͨͪͷख๏ @morihi_soc

XIPBNJ w ৿ٱ࿨ত !NPSJIJ@TPD w ຊۀ͸ηΩϡϦςΟΤϯδχΞɾΞφϦετ w झຯͰϋχʔϙοτͷӡ༻Λ͢Δϋχʔϙολʔ w
ϒϩάˠIUUQXXXNPSJIJTPDOFU w ϋχʔϙολʔٕज़ަྲྀձओ࠵ऀ w άϧʔϓˠIUUQTIBOJQPUFDIDPOOQBTTDPN ˡϒϩάͷʮϋχʔϙοτ؍࡯ه࿥ʯ͕ ຊʹͳΓ·ͨ͠ ೥݄೔ൃച ిࢠॻ੶൛ແྉࢼಡ൛͋Γ·͢ ʮαΠόʔ߈ܸͷ଍੻Λ෼ੳ͢Δ ϋχʔϙοτ؍࡯ه࿥ʯ ஶऀɿ৿ٱ࿨ত ग़൛ɿल࿨γεςϜ ࠓ·Ͱʹ͓ੈ࿩ʹͳͬͨΠϕϯτ ɾ*5,FZT ݱ4FD$BQ ɾωοτϫʔΫύέοτΛಡΉձ Ծ ɾ/*4$αΠόʔϋϩ΢Οϯ ɾ*OUFSOFU8FFL ɾ)BSEFOJOH 7BMVF$IBJO༏উ ɾTTNKQ ɾ"*4FD ɾULULηΩϡϦςΟษڧձ

͓඼ॻ͖ w 8FC-PHJDͷ੬ऑੑ $7& ͱ͸ w ࠃ͝ͱͷ߈ܸݕ஌ճ਺ͷूܭ w ߈ܸස౓ͷ෼ੳ w
߈ܸର৅ͷௐࠪͱ߈ܸ w Ͳͷϙʔτ͕ૂΘΕͨͷ͔ w ߈ܸऀͷ؀ڥΛਪଌ͢Δ w ߈ܸࣄྫ঺հ w ·ͱΊ 3

8FC-PHJDͷ੬ऑੑ $7& ͱ͸ w +7/J1FEJBΑΓ l0SBDMF'VTJPO.JEEMFXBSFͷ0SBDMF8FC-PHJD 4FSWFSʹ͸ɺ8-44FDVSJUZʹؔ͢Δॲཧʹෆඋ͕͋ ΔͨΊɺػີੑɺ׬શੑɺ͓ΑͼՄ༻ੑʹӨڹͷ͋Δ੬ ऑੑ͕ଘࡏ͠·͢ɻl lϦϞʔτͷ߈ܸऀʹΑΓɺ৘ใΛऔಘ͞ΕΔɺ৘ใΛվ
͟Μ͞ΕΔɺ͓ΑͼαʔϏεӡ༻๦֐ %P4 ߈ܸ͕ߦΘ ΕΔՄೳੑ͕͋Γ·͢ɻl 4 JVNDB-2017-008734 Oracle Fusion Middleware ͷ Oracle WebLogic Server ʹ͓͚Δ WLS Security ʹؔ͢Δ੬ऑੑ http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-008734.html →ϦϞʔτ͔Β೚ҙͷίʔυΛ࣮ߦ(RCE)Մೳͳ ެ։͞Εͨ߈ܸπʔϧ͕ެ։͞Εͨ

߈ܸϦΫΤεταϯϓϧ 5

λΠϜϥΠϯ w ೥݄ɿ0SBDMF͔Βमਖ਼ϓϩάϥϜ͕ެ։ w ೥݄Լ०ɿ߈ܸίʔυ͕ެ։ w ೥݄೔ɿϋχʔϙοτͰ߈ܸΛݕ஌ w ೥݄೔ɿϒϩάهࣄެ։ w
೥݄೔࣌఺ɿ߈ܸܧଓதʜ 6 ϋχʔϙοτ؍࡯ه࿥(38)ʮWebLogic ͷ WLS Security ʹର͢ΔίϚϯυ࣮ߦͷࢼΈ(CVE-2017-10271)ʯ http://www.morihi-soc.net/?p=910

