There was news that the Chinese hacker organization Honker Union had posted a large-scale hacking plan targeting Korean sites and was recruiting hackers for it.
Subsequently, according to CNSecurity, which specializes in Chinese cyber security trends, the site on which this post appeared is not the official Honker Union site.
(See the article below for details) http://www.dailysecu.com/?mod=news&act=articleView&idxno=19171
As with Anonymous's OpKorea in 2014, this is most likely someone impersonating the Honker Union, but full preparation is still advisable, such as taking action on vulnerabilities that have already been disclosed.
The secretariat has obtained the hacking tools that the Honker Union is said to be distributing. Because the CONCERT HotLine mailing list also includes non-member companies, we judged it inappropriate to share the tools through the group mail and are not doing so. If you absolutely need them for internal analysis, request them at info@concert.or.kr and we will share them after verification.
御剑 (SQL injection tool), 椰树 (SQL injection / XSS tool), 挖掘鸡 (SQL injection tool), 明小子综合注入 (SQL injection tool), 超级SQL注入 (SQL injection tool), 啊D (SQL injection tool), web漏洞扫描器v1.0 (web vulnerability scanner)
Hacking originating from China that exploits the Apache Struts2 vulnerability has been occurring continuously since last month, and after the KISA notice on CVE-2017-5638 a new attack method with a changed attack vector has appeared. IBM X-Force has also recommended blocking the following IPs as attack IPs (indicators) used to exploit this vulnerability.
Indicators:
202.194.207.101
222.175.103.114
192.161.172.197
120.76.41.162
58.251.130.173
145.17.204.44
31.210.47.92
43.246.208.97
114.242.82.105
59.149.158.27
198.202.241.40
192.161.172.203
218.245.0.40
112.11.105.28
219.151.7.149
61.188.38.140
111.3.155.20
116.247.101.34
123.184.19.157
222.135.204.11
59.33.252.248
222.186.58.138
185.117.72.44
113.16.135.130
59.33.252.247
59.33.252.249
192.161.172.201
59.33.252.250
223.255.145.158
59.33.252.252
59.33.252.251
Source: https://exchange.xforce.ibmcloud.com/collection/Apache-Struts-2-Attack-Campaign-adc572fb5f587f2159698fc38a26a2ca
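To check your own access logs against the indicator list above, the following is an added example in Python; it is not tooling from IBM X-Force, KISA or the CONCERT secretariat. It parses combined-format log lines, flags source IPs that appear in the list, and additionally flags an OGNL marker ("%{" or "${") in the Content-Type header. That second check assumes a custom LogFormat that appends "%{Content-Type}i" after the User-Agent field; the default combined format does not log request headers, so on a plain access log only the IP match applies. The log lines are constructed for the demo.

```python
"""Scan access-log lines for the X-Force Struts2 campaign indicators and
for OGNL markers in the logged Content-Type header.

Added example, not tooling from IBM X-Force, KISA or CONCERT. The indicator
list is the one published above; the log lines are constructed for the demo
and assume a LogFormat that appends "%{Content-Type}i" after the User-Agent
(an assumption: the default combined format does not log request headers).
"""
import re
from collections import Counter

XFORCE_INDICATORS = """
202.194.207.101 222.175.103.114 192.161.172.197 120.76.41.162 58.251.130.173
145.17.204.44 31.210.47.92 43.246.208.97 114.242.82.105 59.149.158.27
198.202.241.40 192.161.172.203 218.245.0.40 112.11.105.28 219.151.7.149
61.188.38.140 111.3.155.20 116.247.101.34 123.184.19.157 222.135.204.11
59.33.252.248 222.186.58.138 185.117.72.44 113.16.135.130 59.33.252.247
59.33.252.249 192.161.172.201 59.33.252.250 223.255.145.158 59.33.252.252
59.33.252.251
"""

# Combined log format plus one extra quoted field holding the Content-Type
# request header (assumed custom LogFormat, see the docstring).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<ctype>[^"]*)"$'
)
OGNL_RE = re.compile(r"[%$]\{")                       # start of an OGNL/EL expression
STRUTS_RE = re.compile(r"\.(?:action|do)(?:[?;]|$)")  # Struts action URLs


def load_indicators(text: str) -> frozenset:
    """Parse a whitespace-separated indicator list into a set of IPs."""
    return frozenset(text.split())


def classify(line: str, indicators: frozenset):
    """Return (ip, path, reasons) for one log line; reasons is empty for clean lines."""
    m = LOG_RE.match(line)
    if not m:
        # Unparsed lines are reported rather than silently skipped.
        return None, line[:40], ("unparsed",)
    reasons = []
    if m["ip"] in indicators:
        reasons.append("xforce-indicator")
    if OGNL_RE.search(m["ctype"]):
        reasons.append("ognl-in-content-type")
    # A Struts endpoint alone is not an alert; it is context for the two above.
    if reasons and STRUTS_RE.search(m["path"]):
        reasons.append("struts-action")
    return m["ip"], m["path"], tuple(reasons)


def scan_log(lines, indicators):
    """Return one (ip, path, reasons) tuple per line that raised an alert."""
    hits = []
    for line in lines:
        ip, path, reasons = classify(line.rstrip("\n"), indicators)
        if reasons:
            hits.append((ip, path, reasons))
    return hits


def top_sources(hits):
    """Count alerts per source IP, most active first."""
    return Counter(ip for ip, _, _ in hits).most_common()


# Constructed sample log; the OGNL fragment is a marker only, not an exploit.
SAMPLE_LOG = [
    '59.33.252.248 - - [13/Mar/2017:10:01:22 +0900] "POST /doUpload.action HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" "%{#_=\'multipart/form-data\'}"',
    '10.0.0.5 - - [13/Mar/2017:10:01:23 +0900] "POST /doUpload.action HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0" "multipart/form-data; boundary=abc"',
    '203.0.113.7 - - [13/Mar/2017:10:01:24 +0900] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "curl/7.52.1" "-"',
    '222.186.58.138 - - [13/Mar/2017:10:02:00 +0900] "GET /login.action HTTP/1.1" '
    '404 210 "-" "python-requests/2.13.0" "-"',
]

if __name__ == "__main__":
    indicators = load_indicators(XFORCE_INDICATORS)
    hits = scan_log(SAMPLE_LOG, indicators)
    for ip, path, reasons in hits:
        print(f"{ip:16} {path:20} {', '.join(reasons)}")
    print(top_sources(hits))
```

On the constructed sample the scanner reports the two lines from listed IPs (one of them also carrying an OGNL marker) and ignores the benign internal upload. Feed it a real log with `scan_log(open(path), load_indicators(XFORCE_INDICATORS))`.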
==============================================================
KISA Security Notice
Apache Struts Remote Code Execution Vulnerability Update Advisory 2017.03.07
□ Overview
 o A security update has been released that fixes a vulnerability in Apache Struts allowing arbitrary code execution [1]
 o Administrators of servers running a vulnerable version are advised to update to the latest version according to the solution below
□ Details
 o When a file upload is performed through the Jakarta Multipart parser, a forged Content-Type in the HTTP request header allows remote code execution (CVE-2017-5638)
□ Affected products and versions
 o Apache Struts 2.3.5 ~ 2.3.31
 o Apache Struts 2.5 ~ 2.5.10
 ※ How to check the version: check the version of the /WEB-INF/lib/struts-core.x.x.jar file under the web root
□ Solution
 o Update to a version in which the vulnerability is fixed
   - Apache Struts 2.3.32 [2]
   - Apache Struts 2.5.10.1 [3]
 o Apply strict filtering to Content-Type and prohibit its use with OGNL expressions
 o Delete the commons-fileupload-x.x.x.jar file
 ※ Deleting this file disables the upload function
□ Other inquiries
 o Korea Internet & Security Agency, Internet Incident Response Center: 118 (no area code)
[Reference sites]
 [1] https://cwiki.apache.org/confluence/display/WW/S2-045
 [2] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32
 [3] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1
=======================================================
Caution: Apache Struts2 remote code execution vulnerability! (CVE-2017-5638, S2-046)
Another remote code execution vulnerability similar to S2-045 has recently been discovered.
Vulnerability overview
This vulnerability allows remote code execution using a malicious Content-Disposition value or an improper Content-Length header. It is similar to S2-045 but uses a different attack vector: in the PoC below the OGNL expression is carried in the filename of a multipart part rather than in the Content-Type header, so a filter that only inspects Content-Type does not block it.
CVE number
CVE-2017-5638
PoC
POST /doUpload.action HTTP/1.1
Host: localhost:8080
Content-Length: 10000000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAnmUgTEhFhOZpr9z
Connection: close

------WebKitFormBoundaryAnmUgTEhFhOZpr9z
Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}"
Content-Type: text/plain

Kaboom
------WebKitFormBoundaryAnmUgTEhFhOZpr9z--
Solution
1) Update to Apache Struts 2.3.32 or 2.5.10.1 (▶ see: Struts 2.3.32 update, Struts 2.5.10.1 update)
2) If you cannot update and are using Apache Struts 2.3.8 – 2.5.5 or 2.3.20 – 2.5.5, use the newly developed plugin (▶ see: https://github.com/apache/struts-extras)
3) If you cannot update and are using Struts 2.5.8 – 2.5.10, remove the File Upload Interceptor from the interceptor stack, define your own stack and set it as the default (▶ see: https://cwiki.apache.org/confluence/display/WW/How+do+we+configure+an+Interceptor+to+be+used+with+every+Action)
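The following added example, in Python and not code from Apache Struts, KISA or the blog quoted above, implements the request-level checks the KISA advisory recommends (strict Content-Type filtering and rejection of OGNL expressions) and extends them to the S2-046 vector shown in the PoC: an OGNL marker in a multipart part's filename, or a Content-Length above the upload limit. It is run against the quoted PoC request, a constructed benign upload and a constructed S2-045-style header that carries only the "%{" marker; the 2 MiB limit is an assumption taken from the Struts default for struts.multipart.maxSize.

```python
"""Request-level checks for the Struts S2-045 and S2-046 upload vectors.

Added example, not code from Apache Struts, KISA or the quoted blog. It
applies the KISA recommendation (reject any Content-Type that is not a plain
multipart/form-data value or that carries an OGNL marker) and extends it
to the S2-046 vector quoted above: an OGNL expression in a part's
Content-Disposition filename, or a Content-Length above the upload limit.
The upload limit, the benign request and the S2-045-style header are
assumptions constructed for the demo; POC_S2_046 is the request quoted above.
"""
import re

MAX_UPLOAD = 2 * 1024 * 1024  # assumed limit; Struts' default struts.multipart.maxSize is 2 MiB

# The only Content-Type shape accepted for an upload: "multipart/form-data; boundary=..."
MULTIPART_RE = re.compile(r'^multipart/form-data\s*;\s*boundary=("?)([^";\s]+)\1\s*$', re.I)
OGNL_RE = re.compile(r"[%$]\{")  # start of an OGNL/EL expression
FILENAME_RE = re.compile(r'filename=("?)(.*?)\1(?:;|$)', re.I)


def _headers(block: bytes) -> dict:
    """Parse 'Name: value' lines into a lower-cased dict (first value wins)."""
    out = {}
    for line in block.decode("latin-1").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            out.setdefault(name.strip().lower(), value.strip())
    return out


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    return request_line.decode("latin-1"), _headers(header_block), body


def multipart_parts(body: bytes, boundary: str):
    """Yield (part headers, part data) for each part of a multipart body."""
    delim = b"--" + boundary.encode("latin-1")
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        phead, _, pdata = chunk.strip(b"\r\n").partition(b"\r\n\r\n")
        yield _headers(phead), pdata


def check_request(raw: bytes, max_upload: int = MAX_UPLOAD) -> list:
    """Return the findings for one request; an empty list means it passed."""
    findings = []
    _, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    # S2-045: the expression rides in Content-Type itself.
    if OGNL_RE.search(ctype):
        findings.append("S2-045: OGNL marker in Content-Type")
    # Struts hands any Content-Type containing "multipart/form-data" to the
    # Jakarta parser, so insist on the exact shape rather than a substring.
    m = MULTIPART_RE.match(ctype)
    if "multipart/form-data" in ctype.lower() and not m:
        findings.append("strict Content-Type check failed: " + ctype[:40])
    # S2-046: an oversized Content-Length makes the parser raise an error
    # whose message embeds the attacker-controlled filename.
    clen = headers.get("content-length", "")
    if clen and not clen.isdigit():
        findings.append("malformed Content-Length: " + clen[:40])
    elif clen and int(clen) > max_upload:
        findings.append(f"S2-046: Content-Length {clen} exceeds upload limit {max_upload}")
    if m:
        for pheaders, _ in multipart_parts(body, m.group(2)):
            fn = FILENAME_RE.search(pheaders.get("content-disposition", ""))
            if fn and OGNL_RE.search(fn.group(2)):
                findings.append("S2-046: OGNL marker in Content-Disposition filename")
    return findings


# The S2-046 proof of concept quoted above, with its line breaks restored.
POC_S2_046 = (
    b"POST /doUpload.action HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Content-Length: 10000000\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAnmUgTEhFhOZpr9z\r\n"
    b"Connection: close\r\n\r\n"
    b"------WebKitFormBoundaryAnmUgTEhFhOZpr9z\r\n"
    b"Content-Disposition: form-data; name=\"upload\"; filename=\"%{#context"
    b"['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
    b".addHeader('X-Test','Kaboom')}\"\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Kaboom\r\n"
    b"------WebKitFormBoundaryAnmUgTEhFhOZpr9z--\r\n"
)

# Constructed benign upload to the same action (Content-Length computed).
BENIGN_BODY = (
    b"------WebKitFormBoundaryAnmUgTEhFhOZpr9z\r\n"
    b"Content-Disposition: form-data; name=\"upload\"; filename=\"report.txt\"\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"quarterly numbers\r\n"
    b"------WebKitFormBoundaryAnmUgTEhFhOZpr9z--\r\n"
)
BENIGN_UPLOAD = (
    b"POST /doUpload.action HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Content-Length: " + str(len(BENIGN_BODY)).encode() + b"\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAnmUgTEhFhOZpr9z\r\n\r\n"
    + BENIGN_BODY
)

# Constructed S2-045-style request: only the "%{" marker matters here; this
# is not a working exploit payload.
S2_045_STYLE = (
    b"POST /doUpload.action HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Content-Type: %{#demo='multipart/form-data'}\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("benign", BENIGN_UPLOAD), ("S2-046 PoC", POC_S2_046), ("S2-045 style", S2_045_STYLE)]:
        print(name, "->", check_request(req) or "pass")
```

Deployed as a servlet filter in front of Struts or as a WAF rule, the same logic covers both advisories; note that the S2-045 Content-Type check alone passes the S2-046 PoC, because its Content-Type header is perfectly well-formed.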
References: https://cwiki.apache.org/confluence/display/WW/S2-045 https://cwiki.apache.org/confluence/display/WW/S2-046 https://community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNAr_RLyvpR
Source: http://blog.alyac.co.kr/1025 [Alyac official blog]
==============================================================