Mai-Hsuan Chia's blog (大膽假設,小心求證, "bold hypotheses, careful verification"), written by Kevin, http://www.blogger.com/profile/08808437935222466403
Post: CVE-2015-7547, published 2016-02-18, last updated 2016-02-18<div>
<span style="font-family: inherit;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;">這篇簡單記錄了我第一次驗證別人poc(proof-of-concept)的過程。</span></span><br />
<span style="font-family: inherit;">poc就是驗證某個概念、原理,在資安領域講簡單一點就是去exploit。</span></div>
<div>
<span style="font-family: inherit;">
<span style="font-family: "times" , "times new roman" , serif;"><br /></span>
</span><br />
<h3>
<span style="font-family: inherit;"><b><span style="font-family: "times" , "times new roman" , serif; font-size: x-large;">前言</span></b></span></h3>
</div>
<div>
<span style="font-family: inherit;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="font-family: inherit;">
<span style="font-family: "times" , "times new roman" , serif;">CVE-2015-7547 是glibc中的 <code>getaddrinfo()</code>存在stack-based buffer overflow漏洞。</span></span><span style="font-family: times, 'times new roman', serif;">這個漏洞其實從2015年就發現了,後來google和red hat的人一起研究並寫出了</span><a href="https://github.com/fjserna/CVE-2015-7547" style="font-family: times, 'times new roman', serif;">poc</a>,<span style="font-family: inherit;"><span style="font-family: "times" , "times new roman" , serif;">表示這</span></span><span style="font-family: "times" , "times new roman" , serif;">個漏洞有其嚴重性。</span><br />
<span style="font-family: times, 'times new roman', serif;">漏洞主要發生在glibc 2.9版以後,查了一下發現我手邊的server全部中招。</span><br />
比較完整的資訊可以參考:<br />
<h2 style="background-color: white; color: #222222; font-family: 'Lucida Grande', 'Lucida Sans Unicode', Arial, sans-serif; line-height: 1.6em; margin: 0px; padding: 0px;">
<span style="color: #993333; font-size: small;"><a href="https://isc.sans.edu/forums/diary/CVE20157547+Critical+Vulnerability+in+glibc+getaddrinfo/20737/" style="color: #993333;">CVE-2015-7547: Critical Vulnerability in glibc getaddrinfo</a></span></h2>
</div>
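Added example, not part of the original post or of the PoC repository: a small POSIX shell check for whether a glibc version falls in the affected window, 2.9 &lt;= version &lt; 2.23, plus a probe of the running host through getconf or ldd. The version window is the only fact it encodes; the two changelog commands in the header comment are the follow-up step, because a version in range only means the host needs checking (distributions backport the fix without changing the version number), and musl or BSD hosts are reported as having no glibc at all.

```bash
#!/bin/sh
# Added example (not from the original post or the PoC repository): decide from
# a glibc version string whether the build falls in the CVE-2015-7547 window,
# 2.9 <= version < 2.23, and apply that to the running host.
#
# A hit means "check the package changelog", not "exploitable": distributions
# backport the fix without bumping the version. Follow-up commands (not run here):
#   rpm -q --changelog glibc | grep -i CVE-2015-7547      # RHEL / CentOS / Fedora
#   apt-get changelog libc6 | grep -i CVE-2015-7547       # Debian / Ubuntu

# vercmp A B: print -1, 0 or 1, comparing dotted versions numerically field by
# field so that 2.9 < 2.23 (a plain string compare gets this wrong).
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*} bf=${b%%.*}
        [ -n "$af" ] || af=0
        [ -n "$bf" ] || bf=0
        if [ "$af" -lt "$bf" ]; then printf '%s\n' -1; return 0; fi
        if [ "$af" -gt "$bf" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# glibc_version_from STRING: pull "x.y[.z]" out of what the usual probes print,
# e.g. "glibc 2.17", "ldd (GNU libc) 2.17", "ldd (Ubuntu GLIBC 2.23-0ubuntu11) 2.23".
# Takes the last field and keeps only its leading digits and dots; anything that
# is not a glibc banner (e.g. "musl libc (x86_64)") yields an empty string.
glibc_version_from() {
    printf '%s\n' "$1" | awk '{ print $NF }' | sed 's/[^0-9.].*$//'
}

# in_cve_2015_7547_range VERSION: succeed (exit 0) when 2.9 <= VERSION < 2.23.
in_cve_2015_7547_range() {
    [ "$(vercmp "$1" 2.9)" -ge 0 ] && [ "$(vercmp "$1" 2.23)" -lt 0 ]
}

# check_running_glibc: probe the host via getconf, falling back to ldd.
# Exit status: 0 in range, 1 outside the range, 2 when no glibc version was found.
check_running_glibc() {
    raw=
    if command -v getconf >/dev/null 2>&1; then
        raw=$(getconf GNU_LIBC_VERSION 2>/dev/null) || raw=
    fi
    if [ -z "$raw" ] && command -v ldd >/dev/null 2>&1; then
        raw=$(ldd --version 2>/dev/null | head -n 1)
    fi
    v=$(glibc_version_from "$raw")
    if [ -z "$v" ]; then
        echo "no glibc version found (not glibc, e.g. musl or a BSD libc)"
        return 2
    fi
    if in_cve_2015_7547_range "$v"; then
        echo "glibc $v is in the CVE-2015-7547 window (2.9 <= v < 2.23): verify the fix via the package changelog"
        return 0
    fi
    echo "glibc $v is outside the CVE-2015-7547 window"
    return 1
}

# Entry point when run as a script; the exit status is informational here.
check_running_glibc || :
```

Run it directly to print a verdict for the current machine, or source it and call the functions from another script. On a host that reports "in the window", the rpm or apt-get changelog grep from the header comment settles whether the backported fix is present.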
<div>
<br />
<span style="font-family: inherit;"><a href="http://beej-zhtw.netdpi.net/05-system-call-or-bust/5-1-getaddrinfo-start">getaddrinfo()</a> 主要用來查一個 host 所對應的 IP address,底層會去query DNS </span><span style="font-family: inherit;">Server並</span><span style="font-family: inherit;">得到結果。</span></div>
<div>
<span style="font-family: inherit;">此時若 DNS Server 回應了惡意的 payload ,可以造成 <code>getaddrinfo()</code> buffer </span><span style="font-family: inherit;">overflow,利</span><span style="font-family: inherit;">用這個漏洞來exploit client端的主機。</span><br />
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">
</span>
<h3>
<span style="font-family: inherit;"><span style="font-family: "times" , "times new roman" , serif; font-size: x-large;"><b>驗證過程</b></span></span></h3>
<div>
<span style="font-family: inherit;"><span style="font-family: "times" , "times new roman" , serif; font-size: x-large;"><b><br /></b></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhaNCgwrGBjwIyIXbnrOggRh5rymh2HVDDHfrXun3SE4I8qVnhFdbXDdMnzPfeL9EEaIED8rkXEoRtDcs4JlRwCdQEsG8EqDTg7CuOtxr_mUIMxtMf98-D22NO7MpS2OSJOFccCjE5x1tS/s1600/%25E8%259E%25A2%25E5%25B9%2595%25E5%25BF%25AB%25E7%2585%25A7+2016-02-19+%25E4%25B8%258B%25E5%258D%25881.41.28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhaNCgwrGBjwIyIXbnrOggRh5rymh2HVDDHfrXun3SE4I8qVnhFdbXDdMnzPfeL9EEaIED8rkXEoRtDcs4JlRwCdQEsG8EqDTg7CuOtxr_mUIMxtMf98-D22NO7MpS2OSJOFccCjE5x1tS/s320/%25E8%259E%25A2%25E5%25B9%2595%25E5%25BF%25AB%25E7%2585%25A7+2016-02-19+%25E4%25B8%258B%25E5%258D%25881.41.28.png" width="320" /></a></div>
<br />
First, clone the PoC code:<br />
<pre><code class="prettyprint lang-bsh">$ git clone https://github.com/fjserna/CVE-2015-7547
</code></pre>
Here, <a class="js-directory-link js-navigation-open" href="https://github.com/fjserna/CVE-2015-7547/blob/master/CVE-2015-7547-poc.py" id="b7f763b586e00ed9c7e7714a77434b79-40188b3021795d816230b485295d86310d254272" style="background-color: whitesmoke; box-sizing: border-box; color: #4078c0; font-family: Helvetica, arial, nimbussansl, liberationsans, freesans, clean, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 13px; line-height: 20px; text-decoration: none; white-space: nowrap;" title="CVE-2015-7547-poc.py">CVE-2015-7547-poc.py</a> is the malicious DNS server, and <a class="js-directory-link js-navigation-open" href="https://github.com/fjserna/CVE-2015-7547/blob/master/CVE-2015-7547-client.c" id="b1a0f1456591ebb49465b256a19189be-ecd6e30d0d97fc6c4b6ef0045bfb0965560bf0d1" style="background-color: whitesmoke; box-sizing: border-box; color: #4078c0; font-family: Helvetica, arial, nimbussansl, liberationsans, freesans, clean, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 13px; line-height: 20px; outline: 0px; white-space: nowrap;" title="CVE-2015-7547-client.c">CVE-2015-7547-client.c</a> is the client code that calls <code>getaddrinfo()</code>.<br />
<br />
I had <a class="js-directory-link js-navigation-open" href="https://github.com/fjserna/CVE-2015-7547/blob/master/CVE-2015-7547-poc.py" id="b7f763b586e00ed9c7e7714a77434b79-40188b3021795d816230b485295d86310d254272" style="background-color: whitesmoke; box-sizing: border-box; color: #4078c0; font-family: Helvetica, arial, nimbussansl, liberationsans, freesans, clean, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 13px; line-height: 20px; text-decoration: none; white-space: nowrap;" title="CVE-2015-7547-poc.py">CVE-2015-7547-poc.py</a> bind to port 53 on the local machine, which requires root. If another service already holds port 53 (for example dnsmasq on Ubuntu), disable it first, then run the .py file.<br />
<pre><code class="prettyprint lang-bsh">$ sudo ./CVE-2015-7547-poc.py</code></pre>
<br />
Next, change the local nameserver configuration: comment out the original nameserver entry and point it at the local DNS server, so that every DNS query from this machine goes to our malicious server. Note the header of the file: resolvconf regenerates it, so the edit may not survive a network event. That is fine for a one-off test, but worth knowing if the client suddenly stops crashing.<br />
<code>/etc/resolv.conf</code><br />
<pre><code class="prettyprint lang-bsh"># Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#nameserver 140.112.2.2
nameserver 127.0.0.1</code></pre>
<br />
Finally, compile <a class="js-directory-link js-navigation-open" href="https://github.com/fjserna/CVE-2015-7547/blob/master/CVE-2015-7547-client.c" id="b1a0f1456591ebb49465b256a19189be-ecd6e30d0d97fc6c4b6ef0045bfb0965560bf0d1" style="background-color: whitesmoke; box-sizing: border-box; color: #4078c0; font-family: helvetica, arial, nimbussansl, liberationsans, freesans, clean, sans-serif, 'apple color emoji', 'segoe ui emoji', 'segoe ui symbol'; font-size: 13px; line-height: 20px; outline: 0px; white-space: nowrap;" title="CVE-2015-7547-client.c">CVE-2015-7547-client.c</a> into an executable and run it; it segfaults.<br />
<pre><code class="prettyprint lang-bsh">$ make
gcc -o CVE-2015-7547-client CVE-2015-7547-client.c
$ ./CVE-2015-7547-client
Segmentation fault (core dumped)
</code></pre>
Next I will try to use this vulnerability to get a shell, but it doesn't look that easy XD. If I succeed I'll post the payload here.</div>
Post: TW.edu CTF 2015 Write-up, published 2016-01-12, last updated 2016-02-18<br />
<a href="https://github.com/j84255801912/practice/blob/master/ctf/final/write_up.md">My Write-up</a> <br />
<br />
2016/01/06 to 2016/01/10 was the final competition of the Computer Security course; students taking the course at NTU (台大), NTUST (台科) and NCU (中央) took part.<br />
<br />
This time I was lucky enough to be on a team with some really strong players; the team was called shareifagree, and we finished with a pretty good result XD.<br />
<br />
Although I only worked on the Web challenges and contributed just 1/6 of the points, I really learned a lot. In short: be good at googling, learn new techniques, and apply them in practice.<br />
<br />
When I have time I'll probably play more CTFs to sharpen my skills; it feels like I've found an area I'm genuinely interested in.<br />
<br />
Post: 包rpm的骯髒事 (The dirty side of packaging an rpm), published 2015-09-16, last updated 2016-02-18<br />
<br />
Recently I've been building my own rpm packages. The openssl rpms that CentOS and Fedora ship strip out the elliptic curve bitcoin needs (secp256k1) because of intellectual-property concerns, so I had to compile an openssl for bitcoin myself.<br />
<br />
The annoying part is that asking other people to pass configure flags so the build finds our own openssl is far too much hassle, so we had to find a way for bitcoin's configure and compile steps to avoid the system openssl and use our packaged version without any extra flags.<br />
<br />
Our servers are all CentOS 7, so the seniors on the team decided we might as well package it ourselves, and I ended up being the one responsible Orz.<br />
<br />
First, although an rpm spec file is simple and clear, it is very easy to accidentally install a file into BUILD_ROOT that is not listed in the %files section, and rpmbuild then fails with "Installed (but unpackaged) file(s) found". That check runs after %install, the last step of the whole build, and one openssl build takes 5 to 10 minutes, so all kinds of trivial errors cost me a lot of time.<br />
<br />
Once the package was finally built, how do we make bitcoin find the libssl.so and libcrypto.so we compiled ourselves?<br />
(The following approach is quite dirty, but I'm a newbie with a deadline, so this was the fallback.)<br />
<ol>
<li>Add <code>export PKG_CONFIG_PATH=/usr/local/openssl/lib</code> to <code>/etc/profile</code>, so PKG_CONFIG_PATH is set for every user at login. The pkg-config check in configure (autoconf's PKG_CHECK_MODULES) then finds our SSL_CFLAGS and SSL_LIBS and generates the Makefile accordingly. pkg-config looks for .pc files directly in the listed directories, so the path has to be the one that actually holds openssl.pc, which for a default OpenSSL install is <code>lib/pkgconfig</code> under the prefix.</li>
<li>At this point make still picks up the system .so, which is really odd. Turning on verbose mode with <code>make V=1</code> shows that some of the gcc commands that link against openssl have linker search paths like -L/usr/lib placed before our -L/usr/local/openssl/lib!</li>
<li>In the end we also added <code>export CXX="c++ -L/usr/local/openssl/lib"</code> to <code>/etc/profile</code>, which guarantees our path is searched before the system's XDD. Be aware that this changes every C++ build by every user on the host, so it belongs on a dedicated build machine at most.</li>
</ol>
At that point the build was picking up the correct openssl. But as soon as we ran bitcoind...
<br />
<pre> <code class="prettyprint lang-bsh">./bitcoind: /usr/lib/libcrypto.so: no version information available ...</code></pre>
Googling shows that ld.so prints this warning when the library it actually loads at run time does not carry the symbol version information the binary was linked against; in other words, bitcoind was linked against one libcrypto.so, but at run time ld.so resolved a different one, /usr/lib/libcrypto.so.<br />
<br />
Only then did I realise I had forgotten to add the .so path to ld.so.cache. Create a file under /etc/ld.so.conf.d/ containing the path, then run
<br />
<pre> <code class="prettyprint lang-bsh">$ ldconfig</code></pre>
to load the path into the cache, and it works!<br />
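Added example, not code from the original post: a shell check for which libssl/libcrypto a binary resolves at run time, the check I would run before and after the ldconfig step above, together with the ld.so.conf.d registration written out as a function. The paths follow the post (/usr/local/openssl/lib for the private OpenSSL, ./bitcoind for the binary); the three ldd outputs are constructed for the example, and the drop-in file name openssl-local.conf is this example's own choice.

```bash
#!/bin/sh
# Added example, not code from the original post: check which libssl/libcrypto a
# binary resolves at run time, and register the private prefix with ld.so the way
# the post's last step does. Paths follow the post (/usr/local/openssl/lib,
# ./bitcoind); the drop-in name openssl-local.conf is this example's own choice.

# check_openssl_resolution PREFIX: read `ldd` output on stdin and print every
# libssl/libcrypto line that does not resolve under PREFIX (or is "not found").
# Exit 0 when all of them resolve under PREFIX, 1 otherwise.
check_openssl_resolution() {
    awk -v prefix="$1/" '
        /lib(ssl|crypto)\.so/ {
            # ldd line: "libcrypto.so => /usr/lib/libcrypto.so (0x...)"
            path = $3
            if (index(path, prefix) != 1) { print; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# check_text TEXT PREFIX: run the check over a captured string instead of a pipe.
check_text() {
    printf '%s\n' "$1" | check_openssl_resolution "$2"
}

# register_prefix_with_ldso PREFIX: the post's fix as a function. Needs root and
# is not run in this example.
register_prefix_with_ldso() {
    printf '%s\n' "$1" > /etc/ld.so.conf.d/openssl-local.conf
    ldconfig
    # show what the cache now resolves for the two libraries
    ldconfig -p | grep -E 'lib(ssl|crypto)\.so'
}

# Constructed ldd outputs (not captured from a real host). The first is the
# situation behind the post's "no version information available" warning: the
# system copy wins. The second is the same binary once the prefix is in the
# cache. The third is a prefix installed but not yet registered with ldconfig.
LDD_SYSTEM_OPENSSL='    linux-vdso.so.1 =>  (0x00007ffc3a1fe000)
    libssl.so => /usr/lib/libssl.so (0x00007f2b6e0c0000)
    libcrypto.so => /usr/lib/libcrypto.so (0x00007f2b6dcd0000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b6d900000)'

LDD_CUSTOM_OPENSSL='    linux-vdso.so.1 =>  (0x00007ffc3a1fe000)
    libssl.so.1.0.0 => /usr/local/openssl/lib/libssl.so.1.0.0 (0x00007f2b6e0c0000)
    libcrypto.so.1.0.0 => /usr/local/openssl/lib/libcrypto.so.1.0.0 (0x00007f2b6dcd0000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b6d900000)'

LDD_NOT_FOUND='    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b6d900000)'

# Demonstration on the constructed samples.
echo "--- system OpenSSL picked up:"
check_text "$LDD_SYSTEM_OPENSSL" /usr/local/openssl/lib || echo "mismatch: linked against /usr/local/openssl/lib but loading the system copy"
echo "--- prefix installed but not registered:"
check_text "$LDD_NOT_FOUND" /usr/local/openssl/lib || echo "not found: run register_prefix_with_ldso /usr/local/openssl/lib as root"
echo "--- custom OpenSSL picked up:"
check_text "$LDD_CUSTOM_OPENSSL" /usr/local/openssl/lib && echo "ok"
# On the real host: ldd ./bitcoind | check_openssl_resolution /usr/local/openssl/lib
```

On the real host, `ldd ./bitcoind | check_openssl_resolution /usr/local/openssl/lib` prints nothing and exits 0 once the cache is right. An alternative that avoids touching /etc/ld.so.conf.d and /etc/profile altogether is to embed the search path in the binary at link time with `-Wl,-rpath,/usr/local/openssl/lib`; ld.so then finds the private libraries without any host-wide configuration.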
Finally, thanks to lantw44, a real expert, for the guidance!<br />
<br />
Post: Cross Initialization, published 2015-08-21, last updated 2017-08-09<br />
<br />
Today a friend and I got talking about the cross-initialization problem that arises with switch statements and goto statements.<br />
<pre><code class="prettyprint">switch (ch) {
case 1:
int jval = 1;
break;
case 2:
jval = 2;
}
</code></pre>
Compiling this gives<br />
<br />
<code>error: crosses initialization of 'int jval'</code><br />
<br />
However, simply changing it to<br />
<pre><code class="prettyprint lang-cpp">switch (ch) {
case 1:
int jval;
break;
case 2:
jval = 2;
}</code></pre>
makes the error disappear, because a POD object declared without an initializer may be jumped over (see the standard text quoted below). The trade-off: on the <code>case 2</code> path <code>jval</code> is in scope but holds an indeterminate value until it is assigned, and reading it before that is undefined behaviour, so a compile-time error has been exchanged for a potential runtime bug.<br />
Alternatively, use a block to limit the variable's scope. Each case then needs its own declaration, and the initializer is allowed again because no jump can skip it:<br />
<pre><code class="prettyprint">switch (ch) {
case 1: {
int jval;
break;
}
case 2: {
jval = 2;
}
}</code></pre>
A quick search turns up several <a href="http://stackoverflow.com/questions/92396/why-cant-variables-be-declared-in-a-switch-statement">stackoverflow</a> threads on this: the compiler does not allow a jump that bypasses an initialization within the same scope. The reason is that such a jump would skip the initializer or constructor and leave an object in scope that was never constructed; a POD declared without an initializer has an indeterminate value either way, so nothing is skipped and the jump is permitted.<br />
<br />
在<a href="http://cs.nyu.edu/courses/fall11/CSCI-GA.2110-003/documents/c++2003std.pdf">ISO C++ ‘03</a> 6.7/3 有規範<br />
<blockquote>
It is possible to transfer into a block, but not in a way that bypasses declarations with initialization. A program that jumps from a point where a local variable with automatic storage duration is not in scope to a point where it is in scope is ill-formed unless the variable has POD type (3.9) and is declared without an initializer (8.5)</blockquote>
<br />
What I still need to work out is why only initialization is forbidden (not just explicit initialization with an initializer, but default-initialization and value-initialization too), while definition and assignment are allowed.