ϋχʔϙολʔͷ೰Έ ϩάެ։ج४ w ͳ݄ͥ೔࣌఺Ͱ͸πΠʔτͷΈ 7 w ໌֬ʹ߈ܸίʔυ͕ެ։͞Ε͍ͯΔͱ͍͏৘ใ͕ ಘΒΕͳ͔ͬͨɻϩάΛެ։͢Δ͜ͱͰɺ໛฿͠ ͨ߈ܸʹΑΔೋ࣍ඃ֐ͷ๷ࢭΛ༏ઌɻ w
߈ܸΛݕ஌͍ͯ͠Δࣄ࣮͸఻͔͑ͨͬͨɻ w ͦͷޙɺ(JU)VC౳Ͱ߈ܸπʔϧ͕ެ։͞Ε͍ͯΔ ͜ͱΛ֬ೝɻϒϩάެ։ʹࢸΔɻ w ߈ܸϩάΛެ։͢Δ͜ͱͰɺύονద༻ͷۓٸੑɺ ͓Αͼ߈ܸੑͷߴ͞Λ఻͔͑ͨͬͨɻ

ηΩϡϦςΟͷ৘ใڞ༗͸೉͍͠ w ηΩϡϦςΟͷ৘ใڞ༗ͱ͍͑͹ɺ*1"΍+1$&35 $$ɺηΩϡϦςΟϕϯμʔΛ͸͡ΊɺॏཁΠϯϑϥ Ͱ͋Ε͹/*4$ͷηϓλʔɺ*1"ͷαΠόʔ৘ใڞ ༗ΠχγΞςΟϒ +$4*1 ͳͲɺଟ਺ଘࡏ͢Δɻ w ͨͩ͠߈ܸͷ࣮ମ͕Ұൠެ։͞ΕΔ͜ͱ͸كɻ
w ߈ܸऀ͸Ξϯμʔάϥ΢ϯυͳͱ͜ΖͰɺ߈ܸ৘ใ Λڞ༗͍ͯ͠Δʹ΋ؔΘΒͣɺηΩϡϦςΟʹܞΘ Δਓͨͪͷ৘ใڞ༗ʹ͸λΠϜϥά͕͋Δɻ 8 ˠϋχʔϙοτͩͱ৘ใެ։͠΍͍͢ͷͰɺ  ݸਓతͳ׆ಈͱͯ͠ϒϩάΛॻ͍͍ͯ·͢ɻ

ࢀߟ ੬ऑੑ৘ใ͓͍ͬͯ͘Β w ࠓճͷ੬ऑੑ৘ใ ߈ܸίʔυ ͷ஋ஈ͸ɾɾɾ 9 Oracle WebLogic Server
10.3.6.0.0/12.1.3.0.0/12.2.1.1.0/12.2.1.2.0 WLS Security unknown vulnerability https://vuldb.com/?id.108063 →0day ͷؒ͸ɺ໿1100ສԁ-5300ສԁͩͬͨ

ࠃ͝ͱͷ߈ܸݕ஌ճ਺ͷूܭ w ੈք֤஍͔Β߈ܸͷϩά͕࢒͍ͬͯͨɻ 10 352 தࠃ 331 ΞΠϧϥϯυ 324 ΞϝϦΧ߹ऺࠃ
168 ηΠγΣϧ 100 Χβϑελϯڞ࿨ࠃ 89 ೔ຊ 53 Χφμ 47 ߳ߓ 46 ΢ΫϥΠφڞ࿨ࠃ 44 υΠπ࿈๜ڞ࿨ࠃ 24 ϋϯΨϦʔڞ࿨ࠃ 20 γϯΨϙʔϧ 12 ίϩϯϏΞڞ࿨ࠃ 11 ΢ϧάΞΠڞ࿨ࠃ 3 େؖຽࠃ 3 ϒϧΨϦΞڞ࿨ࠃ 2 ϧʔϚχΞ 2 ΦϥϯμԦࠃ 1 ϩγΞ 1 ε΢ΣʔσϯԦࠃ ࢖༻ͨ͠ GeoIP σʔλϕʔε(GeoLite2 Country: 2018೥2݄ʹμ΢ϯϩʔυͨ͠ϑΝΠϧΛར༻) https://dev.maxmind.com/ja/geolite2/

