반응형
PHPUnit 취약점 / CVE-2017-9841
- PHPUnit RCE 취약점
- Util/PHP/eval-stdin.php 를 통해 임의의 PHP코드를 실행할 수 있는 취약점
최근까지 탐지되고 있는 취약점 공격이며,
이번 공격은 CVE-2017-9841 취약점과 CVE-2019-16759 취약점이 함께 유입되었습니다.
탐지된 IDS 시그니쳐 - ETPro
- ETPRO WEB_SPECIFIC_APPS PHPUnit Arbitrary Code Execution (CVE-2017-9841) M1
- WEB_SERVER disable_functions PHP config option in uri
- WEB_SERVER auto_prepend_file PHP config option in uri
- WEB_SERVER PHP tags in HTTP POST
- WEB_SERVER safe_mode PHP config option in uri
- WEB_SERVER allow_url_include PHP config option in uri
- WEB_SERVER suhosin.simulation PHP config option in uri
- WEB_SERVER open_basedir PHP config option in uri
- WEB_SPECIFIC_APPS vBulletin RCE Inbound (CVE-2019-16759 Bypass)
CVE-2017-9841 취약 버전
- 취약 버전 (제품 : phpunit)
- v4 : 4.8.28 이전 버전
- v5 : 5.6.3이전 버전
취약 버전 데이터가 너무 많아 아래 링크로 달아 두겠습니다.
보안 취약점 정보 포털
Home > 취약점 정보 공유 > 국내 취약점 취약점 세부정보 : 취약점 세부내용 jvn : cnnvd : ※주의 : 한글 세부 내용은 구글 번역기를 통한 한글 번역으로 참고만 가능합니다.
knvd.krcert.or.kr
vBulletin RCE 취약점 / CVE-2019-16759
해당 취약점은 아래 링크에 정리되어 있습니다.
vBulletin RCE – CVE-2019-16759 분석 자료
탐지 악성 쿼리
|
/protected/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
|
|
/base/post.php, /ispirit/im/upload.php
|
|
/webdav/
|
|
/cgi-bin/php-cgi?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n, /cgi-bin/php.cgi?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n, /cgi-bin/php4?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n
|
|
/cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n, /cgi-bin/php5?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n
|
|
/bbs/ajax/render/widget_tabbedcontainer_tab_panel, /forum/ajax/render/widget_tabbedcontainer_tab_panel, /forums/ajax/render/widget_tabbedcontainer_tab_panel
|
|
/forums/index.php, /ajax/render/widget_tabbedcontainer_tab_panel
|
|
/forums.php, /bbs/index.php, /forum/index.php
|
|
/sqladmin/index.php, /sql/index.php, /SQL/index.php
|
|
/mysql/mysqlmanager/index.php, /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php
|
|
/mysql/admin/index.php, /mysql/dbadmin/index.php, /mysql/sqlmanager/index.php
|
|
/phppma/index.php, /phpmy/index.php
|
|
/__phpMyAdmin/index.php, /program/index.php, /shopdb/index.php
|
|
/phpMyAdmln/index.php, /phpMyAdmin_ai/index.php
|
|
/phpMyAdminhf/index.php, /sbb/index.php, /WWW/phpMyAdmin/index.php
|
|
/123131/index.php, /phpMyAdminn/index.php
|
|
/phpMyAdmin_111/index.php, /phpmadmin/index.php, /321/index.php
|
|
/1/index.php, /download/index.php
|
|
/php2MyAdmin/index.php, /phpiMyAdmin/index.php, /phpNyAdmin/index.php
|
|
/fuck.php, /.config.php
|
|
/phpMyAdmin333/index.php, /phpmyadmin3333/index.php
|
|
/phpMyAdmin._/index.php, /phpMyAdmin._2/index.php, /phpmyadmin2222/index.php
|
|
/phpMydmin/index.php, /phpMyAdmins/index.php
|
|
/phpMyAdmin123/index.php, /pwd/index.php, /phpMyAdmina/index.php
|
|
/MyAdmin/index.php, /phpMyAdmin1/index.php
|
|
/phpMyadmi/index.php, /phpMyAdmion/index.php, /s/index.php
|
|
/phpMyAdm1n/index.php, /shaAdmin/index.php
|
|
/phpMyAdmin+++---/index.php, /v/index.php, /phpmyadm1n/index.php
|
|
/phpMyAbmin/index.php, /phpMyAdmin__/index.php
|
|
/phpmyadmin/phpmyadmin/index.php, /phpMyAdmin/phpMyAdmin/index.php
|
|
/claroline/phpMyAdmin/index.php, /typo3/phpmyadmin/index.php, /phpma/index.php
|
|
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
|
|
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
|
|
/wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
|
|
/sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
|
|
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php, /lib/phpunit/src/Util/PHP/eval-stdin.php, /lib/phpunit/Util/PHP/eval-stdin.php
|
|
/phpunit/Util/PHP/eval-stdin.php, /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
|
|
/sanan.php, /02.php
|
|
/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /phpunit/phpunit/Util/PHP/eval-stdin.php, /phpunit/src/Util/PHP/eval-stdin.php
|
|
/vendor/phpunit/src/Util/PHP/eval-stdin.php, /vendor/phpunit/Util/PHP/eval-stdin.php
|
|
/errors/processor.php, /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
|
|
/blog/xmlrpc.php, /blog/xmlrpc.php
|
결론
- 방화벽에서 출발지 IP 차단
- 공격자는 무작위 IP로 취약점 쿼리를 발생
보안 장비에서 악성 쿼리가 탐지가 되면 능동적으로 IP 접근제어 또는 쿼리 기반으로 차단
- 공격자는 무작위 IP로 취약점 쿼리를 발생
- WAF, IPS와 같은 보안 장비에서 signature 탐지/차단 확인
- URL 패턴 차단
- 취약점 정보 및 패치
반응형
'IT 보안' 카테고리의 다른 글
| VMware RCE 취약점(CVE-2021-21978, CVE-2021-21985) 분석 자료 (0) | 2024.09.23 |
|---|---|
| 아파치 웹 서비스 공격 탐지 분석 자료 (0) | 2024.09.23 |
| 악성코드 고급 분석의 기초 명령어 설명 (0) | 2024.09.23 |
| vBulletin RCE - CVE-2019-16759 분석 자료 (0) | 2024.09.23 |
| Fortinet SSL VPN 취약점 (CVE-2018-13379) 분석자료 (0) | 2024.09.23 |