Ksecurity Advisory
(Korea security group)
Security problems in Korean bulletin boards and how to fix them
(CGI security, Perl security, PHP security)
- written by Ksecurity team
ksecurity@iland.co.kr
http://ksecurity.iland.co.kr
2001/01/16
---[ Introduction ]---
Our team has been auditing the security of Korean (domestic) bulletin board
programs for several months. In the process we tried several times to contact
the developers of these boards, but apart from a few, most showed no interest.
Security is the area that most domestic developers tend to overlook, and
bulletin boards need extra care because attacks through their bugs are very easy.
When an attack comes through a bulletin board, even an installed firewall is
likely to be useless.
Many important domestic institutions and companies use bulletin boards that
were published in Korea, and a large share of recent security problems is
caused precisely by these vulnerable domestic boards.
We believe the best solution is for developers to write their programs with
security in mind and to patch them steadily.
This brief article is written for the security of domestic bulletin boards.
(Much of the theory has been omitted.)
---[ Main text ]--- "Security weaknesses of Korean bulletin boards and how to prevent them"
1. Upload vulnerability
- intro
Where the board runs together with PHP, the upload vulnerability is a problem
common to domestic bulletin boards.
Last May, 'How apache.org was defaced', which exploited this vulnerability,
was published, and it appears to be widely abused in Korea recently.
If PHP is also running on the web server, pay attention to this.
- in a case
A .php or .ph file is uploaded, the attacker obtains nobody privileges and
penetrates the system through a bindshell. Since the apache site was hacked,
this technique has been used a lot by domestic crackers and black hats.
- solution, patch
In PHP 4.x and later functions such as passthru have been removed, but most
domestic boards currently have a weakness similar to the above.
A good solution is the method proposed by Kim Jeong-gyun (김정균), the
developer of JSBoard: prevent uploads of files whose extension is php, php3,
ph, ph. and the like, and additionally use strong authentication in Apache.
(On Linux this includes php. and php3.)
http://jsboard.kldp.org/bbs/read.php?table=bbs_notice&no=60
http://jsboard.kldp.org/bbs/read.php?table=bbs_notice&no=62
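As an added example (not code from the advisory or from JSBoard), the following PHP checks an upload name against an allowlist of extensions instead of a deny list of php/ph variants; the attachment directory is an assumption, and every extension component is checked because Apache's mod_mime considers all of a file's extensions, so a name like shell.php.jpg would otherwise still run as PHP under the AddType line shown in section 2.

```php
<?php
// Added example, not from the advisory or JSBoard. Checks an uploaded file
// name with an allowlist of extensions before storing it. UPLOAD_DIR is an
// assumption; it must be a directory the web server will not execute from.
declare(strict_types=1);
const UPLOAD_DIR  = '/var/www/board/files';
const ALLOWED_EXT = ['jpg', 'jpeg', 'gif', 'png', 'txt', 'zip'];

// Returns a server-chosen file name to store the upload under, or null if
// the upload must be rejected. Every extension component is checked, because
// Apache's mod_mime looks at all of a file's extensions: with a handler for
// .php, a name like "shell.php.jpg" can still be executed as PHP.
function safe_upload_name(string $clientName): ?string
{
    $base = basename(str_replace('\\', '/', $clientName));   // drop any path
    if ($base === '' || strpos($base, "\0") !== false) {
        return null;
    }
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return null;                                         // no extension
    }
    array_shift($parts);                                     // discard the name part
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_EXT, true)) {
            return null;        // php, php3, ph, "ph." (empty part) or anything unknown
        }
    }
    // Random name chosen by the server; only the final, allowed extension is kept.
    return bin2hex(random_bytes(8)) . '.' . strtolower(end($parts));
}

// Moves a validated upload from $_FILES into UPLOAD_DIR; returns the path or null.
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = safe_upload_name((string) ($file['name'] ?? ''));
    if ($name === null) {
        return null;
    }
    $dest = UPLOAD_DIR . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed names to try: a plain image, a double extension, a bare .php.
foreach (['photo.jpg', 'shell.php.jpg', 'shell.php', 'notes.txt'] as $n) {
    printf("%-14s => %s\n", $n, safe_upload_name($n) ?? 'rejected');
}
```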
2. Exposure of setup files (DB password and other settings)
- intro
Configuration files such as .ph and .inc can be exposed.
- in a case
The ph and inc files can be fetched directly through a URL.
- solution, patch
Adding the following line to Apache's httpd.conf makes the server run these
files through PHP instead of serving their source, which fixes the exposure:
    AddType application/x-httpd-php .php .php3 .ph .inc
Alternatively, name the files .ph.php, .inc.php and so on.
3. Directory and file permissions
- intro
Most domestic boards store their data in directories with mode 777 and
create files that are world-writable (o+w).
- in a case
A cracker or black hat with malicious intent can then easily obtain web
server privileges from a local account.
The wrong permissions also let such a user read the files in which posts
are stored.
    drwxrwxrwx 5 ksecurity ksecurity 4096 6월 17 15:09 db/
    -rw-rw-rw- 1 nobody    nobody     154 7월 27 23:37 article.cgi
- patch
One option is to remove the w permission for all users other than nobody;
check the permissions of the files in which posts are stored.
4. Vulnerability of functions that execute a shell
- intro
< C >     system(), popen()
< perl >  system(), open(), eval(), exec(), ` ` (backticks)
< php >   system(), passthru(), exec(), popen(), escapeshellcmd(), ` ` (backticks)
- patch
When a variable is passed as an argument to one of these functions, the
shell metacharacters must be removed from it.
shell metacharacters:
    ;<>*|'&;$!#()[]{}:'"/^\n\r
- case1
    $value =~ tr/+/ /;                       # '+' back to space
    # decode %XX before anything else: decoding after the escaping would let
    # an encoded metacharacter (e.g. %3B for ';') slip past the checks below
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ s/\0//g;                       # drop null bytes
    $value =~ s/~!/ ~!/g;
    $value =~ s/<([^>]|\n)*>//g;             # strip HTML tags
    $value =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;   # backslash-escape shell metacharacters
- case2
    # refuse the input outright if it contains any metacharacter
    # (tr/// with an empty replacement list only counts the matches)
    if ($shell =~ tr/;<>*|`&$!#()[]{}:'"//) {
        print "don't abuse";
        exit(1);
    }
- case3
    # escape instead of rejecting
    $value =~ s/([;<>\*\|`&\$!#\(\)\[\]\{\}:'"])/\\$1/g;
5. File open vulnerability
- intro
open() and fopen() are commonly used to open a FILE.
Null bytes, the parent-directory sequence '..', '\', '|' and other
metacharacters must be removed from the name first.
case in perl)
    s/\0//g;            # remove null bytes
    s/\.\.//g;          # remove '..'
    s/(\|)/\\$1/g;      # escape '|', which would turn a 2-argument open() into a pipe
case in php)
    $file = eregi_replace("\.\.", "", $file);   # eregi_replace() was removed in PHP 7; preg_replace() replaces it
case in JSBoard)
(countermeasure against path-traversal metacharacters)
    if (eregi("/", $dn['name']) || eregi("\.\.", $dn['path']) || !$dn['cd'] || !$dn['name']) {
        echo "\n";
        exit;
    }
6. Exception handling problem
- intro
If a program does not handle errors, a failure in a function that opens a
socket or a file raises an error message that exposes the server's full path.
- case in JSBoard (whois.php)
    if (!$table || !$host) {
        echo "\n";
        exit;
    }
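The following PHP is an added example (not the advisory's or JSBoard's code) covering sections 5 and 6 together: it rejects null bytes, '..', separators and '|' in a post file name, confirms with realpath() that the file lies under an assumed data directory, and keeps PHP warnings, and thus the full path, out of the response.

```php
<?php
// Added example, not from the advisory or JSBoard. Resolves a post file name
// inside a fixed data directory (DATA_DIR is an assumption) and reads it
// without letting a PHP warning reveal the server's full path.
declare(strict_types=1);
const DATA_DIR = '/var/www/board/db';
// Warnings that contain paths go to the error log, never to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// Returns the real path of an existing file under DATA_DIR, or null.
// The name is rejected rather than cleaned: a rejected name is never used,
// while stripping ".." or "|" leaves a different string to reason about.
function safe_post_path(string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {    // NUL truncates C paths
        return null;
    }
    if (strpbrk($name, "/\\|") !== false || strpos($name, '..') !== false) {
        return null;                                         // no separators, pipes, parents
    }
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name)) {    // allowlist of characters
        return null;
    }
    $base = realpath(DATA_DIR);
    $real = realpath(DATA_DIR . '/' . $name);
    // realpath() follows symlinks and is false for a missing file, so the
    // prefix test guarantees the file really lives inside the data directory.
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

// Reads a post; any failure yields null plus a log line, nothing for the client.
function read_post(string $name): ?string
{
    $path = safe_post_path($name);
    if ($path === null || !is_readable($path)) {
        error_log('read_post: refused or unreadable name ' . bin2hex($name));
        return null;
    }
    $body = file_get_contents($path);
    return $body === false ? null : $body;
}

// What the client sees on failure: a generic message, not a path (section 6).
function show_post(string $name): string
{
    return read_post($name) ?? "The requested post could not be opened.\n";
}
```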
7. Vulnerability to variable manipulation
- intro
Wherever the program decides something in an if or other control statement,
it is worth checking whether the variable in the condition can be manipulated.
- in a case
    if ($admin)
    {
        enter admin mode
    }
What if the value admin=1 is simply supplied?
8. Admin authentication problem and other authentication
- intro
Authenticate properly for the admin mode that boards commonly have.
It is best not to let an unauthenticated user put a value directly into a
variable through the URL.
- in a case
(Boards usually work via POST.)
As one example, various kinds of post flooding become possible.
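As an added example for sections 7 and 8 (not code from the advisory or any board), the PHP below decides admin mode from a server-side session rather than from a request variable, so a forged admin=1 in the URL has no effect, and accepts the login only over POST; the stored password hash constant is an assumption.

```php
<?php
// Added example, not from the advisory or any board. Admin mode comes from a
// server-side session, never from a request variable, and login is accepted
// only over POST. ADMIN_PASSWORD_HASH is an assumption: a password_hash()
// value that a real deployment would keep outside the web root.
declare(strict_types=1);
const ADMIN_PASSWORD_HASH = '$2y$10$PLACEHOLDER.replace.with.a.real.password_hash.value';

// Vulnerable pattern from section 7 (with register_globals on, ?admin=1 in
// the URL creates $admin):    if ($admin) { /* admin mode */ }
// Hardened: initialise the control variable yourself, and take its value
// only from data the client cannot write.
session_start();

function is_admin(): bool
{
    // Absent, forged or non-boolean values all mean "not admin".
    return ($_SESSION['admin'] ?? false) === true;
}

// Returns true only for a POST carrying the correct admin password.
function admin_login(array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;                               // no login through GET links
    }
    $password = (string) ($post['password'] ?? '');
    if ($password === '' || !password_verify($password, ADMIN_PASSWORD_HASH)) {
        $_SESSION['admin'] = false;
        return false;
    }
    session_regenerate_id(true);                    // new session id after the privilege change
    $_SESSION['admin'] = true;
    return true;
}

// Guard for every admin-only action: re-check the session each request and
// ignore whatever 'admin' value arrived in GET or POST.
function require_admin(): void
{
    if (!is_admin()) {
        http_response_code(403);
        exit("admin only\n");
    }
}

// Constructed request: a forged admin=1 parameter changes nothing, and a
// login attempt that is not a POST is refused before the password is checked.
$_GET['admin'] = '1';
var_dump(is_admin());
var_dump(admin_login(['password' => 'guess'], 'GET'));
```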
9. Buffer overflow
- intro
When writing programs in C or C++, be careful about buffer overflows.
- in a case
Code with a buffer overflow bug:
    int bof_exist() {
        char buf[10];
        strcpy(buf, get_table_name(tablename));   /* no length check: a long name overflows buf */
    }

    char query_string_buf[1024];
    char *querysend = getenv("QUERY_STRING");
    strcpy(query_string_buf, querysend);          /* QUERY_STRING can be longer than 1024 bytes */
Be careful when using functions of this kind:
    gets(), getenv(), strcpy(), strcat(), sprintf(),
    fscanf(), scanf(), sscanf(), vscanf(), vsscanf(),
    vfscanf(), vsprintf(), realpath(), getopt(), getopt_long(),
    getpass(), streadd(), strecpy(), strtrns()
Where possible, replace them with bcopy(), fgets(), memcpy(), strncpy(),
snprintf(), strccpy(), strcadd(), vsnprintf().
10. Other points to watch
Consider whether a variable could be used to redirect to a host other than
localhost.
Be careful when using environment variables.
    system("ls -l /var/www/board/db");
Give the exact path instead:
    system("/bin/ls -l /var/www/board/db");
    $ENV{"PATH"} = "/bin:/usr/bin:/usr/local/bin";
    $ENV{"IFS"} = "/";
Another environment-variable example:
    $val = $ENV{$var};
    $val =~ s|\n|\\n|g;
    $val =~ s|"|\\"|g;
    print "${var}=\"${val}\"\n";
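The PHP below is an added example (not the advisory's code) that combines sections 4 and 10: the table name from the request is checked against an allowlist so none of the listed shell metacharacters can reach the shell, the program is named by absolute path with a fixed PATH, and escapeshellarg() is added as defence in depth; the db directory is an assumption.

```php
<?php
// Added example, not from the advisory. Lists a board's db directory for a
// table name taken from the request, combining sections 4 and 10: allowlist
// validation, an absolute program path, a fixed PATH and escapeshellarg().
// DB_DIR is an assumption.
declare(strict_types=1);
const DB_DIR = '/var/www/board/db';

// Child processes inherit only this PATH; the program is named by absolute
// path anyway, so PATH cannot be used to swap in another "ls".
putenv('PATH=/bin:/usr/bin');

// Allowlist check on the already URL-decoded value from $_GET/$_POST.
// Returns the validated name or null. Nothing from the metacharacter list
// (; < > * | ` & $ ! # ( ) [ ] { } : ' " / ^ \n \r) matches [A-Za-z0-9_],
// and neither does "..", so the directory argument cannot escape DB_DIR.
function table_name(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $raw) === 1 ? $raw : null;
}

// Builds the command line. escapeshellarg() wraps the argument in single
// quotes so the shell passes it through verbatim; the allowlist above is
// the real gate and this is defence in depth.
function ls_command(string $table): string
{
    return '/bin/ls -l -- ' . escapeshellarg(DB_DIR . '/' . $table);
}

// Runs the listing; null means the name was refused or ls failed.
function list_table(string $raw): ?string
{
    $table = table_name($raw);
    if ($table === null) {
        return null;                                // "don't abuse"
    }
    $out = [];
    $rc  = 1;
    exec(ls_command($table), $out, $rc);
    return $rc === 0 ? implode("\n", $out) : null;
}

// Constructed inputs: a plain name, one with ';', one with a newline, one with '..'.
foreach (['notice', 'notice;id', "notice\n/bin/id", '../etc'] as $raw) {
    echo json_encode($raw), ' => ',
         table_name($raw) === null ? 'refused' : ls_command($raw), "\n";
}
```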
Some board programs create temporary files; do not ship temporary files or
backup files such as .bak in the distribution.
Avoid suid and sgid wherever possible.
---[ Conclusion ]---
Developers who write CGI programs in C, C++, Perl, PHP and the like: take a
little more time to look for bugs in your own programs.
Proper use of chroot and CGI wrappers (cgiwrap, suEXEC, sbox) is another way
to secure CGI.
We hope this document has been helpful.
----------------------------------------------------------------
-Ksecurity team
(korea security group)
ksecurity@iland.co.kr
http://ksecurity.iland.co.kr
Copyright 2001 Ksecurity team. All rights reserved