0 20 40 60 80 100 120 140 160 180
2017/12/24 2017/12/25 2017/12/26 2017/12/27 2017/12/28 2017/12/29 2017/12/30 2017/12/31 2018/1/1 2018/1/2 2018/1/3 2018/1/4 2018/1/5 2018/1/6 2018/1/7 2018/1/8 2018/1/9 2018/1/10 2018/1/11 2018/1/12 2018/1/13 2018/1/14 2018/1/15 2018/1/16 2018/1/17 2018/1/18 2018/1/19 2018/1/20 2018/1/21 2018/1/22 2018/1/23 2018/1/24 2018/1/25 2018/1/26 2018/1/27 2018/1/28 2018/1/29 2018/1/30 2018/1/31 2018/2/1 2018/2/2 2018/2/3 2018/2/4 2018/2/5 2018/2/6 2018/2/7 2018/2/8 2018/2/9 2018/2/10 2018/2/11 2018/2/12 2018/2/13 2018/2/14 2018/2/15 2018/2/16 2018/2/17 WebLogic (2017 12 24 -2018 2 17 ) ߈ܸස౓Λ෼ੳ w ϋχʔϙοτͰݕ஌ͨ͠߈ܸΛ೔͝ͱʹूܭ w 8FC-PHJDͷௐࠪͱ߈ܸͷ྆ํΛؚΉ 11 156݅ͷ߈ܸ/೔͕࠷ଟ શମͰ1,633݅

߈ܸର৅ͷௐࠪͱ߈ܸ w ߈ܸπʔϧʹΑͬͯ͸ɺ߈ܸର৅Ͱ8FC-PHJD͕  ಈ࡞͍ͯ͠Δ͔ௐࠪ͢Δ৔߹͕͋Γ·͢ɻ 12 ᶄWebLogic ͷِ૷Ԡ౴ ᶃGET/HEAD ϦΫΤετ WebLogic
ͷՔಇঢ়گͷௐࠪ ᶅPOST ϦΫΤετ ੬ऑੑΛૂͬͨ߈ܸ ߈ܸऀ WOWHoneypot

߈ܸର৅ͷௐࠪͱ߈ܸ w ϦΫΤετຖʹूܭ w ਪଌ w (&5ϝιου͸ɺίϯςϯπ಺༰Λௐࠪ w )&"%ϝιου͸ɺ4FSWFSϔομΛௐࠪ w
1045ϝιου͸ɺର৅ͷ؀ڥʹؔ܎ͳ͘߈ܸ 13 ϝιουͷछྨ ߈ܸݕ஌݅਺ (&5 )&"% 1045

Ͳͷϙʔτ͕ૂΘΕͨͷ͔ w ߈ܸऀ͸ɺ߈ܸର৅ͷ؀ڥΛඞͣ͠΋ߟྀ͍ͯ͠ͳ ͍ɻແࠩผʹ߈ܸ͍ͯ͠ΔՄೳੑ͕ߴ͍ɻ w 8FC-PHJDͷ؅ཧ༻ϙʔτͱͦΕҎ֎ͷϙʔτ΋  ߈ܸ͕͖͍ͯͨͷ͔ 14 Oracle®
Fusion Middleware Oracle Fusion Middlewareͷ؅ཧ 12c (12.1.2) https://docs.oracle.com/cd/E50629_01/core/ASADM/portnums.htm#CHDIACEF ※WebLogic ͷ؅ཧ༻ϙʔτͷ෦෼ʹ੺Լઢ

Ͳͷϙʔτ͕ૂΘΕͨͷ͔ w ߈ܸର৅ͷϙʔτ൪߸Λूܭͨ͠ͱ͜Ζɺ߈ܸͷ  େଟ਺͸൪ϙʔτͩͬͨɻ w 8FC-PHJDͷඪ४؅ཧ༻ϙʔτΛूதతʹ߈ܸͯ͠ ͍ͨ͜ͱ͕Θ͔ͬͨɻ߈ܸπʔϧ͕)5514ʹରԠ ͓ͯ͠Βͣɺ݅਺͕গͳ͍Մೳੑ͕͋Δɻ 15
ϙʔτ൪߸ ߈ܸݕ஌݅਺ ͦͷଞ ※Host ϔομʹه࿥͞Ε͍ͯͳ͍΋ͷ͸ूܭ͔Βআ֎

