Not so long ago I had nothing to do with IT, but lately I have become absorbed in the topic of cybersecurity. The pentester profession is particularly interesting to me, and while browsing I came across a cool article by SecurityShenanigans about how a misconfigured DB made it possible to compromise an entire cloud of more than 25,000 hosts. I'm bringing a translation of both parts to your attention.
Abstract
In this article we'll learn how to use a direct sqlmap connection to a database together with BMC/IPMI to compromise a large client.
Background
A few years ago our team was tasked with carrying out an infrastructure penetration test on an Openstack network. It consisted of about 2,000 physical servers hosting more than 25,000 virtual machines. We started out from a small subnet with limits on the amount of outbound traffic. After a quick scan, Nmap could not find any obvious vulnerabilities that could be exploited, so we began investigating the available services. Among them we found an unprotected PostgreSQL server hosted on a development server. After building a custom wordlist from several derivatives of the company name, we were able to get into the system using a fairly simple account: the username was Postgres and the password was "admin".
Next, we decided to use sqlmap. This tool is built for exploiting SQL injection, but when a direct database connection is established (if you have credentials) it can also offer several options. One of those options is launching a command shell on the production database.
After testing the shell, we decided to build a custom payload to get a reverse connection, which would make working more comfortable.
We created the payload with msfvenom; in this case the payload was a reverse TCP shell for a Linux x64 machine. In the previous image you can see that you need to select the database architecture.
Building the payload with msfvenom
The advantage of this payload is that you can use plain Netcat to receive the connection. Most other payloads require something like Metasploit (exploit/multi/handler) for the same task.
After running the payload through the sqlmap wrapper, we got a connection to the server.
Launching the payload, receiving the connection and testing access
Using BMC devices
Whenever you run an infrastructure penetration test and compromise a machine on a new network segment, you need to rescan to check whether anything new has appeared. This database gave us access to the company's cloud network, which included most of the virtual machines and hosts. We were very pleased with the results of the new scan, because we found several BMC devices.
One of the three BMC devices
A BMC (Baseboard Management Controller, or service processor) is a dedicated embedded device attached to the main server that provides out-of-band monitoring and control. It operates independently of the CPU, BIOS and operating system, so an error in any of those components cannot affect it. The microcontroller has its own processor, memory and network interface, so it can be used even when the server itself is powered off. Every major hardware vendor has its own BMC for its products:
- Dell DRAC
- IBM IMM
- HP iLO
- Supermicro IPMI
Another term you need to be familiar with is IPMI (Intelligent Platform Management Interface), which is basically the protocol used to communicate with these devices. Its purpose is to monitor and manage the server hardware regardless of the operating system, even when the server is powered off but still connected to power.
Let's just say that IPMI is one of the least secure protocols you will find. IPMI 2.0 is designed so that a password hash can be requested directly from the server during the authentication step. Another vulnerability appears when authentication is requested in "cipher 0" mode, which allows logging in with any password.
IPMI block architecture
BMC devices are the kind of device that is configured once, during the data center build-out, and used only when a server cannot be reached by conventional means, so they are usually poorly protected. We were able to authenticate easily on some devices that had cipher 0 enabled.
Here you can see how to log in with a random password. Note the "-C0" part.
Successfully logging in to the device with a random password and retrieving its network information
Even where cipher 0 is not enabled, you can still log in in other ways. The two best known are using default credentials (sysadmins usually don't bother changing them) or exploiting the hash disclosure vulnerability (and then cracking the hashes). We had to do the latter on most devices.
Trivial default username and password pairs for most users
List of usernames whose hashes were requested from the server
Extracting custom hashes with metasploit
Here we also obtain data on a typical hash.
Once we had gone through all the hashes, we started cracking them.
Cracking the first hashes
In just a few minutes we had access to about 600 BMCs.
609 hashes successfully cracked
There were several HP iLO devices that we couldn't crack. Fortunately, HP iLO 4 versions 1.00 to 2.50 have an authentication bypass that allows an administrator account to be created via a buffer overflow in the HTTP Connection header handled by the web server. The exploit uses it to obtain privileged access to the rest of the API, which grants the permission to create an account.
Using CVE-2017-12542
After these steps we had full control over 90% of the company's BMC devices. If you have read about BMC devices, you know that they let you:
- Monitor
- Reboot
- Reinstall
- KVM (virtualization)
Connected devices
This is great, but it only simulates physical access to the server, so we still needed to get inside. Yes, we could have cheated by simply powering the devices off..., but we felt that wasn't enough, so we dug deeper.
One of the most common ways to hack hardware you have physical access to is to reboot it and take control of the boot process to get a root shell. This can be done on Unix, Mac and Windows.
The difficulty with this approach was that each server normally hosted about 2000 virtual hosts, so we needed to find an unused server. The plan was to power it off (or boot it if it was already off), edit the boot entry to allow root access, and then examine the configuration for bugs/payloads that could compromise other servers.
Openstack lets you query the local infrastructure for specific parameters. One of them is the state of the virtual machines. For this particular company it was defined as VM availability (white/blacklisted for receiving traffic) plus operational state (started/disabled).
We needed to find a blacklisted server (the operational state didn't matter), and we found one that was out of service because of a disk problem. Luckily it could still boot, although part of the filesystem ended up in read-only mode.
Openstack request for a suitable server to hack
Once we found it, we logged in using the credentials found earlier.
Using the previously obtained access
Also, access to the KVM interface
The KVM interface simulates a direct connection to the server through the BMC. At boot time you need to edit the Grub boot entry and add

ro init=/bin/bash

to the appropriate line to boot into a root shell. Normally the read/write flag (rw) is used, but to avoid problems with the failed disk we had to use the read-only flag (ro).
Editing the grub menu
After logging in, we examined the network interfaces and tested connectivity to the server. As you can see, ifconfig shows more than 10 active interfaces.
After taking some time to analyze the network structure and understand where we were, we started studying the server.
Within a few minutes we found the novadb credentials in bash_history (one of the best sources of valuable information you can find on a Linux machine).
The novadb credentials found in bash_history
For those unfamiliar with the Openstack architecture, Nova is the management database that stores administrative information for the entire cloud: certificates, quotas, instance names, metadata and other important information.
Verifying the credentials
After logging in, we confirmed administrator access by checking the MySQL grants.
With that done, we could examine the internal structure of NovaDB.
Tables in the Novadb database
Looking at the VM information, we found about 34,000 devices, although about a third of them were unavailable/not working. The exact number can be seen in the float_ips row count.
Let me explain why this data from the database is so important.
äŒç€Ÿå šäœãã·ã£ããããŠã³ããå Žåã¯ãBMCã€ã³ã¿ãŒãã§ã€ã¹ãä»ããŠåä»®æ³ãµãŒããŒãã·ã£ããããŠã³ã§ããŸãã sysadminsãé»æºããªã³ã«æ»ããŸã§æ©èœããŸããã
ç¬èªã®ãã«ãŠã§ã¢ãäœæããŠãã¹ãŠã®ãµãŒããŒã«ææãããããšã¯ã§ããŸãããBMCãã£ãã«ãä»ãã倧éå±éã¯ç°¡åã§ã¯ãããŸããïŒã¢ã¯ã»ã¹ããåã«æªäœ¿çšã®ãµãŒããŒãèµ·åããŠGrubã®èªåå®è¡ãç·šéããå¿ èŠããã£ãããšãæãåºããŠãã ããïŒã
ãã ããNovaDBã«ã¢ã¯ã»ã¹ãããšãããŒã¿ããŒã¹ãç Žæããã ãã§ãã¯ã©ãŠãç°å¢å šäœãæ©èœããªããªããŸãã sysadminãããŒã¿ããŒã¹ããã°ãã確èªã§ããã»ã©è³¢ããšããŠããç ŽæããããŒã¿ããŒã¹ã®ãã©ãã«ã·ã¥ãŒãã£ã³ã°ã¯ãæ¬ èœããŠããããŒã¿ããŒã¹ãããã¯ããã«å°é£ã§ãã
ãŸããã·ã¹ãã 管çè ã¯äœããééã£ãŠããããšãç解ããææ°ã®ããã¯ã¢ããã§ãã¹ãŠãäžæžãããã ãã§ãããïŒç§ãã¡ãããã«ã€ããŠèããŸãããããããå ã«é²ãã§ããã¯ã¢ãããå±éºã«ããããçç±ã§ãã
æåã¯ãã®ãããªãã®ã§ã¡ã€ã³ããŒã¿ããŒã¹ã«ã¯ãšãªãå®è¡ããããšããŸãã
SELECT * FROM information_schema.PROCESSLIST AS p WHERE p.COMMAND = 'Binlog Dump';
But the company used its own backup solution, which ran irregularly and did not use a master/slave scheme. So we kept scanning the neighboring subnets to find a backup database running on the same port as the main one.
How to find the backups
When we checked whether the existing credentials could be used, of course they worked.
Verifying access to the backups
Using their own backups, we were able to demonstrate a complete compromise of the virtualization infrastructure and how the operation could be completed in minutes.
I always end a review/report with how the issues found can be fixed. Here there were many of them, for example:
- Credential reuse
- No network segmentation
- Bad passwords
- Insecure backup architecture
- Outdated firmware
One of the major problems that was not easy to fix was the flaws in the IPMI protocol.
The most successful solution is to place BMC-enabled servers in a separate, controlled network segment with a restricted list of IP addresses. That is what this company ultimately did.
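As an added example (not part of the original article or of any vendor tool), here is how a defender can check a BMC for the two issues discussed above, cipher 0 being usable and the BMC address sitting outside the management segment, by parsing the output of `ipmitool lan print`. The sample output, the address and the management subnet are constructed and hypothetical.

```python
import ipaddress
import re

# Constructed sample in the shape of `ipmitool lan print` output; the
# address and cipher settings are hypothetical, not taken from any real BMC.
SAMPLE_LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 10.20.30.40
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

# Meaning of each character in the "Cipher Suite Priv Max" string.
PRIV_NAMES = {"X": "disabled", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def parse_lan_print(text):
    """Return the 'key : value' pairs of an ipmitool lan print dump."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s*:\s*(.*)$", line)
        if m:  # continuation lines (leading whitespace) are skipped
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit_bmc(text, management_nets):
    """Flag cipher suite 0 and a BMC address outside the given CIDR list."""
    fields = parse_lan_print(text)
    findings = []
    priv = fields.get("Cipher Suite Priv Max", "")
    # Character i of the string is the maximum privilege for cipher suite i,
    # so character 0 tells whether cipher 0 (no authentication) is usable.
    if priv and priv[0] != "X":
        findings.append("cipher suite 0 enabled with max privilege "
                        + PRIV_NAMES.get(priv[0], priv[0]))
    addr = fields.get("IP Address")
    if addr:
        ip = ipaddress.ip_address(addr)
        if not any(ip in ipaddress.ip_network(n) for n in management_nets):
            findings.append(f"BMC address {addr} is outside the management segment")
    return findings
```

On a real fleet, feed each host's `ipmitool -I lanplus -H <bmc> -U <user> -P <pass> lan print` output to `audit_bmc` and review the findings.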
I hope you enjoyed our story as much as we enjoyed learning about this topic.