߈ܸऀͷ؀ڥΛਪଌ͢Δ w ߈ܸϦΫΤετͷ6TFS"HFOUΛूܭͯ͠Έͨɻ w ໌Β͔ʹෆ৹ͳ΋ͷͱɺ௨ৗൃੜ͠͏Δ΋ͷ͕ࠞࡏɻ 16 6TFS"HFOU ݅਺ .P[JMMB 8JOEPXT/5
"QQMF8FC,JU ,)5.- MJLF(FDLP $ISPNF4BGBSJ .P[JMMB 8JOEPXT/58JOYSW (FDLP'JSFGPY .FNFT .P[JMMB QZUIPOSFRVFTUT .P[JMMB .BDJOUPTI*OUFM.BD049@@ "QQMF8FC,JU ,)5.- MJLF(FDLP $ISPNF4BGBSJ QZUIPOSFRVFTUT .P[JMMB 8JOEPXT/5808 "QQMF8FC,JU ,)5.- MJLF(FDLP $ISPNF4BGBSJ$PSF 22#SPXTFS .P[JMMB DPNQBUJCMF#BJEVTQJEFS IUUQXXXCBJEVDPNTFBSDITQJEFSIUNM .P[JMMB 8JOEPXT/5SW (FDLP'JSFGPY .P[JMMB 8JOEPXT/5 "QQMF8FC,JU ,)5.- MJLF(FDLP $ISPNF4BGBSJ .P[JMMB DPNQBUJCMF.4*&8JOEPXT/58085SJEFOU .P[JMMB 8JOEPXT/5808SW (FDLP'JSFGPY ͦͷଞ → → → →

߈ܸऀͷ؀ڥΛਪଌ͢Δ w ߈ܸͷ1045σʔλ෦෼ΛΑ͘ݟΔͱɺ+BWBͷ  όʔδϣϯ͕ࢦఆ͞Ε͍ͯΔ͜ͱ͕෼͔Δɻ w ߈ܸπʔϧʹґଘ͢Δ͕ɺ߈ܸऀ͕࢖ͬͨ߈ܸ  πʔϧͷಛఆ΍+BWBͷόʔδϣϯ͕೺ѲͰ͖Δ͔΋ɻ w ඞͣೖΔΘ͚Ͱ͸ͳ͍఺ʹ஫ҙɻ 17

߈ܸऀͷ؀ڥΛਪଌ͢Δ w ͪΐͬͱݹ͍͕ɺ+%,ܥͷόʔδϣϯ͕ଟ͍ɻ w ߈ܸπʔϧʹϋʔυίʔυ͞Ε͍ͯΔՄೳੑ΋͋Γɻ 18 +BWBόʔδϣϯ ݅਺ @
@ @ Java™ SE Development Kit 8, Update 151 (JDK 8u151) October 17, 2017 http://www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html ←2017೥10݄ʹެ։ ͞Εͨόʔδϣϯ w 8FC-PHJDͷ੬ऑੑ৘ใ͸೥݄ʹެ։͞Ε  ͍ͯͯɺπʔϧ͕࡞੒͞Εͨ࣌ظͱҰக͢Δɻ

౰೔ࢀՃऀͷΈʹެ։ 19 ࡟আ

߈ܸࣄྫ঺հ w 1045ͷσʔλ෦෼ͷΈΛநग़ͨ͠ͱ͜Ζɺશ෦Ͱ छྨͷ߈ܸύλʔϯ͕͋Γ·ͨ͠ɻ w ͦͷத͔Βಛ௃తͳ߈ܸΛϐοΫΞοϓͯ͠঺հ͠ ·͢ɻ w ߈ܸπʔϧ͕ެ։͞Ε͓ͯΓɺϋχʔϙοτͰݕ஌ ͨ͜͠ͱ͕͋ΔͨΊɺҰൠͷެ։αʔόʹରͯ͠΋
ಉ༷ͷ߈ܸΛड͚͍ͯΔՄೳੑ͕͋Γ·͢ɻ 20

߈ܸϦΫΤετ w -JOVY؀ڥΛૂͬͨ߈ܸɻ w XHFUίϚϯυΛ࣮ߦ͠ɺKJCBϑΝΠϧͷμ΢ϯ ϩʔυΛࢼΈ͍ͯΔɻ 21

߈ܸϦΫΤετ w ߈ܸϦΫΤετͷଓ͖ɻ w DINPEίϚϯυͰ࣮ߦݖݶΛ෇༩ͨ͠ͷͪɺ  ϑΝΠϧͷ࣮ߦΛࢼΈ͍ͯΔɻ 22

μ΢ϯϩʔυ͞ΕͨϑΝΠϧ w 7JSVT5PUBMͷ݁Ռ͔ΒɺԾ૝௨՟ΛϚΠχϯά͢Δ ϓϩάϥϜͱݟड͚ΒΕΔɻ w 4)"BE⒎EEDFFDFCBGBCGEF⒎CGCFFECEGCB 23

߈ܸϦΫΤετ w +BWBͷ1SJOU8SJUFSΫϥεΛར༻ͨ͠ɺ8FC4IFMM ࡞੒ͷࢼΈɻ w KTQܗࣜͰɺΫΤϦύϥϝʔλʹ04ίϚϯυΛࢦ ఆ࣮ͯ͠ߦ͢Δ͜ͱ͕Ͱ͖ΔػೳΛ࣋ͭɻ 24

߈ܸϦΫΤετ w 8JOEPXT؀ڥΛૂͬͨ߈ܸɻ w DNEFYFͰɺ߈ܸऀ͕༻ҙͨ͠*1ΞυϨεʹ  ରͯ͠QJOHίϚϯυΛ࣮ߦ͍ͯ͠Δ DBMMCBDL ɻ w ߈ܸऀ͕DBMMCBDLͷ༗ແΛௐ΂Ε͹ɺ੬ऑͳαʔ
όͷଘࡏΛ஌Δ͜ͱ͕Ͱ͖Δɻ 25

߈ܸϦΫΤετ w +BWBͷOFU63-ΫϥεͰɺ߈ܸऀ͕༻ҙͨ͠*1 ΞυϨεʹରͯ͠)551ϦΫΤετΛൃੜͤ͞Δ DBMMCBDL ɻ w HPPEύϥϝʔλʹ߈ܸର৅ͷάϩʔόϧ*1ΞυϨ εΛࢦఆ͍ͯͨͨ͠Ίɺ߈ܸऀ͕ΞΫηεϩάΛݟ Δͱ੬ऑͳαʔόͷଘࡏΛ֬ೝͰ͖Δɻ
26

߈ܸϦΫΤετ w ߈ܸϦΫΤετͷଓ͖ɻ1ZUIPOͷVSMMJCΛར༻͠ ͯ߈ܸऀ͕༻ҙͨ͠*1ΞυϨεʹରͯ͠)551Ϧ ΫΤετΛൃੜͤ͞Δ DBMMCBDL ɻ 27

߈ܸϦΫΤετ w ߈ܸϦΫΤετͷଓ͖ɻ1PXFSTIFMMͷXFCDMJFOU Λར༻ͯ͠߈ܸऀ͕༻ҙͨ͠*1ΞυϨεʹରͯ͠ )551ϦΫΤετΛൃੜͤ͞Δ DBMMCBDL ɻ 28

߈ܸϦΫΤετ w 8JOEPXT؀ڥΛૂͬͨ߈ܸɻ w 1PXFSTIFMMͷXFCDMJFOUΛར༻ͯ͠ɺϑΝΠϧΛ μ΢ϯϩʔυ͓Αͼ࣮ߦͤ͞Α͏ͱ͍ͯ͠Δɻ 29 SHA256: e080ee13da7371d1cbed9825540c19e94d8b2874adbe4c2d19c4d31a00c56ff8

߈ܸϦΫΤετ w -JOVY؀ڥΛૂͬͨ߈ܸɻ w DVSMίϚϯυͰɺQBTUFCJO͔ΒεΫϦϓτϑΝΠ ϧΛμ΢ϯϩʔυ͓Αͼ࣮ߦΛࢼΈΔɻ 30

QBTUFCJO͔Βμ΢ϯϩʔυ͢ΔϑΝΠϧ w CBTIͷεΫϦϓτϑΝΠϧɻ w 3FE)BUܥͷ04Λର৅ʹ͓ͯ͠ΓɺZVNίϚϯ υͰෳ਺ͷπʔϧΛΠϯετʔϧޙɺDQVNJOFSΛ  μ΢ϯϩʔυɺίϯύΠϧɺ࣮ߦ͍ͯ͠Δɻ w Ծ૝௨՟ͷ.POFSPΛϚΠχϯά͍ͯ͠ΔΑ͏ͩɻ 31

߈ܸϦΫΤετ w 8JOEPXT؀ڥΛૂͬͨ߈ܸ w 1PXFSTIFMMͰ%PXOMPBE4USJOHΛ࢖͍CBUϑΝΠ ϧΛμ΢ϯϩʔυɾ࣮ߦΛࢼΈΔɻ w ϩάൃݟ࣌ʹɺ͢ͰʹCBU͸μ΢ϯϩʔυͰ͖ͣɻ 32

߈ܸϦΫΤετ w 8JOEPXT؀ڥΛૂͬͨ߈ܸ w CBUϑΝΠϧΛ࡞੒࣮ͯ͠ߦ͠Α͏ͱ͍ͯ͠Δɻ w GUQʹΞΫηε͢ΔͨΊͷΞΧ΢ϯτ໊ɾύεϫʔ υؚ͕·Ε͓ͯΓɺϑΝΠϧͷऔಘɾௐࠪ͸ෆՄɻ 33

࡞੒͞ΕΔCBUϑΝΠϧ w Λվߦʹஔ׵ͯ͠ՄಡੑΛ্͛ͨ΋ͷɻ w '51αʔό͔ΒɺY[FYFΛμ΢ϯϩʔυ͢Δɻ w Y[FYFΛ࣮ߦͨ͠ޙɺ͢΂ͯͷϑΝΠϧΛ࡟আ͢Δɻ 34

߈ܸϦΫΤετ w -JOVY؀ڥΛૂͬͨ߈ܸɻ w QZUIPOΛ࢖ͬͯ߈ܸऀͷ༻ҙͨ͠αʔό΁ίωΫ τόοΫ͢Δίʔυؚ͕·Ε͍ͯΔɻ w QZUIPO΁ͷύε͕௨͍ͬͯΕ͹ɺDNEFYFܦ༝Ͱ 8JOEPXT؀ڥ΋߈ܸͰ͖Δͱߟ͑ΒΕΔɻ 35

߈ܸϦΫΤετ w 8JOEPXT؀ڥΛૂͬͨ߈ܸ w CJUTBENJOίϚϯυΛ࢖ͬͯϑΝΠϧΛμ΢ϯϩʔ υ͢Δɻ w μ΢ϯϩʔυͨ͠ϑΝΠϧͷ࣮ߦ͸ผͷϦΫΤετɻ 36

߈ܸϦΫΤετ w ߈ܸϦΫΤετͷ௥ܸɻ w TUBSUίϚϯυͰμ΢ϯϩʔυ͓͍ͯͨ͠ϑΝΠϧΛ ࣮ߦ͢Δ͚ͩɻܺΛੜ͡͵ೋஈߏ͑ w ϩάൃݟ࣌ʹɺEJTDV[FYF͸μ΢ϯϩʔυͰ͖ͣɻ 37

߈ܸϦΫΤετ w 8JOEPXT؀ڥΛૂͬͨ߈ܸ w FYQMPSFSίϚϯυͰ8FCϖʔδΛ։͘ɻ w DOIWDP͸ɺϒϥ΢βϚΠχϯάʹؔ͢ΔυϝΠϯ ͰɺΞΫηε͍ͯ͠ΔϑΝΠϧʹ͸+BWB4DSJQU͕ ؚ·Ε͍ͯͨɻ 38

উखʹ։͔ΕΔ8FCϖʔδͷιʔε Ұ෦ 39

߈ܸϦΫΤετ w 8JOEPXT؀ڥΛૂͬͨ߈ܸ w DFSUVUJMίϚϯυͰϑΝΠϧΛμ΢ϯϩʔυ͢Δɻ w อଘ͢ΔϑΝΠϧͷ֦ுࢠ͸ʮWCTʯ w ϩάൃݟ࣌ʹɺVQUYU͸μ΢ϯϩʔυͰ͖ͣɻ 40

߈ܸϦΫΤετ w ߈ܸϦΫΤετͷ௥ܸ w DTDSJQUίϚϯυͰɺμ΢ϯϩʔυͨ͠εΫϦϓτ ϑΝΠϧΛ࣮ߦ͢Δ͚ͩɻ w ߈ܸϦΫΤετ͸ඇৗʹ௝͍͠૊Έ߹Θͤɻ 41 (certutil
ࢀߟ)๷Ӵؔ࿈ͷϑΝΠϧΛ૷͏ϚΫϩϚϧ΢ΣΞͷ৽͍͠खޱ  (ϚΫχΧωοτϫʔΫε ηΩϡϦςΟݚڀηϯλʔϒϩά) http://blog.macnica.net/blog/2017/12/post-8c22.html

߈ܸϦΫΤετ w -JOVY؀ڥΛૂͬͨ߈ܸɻ w DVSMίϚϯυͰɺIUUQTͰγΣϧεΫϦϓτΛμ΢ ϯϩʔυ͠ɺ࣮ߦ͠Α͏ͱ͍ͯ͠Δɻ w ߈ܸऀͷૂ͍͕ɺ͔ͳΓΤά͍ɻ 42

USBOTGFSTIͷத਎ 43 linuxsyn→DoS πʔϧ minerd→ϚΠχϯάπʔϧ crontab ΁ొ࿥ͯ͠ɺ  ఆظతʹ࣮ߦ ߈ܸऀͷ ssh
ͷ伴ొ࿥ ෆਖ਼ૢ࡞ͷࠟ੻ͷফڈ

߈ܸ͕੒ޭ͢Δͱ w %P4πʔϧͷར༻ʹΑΓɺωοτϫʔΫϦιʔεΛ  ࢖͍௵͞ΕΔՄೳੑ͕ߴ͍ɻ w ϚΠχϯάπʔϧͷར༻ʹΑΓɺ$16ϦιʔεΛ࢖ ͍௵͞ΕΔՄೳੑ͕ߴ͍ɻ w ఆظతʹ࣮ߦ͞Εɺͳ͓͔ͭ44)ʹΑΔϦϞʔτ ϩάΠϯ΋ڐͯ͠͠·͏ɻ͔͠΋ࠟ੻͸ফ͞ΕΔɻ
w ৵ೖ͞Ε͕ͨ࠷ޙɺࠎͷ਷·Ͱ͠ΌͿΓͭ͘͞ΕΔ 44

·ͱΊ w 0SBDMF8FC-PHJDͷ੬ऑੑ $7& ʹ ͍ͭͯ঺հ͠·ͨ͠ɻ w ೥݄຤͔Β೥݄·ͰͷϩάΛ෼ੳ͠ ͨ݁Ռɺແࠩผʹ߈ܸ͍ͯ͠Δͱߟ͑ΒΕΔ௨৴͕ େଟ਺Ͱͨ͠ɻ
w ੬ऑੑ৘ใͱ߈ܸπʔϧͷ࡞੒࣌ظΛਪଌ͢Δͱɺ ೥݄຤ΑΓલʹ߈ܸ͞Ε͍ͯͨՄೳੑ༗ɻ w ੬ऑͳ؀ڥͩͬͨ৔߹ɺ$16Ϧιʔε΍ωοτϫʔ ΫϦιʔεͷෆਖ਼࢖༻͚ͩͰͳ͘ɺෆਖ਼ϩάΠϯͳ Ͳ༷ʑͳӨڹΛड͚ΔՄೳੑ͕ߴ͍ɻ w ࠓճ঺հͨ͠߈ܸϩά͸શମͷׂʹ΋ຬͨͳ͍ɻ 45

*P$ 01ebeaf06f5a2fcbf14025a8e683293d cat.php 036b34853622f38c285babf1a8670b62 svchosx.exe 0a6f3934f53966e2bdd4721ba512bd1c weblogic.hta 0b156ec492ea45d282cf823415ecaf12 IPsecSrv.dll 0d91bd78bfb6eab168ebb697bd5d31a4
transfer-etn.sh 26198be2276b9d7a4cbf4dad4155995d kworker.sh 2874b491c166d3b3949b2f94182e1759 svvchost.exe 38535ff9e16902305e3d938a5f429879 mssql.exe 3acdb039179e120da05aa2c53542f944 paSmuRYy 3af4c8196fbb3ae1744291bfdeaa6f98 pool.zip 3fb41234895102be5c439132f85c0ef9 payload.py 5aeb79a353888fd552dc7cc129e696a6 dada.x86_64 5c53d65c44e5e7c05c743811487eecdb x32.exe 5ff51056a25c8b9a20842ea9d05c0495 minerd 8327245a8feb3290de39df5ceefd58bf start_xmr.ps1 8c8a30372e4fdba50cb2e6ffdb5af883 mssql.exe 929c9eeff262e198fd29f8c75edfc5fd xrun.exe 9ad4bd564978c1b5a8540b6b6f021bdb x64.exe 9cde0af2caa9fab7cb042487dfd9ab08 eblue.exe 9f0d6dce1e043858f3d239b101d0b19d 7001.exe a2ac17c2bb6148b7e22c610964e398d2 rZhqDVLP a2ce07681d158a13557928457c950ebe ex32.exe a4f2b45c832257b5fd662b9eee2f82f1 linuxsyn b29e0910573f96d8447801814dd2b73e xrun-etn.exe b6657f348f5915ae6052e5f9c56343e8 loveby.exe b8a107d8b0f1e582c86a6def628ab1f3 jiba bf4ba4b0450a5a436a9ec9dc4b504d72 kefarbo.exe c357a4ad84dd7c3d4de5f7ab3942a121 minerxmr.exe c97b69f1bbf36ca94aaa664ea78e16dc pri.sh d5aa5b2a023893460b9ef2584d0fa7a8 niao.exe dbdac5198ffde5c15710176cbd79095c transfer.sh df980ebae2a9a83409a3ccd03a5e3603 cross.exe f50298bbe7226587bd641410849174df cloud fdac6a6d0c98e45c3b93d478cd4d0042 18r4m 46 ෆ৹ͳϑΝΠϧͷϋογϡ஋ɾϑΝΠϧ໊ 107.181.174.248 111.67.198.104 111.67.198.246 112.30.132.138:2323 120.132.17.180:66 123.249.24.175:8088 132.148.150.15:8080 133.242.163.81:4444 137.59.18.173 18.217.195.175:132 182.18.8.69:8088 185.216.117.85:11152 185.227.152.132:2124 190.60.206.11 190.60.206.11:8443 199.188.104.73:32135 199.188.104.75:32135 204.152.209.251:2114 204.152.209.251:21145 204.152.209.251:221 205.209.177.18 221.9.251.236 222.184.79.11:5317 222.184.79.11:5318 222.184.79.11:5319 222.184.79.11:5320 222.184.79.11:5329 222.186.150.175:8080 222.186.150.175:81 223.68.209.7:65510 27.148.157.89:8899 35.189.171.208:55555 43.226.35.42:2323 46.4.26.204 58.218.201.20:8088 67.218.135.178 80.82.70.234:6969 97.64.19.115 bbc.servehalﬂife.com cnhv.co get.fu2k.net:66 ipfs.fu2k.net qwer.world usa.neozju.com www.kangnajiang.top:132 ϑΝΠϧμ΢ϯϩʔυݩɾcallback ͷ௨৴ઌ ※ίϩϯ(:)Ҏ߱͸ϙʔτ൪߸

*P$ w ߈ܸऀͷ44)ͷެ։ݤ ˞SPPUϢʔβͷTTIBVUIPSJ[FE@LFZTϑΝΠϧ΁௥ه ΛࢼΈ͍ͯ·ͨ͠ɻ w 1BTUFCJOͷϑΝΠϧ IUUQˠI99Q IUUQTˠI99QT
w I99QQBTUFCJODPNSBXS;IR%7-1 w I99QTQBTUFCJODPNSBXQB4NV3:Z 47 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV1VxPVZFUOOWZwMFVBwP/904lhAZNj2U5DPsZyIWw33jHeFRElM++XnUYmkMDiu 8KuJXnFDJMkyXxsq77fOpDhVGOoexll3+P6SmZWViWwnhOgvxhccgT72J+LPZEIwPqPZQVHR4ksdVSnMVreyZs+rQ7O+L2xychpqze Irk4Q/08f5XreOnq4Rgxp9oKwSlf7vKmQ7tUWUxfMHHL1wQYZPmdKpgSi/JmokLpp5cKAT7r0gGOj1jV8ZAJc+z45Ts2JBH9JYscHB ssh7MBWWymcjXANd9a6XaQnbnl6nOFFNyYm8dBuLkGpEUNCdMq/jc5YLfnAnbGVbBMhuWzaWUp root@host-10-10-10-26

)BQQZ)POFZQPU 48 ←ϔϦΞϯϑΥϥͷ஥ؒ(৯஬২෺) 2017೥10݄27೔ ເͷౡ ೤ଳ২෺ؗͰࡱӨ ೆΞϝϦΧͷΪΞφߴ஍ʹ͚ͩੜଉ͢Δɻ ͓͠·͍

WebLogic の脆弱性(CVE-2017-10271)を狙う攻撃者たちの手法

WebLogic の脆弱性(CVE-2017-10271)を狙う攻撃者たちの手法

More Decks by Kazuaki Morihisa

Other Decks in Technology

Featured

Transcript